HIPAA

Does HIPAA require encryption? Yes... No... Kinda?

HIPAA is about as confusing as things get: things you must do, things you should do but are not explicitly required to do, and things you really want to do but don't strictly need to. Encryption falls into a gray area between these. You must decide whether it is required for you.

Let's get some definitions out of the way.

Data at rest: all the data/PHI sitting on your computers, servers, mobile devices and backup media.
Data in motion/in transit: data that is actively being transmitted over the Internet or a network, moved on thumb drives, or copied to CD.
Encryption: transforming data with a key so that it cannot be read by anyone who does not have that key (the key is usually unlocked by a password or passphrase). Putting data behind a login password without encrypting it is not encryption; anyone who copies the disk can read it.

OK, so encryption is not strictly required (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html), but it does fall into the category of things that must be dealt with: it is an "addressable" implementation specification. Awesome, everyone knows what that is, right? Basically, it is something you must assess and then decide whether or not to implement (http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html).

There are guidelines to follow. You, the covered entity or business associate, must decide whether encryption is a reasonable and appropriate security measure for your PHI, at rest and in transit. Document your decision and the reasons behind it. If you decide encryption is reasonable and appropriate, implement it; if you decide it is not, document why and implement an equivalent alternative measure where that is reasonable and appropriate. One practical point tips the decision for most practices: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI", so a lost encrypted laptop is not a reportable breach, while a lost unencrypted one is.

Give us a call if you need more information.

Secure Email, The Who and The What

Secure e-mail, encrypted so that no one outside the intended recipient can read it, has for many years been strictly the stuff of big companies. But just like everything else these days, e-mail security has become simpler and more Web-based. Dozens of firms now offer options for sending and receiving secure messages.

Encrypted e-mail will almost certainly never replace open e-mail; it is too cumbersome and expensive. But even tiny companies need to protect critical information such as tax returns, independent contractor IRS 1099-Misc forms, human resources data, and protected health information. This security burden will only grow. Federal agencies are imposing stricter rules for sending and receiving employee information, and HIPAA requires healthcare providers to secure all protected health information, including when it is sent by e-mail.

Remote desktop is, by default, not HIPAA compliant

With today's workload, long hours, and pressure to get more done in less time, remote access to your work computer can be a life saver. The remote access we will be discussing in this article is accessing your work desktop, files, printers, and applications. There are a number of options, some are better than others.

Applied to remote access, the HIPAA Security Rule amounts to the following:

1. Any access from the Internet or a remote location must be encrypted. Healthcare information crossing the Internet cannot be read until it reaches the authenticated user on the other end, where it is decrypted.
2. Accounts and passwords should be managed in one central, manageable location, such as a managed firewall or a Windows server.
3. Remote access is tracked, and attempts to connect (successful or not) are logged.
4. Login and password are sent as encrypted data, never in the clear.
5. Unlimited attempts to guess or crack a password are stopped by the VPN device (account lockout or rate limiting).

There are a number of solutions that are HIPAA compliant out of the box. If you use LogMeIn for your remote access you can stop reading; LogMeIn meets all of the above. VNC and TeamViewer can be configured to meet them with some changes to their default installation.

But what about multiple-office access, and the convenience of Microsoft's own solution, Remote Desktop Protocol (RDP)? Citrix is an "upgraded", fuller-featured version of remote desktop and does not need a VPN or the overhead of RDP.

RDP between offices, or from home to the office, by itself is NOT HIPAA compliant; it fails on items 1, 4, and 5 above. It can, however, be HIPAA compliant, PCI compliant, and accepted as standard business security if you run RDP across a virtual private network (VPN): the VPN authenticates and encrypts the whole session, and the RDP port itself is never exposed directly to the Internet.
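Items 1, 4 and 5 above can be audited directly on the Windows host that accepts the RDP connections. The PowerShell below is an added example written for this article; it is not code from the original page, from Microsoft or from any vendor named here. It assumes it is run as Administrator on the RDP host, that the lockout policy that matters is the local one reported by `net accounts`, and it reads the standard RDP-Tcp registry values and Security event 4625 (failed logon, logon type 10 = RemoteInteractive).

```powershell
# Added example, not from the original article. Audits an RDP host against
# items 1, 4 and 5 of the list above. Run as Administrator on the host.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$cfg = Get-ItemProperty -Path $rdpTcp
$findings = @()

# Items 1 and 4: the legacy "RDP Security Layer" (SecurityLayer = 0) does not
# authenticate the server with a certificate, so a man-in-the-middle can read
# the session and the credentials. SSL/TLS (2) is what we want; 1 = Negotiate.
if ($cfg.SecurityLayer -lt 2) {
    $findings += "SecurityLayer=$($cfg.SecurityLayer): set to 2 (TLS) so the session is server-authenticated and encrypted"
}
# Network Level Authentication (UserAuthentication = 1) authenticates the user
# inside the TLS channel before a desktop session is created.
if ($cfg.UserAuthentication -ne 1) {
    $findings += "UserAuthentication=$($cfg.UserAuthentication): require NLA (1) so the login is never sent in the clear"
}
# MinEncryptionLevel: 1 = Low, 2 = Client Compatible, 3 = High (128-bit), 4 = FIPS
if ($cfg.MinEncryptionLevel -lt 3) {
    $findings += "MinEncryptionLevel=$($cfg.MinEncryptionLevel): raise to 3 (High) or 4 (FIPS)"
}

# Item 5: unlimited password guessing. 'Lockout threshold: Never' means a
# remote attacker may try as many passwords as they like.
$lockoutLine = (net accounts) | Where-Object { $_ -match '^Lockout threshold' }
if ($lockoutLine -match 'Never') {
    $findings += "Account lockout threshold is 'Never': set one, e.g. 'net accounts /lockoutthreshold:5'"
}

# Item 3 (evidence that attempts are logged): failed RemoteInteractive logons
# in the last 24 hours, grouped by source IP. Property index 10 is LogonType,
# index 19 is IpAddress in the 4625 event schema.
$since = (Get-Date).AddDays(-1)
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[10].Value -eq 10 } |
    Group-Object { $_.Properties[19].Value } |
    Sort-Object Count -Descending
"Failed RDP logons in the last 24h by source IP (top 5):"
$failed | Select-Object -First 5 Count, Name | Format-Table -AutoSize

if ($findings.Count -eq 0) { "RDP configuration passes the checks above" }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

A host that passes every check here still should not have port 3389 reachable from the Internet; the checks harden the session, but placing RDP behind the VPN, as recommended below, is what keeps the service itself off the public network and gives you one central place to log and throttle connection attempts.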

So how can a healthcare facility allow remote access without violating HIPAA, PCI, and other security standards?

We recommend installing a firewall, in particular a Sonicwall Firewall. The Sonicwall line of firewalls come with an SSL VPN, which is a secure way to create an encrypted connection to your office network before initiating a remote desktop connection. Sonicwalls are affordable for almost any business starting at about $800.00. We also offer Basic Sonicwall monitoring that stores logs offsite, sends reports, and sends alerts for threats.

Sonicwall's SSL VPN feature provides easy access to work on data from any Internet-enabled Windows PC by downloading a small SSL VPN client. For physicians who need to access sensitive data from multiple locations in a hurry, this product fits the bill.

If your practice is at risk, please contact us. We offer a free initial consultation and can offer a total HIPAA compliance package.

Are your mobile devices HIPAA compliant?

Mobile device use is becoming more commonplace in health care, and with it comes more opportunity for HIPAA compliance problems. The recently launched HHS initiative, Mobile Devices: Know the RISKS. Take the STEPS. PROTECT and SECURE Health Information, offers tips on safeguarding protected health information (PHI) on mobile devices such as laptops, tablets and smartphones.

HIPAA Compliant Online Backup

There are so many choices to make these days: a Meaningful Use certified EHR, a capable practice management system, even which computers you want your practice using. Taking on HIPAA on top of all this can seem like a daunting task.

One of the most important technology tasks left out by many companies is a good data backup plan. Most of us associate data backup with an external hard drive, a tape system, or maybe some external flash storage. But remember, you are dealing with information that is both vital to your practice and sensitive protected health information. Keeping that information secure and available in the event of an emergency is a top priority.

Perhaps it's time to turn to a data backup service, since HIPAA does not treat backup as optional: the Security Rule's contingency plan standard makes a data backup plan a required implementation specification, not an addressable one.