RDP Server and HIPAA Compliance
A HIPAA compliant RDP server permits healthcare workers to work remotely and still have access to the same data they could view and update if they were employed at a practice or hospital.
Remote desktop access enables healthcare workers to work efficiently from home and remotely. Remote access to data is often required by development teams or business associates of HIPAA-covered groups. While remote desktop access offers many advantages, it also carries risks, which must be identified and managed. If a HIPAA compliant RDP server is not set up correctly, healthcare groups could be at risk of exposing sensitive data, opening the door to hackers, and breaching HIPAA Rules.
Before any remote desktop access being used on ePHI, a covered entity must complete a risk assessment to identify any vulnerabilities that could be exploited to obtain access to ePHI. Those risks must then be managed and brought down to an acceptable level.
Every Communication Should Have Encryption
Since there is a chance of communications being intercepted, HIPAA requires the use of encryption, both for any ePHI shared and also for logins and passwords. All data must then be saved securely in a centrally manageable place.
The simplest way of securing communications is to log on through a secure VPN. The encryption method used by the VPN must be of an appropriate standard to ensure compliance with HIPAA Rules. Current best practices need key lengths of 256 bits and a secure encryption algorithm such as AES.
The data shared through the VPN will only be as safe as the VPN itself. Weaknesses are often discovered with VPNs. A HIPAA-covered group must therefore ensure their VPN is kept up to date. Software upgrades and patches should be applied quickly and regular checks carried out to ensure the latest version of the VPN is installed.
Authentication Controls Must Be Used to Stop Unauthorized Access
The VPN is logged on to using a local interface on the remote device. Authentication controls should be adapted to ensure only authorized individuals are able to access the interface. Each user must be given a unique login to ensure their activity can be tracked and two factor authentication should be used to prove identity.
Once logged in, a secure connection is set up through the VPN to a centralized file management system on a HIPAA compliant RDP server where ePHI is stored safely. Stored data should be encrypted in line with NIST standards.
Additional security measures will help to ensure access to sensitive data cannot be obtained by unauthorized people. Those controls should include a mechanism that prevents unlimited login attempts to obstruct brute force attacks.
Users should also be signed out after a period of inactivity. Even if a HIPAA-compliant RDP server is implemented and all communications are encrypted, if a device remains logged in when the user is not working with the device, it would be easy for an unauthorized people to obtain access to ePHI.
Logins and Activity Must be Reviewed
A HIPAA compliant RDP server needs to be always monitored and successful logins and attempted logins must be recorded. Those access logs need to be constantly checked and any suspicious activity reviewed. Regulators are likely to require access to logs and will want to see proof that access and access attempts are being regularly reviewed.
There have been many cases where hackers have taken advantage of flaws in remote desktop software to gain access to sensitive data. If proper controls are not put in place by healthcare groups, not only could it lead to an expensive data breach, HIPAA regulators may issue severe fines for noncompliance.
Use a Managed HIPAA Compliant RDP Server
HIPAA covered groups that require workers or business associates to log on remotely can easily breach HIPAA Rules by using an out-of-the-box RDP software solution. RDP software and Windows RDP is not inherently HIPAA-compliant.
To lessen the chance of a HIPAA violation, many healthcare groups choose to implement a service provider that offers a HIPAA compliant RDP server and, as a business associate, will ensure HIPAA Rules are adhered to and all appropriate security controls are working to secure data and remote desktop communications. The service provider will review and manage their HIPAA compliant RDP server, perform all necessary updates, control firewalls and track and log the work of remote users.