Blog August 19, 2014

What is VPN and How It Applies to a HIPAA Cloud?

The body of U.S. law referred to as the Health Insurance Portability and Accountability Act, or HIPAA, provides stringent safeguards for the privacy and confidentiality of healthcare data, specifically, classes of data categorized as protected health information, or PHI. Healthcare organizations who need to enable user access to this information in the cloud need to understand the relative IT security involved in their business operations. One of the most essential components in ensuring data stays in the right hands is VPN.

The Use of VPN

Using a virtual private network (VPN) is a big step toward achieving HIPAA-compliance and secure cloud communications. In most cases, VPN provides proper encryption for health care data by creating a kind of “tunnel” for messaging data. One way to think about VPN is that it embeds a smaller private network in the public global Internet. By creating a virtual point-to-point connection, VPN controls the data packets and protects them from unauthorized access.

Encryption and VPN

VPN technologies use specific kinds of symmetric-key or public-key encryption to make sure that sensitive data is shielded from prying eyes. Typically, the pair of sending and receiving computers uses an individual key to encode data where it sent, and decode it where it is received (as in this guide).

Looking Critically at VPN for HIPAA

In general, experts consider the use of a well-set-up VPN system to be a secure and HIPAA-compliant scenario. However, some have pointed to certain lack of encryption at the layer 2 of the OSI model to say that some VPN models may not be 100 percent secure, because they may leave MAC addresses and service set IDs unencrypted (more in this paper from Sans.org).

Nevertheless, in most interpretations of HIPAA compliance, VPN fits the bill for creating a secure line of information that meets the standards for privacy. Users can securely access a database containing sensitive patient data from just about anywhere with an internet connection. VPN does have some (obvious) drawbacks when it comes to endpoint security–in other words, even though you have a secure tunnel for sending and receiving, the sensitive health care data is still displayed on the sender’s and receiver’s screens, which can potentially be a problem, depending on where each user happens to be. Another big endpoint security concern is misplacing a mobile device that has an active VPN connection and can access restricted data.

VPN is a very important component of a HIPAA Compliant Hosting solution, but is only a part of a multi-layered set of security features including: dedicated firewalls, log monitoring, encryption of data in-motion and at rest, encrypted offsite backups, vulnerability scanning and multi-factor authentication.

Related Resources

 
Do I Need to Comply With HIPAA/HITECH Privacy Rules?
In 2009, the U.S. Congress passed The Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment…
 
What ISVs Need to Know About Hosting SaaS Apps in Healthcare
As reported in the HIPAA Journal, the HHS has issued a clarification statement for when business associates can be fined for non-compliance. If you are…
 
Your Crash Course on Security in the Cloud (and of the Cloud)
You’ve no doubt realized by now that cybercrime isn’t going away anytime soon. What you might not know is that approximately 43 percent of all…