Blog August 19, 2014

What is VPN and How It Applies to a HIPAA Cloud?

The body of U.S. law referred to as the Health Insurance Portability and Accountability Act, or HIPAA, provides stringent safeguards for the privacy and confidentiality of healthcare data, specifically the class of data categorized as protected health information, or PHI. Healthcare organizations that need to give users access to this information in the cloud need to understand the IT security controls involved in their business operations. One of the most essential components in ensuring data stays in the right hands is a VPN.

The Use of VPN

Using a virtual private network (VPN) is a big step toward achieving HIPAA compliance and secure cloud communications. A VPN protects health care data in transit by creating an encrypted “tunnel” through which the traffic travels. One way to think about a VPN is that it embeds a smaller private network in the public global Internet. By creating a virtual point-to-point connection, the VPN encapsulates each packet, so that anyone on the public network between the two endpoints sees only encrypted tunnel traffic, not the data inside it.

Encryption and VPN

VPN technologies use a combination of public-key and symmetric-key cryptography to make sure that sensitive data is shielded from prying eyes. Typically, the sending and receiving computers first authenticate each other and agree on a session key, using public-key cryptography or a pre-shared key, and then use that key with a symmetric cipher to encrypt the data where it is sent and decrypt it where it is received (as in this guide).

Looking Critically at VPN for HIPAA

In general, experts consider a well-configured VPN to be a secure and HIPAA-compliant way to carry PHI. However, some have pointed out that a VPN encrypts the packets it carries, not the layer 2 (data link) frames that carry them, so on a wireless link the MAC addresses and service set identifiers (SSIDs) remain visible to anyone in radio range even though the tunnel contents do not (more in this paper from Sans.org).
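To make concrete what the tunnel described above encrypts and what it leaves visible, here is an added example in Go. It is not code from the original post or from any VPN product. It models a sending and a receiving gateway with a toy encapsulation: a cleartext outer header carrying the two gateway addresses, followed by the whole inner packet (private addresses and payload) encrypted and authenticated with AES-GCM under a shared session key. The wire format, the gateway and private addresses, the fixed session key and the sample payload are all assumptions made for the demo; a real VPN negotiates the key through a public-key exchange such as IKE or TLS and uses a standardized format such as IPsec ESP.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// InnerPacket stands in for the IP packet a workstation sends into the private network (constructed sample data, not real PHI).
type InnerPacket struct{ SrcIP, DstIP, Payload string }

// OuterHeader ("srcGateway>dstGateway") routes the tunnel packet over the public Internet; anyone on the path can read it.
type OuterHeader string

// Assumed wire format (not a real protocol): header '\n' nonce || AES-GCM ciphertext+tag.
// The header is AES-GCM additional authenticated data: integrity-protected, not encrypted.
func (p InnerPacket) encode() []byte { return []byte(p.SrcIP + "|" + p.DstIP + "|" + p.Payload) }

func decodeInner(b []byte) (InnerPacket, error) {
	f := strings.SplitN(string(b), "|", 3) // payload may itself contain '|'
	if len(f) != 3 {
		return InnerPacket{}, errors.New("malformed inner packet")
	}
	return InnerPacket{f[0], f[1], f[2]}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte session key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encapsulate (sending gateway): encrypt and authenticate the whole inner packet
// under the shared session key, then prepend the cleartext outer header.
func Encapsulate(key []byte, hdr OuterHeader, p InnerPacket) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // a nonce must never repeat under one key
		return nil, err
	}
	wire := append([]byte(hdr+"\n"), nonce...)
	return aead.Seal(wire, nonce, p.encode(), []byte(hdr)), nil
}

// Eavesdrop models an observer without the key: it sees the outer header (and on
// Wi-Fi the frame's MAC addresses and SSID) but nothing inside the tunnel.
func Eavesdrop(wire []byte) (OuterHeader, error) {
	i := bytes.IndexByte(wire, '\n')
	if i < 0 {
		return "", errors.New("no outer header")
	}
	return OuterHeader(wire[:i]), nil
}

// Decapsulate (receiving gateway): any change to header, nonce or ciphertext makes
// Open fail, so a forged or tampered packet is dropped instead of delivered.
func Decapsulate(key, wire []byte) (InnerPacket, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return InnerPacket{}, err
	}
	i := bytes.IndexByte(wire, '\n')
	ctStart := i + 1 + aead.NonceSize()
	if i < 0 || len(wire) < ctStart+aead.Overhead() {
		return InnerPacket{}, errors.New("truncated tunnel packet")
	}
	pt, err := aead.Open(nil, wire[i+1:ctStart], wire[ctStart:], wire[:i])
	if err != nil {
		return InnerPacket{}, fmt.Errorf("packet dropped: %w", err)
	}
	return decodeInner(pt)
}

func main() {
	// Demo session key (assumed); a real VPN derives it per peer pair via IKE/TLS public-key exchange or a pre-shared key.
	key := bytes.Repeat([]byte{0x42}, 32)
	inner := InnerPacket{"10.0.1.25", "10.0.9.3", "mrn=000123|dx=J45"}
	wire, err := Encapsulate(key, "203.0.113.10>198.51.100.7", inner)
	if err != nil {
		panic(err)
	}
	seen, _ := Eavesdrop(wire)
	fmt.Printf("observer sees %q; payload in clear: %v\n", seen, bytes.Contains(wire, []byte(inner.Payload)))
	got, err := Decapsulate(key, wire)
	fmt.Println("receiver:", got, err)
	wire[0] ^= 1 // attacker flips one bit of the cleartext header
	_, err = Decapsulate(key, wire)
	fmt.Println("tampered:", err)
}
```

Running it shows that the observer can read the gateway addresses but not the payload or the private addresses, that the receiving gateway recovers the inner packet intact, and that flipping a single bit of the cleartext header makes authentication fail so the packet is dropped rather than delivered. The link-layer headers the SANS paper is concerned about sit outside even this outer header; nothing in the encapsulation touches them, which is exactly why they stay visible on a wireless link.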

Nevertheless, under most interpretations of HIPAA, a VPN meets the standard for protecting PHI in transit. Users can securely access a database containing sensitive patient data from just about anywhere with an internet connection. A VPN does have some obvious drawbacks when it comes to endpoint security: the tunnel protects data only while it is moving between the two endpoints, not once it arrives. The sensitive health care data is still displayed on the sender's and receiver's screens, which can be a problem depending on where each user happens to be. Another big endpoint security concern is misplacing a mobile device that has an active VPN connection and can access restricted data.

A VPN is a very important component of a HIPAA Compliant Hosting solution, but it is only one part of a multi-layered set of security features, including dedicated firewalls, log monitoring, encryption of data in motion and at rest, encrypted offsite backups, vulnerability scanning and multi-factor authentication.
