Contact Us
Blog August 19, 2014

What is VPN and How It Applies to a HIPAA Cloud?

The body of U.S. law referred to as the Health Insurance Portability and Accountability Act, or HIPAA, provides stringent safeguards for the privacy and confidentiality of healthcare data, specifically, classes of data categorized as protected health information, or PHI. Healthcare organizations who need to enable user access to this information in the cloud need to understand the relative IT security involved in their business operations. One of the most essential components in ensuring data stays in the right hands is VPN.

The Use of VPN

Using a virtual private network (VPN) is a big step toward achieving HIPAA-compliance and secure cloud communications. In most cases, VPN provides proper encryption for health care data by creating a kind of “tunnel” for messaging data. One way to think about VPN is that it embeds a smaller private network in the public global Internet. By creating a virtual point-to-point connection, VPN controls the data packets and protects them from unauthorized access.

Encryption and VPN

VPN technologies use specific kinds of symmetric-key or public-key encryption to make sure that sensitive data is shielded from prying eyes. Typically, the pair of sending and receiving computers uses an individual key to encode data where it sent, and decode it where it is received (as in this guide).

Looking Critically at VPN for HIPAA

In general, experts consider the use of a well-set-up VPN system to be a secure and HIPAA-compliant scenario. However, some have pointed to certain lack of encryption at the layer 2 of the OSI model to say that some VPN models may not be 100 percent secure, because they may leave MAC addresses and service set IDs unencrypted (more in this paper from

Nevertheless, in most interpretations of HIPAA compliance, VPN fits the bill for creating a secure line of information that meets the standards for privacy. Users can securely access a database containing sensitive patient data from just about anywhere with an internet connection. VPN does have some (obvious) drawbacks when it comes to endpoint security–in other words, even though you have a secure tunnel for sending and receiving, the sensitive health care data is still displayed on the sender’s and receiver’s screens, which can potentially be a problem, depending on where each user happens to be. Another big endpoint security concern is misplacing a mobile device that has an active VPN connection and can access restricted data.

VPN is a very important component of a HIPAA Compliant Hosting solution, but is only a part of a multi-layered set of security features including: dedicated firewalls, log monitoring, encryption of data in-motion and at rest, encrypted offsite backups, vulnerability scanning and multi-factor authentication.

Related Resources

Partner Powered AWS Funding Opportunities
Many IT leaders are challenged to find the cloud support their business needs. Organizational timelines for cloud adoption, cloud migration, and cloud maturity are being…
Case Study May 19, 2023
How PohlmanUSA Leverages AWS
Connectria Key Takeaways from POWERUp 2023
Common’s POWERUp conference, the largest IBM i conference event worldwide, was held last week in Denver, Colorado. This event brings IBM executives, industry experts, and…