Blog August 19, 2014

What is VPN and How It Applies to a HIPAA Cloud?

The body of U.S. law referred to as the Health Insurance Portability and Accountability Act, or HIPAA, provides stringent safeguards for the privacy and confidentiality of healthcare data, specifically, classes of data categorized as protected health information, or PHI. Healthcare organizations who need to enable user access to this information in the cloud need to understand the relative IT security involved in their business operations. One of the most essential components in ensuring data stays in the right hands is VPN.

The Use of VPN

Using a virtual private network (VPN) is a big step toward achieving HIPAA-compliance and secure cloud communications. In most cases, VPN provides proper encryption for health care data by creating a kind of “tunnel” for messaging data. One way to think about VPN is that it embeds a smaller private network in the public global Internet. By creating a virtual point-to-point connection, VPN controls the data packets and protects them from unauthorized access.

Encryption and VPN

VPN technologies use specific kinds of symmetric-key or public-key encryption to make sure that sensitive data is shielded from prying eyes. Typically, the pair of sending and receiving computers uses an individual key to encode data where it sent, and decode it where it is received (as in this guide).

Looking Critically at VPN for HIPAA

In general, experts consider the use of a well-set-up VPN system to be a secure and HIPAA-compliant scenario. However, some have pointed to certain lack of encryption at the layer 2 of the OSI model to say that some VPN models may not be 100 percent secure, because they may leave MAC addresses and service set IDs unencrypted (more in this paper from Sans.org).

Nevertheless, in most interpretations of HIPAA compliance, VPN fits the bill for creating a secure line of information that meets the standards for privacy. Users can securely access a database containing sensitive patient data from just about anywhere with an internet connection. VPN does have some (obvious) drawbacks when it comes to endpoint security–in other words, even though you have a secure tunnel for sending and receiving, the sensitive health care data is still displayed on the sender’s and receiver’s screens, which can potentially be a problem, depending on where each user happens to be. Another big endpoint security concern is misplacing a mobile device that has an active VPN connection and can access restricted data.

VPN is a very important component of a HIPAA Compliant Hosting solution, but is only a part of a multi-layered set of security features including: dedicated firewalls, log monitoring, encryption of data in-motion and at rest, encrypted offsite backups, vulnerability scanning and multi-factor authentication.

Related Resources

 
Catching Up in the Race for Digital Transformation
It seems that digital transformation is on every CIO’s agenda for 2019. What this means varies, from leveraging artificial intelligence (AI) and machine learning for…
 
An Interview with Connectria’s VP Solutions Architecture for IBM i
Thousands of companies trust their mission-critical workloads to the IBM Power Systems platform. But what happens when these organizations want to move to the cloud?…
 
8 Reasons to Move to a Managed Cloud
There are plenty of reasons to move from an on-premises environment to the cloud. In this post, I share the most common reasons our customers…