The body of U.S. law referred to as the Health Insurance Portability and Accountability Act, or HIPAA, provides stringent safeguards for the privacy and confidentiality of healthcare data, specifically, classes of data categorized as protected health information, or PHI. Healthcare organizations who need to enable user access to this information in the cloud need to understand the relative IT security involved in their business operations. One of the most essential components in ensuring data stays in the right hands is VPN.
The Use of VPN
Using a virtual private network (VPN) is a big step toward achieving HIPAA-compliance and secure cloud communications. In most cases, VPN provides proper encryption for health care data by creating a kind of “tunnel” for messaging data. One way to think about VPN is that it embeds a smaller private network in the public global Internet. By creating a virtual point-to-point connection, VPN controls the data packets and protects them from unauthorized access.
Encryption and VPN
VPN technologies use specific kinds of symmetric-key or public-key encryption to make sure that sensitive data is shielded from prying eyes. Typically, the pair of sending and receiving computers uses an individual key to encode data where it sent, and decode it where it is received (as in this guide).
Looking Critically at VPN for HIPAA
In general, experts consider the use of a well-set-up VPN system to be a secure and HIPAA-compliant scenario. However, some have pointed to certain lack of encryption at the layer 2 of the OSI model to say that some VPN models may not be 100 percent secure, because they may leave MAC addresses and service set IDs unencrypted (more in this paper from Sans.org).
Nevertheless, in most interpretations of HIPAA compliance, VPN fits the bill for creating a secure line of information that meets the standards for privacy. Users can securely access a database containing sensitive patient data from just about anywhere with an internet connection. VPN does have some (obvious) drawbacks when it comes to endpoint security–in other words, even though you have a secure tunnel for sending and receiving, the sensitive health care data is still displayed on the sender’s and receiver’s screens, which can potentially be a problem, depending on where each user happens to be. Another big endpoint security concern is misplacing a mobile device that has an active VPN connection and can access restricted data.
VPN is a very important component of a HIPAA Compliant Hosting solution, but is only a part of a multi-layered set of security features including: dedicated firewalls, log monitoring, encryption of data in-motion and at rest, encrypted offsite backups, vulnerability scanning and multi-factor authentication.