By Gil Vidals, , HIPAA Blog

One of the great blessings of technology has been an unprecedented ability to work remotely, and connect with teams and customers on a global scale.

But for remote workers involved in the transfer of sensitive data and protected health information, particularly those that have business agreements in place to maintain HIPAA compliance, adhering to standards and practices that will maintain security is of paramount importance.

For example, a company or healthcare associate may rely on Remote Desktop Protocol (RDP) to access a workplace computer from home. Simply opening a port on a company router to allow firewall access is insufficient for HIPAA compliance, as it provides an exploitable weakness that may be used for malicious intent. In other words, Windows RDP by itself cannot be considered inherently secure, or HIPAA compliant for the handling of sensitive data.

So how can you handle sensitive, electronic-protected health information (ePHI) and achieve HIPAA compliance with RDP? The key is to provide a virtual private network (VPN) that will allow access to ePHI through an encrypted channel.

Here are the basics:

  • Secure Storage: Since HIPAA rules require the protection of data both in transit and at rest, a centralized file management system such as an RDP server with secure ports should be used to store ePHI and passwords. In addition, a secure server can also help you with troublesome latency issues caused by heavy network traffic.
  • Encryption: Protection of data means utilizing a secure channel that will encrypt your data (convert it to unreadable code) when accessed from the server by a remote location, and decrypt it for the authenticated end-user. Keep in mind that remote user access and administrative rights to sensitive PHI should always be on an as-needed basis, thus mitigating risk.
  • Reporting and Patching: Tracking of login attempts, monitoring, and threat alerts, as well as keeping up to date with the latest security patches, is a necessary part of the “preventative measures” required by HIPAA rules. Failure to utilize the latest in security measures may leave your company or healthcare system vulnerable to a serious breach. This may include data theft, or any one of the increasingly novel and malicious attacks that hackers employ to hold your data hostage, such as ransomware.

The bottom line for achieving HIPAA compliance with RDP is clear: if you’re using RDP to handle sensitive, protected ePHI, you need to secure it with a VPN that will allow for the encryption of data. Utilize a secure server to store data and passwords, and employ the latest in security patching and ongoing monitoring.

Putting these measures to work for you will help protect your sensitive data, and maintain the security and confidentiality that your customers expect. If you need a HIPAA Compliant RDP Server we can help.

Avatar photo

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate, subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached here on Linkedin.

Infrastructure as Code: A Dynamic Approach
June 16, 2017
Malware Threatening Healthcare Organizations
November 10, 2017