Is Remote Desktop HIPAA Compliant?

The short answer is NO. The long answer is that it can be HIPAA compliant, PCI compliant and accepted as standard business security if you use Remote Desktop (RDP) across a VPN. We work with many healthcare providers, and the HIPAA rules are pretty clear:

  1. Any access from the Internet or a remote location must be encrypted. This means healthcare information going across the Internet cannot be read until it reaches the authenticated user on the other end, where it is decrypted.
  2. Passwords should be stored in a central, manageable location such as a managed firewall or a Windows server.
  3. Remote access is tracked, and attempts to connect are also logged.
  4. Login name and password are sent as encrypted data.
  5. Unlimited attempts to guess or crack a password are stopped by the VPN device.
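Requirements 3 and 5 above (connection attempts logged, unlimited password guesses stopped) can be verified from the logs themselves. The script below is an added example, not code from the original post or from any Micro Doctor product: it runs a simple brute-force detector over constructed records in the style of Windows Security events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP). The one-line record format, user names and IP addresses are made up for illustration.

```python
"""Flag password guessing against RDP and a login that succeeds after a burst of failures."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: mimics Security events 4625/4624 with the RDP logon type (10).
# A real deployment would read these from the Security event log instead.
SAMPLE_LOG = """\
2012-04-28T08:00:01 EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2012-04-28T08:00:03 EventID=4625 LogonType=10 User=administrator Source=203.0.113.5
2012-04-28T08:00:04 EventID=4625 LogonType=10 User=admin Source=203.0.113.5
2012-04-28T08:00:05 EventID=4625 LogonType=2 User=frontdesk Source=127.0.0.1
2012-04-28T08:00:06 EventID=4625 LogonType=10 User=drsmith Source=203.0.113.5
2012-04-28T08:00:07 EventID=4625 LogonType=10 User=drsmith Source=203.0.113.5
2012-04-28T08:00:09 EventID=4624 LogonType=10 User=drsmith Source=203.0.113.5
2012-04-28T08:05:00 EventID=4625 LogonType=10 User=nurse1 Source=198.51.100.7
2012-04-28T09:00:00 EventID=4624 LogonType=10 User=nurse1 Source=198.51.100.7
"""


def parse(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return findings: ('brute_force', source, time) when a source reaches
    `threshold` failed RDP logons inside `window`, and
    ('success_after_brute_force', source, user) for a later RDP success
    from that source. Records are assumed to be in chronological order."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    tripped = set()              # sources that already exceeded the threshold
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec["LogonType"] != "10":  # only RemoteInteractive (RDP) logons matter here
            continue
        src = rec["Source"]
        if rec["EventID"] == "4625":
            q = recent[src]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in tripped:
                tripped.add(src)
                findings.append(("brute_force", src, rec["ts"]))
        elif rec["EventID"] == "4624" and src in tripped:
            findings.append(("success_after_brute_force", src, rec["User"]))
    return findings
```

The one isolated failure from 198.51.100.7 stays below the threshold, while the five rapid failures from 203.0.113.5 followed by a success are flagged twice; that second finding is the one worth an immediate ticket.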

Many organizations allow users to access their PCs via Windows Remote Desktop connections by opening a port on the firewall and letting the user connect directly to their office computer from home. This practice is not secure, and it is definitely not HIPAA compliant. Setting up a remote desktop with a weak password is just asking for trouble, and opening a remote desktop port on the router for it, where anyone on the Internet can find it, is a definitely risky practice.

So how can a healthcare facility or security conscious business allow remote access without violating HIPAA, PCI and other security standards?

We recommend installing a firewall, in particular a Sonicwall firewall. The Sonicwall line of firewalls comes with an SSL VPN, which is a secure way to create an encrypted connection to your office network before initiating a remote desktop connection. Sonicwalls are affordable for almost any business, starting at about $500.00. We also offer basic Sonicwall monitoring that stores logs offsite, sends reports and sends alerts for threats.

Sonicwall’s SSL VPN feature provides easy access to work data from any Internet-enabled Windows PC by downloading a small SSL VPN client. For physicians and executives who need to access sensitive data from multiple locations in a hurry, this product fits the bill perfectly.

Another issue that many business owners overlook is patching of the Windows operating system. The healthcare law states that you must take preventative measures to protect patient data, PCI-sensitive data and customers’ personal information. If you fail to keep your PCs and servers patched with the latest Microsoft security patches, your organization could be accused of negligence, and this failure can lead to virus attacks, data theft and other intrusions.

How are healthcare businesses making sure they follow the standards of the HIPAA law and qualify for the “meaningful use” standard? They are having Micro Doctor, Inc. install our MD-Care agents on every PC, and they rely on us not only to patch the systems but also to monitor and report on PCs that are missing important patches. Our MD-Care console uses a Red-Yellow-Green alerting system, so we automatically get notified via a ticket and can see at a glance which systems need attention.

Our medical customers are not only protected from HIPAA violations but also qualify for “Meaningful Use” and the thousands of dollars that come with upgrading to EMR/EHR.

If your practice or business is at risk, please contact us. We offer a free initial consultation with one of our technical account reps.

Mark Richmond, President and CEO of Micro Doctor Inc.       04/28/2012
