Channel: SecurityMetrics Blog

Is Working From Home HIPAA Compliant?


Securing remote access in healthcare environments.

By: Tod Ferran, Security Analyst
Do employees at your office like to work from home? Does the doctor regularly access patient data in another place besides your office? Do you use a third party for IT support or billing? 

They probably use a remote access application (like GoToMyPC, LogMeIn, or RemotePC) to reach your patient database from elsewhere.

That’s great for productivity, but often bad for security.

Attackers target organizations that use remote access applications. If a remote access application is vulnerable or poorly configured, it lets them bypass the firewall entirely and gain direct access to office and patient data.



So what’s the remote access issue?

The biggest problem with remote access is not the tool itself but how it is configured. If the tool requires only a username and password, an attacker has a single layer of security to break, and plenty of online tools are available to help.

Once he’s gained network access, the attacker essentially has the keys to the kingdom, and is free to install malware designed to harvest patient data and export it to his system.


How to keep hackers from hacking your remote access application

Remote access can be secure, as long as it uses strong encryption and requires two independent methods of authentication (called two-factor authentication). Be sure to enable and enforce strong or high encryption in your remote access configuration.

In addition to entering a username and password, two-factor authentication requires an additional step, such as physically calling an onsite office manager to be granted remote system access. 

Other ideas for a second factor include:
  • Require matching of MAC addresses between the remote and onsite systems.
  • Require a VPN with a pre-shared certificate.
  • Implement RSA SecurID with LogMeIn.
  • Implement DUO 2-factor.
  • Implement Windows Azure.

To stay secure, ensure the remote access tool your staff uses has two-factor authentication and strong encryption.
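The two controls above (strong encryption plus an independent second factor) are the kind of thing an auditor checks in a remote access gateway's settings. The script below is an added example written for this post, not a SecurityMetrics tool and not any vendor's API: it evaluates a constructed, hypothetical configuration dictionary (the keys `allowed_protocols`, `cipher_suites` and `authentication_factors` are assumptions, as are the "strong" thresholds of TLS 1.2+ and no RC4/DES/NULL/EXPORT/MD5 suites) and reports findings for a weak configuration alongside a hardened one.

```python
"""Audit remote-access gateway settings for strong encryption and true
two-factor authentication. Added example; the config schema is constructed
and hypothetical, not a real product's format."""

# Assumed thresholds for "strong encryption": TLS 1.2 or newer, and no
# cipher suite containing one of these legacy/broken primitives.
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# Factors treated as independent of the password (something you have, or an
# out-of-band human check as in the post's "call the office manager" example).
INDEPENDENT_FACTORS = {
    "hardware_token",        # e.g. a one-time-code token
    "push_app",              # e.g. a phone-based approval prompt
    "totp",                  # time-based one-time code
    "client_certificate",    # VPN with a pre-shared certificate
    "phone_call_to_office",  # manual approval by onsite staff
}


def audit_remote_access(config):
    """Return a list of findings; an empty list means the configuration
    meets both requirements (strong encryption and two independent factors)."""
    findings = []

    # --- Encryption ---------------------------------------------------------
    protocols = set(config.get("allowed_protocols", []))
    if not protocols:
        findings.append("no transport encryption configured")
    else:
        weak_protocols = sorted(protocols - STRONG_PROTOCOLS)
        if weak_protocols:
            findings.append(f"weak protocols enabled: {weak_protocols}")

    for cipher in config.get("cipher_suites", []):
        if any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite enabled: {cipher}")

    # --- Authentication -----------------------------------------------------
    factors = config.get("authentication_factors", [])
    if "password" not in factors:
        findings.append("password factor missing")
    second_factors = [f for f in factors if f != "password"]
    if not second_factors:
        findings.append("single-factor authentication: only a password is required")
    for factor in second_factors:
        # A security question is "something you know", like the password, so it
        # does not count as an independent second factor.
        if factor not in INDEPENDENT_FACTORS:
            findings.append(f"second factor '{factor}' is not independent of the password")

    return findings


# Constructed sample configurations (not from any real deployment).
WEAK_CONFIG = {
    "allowed_protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "cipher_suites": [
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
    "authentication_factors": ["password"],
}

HARDENED_CONFIG = {
    "allowed_protocols": ["TLSv1.2", "TLSv1.3"],
    "cipher_suites": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_AES_256_GCM_SHA384",
    ],
    "authentication_factors": ["password", "hardware_token"],
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_remote_access(cfg)
        print(f"{name}: {'PASS' if not result else 'FAIL'}")
        for finding in result:
            print(f"  - {finding}")
```

The weak configuration produces three findings (legacy protocols, an RC4 suite, and password-only login); the hardened one produces none. Note that the MAC-address idea from the list above would appear here as a non-independent factor unless you treat it as such deliberately: a MAC address is reported by the client device rather than proven cryptographically, so it is a weaker control than a certificate or token.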

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.

Tod Ferran (CISSP, QSA) is a Security Analyst for SecurityMetrics with 25 years of IT security experience. He provides security consulting, risk analysis assistance, risk management plan support, and performs HIPAA and PCI compliance audits.
