Our support team has received a few questions about HIPAA regulations and our remote support software. Some of the questions relate to compliance concerns, while others ask how well our tool can help achieve internal objectives. To assist those customers who need to comply with HIPAA regulations, here is a short summary of HIPAA and how remote support software plays a role in compliance with the act.
HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996 and is broken into two main parts. Title I works to make sure people can maintain health coverage as they change or lose their jobs. Title II handles electronic transactions and the security and accessibility of private and potentially sensitive information.
So how is this related to remote support? If you or your company accesses or allows access to computers or servers that house the private medical records of individuals, then you need to be taking the proper precautions to make sure those records remain secure. For the most part, the responsibility is on the owners of the data to ensure the data is stored securely behind firewalls and that proper processes are put in place to access the information. If you are a consultant or employee who uses remote support to access a computer, your main responsibility is making sure the software you use is encrypted to prevent cryptographic attacks. You must also make sure your staff is trained on your own processes for proper use of passwords, following security guidelines, and using common sense. Your staff must also understand what information they can access and what to avoid in the course of supporting or accessing remote computers.
Is ScreenConnect compliant with the regulations put forth in 45 CFR (all related parts)? The basic requirements on remote support software are data security, access controls, and the protection of the integrity of all data. As a user of ScreenConnect, all the data is securely encrypted during the session to prevent a man-in-the-middle attack, a form of eavesdropping that allows an attacker to relay and intercept messages between two parties. The ScreenConnect administrator can establish username and password access to prevent unauthorized use of the software.
- ScreenConnect is self-hosted – Security is more easily controlled than with tools that transfer data through third-party servers located all over the world.
- We are a true remote support application – Each connection requires the permission of someone located at the target computer. This provides additional control and accountability and falls in line with HIPAA requirements for “Access Control”.
- Each user must log in via a username/password – The security of these logins is controlled by the ScreenConnect administrator. However, as long as each user is using a unique login, they are abiding by the guidelines of HIPAA.
- Encryption of data – ScreenConnect encrypts data via the AES-256 cipher, which is a well-regarded encryption method. One of its primary functions is to protect against man-in-the-middle attacks.
- Guest Login – Guests are given a password by the host to initiate the session, further securing the “encryption of data” and the prevention of cryptographic attacks.
- Integrity of data – Additional tools and methods are available to further refine your data integrity and/or auditing. Screen recording, SSL security implementation, and integrated chat keep all information in one place under our AES encryption.
We hope this brief overview answers some questions, but feel free to chime in with your thoughts in the comments!