Securing remote access in healthcare environments.

Tod Ferran, CISSP, QSA
Do employees at your office like to work from home? Does the doctor regularly access patient data in another place besides your office? Do you use a third party for IT support or billing?

They probably use a remote access application (like GoToMyPC, LogMeIn, or RemotePC) to gain admittance to your patient database from elsewhere.

That’s great for productivity, but often bad for security.

Attackers target organizations that utilize remote access applications. If a remote access application is vulnerable, it allows them to completely bypass firewalls and gain direct access to office and patient data.


So what’s the remote access issue?

The foremost problem with remote access is not the tool itself but how it is configured. If the tool requires only a username and password, an attacker need only break a single layer of security, and there are plenty of online tools available to help him do it.

Once he’s gained network access, the attacker essentially has the keys to the kingdom, and is free to install malware designed to harvest patient data and export it to his system.

How to keep hackers from hacking your remote access application

Remote access can be secure, as long as it uses strong encryption and requires two independent methods of authentication (called two-factor authentication). Be sure to enable and enforce strong or high encryption in your remote access configuration.

In addition to entering a username and password, two-factor authentication requires an additional step, such as physically calling an onsite office manager to be granted remote system access.

Other ideas for a second factor include:
  • Require matching of MAC addresses between the remote and onsite systems.
  • Require a VPN with a pre-shared certificate.
  • Implement RSA SecurID with LogMeIn.
  • Implement Duo two-factor authentication.
  • Implement Windows Azure.
To stay secure, ensure the remote access tool your staff uses has two-factor authentication and strong encryption.
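To make the "two independent factors" idea concrete, here is an added example (not SecurityMetrics' code, and not tied to any of the products named above) of a remote-access login check that grants access only when a password hash matches AND a time-based one-time code (TOTP, RFC 6238) from a device the user holds is valid. The user record, salt, and the `remote_login` function name are constructed for illustration; the TOTP secret is the RFC 6238 test secret.

```python
# Added example: two-factor remote-access login (password + TOTP), defender's view.
import hashlib
import hmac
import struct
import time

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code for a shared secret at a given Unix time."""
    counter = struct.pack(">Q", unix_time // step)          # 30-second time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or +/- `window` steps to allow clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * 30), code):
            return True
    return False

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen credential store resists offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed sample user record, as a remote-access gateway might store it.
SALT = b"constructed-salt-value"
USER_DB = {
    "drsmith": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret
    }
}

def remote_login(username: str, password: str, code: str, unix_time=None) -> bool:
    """Grant remote access only when BOTH factors check out."""
    record = USER_DB.get(username)
    if record is None:
        return False
    now = int(time.time()) if unix_time is None else unix_time
    pw_ok = hmac.compare_digest(hash_password(password, SALT), record["pw_hash"])
    otp_ok = verify_totp(record["totp_secret"], code, now)
    # Evaluate both factors before deciding, so a correct password alone grants nothing.
    return pw_ok and otp_ok
```

A stolen or guessed password (the single layer the article warns about) fails here unless the attacker also holds the device that produces the current code.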

Have a HIPAA security question? Leave a comment and you may see your question answered on the next HIPAA Snippets video.

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.