HIPAA Compliant RDP Server

A HIPAA compliant RDP server allows healthcare professionals to work remotely and still have access to the same information they could view and update if they were working at a practice or hospital.

Remote desktop access allows healthcare professionals to work efficiently from home and while travelling. Remote access to data is often required by development teams or business associates of HIPAA-covered entities. While remote desktop access offers many benefits, it also introduces risks, which must be identified and managed. If a HIPAA compliant RDP server is not configured correctly, healthcare organizations could be at risk of exposing sensitive data, opening the door to hackers, and violating HIPAA Rules.

Prior to any remote desktop access being used in conjunction with ePHI, a covered entity must conduct a risk assessment to identify any vulnerabilities that could be exploited to gain access to ePHI. Those risks must then be managed and reduced to an acceptable level.

All Communications Must be Encrypted

Since communications may be intercepted, HIPAA requires the use of encryption, both for any ePHI transmitted and for login credentials. All data must then be stored securely in a central, manageable location.

The easiest way of securing communications is to connect through a secure VPN. The encryption method used by the VPN must be of an appropriate standard to ensure compliance with HIPAA Rules. Current best practices require key lengths of 256 bits and a secure encryption algorithm such as AES.

The data transmitted through the VPN will only be as secure as the VPN itself. Vulnerabilities are regularly discovered in VPN software. A HIPAA-covered entity must therefore ensure its VPN is kept up to date: software upgrades and patches should be applied promptly, and regular checks performed to confirm the latest version of the VPN is installed.

Authentication Controls Should Be Used to Prevent Unauthorized Access

The VPN is accessed via a local interface on the remote device. Authentication controls should be implemented to ensure only authorized individuals are able to access the interface. Each user must be assigned a unique login so that their activity can be tracked, and two-factor authentication should be used to verify identity.

Once logged in, a secure connection is established through the VPN to a centralized file management system on a HIPAA compliant RDP server where ePHI is stored securely. Stored data should be encrypted to NIST standards.

Additional security controls will help to ensure unauthorized individuals cannot gain access to sensitive data. Those controls should include a lockout mechanism that limits failed login attempts, to block brute-force attacks.

Users should also be logged out after a period of inactivity. Even if a HIPAA compliant RDP server is used and all communications are encrypted, a device that remains logged in while the user is away from it would make it easy for an unauthorized individual to gain access to ePHI.

Logins and Activity Must be Monitored

A HIPAA compliant RDP server needs to be constantly monitored, and both successful and failed login attempts must be logged. Those access logs need to be routinely checked and any suspicious activity investigated. Regulators are likely to require access to the logs and will want to see evidence that access and access attempts are being regularly reviewed.
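The lockout control described under authentication and the log review described here can be exercised together on real records. The following is an added example, not code from the original article or from any RDP product: it parses a constructed, simplified text rendering of Windows Security Event Log entries (Event ID 4624 for a successful logon, 4625 for a failed one, LogonType 10 for a remote desktop session), replays them in time order against an assumed lockout policy (five failures within 30 minutes locks the account for 30 minutes; the real values should come from the covered entity's risk assessment), and produces the kind of summary a reviewer would act on: who logged in from where, which accounts were locked, which attempts arrived while an account was locked, and how many failures each source address produced. The record format, the sample addresses and usernames, and the policy numbers are all assumptions.

```python
"""Added example: review RDP logon records for lockouts and suspicious activity.

Not code from the original article. Input is a constructed, simplified rendering
of Windows Security Event Log entries (4624 = successful logon, 4625 = failed
logon; LogonType 10 = RemoteInteractive, i.e. RDP).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed lockout policy; real values come from the covered entity's risk assessment.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)
LOCKOUT_DURATION = timedelta(minutes=30)
RDP_LOGON_TYPE = 10

# Constructed sample records (not from any real server).
SAMPLE_EVENTS = """\
2024-03-04T08:01:10 4624 LogonType=10 TargetUserName=jdoe IpAddress=10.20.0.15
2024-03-04T08:02:05 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-04T08:02:09 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-04T08:02:14 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-04T08:02:20 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-04T08:02:27 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-04T08:02:33 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2024-03-04T08:15:00 4624 LogonType=3 TargetUserName=svc-backup IpAddress=10.20.0.9
2024-03-04T09:10:45 4625 LogonType=10 TargetUserName=msmith IpAddress=10.20.0.31
2024-03-04T09:11:02 4624 LogonType=10 TargetUserName=msmith IpAddress=10.20.0.31
"""


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def parse_event(line: str) -> LogonEvent:
    """Parse one 'timestamp event_id Key=Value ...' record."""
    timestamp, event_id, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return LogonEvent(
        when=datetime.fromisoformat(timestamp),
        event_id=int(event_id),
        logon_type=int(kv["LogonType"]),
        user=kv["TargetUserName"],
        source_ip=kv["IpAddress"],
    )


def parse_events(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def review_logons(events: list) -> dict:
    """Replay events in time order and apply the lockout policy.

    Returns a summary with successful RDP logons, accounts that were locked
    out, attempts made while locked, and failed attempts per source address.
    """
    recent_failures = defaultdict(list)  # account -> failure timestamps in window
    locked_until = {}                    # account -> lockout expiry
    summary = {
        "successful_logons": [],
        "lockouts": {},
        "attempts_during_lockout": [],
        "failures_by_source": defaultdict(int),
    }
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type != RDP_LOGON_TYPE:
            continue  # Only remote desktop sessions are in scope here.
        if ev.event_id == 4625:
            summary["failures_by_source"][ev.source_ip] += 1
        lock_expiry = locked_until.get(ev.user)
        if lock_expiry is not None and ev.when < lock_expiry:
            # Any attempt against a locked account deserves a reviewer's attention.
            summary["attempts_during_lockout"].append(
                (ev.user, ev.source_ip, ev.when.isoformat()))
            continue
        if ev.event_id == 4625:
            window = [t for t in recent_failures[ev.user] if ev.when - t <= LOCKOUT_WINDOW]
            window.append(ev.when)
            if len(window) >= LOCKOUT_THRESHOLD:
                locked_until[ev.user] = ev.when + LOCKOUT_DURATION
                summary["lockouts"][ev.user] = locked_until[ev.user].isoformat()
                window = []  # Counter resets once the lockout is in effect.
            recent_failures[ev.user] = window
        elif ev.event_id == 4624:
            recent_failures[ev.user] = []  # A valid logon clears the failure counter.
            summary["successful_logons"].append(
                (ev.user, ev.source_ip, ev.when.isoformat()))
    summary["failures_by_source"] = dict(summary["failures_by_source"])
    return summary


if __name__ == "__main__":
    for key, value in review_logons(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

On the sample data the `admin` account is locked at the fifth failure and the sixth attempt is recorded as an attempt during lockout, which is the line item a reviewer should investigate; the single failure by `msmith` followed by a successful logon from the same address is the ordinary typo pattern and clears itself. Non-RDP logon types are skipped so that service logons do not pollute the remote-access review.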

There have been many instances where hackers have taken advantage of vulnerabilities in remote desktop software to gain access to sensitive data. If appropriate controls are not put in place by healthcare organizations, not only could this lead to a costly data breach, HIPAA regulators may also issue severe financial penalties for noncompliance.

Consider Using a Managed HIPAA Compliant RDP Server

HIPAA covered entities that require workers or business associates to access data remotely can easily violate HIPAA Rules by using an out-of-the-box RDP software solution. RDP software in general, and Windows RDP in particular, is not inherently HIPAA compliant.

To reduce the risk of a HIPAA violation, many healthcare organizations choose a service provider that offers a HIPAA compliant RDP server. As a business associate, the provider will ensure HIPAA Rules are followed and all appropriate security controls are implemented to secure data and remote desktop communications. The service provider will monitor and manage its HIPAA compliant RDP server, perform all necessary updates, manage firewalls, and track and log the activities of remote users.