SecureLink is an Austin, TX-based provider of remote-access software. The SecureLink platform mitigates the risks associated with providing remote access to internal networks to vendors and clients, ensuring secure, accountable, and auditable third-party access while eliminating the need for VPNs, shared desktops, and other remote access solutions.
Remote Access Poses a Security Risk
Healthcare organizations have many different vendors that need to remotely connect to their networks. Those vendors typically use a variety of methods for remote access, including remote desktop solutions, VPNs, site-to-site networking, and their own proprietary tools. This variety creates an unnecessarily complex remote access environment that requires considerable hands-on management by the IT team. Disparate remote access solutions make tracking and monitoring connections difficult, as there is no common method that can be used across all connection types and applications. This can make it impossible to create a universal security policy for remote access, and the complexity makes HIPAA compliance difficult to determine.
Without a system in place that provides full visibility into remote access sessions, it is difficult to determine who is connected to internal networks and to view the activities of authorized third parties during remote access sessions. Potential compromises and HIPAA violations can be difficult to identify, and it is easy for vendors to make mistakes that leave applications and data exposed.
The latter can easily result in a HIPAA penalty, as evidenced by the $417,816 fine for Virtual Medical Group in 2018 over the exposure of the PHI of 1,654 patients by a third-party transcription vendor that accidentally removed passwords for its remote access site.
The risk of data breaches due to the actions of third-party vendors is considerable. More than 20% of healthcare data breaches in 2018 were caused by third-party vendors, including some of the largest healthcare data breaches ever reported.
SecureLink for Healthcare
SecureLink developed a solution to solve the problems associated with providing remote network access to third parties. The SecureLink platform improves security and makes management of remote access simple, with minimal IT team involvement.
The platform provides full visibility into all remote access sessions, including who has connected, who is currently accessing data, systems, and applications, and what each vendor did during their session. Data can be viewed in real time or downloaded through manual and automated reports.
The platform features a simple, browser-based interface that IT staff can use to define each vendor's access to servers, ports, applications, files, and services, and restrictions can be implemented by date and time. After access has been set up, administration support is minimal, saving the IT department considerable time that can be put to better use.
SecureLink can be deployed by enterprises and vendors. Healthcare providers can deploy the solution to manage remote vendor access to internal resources, and vendors can implement the platform to provide standardized remote access for supporting their customers, with connections made by non-SecureLink clients through Gatekeeper technology.
Each vendor is assigned unique credentials and all vendor users can be individually tracked. Multi-factor authentication is used for approved vendors to provide protection if credentials are compromised. The platform provides detailed information on remote access sessions to support internal and regulatory audits. Audits can be conducted quickly down to the keystroke level, and each connection is given context to show why each vendor logged in, which simplifies audits and reviews. RDP and VNC connections are recorded, and a video of each session can be downloaded on demand.
Approval workflows can be created and delegated to clinical application owners. The platform supports desktop sharing without having to download client-side agents and provides connectivity for all TCP and UDP protocols, including SSH, Telnet, HTTPS, RDP, FTP, and custom protocols.
SecureLink for Healthcare and HIPAA Compliance
While organizations in many industry sectors use the platform, SecureLink is especially well suited for organizations in highly regulated industries. The platform provides full visibility into all remote access sessions and ensures those connections are made securely, in compliance with the HIPAA Security Rule.
A checklist has also been built into the platform to determine whether the SecureLink server is configured in accordance with security best practices and to validate whether the settings comply with PCI, HIPAA, and other regulations.
The SecureLink platform:
- Mitigates the risk of noncompliance with HIPAA by third-party vendors
- Provides a standardized method of access for vendors
- Restricts access to systems containing ePHI at the vendor and vendor rep level
- Gives complete visibility into remote access sessions
- Allows granular automatic and manual control over remote access sessions, including role-based least privilege access
- Offers flexible settings that can be tailored to the risk profile of each vendor
- Improves uptime of critical applications, ensuring vendors have 24/7 access to critical systems for providing support
- Increases remote access efficiency with a self-registration option for vendors
- Provides remote access reports for audits quickly from a single source
- Provides detailed audits of all vendor access and activities, including video and keystroke logging, with audit data protected by AES-256 encryption
- Assures HIPAA and HITECH compliance
SecureLink now serves more than 31,000 organizations worldwide, including more than 1,000 hospitals. Healthcare clients include Allscripts, Steward Medical Center Hospital, McKesson, InterSystems, and Cerner. SecureLink is currently the only dedicated remote access platform that ensures compliance with HIPAA and the HITECH Act. The platform is now used to provide secure access for more than 28 million remote access sessions.