Rather than just listing HIPAA-compliant software, this report gives advice on the fundamentals, along with a few misconceptions about the kind of robust security environment that is necessary to maintain HIPAA-compliant hosting.
- Proper Network Segregation
- Tackling Encryption
- But That’s Not All…
HIPAA Compliant Antivirus & Proper Network Segregation
Security via obfuscation is not a legitimate way for a healthcare company to do business. This tactic is primarily used by small practices that have historically run their own servers.
What is it? “On the commercial end of computer security, [security via obfuscation] comes in the form of (naively) believing that restricting internet access on portions of your computer network will keep you safer from malware and attackers,” explained Illinois IT consultant Derrick Wlodarz. “You can read up on how far debunked this practice has become, as even an amateur hacker can get around such lowly safeguards in a matter of minutes.”
Segregate your network, and protect it with antivirus/anti-malware HIPAA-compliance software. Use a top antivirus/anti-malware application. Remember that the most important HIPAA-compliant software achieves security in two ways: identifying threats and encrypting your data. Free options for the former, such as those from Avast or AVG, are budget-friendly but are not intended for commercial environments. The antivirus must be both effective and lightweight, which is why Trend Micro Deep Security is used for all Atlantic.Net hosting packages.
HIPAA Compliant Encryption Software
Along with segregating the PHI area of your network with antivirus HIPAA-compliant software, you also need all information to be encrypted. Tactics to achieve that include:
- Leveraging Windows BitLocker – Here is one reason you might want Windows over Linux: BitLocker. BitLocker is a great piece of HIPAA-compliance software that was only available through the Enterprise or Ultimate versions of Windows 7 but started coming completely free with Windows 8 Pro.
- Verifying encryption of all backups – All storage systems used for protected health information must be secured against cybercrime, and that includes all hard drives and flash drives used for backup. “Part of the reason I so heavily recommend cloud storage providers [such as Atlantic.Net] for backup today is because [using a provider that is outfitted with HIPAA-compliance software] saves some hassle on encrypting system backups locally,” commented Wlodarz. “But regardless of path chosen, ensure the endpoint of data storage has proper encryption safeguards in use.” Anything that is easily detachable and portable represents a significant danger for theft.
- Using Windows Remote Desktop Services (RDS) to minimize the chance of a leak – Starting with Windows NT 4, Windows Server has included the tool Remote Desktop Services (originally known as Terminal Services). Within RDS, Session-Based Desktops are basically the up-to-date version of Terminal Services, and they are the simplest to implement. Any authorized members of your staff will be able to manage patient health records from a user interface, but the data itself stays on the server and is never stored on their PC. That means your maintenance is more affordable, your information is less exposed, and it’s less likely that protected health information will leak.
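As an added example (not code from the original article or from Atlantic.Net), the PowerShell check below audits BitLocker on every lettered volume and fails when any fixed or removable drive, such as backup media, is not fully encrypted with protection switched on. It assumes Windows 8 Pro / Server 2012 or later with the BitLocker module and an elevated session.

```powershell
# Added example: verify the "encrypt everything" rule with BitLocker.
# Assumes the BitLocker and Storage PowerShell modules are available (Windows 8 Pro /
# Server 2012 or later) and that the session is elevated.
#Requires -RunAsAdministrator

function Get-VolumeEncryptionReport {
    # Map drive letter -> drive type so removable backup media is called out by name.
    $driveTypes = @{}
    Get-Volume | Where-Object { "$($_.DriveLetter)" -match '^[A-Za-z]$' } | ForEach-Object {
        $driveTypes["$($_.DriveLetter):"] = "$($_.DriveType)"
    }

    foreach ($vol in Get-BitLockerVolume) {
        $mp   = $vol.MountPoint
        $type = if ($driveTypes.ContainsKey($mp)) { $driveTypes[$mp] } else { 'Unknown' }

        # A volume only counts as protected when encryption has finished AND
        # protection is on; a suspended or still-encrypting volume fails this check.
        $protected = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted') -and
                     ("$($vol.ProtectionStatus)" -eq 'On')

        [pscustomobject]@{
            MountPoint       = $mp
            DriveType        = $type
            VolumeStatus     = "$($vol.VolumeStatus)"
            ProtectionStatus = "$($vol.ProtectionStatus)"
            Percent          = $vol.EncryptionPercentage
            Protected        = $protected
        }
    }
}

$report = Get-VolumeEncryptionReport
$report | Format-Table -AutoSize

$failures = @($report | Where-Object { -not $_.Protected })
if ($failures.Count -gt 0) {
    Write-Warning "Volumes that do not meet the encrypt-everything rule:"
    foreach ($f in $failures) {
        Write-Warning ("  {0} ({1}): {2}, protection {3}" -f `
            $f.MountPoint, $f.DriveType, $f.VolumeStatus, $f.ProtectionStatus)
    }
    exit 1   # non-zero so a scheduled task or monitoring agent can raise an alert
}
```

Run it as a scheduled task and alert on a non-zero exit code, so a newly attached, unencrypted backup drive is noticed before PHI lands on it.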
For more on encryption, read our article Encryption for HIPAA Compliance: A Quick Primer.
But That’s Not All…
There are two additional elements beyond these questions about piecing together the technology:
- Security best practices – Never keep written-down passwords near any computer. You must have strong passwords on all systems, with no exceptions. Get cable locks for your computers. Use two-factor authentication.
- HIPAA-compliant web host – Really the question with HIPAA is whether it makes sense to design your own system or to go with a healthcare hosting expert, so that your entire core environment, sectioned off as its own private infrastructure, is established within an SSAE-16-audited, HIPAA-audited system and continually monitored by experienced technicians. That also takes care of another major security best practice: patching and upgrading. HIPAA-compliance software should always be completely up to date if you want to operate effectively.
The first element may require a culture shift at your organization.
The second element is as simple as getting a quote from us today. We haven’t just jumped into the growing HIPAA Compliance Hosting market to build revenue. We are a part of the health IT community – exhibiting, for example, at the Healthcare Information and Management Systems Society’s (HIMSS) annual conference.
We’d be happy to discuss any additional HIPAA-compliant software and other hosting options, like our award-winning cloud hosting solution, so that you can craft a system that works best for your healthcare company.