HIPAA and Remote Utilities
Who is this document for?
This document is intended for managers and HIPAA auditors conducting an audit for HIPAA compliance. Specifically, the document mentions those HIPAA requirements that may apply to remote access software and the Remote Utilities features and configurations that satisfy these requirements. Feel free to use this document as a reference during your HIPAA audit.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of government regulations protecting the privacy and security of certain health information (PHI, protected health information). Organizations and individuals that deal with PHI must follow appropriate policies, procedures and safeguards to protect this data.
The Security Rule
A subset of HIPAA known as the Security Rule establishes standards for protecting health information that is held or transferred in an electronic form (ePHI, electronic protected health information). These standards include administrative, physical and technical safeguards.
The Security Rule defines technical safeguards in § 164.304 as
Since Remote Utilities is a software product and deals with information in the electronic form, some technical safeguards of the HIPAA may apply. These technical safeguards (standards) along with Remote Utilities features that satisfy them are described below.
Access Control (§ 164.312(a)(1))
A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Unique User Identification (R) - § 164.312(a)(2)(i)
- Remote Utilities provides 4 authentication methods. When using either of the three authentication methods — RU Security, Windows security or Custom server security — users are uniquely identified by their username.
- Access permissions can be set for each user under each authentication method above.
- 2-step verification (2FA) can be enabled for any authentication method as an extra protection layer.
Emergency Access Procedure (R) - § 164.312(a)(2)(ii)
In the event of an emergency workforce members are able to use Remote Utilities to get instant access to systems and applications that contain ePHI.
Automatic Logoff (A) - § 164.312(a)(2)(iii)
As of December 2020, Remote Utilities supports the following automatic logoff methods:
- Lock workstation on disconnect.
- Log off user on disconnect.
The ability to log off idle users by timeout is in development.
Encryption And Decryption (A) - § 164.312(a)(2)(iv)
Encryption in Remote Utilities is implemented at several levels:
- Mandatory TLS 1.2 encryption is applied to all data transfers regardless of connection type (whether direct connection or cloud connection) and license.
- Address book encryption can be used to protect address book data located on the local disc or a USB stick from unauthorized access to login data.
- Stored passwords are hashed using a one-way key derivation function.
Audit Controls (§ 164.312(b))
By default, Remote Utilities Host keeps its connectivity logs on the local disc in the Host installation folder. Logging into Windows system log is also supported for centralized log management (e.g. in Active Directory).
Other program modules, such as Viewer, Agent and RU Server keep their own logs. See logging for more information.
Integrity (§ 164.312(c)(1))
The Integrity standard requires a covered entity to:
Also, the Integrity standard has one addressable implementation specification:
Mechanism to Authenticate Electronic Protected Health Information (A) - § 164.312(c)(2)
When using Remote Utilities system administrators can take the following measures to reduce the risks of ePHI data being altered or destroyed:
- Limit users to only certain connection modes and disable those that allow manipulating data and files on the remote PC. For example, the administrator can disable all connection modes for a certain user except the "View only" mode. The limitation can be applied either to a certain machine (e.g. all users who connect to that machine will have limited access) or to a user/group. Learn more about Host security setup.
- Disable mouse and keyboard input permanently or on the fly during a live remote session.
- Disable clipboard transfer in both directions or Host-to-Viewer only.
- Enable the Ask user permission option for certain machines and/or users.
Person or Entity Authentication (§ 164.312(d))
Remote Utilities provides the following mandatory and optional security features to ensure that a person is in fact who he or she claims to be before being allowed remote access to a computer with ePHI data:
- Mandatory authentication on remote Hosts and Agent. This can be the Single password authentication or more advanced authentication methods, such as RU Security, Windows security or Custom server security. In addition, the 2-factor authentication can be enabled for ultimate security.
- Built-in protection against brute-force attacks and password cracking. Whenever there is an excessive number of incorrect password attempts, the system automatically begins to increase the amount of time required before each new attempt can be made.
- Optional address book encryption with a passphrase used to encrypt the address book on the disk and lock Viewer interface
- No blank passwords are allowed regardless of the authentication method chosen. There are no default or technical passwords either.
Transmission Security (§ 164.312(e)(1))
This standard has two implementation specifications - Integrity Controls and Encryption.
Integrity Controls (A) - § 164.312(e)(2)(i)
Certain connection modes allow users to transmit textual information and files which may contain ePHI. Remote Utilities protocol ensures that the data are not improperly modified during transmission.
Encryption (A) - § 164.312(e)(2)(ii)
This standard applies to data transmitted over the network. Remote Utilities uses strong industry-standard encryption algorithms (TLS 1.2) to encrypt data transmitted between Viewer and Host. Encryption is used for any connection mode (e.g. Full Control, View Only, File Transfer etc.), connection type (direct connection and cloud connection) and cannot be disabled.