Who is this document for?
This document is intended for managers and HIPAA auditors conducting an audit for HIPAA compliance. Specifically, the document mentions those HIPAA requirements that may apply to remote access software and the Remote Utilities features and configurations that satisfy these requirements. Feel free to use this document as a reference during your HIPAA audit.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of government regulations protecting the privacy and security of certain health information (PHI, protected health information). Organizations and individuals that deal with PHI must follow appropriate policies, procedures and safeguards to protect this data.
The Security Rule
A subset of HIPAA known as the Security Rule establishes standards for protecting health information that is held or transferred in an electronic form (ePHI, electronic protected health information). These standards include administrative, physical and technical safeguards.
The Security Rule defines technical safeguards in § 164.304 as
“the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Since Remote Utilities is a software product and deals with information in the electronic form, some technical safeguards of the HIPAA may apply. These technical safeguards (standards) along with Remote Utilities features that satisfy them are described below.
Access Control (§ 164.312(a)(1))
A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Unique User Identification (R) - § 164.312(a)(2)(i)
“Assign a unique name and/or number for identifying and tracking user identity.”
- Remote Utilities provides 4 authentication methods. When using either of the three authentication methods — RU Security, Windows security or Custom server security — users are uniquely identified by their username.
- Access permissions can be set for each user under each authentication method above.
- 2-step verification (2FA) can be enabled for any authentication method as an extra protection layer.
Emergency Access Procedure (R) - § 164.312(a)(2)(ii)
“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
In the event of an emergency workforce members are able to use Remote Utilities to get instant access to systems and applications that contain ePHI.
Automatic Logoff (A) - § 164.312(a)(2)(iii)
“Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.”
Remote Utilities supports the following automatic logoff options:
- Lock workstation on disconnect.
- Log off user on disconnect.
- Close remote session if Viewer is idle for X minutes.
Encryption And Decryption (A) - § 164.312(a)(2)(iv)
“Implement a mechanism to encrypt and decrypt electronic protected health information.”
Encryption in Remote Utilities is implemented at several levels:
- Mandatory TLS 1.2 encryption is applied to all data transfers regardless of connection type (whether direct connection or cloud connection) and license.
- Address book encryption can be used to protect address book data located on the local disc or a USB stick from unauthorized access to login data.
- Stored passwords are hashed using a one-way key derivation function.
Audit Controls (§ 164.312(b))
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
By default, Remote Utilities Host keeps its connectivity logs on the local disc in the Host installation folder. Logging into Windows system log is also supported for centralized log management (e.g. in Active Directory).
Other program modules, such as Viewer, Agent and RU Server keep their own logs. See logging for more information.
Integrity (§ 164.312(c)(1))
The Integrity standard requires a covered entity to:
“Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.”
Also, the Integrity standard has one addressable implementation specification:
Mechanism to Authenticate Electronic Protected Health Information (A) - § 164.312(c)(2)
“Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.”
When using Remote Utilities system administrators can take the following measures to reduce the risks of ePHI data being altered or destroyed:
- Limit users to only certain connection modes and disable those that allow manipulating data and files on the remote PC. For example, the administrator can disable all connection modes for a certain user except the "View only" mode. The limitation can be applied either to a certain machine (e.g. all users who connect to that machine will have limited access) or to a user/group. Learn more about Host security setup.
- Disable mouse and keyboard input permanently or on the fly during a live remote session.
- Disable clipboard transfer in both directions or Host-to-Viewer only.
- Enable the Ask user permission option for certain machines and/or users.
Person or Entity Authentication (§ 164.312(d))
“Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.”
Remote Utilities provides the following mandatory and optional security features to ensure that a person is in fact who he or she claims to be before being allowed remote access to a computer with ePHI data:
- Mandatory authentication on remote Hosts and Agent. This can be the Single password authentication or more advanced authentication methods, such as RU Security, Windows security or Custom server security. In addition, the 2-factor authentication can be enabled for ultimate security.
- Built-in protection against brute-force attacks and password cracking. Whenever there is an excessive number of incorrect password attempts, the system automatically begins to increase the amount of time required before each new attempt can be made.
- Optional address book encryption with a passphrase used to encrypt the address book on the disk and lock Viewer interface
- No blank passwords are allowed regardless of the authentication method chosen. There are no default or technical passwords either.
Transmission Security (§ 164.312(e)(1))
“Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.”
This standard has two implementation specifications - Integrity Controls and Encryption.
Integrity Controls (A) - § 164.312(e)(2)(i)
“Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
Certain connection modes allow users to transmit textual information and files which may contain ePHI. Remote Utilities protocol ensures that the data are not improperly modified during transmission.
Encryption (A) - § 164.312(e)(2)(ii)
“Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.”
This standard applies to data transmitted over the network. Remote Utilities uses strong industry-standard encryption algorithms (TLS 1.2) to encrypt data transmitted between Viewer and Host. Encryption is used for any connection mode (e.g. Full Control, View Only, File Transfer etc.), connection type (direct connection and cloud connection) and cannot be disabled.