
Auditor Tips: Secure Remote Access

*This article was taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide. 

Remote access to tools and data is essential to employees who work from home or are unable to go into the office for health or other logistical reasons. Additionally, IT needs to be able to provide immediate support from virtually anywhere when issues arise with workstations and back-end servers. For these reasons, there are several methods available that can allow healthcare workers or IT staff instant remote access to necessary services anywhere in the world.

This access, while vital to providing efficient, quality care, opens the door to malicious individuals. Remote access services that are left open and improperly secured can be quickly picked up by malicious groups. Within minutes, these threat actors can infiltrate an entire network using this single point of access.

Here are three controls to implement to secure remote access:

Use only remote access solutions that require full encryption. This encryption will not only protect your login credentials, but other sensitive data (ePHI) as well. This can be done by using a VPN or a remote access tool that enforces strong encryption.

Don’t rely only on passwords. Use a second form of authentication, such as a one-time code generator or physical token. The use of multi-factor authentication (MFA), as it’s called, makes it much more difficult for malicious actors to guess your login credentials by using brute-force methods. If possible, avoid using SMS and email as your second factor, as they are less secure than other options.

Keep your workstations, servers and remote access software patched. One of the most common ways an attacker infiltrates a network is by exploiting known vulnerabilities. These holes can be effectively plugged by keeping all firmware, operating systems, and applications up-to-date with the latest security patches.
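To show concretely what the "one-time code generator" in the second control does on the server side, here is an added example (not code from the SecurityMetrics guide) that implements HOTP (RFC 4226) and TOTP (RFC 6238) with only the Python standard library. The secret is the published RFC test secret, the helper names (hotp, totp, TotpVerifier) are my own, and the verifier illustrates two details a deployment has to get right: accepting a small clock-drift window, and refusing a code once its window has been used so a captured code cannot be replayed.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP verification with the standard library.
Helper names are hypothetical; the shared secret is the RFC test secret, not a real one."""
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed/assumed: the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per TOTP window
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation (RFC 4226 5.3),
    then reduce modulo 10^digits and zero-pad."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: accept a code from the current window or `drift_windows`
    windows on either side (client clock skew), but never accept a window at or
    below the last one already consumed, so a sniffed or phished code cannot be replayed."""

    def __init__(self, secret: bytes, drift_windows: int = 1):
        self.secret = secret
        self.drift_windows = drift_windows
        self.last_accepted_counter = -1   # highest counter value successfully used so far

    def verify(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        now = int(time.time()) if unix_time is None else unix_time
        current = now // TIME_STEP
        for delta in range(-self.drift_windows, self.drift_windows + 1):
            counter = current + delta
            if counter <= self.last_accepted_counter:
                continue   # window already consumed: treat as replay
            expected = hotp(self.secret, counter)
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 6-digit SHA1 code is 287082
    print("TOTP at T=59:", totp(TEST_SECRET, 59))
    v = TotpVerifier(TEST_SECRET)
    print("first use accepted:", v.verify("287082", 59))
    print("replay accepted:", v.verify("287082", 59))
```

In production the per-user secret comes from a hardware token or enrolled authenticator app and is stored encrypted, not hard-coded; the drift window should stay small (one step either side is typical) because every extra window widens the set of codes a brute-force guess can hit.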

In addition to these basic remote access security measures, it is recommended that companies look into log monitoring or more advanced Security Information and Event Management (SIEM) solutions that can notify administrators when remote access anomalies are detected.

These systems can be configured to notify system administrators when behaviors out of the norm occur, such as connecting at odd hours of the evening or from international locations not normally visited by staff members. These early detection mechanisms can be configured to trigger automated responses or alert personnel who can act to prevent further harm to the organization.
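The two anomalies named above, off-hours connections and connections from unexpected countries, are simple enough to express as rules over a remote-access login log. The following is an added example, not part of the original article or any SecurityMetrics product; the log line format, the field names, the sample lines and the "normal" baselines (working window, usual countries) are all constructed assumptions, and a real SIEM would read these from its own parsers and from a learned per-user baseline.

```python
"""Added example: flag off-hours and unusual-country remote-access logins.
Log format, sample lines and baselines are constructed assumptions."""
import re
from datetime import datetime

# Constructed sample log in an assumed "timestamp user src_ip country result" format.
SAMPLE_LOG = """\
2024-03-04T08:12:05 jdoe 203.0.113.10 US success
2024-03-04T09:30:44 asmith 198.51.100.22 US success
2024-03-04T23:47:10 jdoe 203.0.113.10 US success
2024-03-05T03:15:02 asmith 192.0.2.77 RU success
2024-03-05T03:15:40 asmith 192.0.2.77 RU failure
2024-03-05T10:02:13 mlee 198.51.100.23 CA success
this line is garbage and must not crash the monitor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<country>[A-Z]{2})\s+(?P<result>success|failure)$"
)

# Assumed organizational baseline: staff connect from the US and Canada,
# inside a 06:00-20:00 working window (timestamps are taken as local time).
NORMAL_COUNTRIES = {"US", "CA"}
WORK_START_HOUR, WORK_END_HOUR = 6, 20


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def find_anomalies(events):
    """Return (timestamp, user, ip, reasons) for every event matching a rule.
    Rule 1: outside the working window.  Rule 2: country not in the baseline set.
    Failed logins are reported too: a failure from an unusual place is still a signal."""
    findings = []
    for e in events:
        reasons = []
        if not (WORK_START_HOUR <= e["ts"].hour < WORK_END_HOUR):
            reasons.append("off-hours")
        if e["country"] not in NORMAL_COUNTRIES:
            reasons.append("unusual-country:" + e["country"])
        if reasons:
            findings.append((e["ts"].isoformat(), e["user"], e["ip"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, ip, reasons in find_anomalies(parse_log(SAMPLE_LOG)):
        # In a SIEM this would be the alert sent to the on-call administrator.
        print(f"ALERT {ts} user={user} src={ip} reasons={','.join(reasons)}")
```

Running it against the sample prints three alerts: jdoe's 23:47 login (off-hours) and both of asmith's 03:15 attempts from RU (off-hours and unusual country). Static rules like these are the starting point; the value of a SIEM is that the baseline is derived per user and per time of week rather than hard-coded, so the same rules keep working as staff travel patterns change.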

By employing these controls, you will greatly improve your security posture and attackers will find you to be a much more difficult target.

By: Michael Simpson, CISSP, CISA, QSA
Principal Security Analyst
