What is a HIPAA Compliant RDP Server?
An RDP server, or remote desktop protocol server, allows employees to access company data while working from home or outside of the office; a HIPAA compliant RDP server is often used by healthcare workers who require access to patient data while working offsite.
By connecting to a Remote Desktop session on the server, the remote worker can safely access all files and systems required for them to perform their job, without having to be concerned about the lack of security on their home network. HIPAA compliant RDP servers are discussed below.
Although using an RDP server enables easier access to data, it also poses a risk when not configured properly. Before using an RDP server, HIPAA covered entities and business associates must conduct a risk assessment. A risk assessment exposes potential vulnerabilities in the RDP server; any vulnerabilities identified by the risk assessment must be remediated before the server can be considered a HIPAA compliant RDP server.
HIPAA Compliant RDP Server: VPN and Encryption
HIPAA compliant RDP servers and remote access software should never be internet facing; the server must be hidden from public view. A virtual private network (VPN) encrypts traffic between the user and the server, creating a secure channel into the corporate network. By utilizing a VPN, remote access to a corporate server is enabled while ensuring that data is not exposed.
This is why it is recommended that healthcare organizations and business associates utilize a VPN to securely connect to a HIPAA compliant RDP server or remote access software. HIPAA requires encryption to secure the protected health information (PHI) transmitted through them. As a VPN encrypts internet traffic while hiding users from public view, it satisfies the data security requirements set forth by HIPAA.
Not only does patient data need to be encrypted; employees’ login and password information must also be encrypted to prevent unauthorized access to remote access software. In addition, all encrypted data must be stored in a secure central location for HIPAA compliant remote access. Although a VPN provides a secure means of remote access to data, it is essential to ensure that the VPN software remains secure and HIPAA compliant by regularly checking for updates and implementing patches to minimize vulnerabilities.
HIPAA Compliant RDP Server: Authentication Controls
To ensure that only authorized users have access to an organization’s RDP server, each employee must be given unique login credentials to access the data on the RDP server. Organizations should also implement multi-factor authentication (MFA). MFA utilizes multiple unique login credentials, such as a username and password in combination with security questions or a one-time PIN. MFA increases data security because an unauthorized individual is unlikely to obtain every credential in the series.
HIPAA Compliant RDP Server: Audit Logs
Audit logs track access to PHI, including what information was accessed, who accessed it, and how long they accessed it for. HIPAA requires healthcare organizations, their employees, and business associates to access only the PHI required to perform a job function, known as the minimum necessary standard.
The issuance of unique login credentials allows organizations to determine regular access patterns of PHI for each employee. As such, keeping and regularly monitoring audit logs ensures adherence to this standard. Audit logs can also be crucial to detecting unauthorized access to PHI.
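As an added example (not code from the original article), the following script rebuilds per-user RDP sessions from logon and logoff events and flags sessions that deviate from a baseline, which is the kind of audit-log monitoring the section above calls for. Event IDs 4624 (logon), 4634 (logoff) and logon type 10 (RemoteInteractive) are real Windows Security-log values; the one-line-per-event CSV form, the sample events, the business-hours window and the per-user list of known VPN addresses are constructed assumptions.

```python
# Added example (not the article's code): rebuild RDP sessions from constructed
# Windows Security logon/logoff events and flag those outside an assumed baseline.
from datetime import datetime

# Constructed sample lines: time,event_id,user,src_ip,logon_id,logon_type
# (4624 = logon, 4634 = logoff, logon type 10 = RemoteInteractive, i.e. RDP)
SAMPLE_EVENTS = """\
2024-03-04T08:02:10,4624,nurse.a,10.8.0.12,0x1a3f,10
2024-03-04T08:47:55,4634,nurse.a,,0x1a3f,10
2024-03-04T09:15:00,4624,dr.b,10.8.0.20,0x1b90,10
2024-03-04T11:02:00,4634,dr.b,,0x1b90,10
2024-03-05T02:31:44,4624,nurse.a,198.51.100.7,0x2c01,10
2024-03-05T02:58:03,4634,nurse.a,,0x2c01,10
"""
BUSINESS_HOURS = (7, 19)  # assumed baseline: logons expected between 07:00 and 18:59
KNOWN_SOURCES = {"nurse.a": {"10.8.0.12"}, "dr.b": {"10.8.0.20"}}  # assumed VPN addresses

def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, eid, user, src, logon_id, ltype = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "id": int(eid), "user": user,
                       "src": src, "logon_id": logon_id, "type": int(ltype)})
    return events

def build_sessions(events):
    # Pair each RDP logon (4624, type 10) with its logoff (4634) via the shared logon id.
    open_sessions, sessions = {}, []
    for ev in events:
        if ev["id"] == 4624 and ev["type"] == 10:
            open_sessions[ev["logon_id"]] = ev
        elif ev["id"] == 4634 and ev["logon_id"] in open_sessions:
            start = open_sessions.pop(ev["logon_id"])
            sessions.append({"user": start["user"], "src": start["src"], "start": start["time"],
                             "minutes": round((ev["time"] - start["time"]).total_seconds() / 60)})
    return sessions  # logons without a logoff yet are still open and not reported

def flag_sessions(sessions, hours=BUSINESS_HOURS, known=KNOWN_SOURCES):
    # Return (user, src_ip, reasons) for sessions that deviate from the baseline.
    flagged = []
    for s in sessions:
        reasons = []
        if not hours[0] <= s["start"].hour < hours[1]:
            reasons.append("off-hours logon")
        if s["src"] not in known.get(s["user"], set()):
            reasons.append("source IP not seen before for this user")
        if reasons:
            flagged.append((s["user"], s["src"], reasons))
    return flagged
```

On the sample data, the two daytime sessions from known VPN addresses pass, while the 02:31 session from an unfamiliar address is reported with both reasons.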