LogMeIn HIPAA Considerations



Similar documents
HIPAA. considerations with LogMeIn

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

itrust Medical Records System: Requirements for Technical Safeguards

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

VMware vcloud Air HIPAA Matrix

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

How Managed File Transfer Addresses HIPAA Requirements for ephi

RemotelyAnywhere. Security Considerations

Healthcare Compliance Solutions

LogMeIn Rescue Architecture

Healthcare Compliance Solutions

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

HIPAA Information Security Overview

HIPAA Security Alert

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

HIPAA: The Role of PatientTrak in Supporting Compliance

HIPAA Security Checklist

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

SECURITY RISK ASSESSMENT SUMMARY

Compliance and Industry Regulations

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

LogMeIn Rescue Architecture

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Policy Title: HIPAA Access Control

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

An Effective MSP Approach Towards HIPAA Compliance

C.T. Hellmuth & Associates, Inc.

HIPAA Privacy & Security White Paper

HIPAA compliance. Guide. and HIPAA compliance. gotomeeting.com

HIPAA Security Series

HIPAA Compliance Guide

GoToAssist Remote Support HIPAA compliance guide

CHIS, Inc. Privacy General Guidelines

FileCloud Security FAQ

Did you know your security solution can help with PCI compliance too?

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

8.03 Health Insurance Portability and Accountability Act (HIPAA)

SECURELINK.COM COMPLIANCE AND INDUSTRY REGULATIONS

HIPAA Compliance for the Wireless LAN

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

RemotelyAnywhere Getting Started Guide

Remote Administration

Copyright Telerad Tech RADSpa. HIPAA Compliance

2: Do not use vendor-supplied defaults for system passwords and other security parameters

Information Security Basic Concepts

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

How To Write A Health Care Security Rule For A University

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

How To Secure An Rsa Authentication Agent

Netop Remote Control Security Server

State HIPAA Security Policy State of Connecticut

Goverlan Remote Control

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security COMPLIANCE Checklist For Employers

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

A Nemaris Company. Formal Privacy & Security Assessment For Surgimap version and higher

Catapult PCI Compliance

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

enicq 5 System Administrator s Guide

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Security Whitepaper. NetTec NSI Philosophy. Best Practices

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

PROGRAM TO PREVENT, DETECT & MITIGATE IDENTITY THEFT

HIPAA and Cloud IT: What You Need to Know

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

An Introduction to HIPAA and how it relates to docstar

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Datto Compliance 101 1

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

HIPAA Compliance and Wireless Networks Cranite Systems, Inc. All Rights Reserved.

RSA Authentication Manager 7.1 Basic Exercises

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

RemotelyAnywhere. Security Overview

Secure Global Desktop (SGD)

HIPAA Compliance and Wireless Networks

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Support for the HIPAA Security Rule

Centralized Self-service Password Reset: From the Web and Windows Desktop

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

HIPAA PRIVACY AND SECURITY AWARENESS

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

ITUS Med Solutions. HITECH & HIPAA Compliance Guide

MAX Insight. HIPAA Hardening & Configuration Guide for MSP s

White Paper. Support for the HIPAA Security Rule PowerScribe 360

Security. Technical article

Transcription:

LogMeIn HIPAA Considerations

Contents Introduction LogMeIn HIPAA Considerations...3 General HIPAA Information...4 Section A Background information on HIPAA Rules...4 Technical Safeguards Overview...5 Section B HIPAA Technical Safeguards 164.312...5 Using LogMeIn to Meet Technical Safeguards...6 Section C Access Control 164.312(a)(1)...6 Section D Audit Controls 164.312(b)...7 Section E Integrity policies and procedures, 164.312(c)(1)...8 Section F Integrity mechanism, 164.312(c)(2)...8 Section G Person or Entity Authentication 164.312(d)...9 Section H.1 Transmission Security 164.312(e)(1)...9 Section H.2 Transmission Security 164.312(e)(1) Integrity Controls...10 Section H.3 Transmission Security, Encryption 164.312(e)(1)...10 ii LogMeIn HIPAA Considerations

Introduction LogMeIn HIPAA Considerations The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996, requires all organizations that maintain or transmit electronic healthcare information to establish and implement certain administrative, physical, and technical safeguards to keep that information safe from unauthorized access. The Department of Health & Human Services has issued specific rules to enforce the act, namely the HIPAA Security Standards published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards, Final Rule). These rules include Technical Safeguards that apply to covered entities that use remote access products to maintain or transmit electronic healthcare information. To view the HIPAA rules in their entirety, visit the Health Information Privacy page of the U.S. Department of Health and Human Services website at www.hhs.gov/ocr/privacy/, or go directly to the Security Standards: Technical Standards document. About this Document This LogMeIn publication provides a brief introduction to the scope of HIPAA compliance with regard to remote access products (including LogMeIn Pro and Central) and support and collaboration products (including LogMeIn Rescue). Section A outlines key background information needed to understand the scope of HIPAA compliance with regard to remote access products. Section B outlines the HIPAA rules Technical Safeguards (see 164.312), which apply to remote access products used by entities subject to HIPAA compliance. Sections C through H demonstrate how LogMeIn helps organizations adhere to, meet, or exceed these safeguards. Important: The information contained in this document is provided to you "AS IS" and does not constitute legal advice or an opinion regarding LogMeIn's HIPAA compliance. LogMeIn makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained in or referenced in this document. LogMeIn recommends that you seek the advice of competent legal counsel before relying on any of the statements contained in this document. Copyright 2015 LogMeIn, Inc. 3

General HIPAA Information Section A Background information on HIPAA Rules What entities are covered by HIPAA? What is considered "electronic" under the terms of HIPAA? All healthcare clearinghouses, health plans, and healthcare providers that conduct certain transactions in electronic form. This includes entities that use a billing service to conduct transactions on their behalf. The term electronic is used to describe, but is not limited to, the transmitting of healthcare information via the Internet, an extranet, leased lines, dial-up lines, etc. What are HIPAA transactions? Healthcare claims or their equivalent Healthcare payment and remittance advice Healthcare claims status Eligibility inquiries Referral certifications and authorizations Claims attachments First reports of injury 4 LogMeIn HIPAA Considerations

Technical Safeguards Overview Section B HIPAA Technical Safeguards 164.312 These safeguards apply directly to remote access products. Note: Some items are marked as addressable. Under the terms of HIPAA, the term addressable is somewhat ambiguous, but it essentially means that the covered entity is allowed some flexibility in taking reasonable steps to comply with the standard or specification referred to. Access Control Audit Controls Integrity Person or Entity Authentication Transmission Security 164.312(a)(1) 164.312(b) 164.312(c)(1) 164.312(d) 164.312(e)(1) Unique User Identification Emergency Access Procedure Automatic Logoff (Addressable) Encryption and Decryption (Addressable) Mechanism to Authenticate Electronic Protected Health Information (Addressable) Integrity Controls (Addressable) Encryption (Addressable) Copyright 2015 LogMeIn, Inc. 5

Using LogMeIn to Meet Technical Safeguards Section C Access Control 164.312(a)(1) Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to persons or software programs that have been granted access rights. Access to host computers is protected by separate, unique passwords for the website (LogMeIn.com) and each LogMeIn host computer. Access to host computers is protected by Windows or Mac authentication. Users can protect their account by turning on two-step verification. Users can authenticate to the host using one-time security codes. Tip: Log in to your account and go to Account > Security. Authenticate to the host using RSA SecurID two-factor authentication. Tip: Visit help.logmein.com for implementation details. Windows hosts only. Set a lockout threshold for failed login attempts, known as Authentication Attack Blocker. Tip: Open LogMeIn and follow this path: Options > Preferences > Security. Control access permissions at the Technician Group level. Examples: Restrict groups of technicians from using remote control, Connect on LAN, or Unattended Access. Restrict groups of technicians from using file transfer, thereby eliminating their ability to take files from remote computers. Tip: Open the Administration Center, select a group, and follow this path: Organization tab > Permissions. The customer (end user) must be present at the remote machine, and permit remote access. The customer maintains control and can terminate the session at any time. Force the customer to always grant or deny a technician s request to use specific functions (remote control, desktop view, file transfer, system information, and reboot and reconnect). Tip: Open the Administration Center, select a group, and disable the following option: Organization tab > Permissions > Use single prompt for all permissions. Access rights are automatically revoked when a session is terminated. Access rights are revoked after a specified period of inactivity. 6 LogMeIn HIPAA Considerations

Section D Audit Controls 164.312(b) Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. Connection and remote session activity is logged on the host computer to ensure security and maintain quality control. Tip: To view information on session activity, open LogMeIn and follow this path: Options > Connection and Event Details. Access the Windows Event log or Mac console log to get up-to-the-minute data, including user names and the client computer s IP address, on logon/logout and remote control events. On the host computer s hard disk, a detailed log is kept of the remote access product s activities. To protect these files from tampering, the administrator can also specify a different log file location. Tip: Open LogMeIn and follow this path: Options > Preferences > Advanced > Event Logs > Location of event logs. Configure and log on to a Syslog server, which allows you to view events the from multiple locations. Requires LogMeIn Central; Windows hosts only. Use a relational database to centrally collect log information. Log destinations can be as simple as a Microsoft Access database or as sophisticated as an Oracle server. Administrators can also restrict access to ensure that data can only be queried or modified by qualified administrators. Requires LogMeIn Central; Windows hosts only. Automatically create.avi file video recordings of every remote control session. These recordings enable the user to see the recorded sessions exactly as seen by the remote user. Recordings can be saved to a network location. Windows hosts only. Note: Open LogMeIn and follow this path: Options > Preferences > Advanced > Screen Recording. Automatically create.avi file video recordings of every remote control session. These recordings enable the user to see the recorded sessions exactly as seen by the remote user. Recordings can be saved to a network location. Tip: Open the Administration Center, select a group, and follow this path: Settings tab > Screen recording. Remote sessions are logged to ensure security and maintain quality control. Tip: Open the Administration Center and follow this path: Reports tab > Report Area: [various]. Copyright 2015 LogMeIn, Inc. 7

Section E Integrity policies and procedures, 164.312(c)(1) (Addressable) Users accessing a host computer remotely can disable the keyboard or mouse on the host computer, thereby protecting the integrity of data inputs. Tip: During remote control, on the remote control toolbar, select Options > Lock Keyboard. Users can set up automatic alerts to identify system events that indicate attempts at unauthorized access. Requires LogMeIn Central; Windows Pro hosts only. Control access permissions at the Technician Group level. Tip: Open the Administration Center, select a group, and follow this path: Organization tab > Permissions. Restrict groups of technicians from using remote control, Connect On LAN, or Unattended Access. Restrict groups of technicians from using file transfer, thereby eliminating their ability to copy files from remote computers. Section F Integrity mechanism, 164.312(c)(2) (Addressable) Mechanism to authenticate electronic protected health information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. All data transmitted during remote, chat, or file transfer sessions is protected by at least 128-bit encryption. When the encryption level on the client browser permits, all data transmitted during remote, chat, or file transfer sessions is protected by 256-bit TLS 1.2 encryption. User can set up automatic alerts to identify system events that indicate attempts at unauthorized access. Note: Log in to your account and go to Account > Security. End-to-end 256-bit TLS 1.2 encryption of all data. MD5 Hash for enhanced traceability of file transfers when File Transfer is enabled. 8 LogMeIn HIPAA Considerations

Section G Person or Entity Authentication 164.312(d) Access to the host computer is protected by the use of separate, unique passwords for the website and the host computer. Set up a Personal Password to access the host computer to verify that access is authorized. Tip: Open LogMeIn and follow this path: Options > Preferences > Security. Configure an IP address lockout to prevent unauthorized remote access from a specific client computer. With IP address filtering, users can grant or prevent access for multiple IP addresses. Tip: Open LogMeIn and follow this path: Options > Preferences > Security. The technician s identity is defined by a unique email address, or via an SSO ID, and the technician must be authenticated. Excessive number of unsuccessful login attempts (five unsuccessful attempts) will lock the account. Use IP address restrictions to limit access to the Technician Console. Tip: Open the Administration Center, select a group, and follow this path: Settings tab > IP Restrictions (Technician Console). Section H.1 Transmission Security 164.312(e)(1) Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. All data transmitted during remote, chat, or file transfer sessions is protected by at least 128-bit encryption. When the encryption level on the client browser permits, all data transmitted during remote, chat, or file transfer sessions is protected by 256-bit encryption. End-to-end 256-bit TLS 1.2 encryption of all data. MD5 Hash for enhanced traceability of file transfers when File Transfer is enabled. Copyright 2015 LogMeIn, Inc. 9

Section H.2 Transmission Security 164.312(e)(1) Integrity Controls (Addressable) Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. All data transmitted during remote, chat, or file transfer sessions is protected by at least 128-bit encryption. When the encryption level on the client browser permits, all data transmitted during remote, chat, or file transfer sessions is protected by 256-bit encryption. All data transmitted during remote, chat, or file transfer sessions is protected by 128-bit encryption. End-to-end 256-bit TLS 1.2 encryption of all data. MD5 Hash for enhanced traceability of file transfers when File Transfer is enabled. Section H.3 Transmission Security, Encryption 164.312(e)(1) (Addressable) All data transmitted during remote, chat, or file transfer sessions is protected by at least 128-bit encryption. User can set up automatic alerts to identify system events that indicate attempts at unauthorized access. When the encryption level on the client browser permits, all data transmitted during remote, chat, or file transfer sessions is protected by 256-bit TLS 1.2 encryption. End-to-end 256-bit TLS 1.2 encryption of all data. 10 LogMeIn HIPAA Considerations

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information