GoToAssist Corporate HIPAA Compliance Guide

Privacy, productivity and remote support
gotoassist.com

HIPAA compliance

The healthcare industry has benefited greatly from the ability to receive remote support from technology providers and internal IT departments. However, since the computers being serviced often contain confidential patient data, many remote support products inadvertently put patient privacy at risk, especially if the data is sent or made accessible over unsecured networks such as the Internet.

For this reason, the Health Insurance Portability and Accountability Act (HIPAA) calls for privacy and security standards that protect the confidentiality and integrity of patient health information. Specifically, if you transmit patient data across the Internet, your remote support products and security architecture must provide end-to-end encryption so the data cannot be intercepted by anyone other than the intended recipient. In addition, the remote support products and network must provide access control to allow viewing only by authorized people.

HIPAA compliance guide

We created the following matrix as a guide to assist healthcare providers in navigating the various HIPAA requirements and to demonstrate how GoToAssist Corporate can support HIPAA compliance. General HIPAA requirements can be found in the Frequently Asked Questions section at the end of this document. The matrix is based upon the HIPAA Security Standards rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule). The Department of Health and Human Services provides the HIPAA Security Standards on its website: http://www. html.

Healthcare applications

Authorized technology providers and IS/IT staff can use GoToAssist Corporate's patented web-based screen-sharing technology to instantly and securely view PC and Mac desktops and provide remote assistance to healthcare workers from any location connected to the web. Unlike other remote-support solutions, GoToAssist Corporate does not distribute actual data across networks. Rather, by using screen-sharing technology, security is strengthened because only mouse and keyboard commands are transmitted. GoToAssist Corporate further protects data confidentiality through a combination of encryption, strong access control and computer protection methods.

Security, control and customization

Support administrators have the option of assigning representatives to groups defined by the features to which they are granted access. Some features may be disabled by an administrator to customize the level of security that is appropriate for your organization. Because the security features are built in, administrators can rest easy: security cannot be weakened by inexperienced users.

Encryption

GoToAssist Corporate employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 128-bit keys to protect the data stream, file transfers, chat and keyboard and mouse input. Additional built-in security features such as strong passwords, end-to-end user authentication and unique session connection codes ensure data confidentiality. GoToAssist Corporate encryption fully complies with HIPAA Security Standards to ensure the security and privacy of patient data.

Technical safeguards (§ 164.312)

Each entry lists the standard covered entities must implement, its implementation specification (R = Required, A = Addressable), the key factors, and the support in GoToAssist Corporate.

(a)(1) Access Control [R]
  Key factors: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
  Support in GoToAssist Corporate:
  - PC and Mac access is 100% permission-based and the customer retains overriding control at all times.
  - Representatives and managers must log in using strong passwords to access the GoToAssist Corporate solution.
  - Technicians running GoToAssist Corporate as a service must log in with the proper credentials of a local or domain administrator.

Unique User Identification [R]
  Key factors: Assign a unique name and/or number for identifying and tracking user identity.
  Support in GoToAssist Corporate:
  - Representatives and administrators are identified by using their unique email address as their log-in name.

Encryption and Decryption [A]
  Key factors: Implement a mechanism to encrypt and decrypt electronic protected health information.
  Support in GoToAssist Corporate:
  - All sensitive chat, session and control data transmitted across the network is protected using the Advanced Encryption Standard (AES), FIPS 197.
  - A unique 128-bit AES encryption key is generated at the start of each session.

(b) Audit Controls [R]
  Key factors: Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  Support in GoToAssist Corporate:
  - All connection and session activity through our distributed network service infrastructure is logged for security and quality-of-service purposes.

(c)(1) Integrity [A]
  Key factors: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  Support in GoToAssist Corporate:
  - Integrity protection mechanisms in GoToAssist Corporate are designed to ensure a high degree of data and service integrity, working independently of any integrity controls that may already exist on the customer's computers and internal data systems.
  - All remote-support sessions, chat, diagnostics and customer feedback can be recorded and archived on GoToAssist Corporate servers.
  - Customer has complete overriding control of all keyboard and mouse activity.

(c)(1) Integrity: Mechanism to authenticate electronic protected health information [A]
  Key factors: Implement methods to corroborate that information has not been destroyed or altered.
  Support in GoToAssist Corporate:
  - All session data is compressed using proprietary lossless compression techniques and protected using HMAC-SHA1 message authentication codes.
  - Numerous additional structural integrity checks are made on the decrypted session data after it is received to ensure data and service integrity.
  - Session recording, if enabled, would show if any data was inadvertently affected by the remote-support session.

(d) Person or Entity Authentication [R]
  Key factors: Verify that the person or entity seeking access is the one claimed.
  Support in GoToAssist Corporate:
  - Access to GoToAssist Corporate is protected by a strong password and a unique user login ID.
  - Representatives must be approved and set up by an administrator before they can access client computers.
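The Encryption and Decryption and Integrity entries above name the two primitives the guide relies on: AES with a fresh 128-bit key generated per session (the Transmission Security entries add that it runs in counter mode) and HMAC-SHA1 message authentication codes over session data. The Go program below is added here as an illustration and is not code from GoToAssist Corporate or LogMeIn; it shows how those two primitives combine in the encrypt-then-MAC pattern and why the MAC is what delivers the integrity property. The wire layout, the separate MAC key, and the sample chat record are this example's own assumptions; the guide does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// ErrIntegrity is returned when the HMAC-SHA1 tag does not verify.
var ErrIntegrity = errors.New("session data failed HMAC-SHA1 verification")

// SessionKeys holds the secrets for one support session. The guide states a unique
// 128-bit AES key per session; the separate HMAC key is this example's assumption.
type SessionKeys struct {
	EncKey []byte // 16 bytes: AES-128
	MacKey []byte // 20 bytes: HMAC-SHA1
}

// NewSessionKeys draws fresh keys from the OS CSPRNG, once per session.
func NewSessionKeys() (*SessionKeys, error) {
	buf := make([]byte, 16+sha1.Size)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	return &SessionKeys{EncKey: buf[:16], MacKey: buf[16:]}, nil
}

// Seal encrypts one record with AES-128-CTR under a fresh random counter block and
// appends HMAC-SHA1 over iv||ciphertext (encrypt-then-MAC): iv(16) || ct || tag(20).
func Seal(k *SessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.EncKey)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize + len(plaintext)
	out := make([]byte, n, n+sha1.Size)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	mac := hmac.New(sha1.New, k.MacKey)
	mac.Write(out) // covers both the counter block and the ciphertext
	return mac.Sum(out), nil
}

// Open verifies the tag in constant time before touching the ciphertext: a record
// with any modified byte (iv, ciphertext or tag) is rejected, never decrypted.
func Open(k *SessionKeys, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha1.Size {
		return nil, ErrIntegrity
	}
	body, tag := msg[:len(msg)-sha1.Size], msg[len(msg)-sha1.Size:]
	mac := hmac.New(sha1.New, k.MacKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrIntegrity
	}
	return ctrXOR(k.EncKey, body)
}

// ctrXOR applies the AES-CTR keystream to body[16:] with body[:16] as the counter
// block; CTR is symmetric, so the same call encrypts and decrypts.
func ctrXOR(key, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}

// Demo seals a constructed sample record, opens it, then flips one ciphertext bit:
// Open rejects the record, whereas CTR alone is malleable and would silently
// hand the receiver an altered plaintext.
func Demo() (roundTripOK, tamperRejected bool, unauthenticated string) {
	keys := must(NewSessionKeys())
	sample := []byte("chat: record 0000 opened on WS-01") // constructed sample, not PHI
	sealed := must(Seal(keys, sample))
	roundTripOK = bytes.Equal(must(Open(keys, sealed)), sample)
	tampered := append([]byte(nil), sealed...)
	tampered[aes.BlockSize] ^= 0x20 // first ciphertext byte: plaintext 'c' becomes 'C'
	_, err := Open(keys, tampered)
	tamperRejected = errors.Is(err, ErrIntegrity)
	// What a receiver that skipped the MAC check would have accepted.
	unauthenticated = string(must(ctrXOR(keys.EncKey, tampered[:len(tampered)-sha1.Size])))
	return
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	ok, rejected, raw := Demo()
	fmt.Printf("round trip ok: %v, tampered record rejected: %v\n", ok, rejected)
	fmt.Printf("without the MAC check the receiver would have accepted: %q\n", raw)
}
```

Run it with go run. The second output line is the point of the Integrity entries: AES-CTR by itself detects nothing, since a flipped ciphertext bit simply flips the matching plaintext bit, so the HMAC-SHA1 check is what turns a silent modification into a rejected record, and it must be verified before decryption and with a constant-time comparison, as Open does. HMAC-SHA1 remains sound despite SHA-1's collision weaknesses, although a design started today would normally choose HMAC-SHA256 or an AEAD mode such as AES-GCM.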

(e)(1) Transmission Security [R]
  Key factors: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  Support in GoToAssist Corporate:
  - Integrity protection mechanisms in GoToAssist Corporate are designed to ensure a high degree of data and service integrity, working independently of any integrity controls that may already exist on the customer's computers and internal data systems.
  - Customer has complete overriding control of all keyboard and mouse activity.

Integrity Controls [R]
  Key factors: Ensure that protected health information is not improperly modified without detection.
  Support in GoToAssist Corporate:
  - All session data is compressed using proprietary lossless compression techniques and protected using HMAC-SHA1 message authentication codes.
  - Numerous additional checks are made on the decrypted session data after it is received to ensure network transmission integrity.

Encryption [R]
  Key factors: Encrypt protected health information whenever deemed appropriate.
  Support in GoToAssist Corporate:
  - All sensitive chat, session, file transfer and service control data transmitted across the network is protected using AES (FIPS 197) in counter mode.
  - A unique 128-bit AES encryption key is generated at the start of each session.

Frequently asked questions

Q: What are the general requirements of the HIPAA Security Standards?
(Ref: § 164.306 Security Standards: General Rules)

Covered entities must do the following:
- Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
- Ensure compliance with this subpart by its workforce.

Q: How are covered entities expected to address these requirements?

Covered entities may use any security measures that reasonably and appropriately implement the standards; however, covered entities must first take into account the risks to protected electronic information; the organization's size, complexity and existing infrastructure; and costs.

The final rule includes three "safeguards" sections outlining standards (what must be done) and "implementation specifications" (how it must be done) that are either "required" or "addressable." If "required," it must be implemented to meet the standard; if "addressable," a covered entity can implement it, implement an equivalent measure or do nothing (documenting why it would not be reasonable and appropriate).
- Administrative Safeguards: Policies and procedures, workforce security and training, evaluations and business associate contracts.
- Physical Safeguards: Facility access, workstation security and device and media controls.
- Technical Safeguards: Access control, audit controls, data integrity, authentication and transmission security.

Q: What are you doing to help customers address HIPAA regulations?

To facilitate our customers' compliance with HIPAA security regulations, we're providing detailed information about the security safeguards we have implemented into the GoToAssist Corporate service. This information is provided in several forms, including security white papers, service-specific HIPAA-compliance matrices and other technical collateral. Additionally, our staff are available to provide guidance and assistance in all deployments.

Q: Is GoToAssist Corporate HIPAA compliant?

Only "covered entities" (e.g. healthcare organizations) are required to comply with HIPAA. Because of the technical and security measures employed by the service, when used properly, GoToAssist Corporate can help covered entities fulfil their HIPAA compliance obligations. For example, the administrative configuration and control features provided with GoToAssist Corporate help maintain healthcare organization compliance with the Administrative and Physical Safeguards sections of the final HIPAA Security Rules. The net result is that GoToAssist Corporate may be confidently deployed as a remote-support component of a larger information management system without affecting HIPAA compliance.

Q: What is the best way to deploy GoToAssist Corporate in an environment subject to HIPAA regulations?

Just as HIPAA allows considerable latitude in the choice of how to implement security safeguards, a single set of guidelines is not applicable for all deployments. Organizations should carefully review all configurable security features of GoToAssist Corporate in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure them.

2017 LogMeIn, Inc. All rights reserved.
7.13.2017/293353/PDF
