GoToMeeting And HIPAA Compliance


Guide: GoToMeeting and HIPAA Compliance
Privacy, productivity and video conferencing
gotomeeting.com

GoToMeeting and HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) calls for privacy and security standards that protect the confidentiality and integrity of patient health information. Specifically, if you are transmitting patient data across the Internet during an online meeting or video conference, your online meeting solution and security architecture should strive to provide end-to-end encryption and meeting access control to help avoid interception by anyone other than the invited participants.

Citrix GoToMeeting is an online meeting solution that can help your company or office meet these guidelines. The following matrix demonstrates how GoToMeeting can support HIPAA compliance. It maps GoToMeeting features to the Technical Safeguards (§ 164.312); the Administrative and Physical Safeguards are discussed in the FAQ below. The matrix is based upon the HIPAA Security Standards rule published in the Federal Register on January 25, 2013 (45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule). The Department of Health and Human Services provides the HIPAA Security Standards on its website: e/securityrule/securityrulepdf.pdf. For more information about GoToMeeting security, download the GoToMeeting Security white paper at uritywhite-paper.

Technical Safeguards, § 164.312

Each entry below gives a standard that covered entities must implement, its implementation specifications (R = Required, A = Addressable), the key factor the rule demands, and the corresponding support in GoToMeeting.

(a)(1) Access Control [R]
Key factor: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to authorized persons or software programs.
Support in GoToMeeting:
- Meeting access is protected by a unique meeting code and optional strong password authentication.
- Configurable failed log-in lockout threshold.
- Meetings are not listed publicly, and access is restricted to invited participants.
- The meeting organizer can easily disconnect attendees or terminate sessions in progress.

Unique User Identification [R]
Key factor: Assign a unique name and/or number for identifying and tracking user identity.
Support in GoToMeeting:
- Organizers and account administrators* use their unique email address as their login name; they must also enter a unique account password.

Emergency Access Procedure [R]
Key factor: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Support in GoToMeeting:
- One-click meetings provide rapid, secure access to online meetings from virtually anywhere, which may be used as a supplementary method for providing emergency access to healthcare information.

Automatic Logoff [A]
Key factor: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Support in GoToMeeting:
- An organizer-configurable session inactivity time-out ensures that screen sharing is not left enabled indefinitely.
- A website inactivity time-out automatically logs users out of their GoToMeeting accounts.

Encryption and Decryption [A]
Key factor: Implement a mechanism to encrypt and decrypt electronic protected health information.
Support in GoToMeeting:
- All sensitive chat, session and control data transmitted across the network is protected using the Advanced Encryption Standard (AES) with a 128-bit key.
- A unique 128-bit AES encryption key is generated and securely distributed to all participants at the start of each session.

(b) Audit Controls [R]
Key factor: Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
Support in GoToMeeting:
- All connection and session activity through the Citrix-distributed network service infrastructure is logged for security and quality-of-service purposes.
- Account managers** have up-to-the-minute, web-based access to advanced management and reporting tools.

(c)(1) Integrity
Key factor: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Support in GoToMeeting:
- Integrity protection mechanisms are designed to ensure a high degree of data and service integrity, working independently of any integrity controls that may already exist on the customer's computers and internal data systems.
- The presenter can choose not to share keyboard and mouse control, ensuring the integrity of application commands and inputs.
- Access to data and applications on the presenter's computer is always under the presenter's control.

(c)(2) Mechanism to Authenticate Electronic Protected Health Information [A]
Key factor: Implement methods to corroborate that information has not been destroyed or altered.
Support in GoToMeeting:
- All executables are digitally signed.
- All transmitted data is integrity protected using HMAC-SHA-1 message authentication codes.

(d) Person or Entity Authentication [R]
Key factor: Verify that the person or entity seeking access is the one claimed.
Support in GoToMeeting:
- Meeting organizers must log in to GoToMeeting using a unique email address and account password.
- Meeting access is protected by a unique code and optional strong password. Only invited participants may view shared meeting data.

(e)(1) Transmission Security [R]
Key factor: Protect electronic health information that is being transmitted over a network.
Support in GoToMeeting:
- GoToMeeting provides end-to-end data security that addresses both passive attacks (eavesdropping) and active attacks (tampering) against confidentiality. Encryption and integrity controls are applied end-to-end, so confidentiality does not depend on the network the data is traversing.

Integrity Controls [A]
Key factor: Ensure that protected health information is not improperly modified without detection.
Support in GoToMeeting:
- All transmitted data is integrity protected using HMAC-SHA-1 message authentication codes.

Encryption [A]
Key factor: Encrypt protected health information whenever deemed appropriate.
Support in GoToMeeting:
- All sensitive chat, session, video, audio and control data transmitted across the network is protected using the Advanced Encryption Standard (AES) with a 128-bit key.

* Account administrators are only applicable when buying multiple user subscriptions of GoToMeeting.
** Account managers are only available with GoToMeeting Corporate accounts.
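The Encryption and Decryption, Integrity Controls and Encryption rows above, and the Encryption section later in this guide, name two primitives, AES with a 128-bit per-session key and HMAC-SHA-1, without showing how they combine to resist both passive and active attacks. The Go program below is an added example written for this page; it is not GoToMeeting code and says nothing about the product's actual wire format. It assumes AES-128 in CTR mode, a separate HMAC key, a fresh random IV per message, and an encrypt-then-MAC layout of IV || ciphertext || tag; the chat message is constructed sample text.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Constructed illustration of the transport protection the matrix describes:
// AES with a 128-bit per-session key for confidentiality and HMAC-SHA-1 for
// integrity. The mode (CTR), the separate MAC key and the message layout are
// assumptions of this example, not GoToMeeting's wire format.

const (
	aesKeyLen = 16            // 128-bit AES key
	macKeyLen = 20            // HMAC-SHA-1 key (one hash output wide)
	ivLen     = aes.BlockSize // 16-byte CTR nonce
	tagLen    = sha1.Size     // 20-byte HMAC-SHA-1 tag
)

// SessionKeys are generated fresh for each meeting and handed to every
// participant at session start (key distribution is out of scope here).
type SessionKeys struct {
	Enc []byte
	Mac []byte
}

// NewSessionKeys draws both keys from the OS CSPRNG.
func NewSessionKeys() (SessionKeys, error) {
	k := SessionKeys{Enc: make([]byte, aesKeyLen), Mac: make([]byte, macKeyLen)}
	if _, err := rand.Read(k.Enc); err != nil {
		return SessionKeys{}, err
	}
	if _, err := rand.Read(k.Mac); err != nil {
		return SessionKeys{}, err
	}
	return k, nil
}

// Seal encrypts a chat or control message with AES-128-CTR under a fresh IV and
// appends an HMAC-SHA-1 tag over IV||ciphertext (encrypt-then-MAC), so the
// receiver can reject tampered data before it reaches the decryptor.
// Output layout: IV (16) || ciphertext (len(plaintext)) || tag (20).
func Seal(k SessionKeys, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	out := make([]byte, ivLen+len(plaintext)+tagLen)
	iv := out[:ivLen]
	if _, err := rand.Read(iv); err != nil { // never reuse an IV under one key
		return nil, err
	}
	ct := out[ivLen : ivLen+len(plaintext)]
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	mac := hmac.New(sha1.New, k.Mac)
	mac.Write(out[:ivLen+len(plaintext)])
	copy(out[ivLen+len(plaintext):], mac.Sum(nil))
	return out, nil
}

var ErrBadMAC = errors.New("message rejected: HMAC-SHA-1 check failed")

// Open verifies the tag in constant time and only then decrypts. Any bit flip
// in IV, ciphertext or tag, a truncated message, or a message sealed under
// another session's keys yields ErrBadMAC and no plaintext.
func Open(k SessionKeys, msg []byte) ([]byte, error) {
	if len(msg) < ivLen+tagLen {
		return nil, ErrBadMAC
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha1.New, k.Mac)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrBadMAC
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	iv, ct := body[:ivLen], body[ivLen:]
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	keys, _ := NewSessionKeys()
	msg := []byte("chat: the lab results are ready for review") // constructed sample
	sealed, _ := Seal(keys, msg)
	if pt, err := Open(keys, sealed); err == nil && bytes.Equal(pt, msg) {
		fmt.Println("round trip ok")
	}
	tampered := append([]byte(nil), sealed...)
	tampered[ivLen+6] ^= 0x01 // an active attacker flips one ciphertext bit
	_, err := Open(keys, tampered)
	fmt.Println("tampered:", err)
	other, _ := NewSessionKeys() // a different meeting's keys cannot open it
	_, err = Open(other, sealed)
	fmt.Println("wrong session:", err)
}
```

The ordering is the point: the receiver checks the tag before decrypting, so a modified ciphertext never reaches the decryptor, which is the "active attacks" property the Transmission Security row claims. Two practitioner notes: HMAC-SHA-1 remains a sound MAC despite SHA-1's collision weaknesses, because HMAC does not rely on collision resistance, but a new design would choose HMAC-SHA-256 or an AEAD mode such as AES-GCM; and CTR mode is only safe if an IV is never reused under the same key, which is why Seal draws a fresh random IV for every message.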

Healthcare applications

Physicians, nurses, IS/IT staff, administrative employees and authorized healthcare partners can use GoToMeeting's patented web-based screen-sharing, video conferencing and audio conferencing technology to instantly and securely meet online with other healthcare professionals and share files, database applications and other corporate resources from any location connected to the web. Unlike approaches that send the files themselves, GoToMeeting does not distribute the underlying patient files or database records across the network. With screen sharing, what leaves the presenter's computer is the rendered screen image plus mouse and keyboard commands, so the source data stays on the presenter's system; the shared image can still display patient data, which is why it is encrypted in transit. GoToMeeting further protects data confidentiality through a combination of encryption, strong access control and other protection methods.

Security and control

Only organizers approved by account administrators can organize GoToMeeting online meetings in accounts with multiple organizers. Organizers control online meeting attendance through the use of meeting ID codes and optional passwords. Only one person can present at a time, and the presenter (either the organizer or a person chosen by the organizer) maintains complete control of screen sharing, in addition to keyboard and mouse control. Thus, participants can only view information the presenter chooses and can only make changes if the presenter allows them to do so. In addition, organizers can disconnect attendees when necessary, and organizers and account administrators can both terminate meetings in progress at any time.

Encryption

GoToMeeting employs industry-standard end-to-end Advanced Encryption Standard (AES) encryption using 128-bit keys to protect the data stream, chat messages and keyboard and mouse input. GoToMeeting encryption is consistent with the HIPAA Security Standards, which require appropriate encryption but do not mandate a particular algorithm, to ensure the security and privacy of patient data.

Frequently asked questions

Q: What are the general requirements of the HIPAA Security Standards? (Ref: § 164.306 Security Standards: General Rules)

Covered entities must do the following:
- Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits.
- Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy regulations.
- Ensure compliance with this subpart by its workforce.

Q: How are covered entities expected to address these requirements?

Covered entities may use any security measures that reasonably and appropriately implement the standards; however, covered entities must first take into account the risks to electronic protected health information; the organization's size, complexity and existing infrastructure; and costs.

The final rule includes three "safeguards" sections outlining standards (what must be done) and "implementation specifications" (how it must be done) that are either "required" or "addressable." If "required," it must be implemented to meet the standard; if "addressable," a covered entity can either implement it, implement an equivalent measure or do nothing (documenting why it would not be reasonable and appropriate).
- Administrative Safeguards: Policies and procedures, workforce security and training, evaluations and business associate contracts.
- Physical Safeguards: Facility access, workstation security and device and media controls.
- Technical Safeguards: Access control, audit controls, data integrity, authentication and transmission security.

Q: What is Citrix doing to help customers address HIPAA regulations?

To facilitate our customers' compliance with HIPAA security regulations, Citrix is providing detailed information about the security safeguards we have implemented in the GoToMeeting service. This information is provided in this document, our security white paper and other technical collateral. Additionally, our Client Services group is available to provide guidance and assistance in all deployments.

Q: Is GoToMeeting HIPAA compliant?

Only "covered entities" (e.g. healthcare organizations) are required to comply with HIPAA. Because of the technical and security measures employed by the service, when used properly, GoToMeeting can help covered entities fulfil their HIPAA compliance obligations.
(For example, the administrative configuration and control features provided with GoToMeeting support healthcare organization compliance with the Administrative and Physical Safeguards sections of the final HIPAA Security Rules.) As a result, GoToMeeting may be deployed as an outsourced remote-access component of a larger information-management system without affecting HIPAA compliance.

Q: What is the best way to deploy GoToMeeting in an environment subject to HIPAA regulations?

Just as HIPAA allows considerable latitude in the choice of how to implement security safeguards, a single set of guidelines is not applicable for all deployments. Organizations should carefully review all configurable security features of GoToMeeting (meeting passwords, the failed log-in lockout threshold, the session and website inactivity time-outs, and which users may act as organizer or presenter) in the context of their specific environments, user population and policy requirements to determine which features should be enabled and how best to configure them.

About Citrix

Citrix (NASDAQ:CTXS) is a leader in virtualization, networking and cloud services to enable new ways for people to work better. Citrix solutions help IT and service providers to build, manage and secure virtual and mobile workspaces that seamlessly deliver apps, desktops, data and services to anyone, on any device, over any network or cloud. This year Citrix is celebrating 25 years of innovation, making IT simpler and people more productive with mobile workstyles. With annual revenue in 2013 of $2.9 billion, Citrix solutions are in use at more than 330,000 organizations and by over 100 million people globally. Learn more at www.citrix.com.

© 2015 Citrix Systems, Inc. All rights reserved. GoToMeeting is a trademark of Citrix Systems, Inc. and/or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks are the property of their
