What is a virtual private network (VPN)?

A virtual private network (VPN) enhances an organization’s cybersecurity by creating an inaccessible network. The idea is to keep data safe and secure when connected to the Internet. VPNs are used in different industries, including healthcare, to protect information from inadvertent exposure.

Health organizations are tasked with finding and enabling HIPAA compliant methods that safeguard protected health information (PHI). One such method may be to employ a VPN. Before deciding whether to use a VPN, healthcare organizations should first understand what one is and what it can do.

What is a VPN and why is it a smart cyber tool?

A VPN is a cyber tool used to protect sensitive information while someone is online. It is often described as a “data tunnel” as it creates a sheltered environment to send/share data over a network or the Internet. A VPN can be a means for safeguarding online communication and interaction.

The idea behind using a VPN is to provide a safe online space that prevents eavesdropping by:

• Rerouting traffic securely
• Encrypting information by scrambling data
• Hiding an internet protocol (IP) address as well as where someone connects from
• Asking for sender authentication to prevent unauthorized access

By using a VPN, an organization may allow its employees to work remotely by extending its protected reach. Moreover, it may let employees log into complimentary (i.e., free and unsecured) Wi-Fi while remaining safe behind a virtual gate. In the event of device loss, theft, or data breach, data remains protected.

Types of VPNs

Personal VPNs: The most common VPN that hides a personal IP address from an internet service provider when connected through a home computer.

Mobile VPNs: Used on mobile devices like cell phones or tablets and works whether on a personal or public Wi-Fi.

Remote access VPNs: Used to connect other computers to a private network when not in the office.

Site-to-site VPNs: Used to establish a secure connection between two networks, either as an intranet (within a single private network) or extranet (between different private networks).

HIPAA compliance and VPNs

HIPAA, the Health Insurance Portability and Accountability Act of 1996, protects the rights and privacy of patients. The act was created to improve health coverage standards and combat fraud and abuse related to PHI. Cyberattackers see PHI as a high-value target, and healthcare organizations must use advanced cybersecurity tools to protect the information.

The guidelines require healthcare organizations to implement reasonable administrative, physical, and technical safeguards. The Privacy Rule explores how PHI can (or can’t) be accessed while the Security Rule focuses on safe storage and movement. The HIPAA rules do not mandate the use of a VPN. Rather, the decision to use a private network falls on each organization.

A VPN could provide several HIPAA compliant benefits with a single tool, making it a cost-effective feature, including:

• Transmission security (i.e., encryption and remote access)
• Access controls
• Audit controls
• Integrity controls (i.e., user authentication)

Employing a cyber tool such as a VPN has been the foundation of many healthcare cybersecurity programs as it could reduce the risk of PHI exposure after a breach. A breach of healthcare-related information can have severe consequences, not only for patients but also for the healthcare providers involved.

HIPAA compliant VPN vendors

Healthcare organizations must use VPNs that comply with HIPAA regulations and adhere to security standards. Dozens of popular services are not HIPAA compliant. Choosing a vendor will take time and research. Here are a few things to consider when searching for HIPAA compliant VPN providers:

1. What are the current organization-wide policies on cybersecurity and what needs protecting and where?
2. What is the size of the network that the VPN needs to protect?
3. Given that a VPN provider is a business associate, will the company sign a business associate agreement?
4. What type of encryption is used by the VPN to secure information?
5. Does the VPN provider collect and store user information?
6. Are there other HIPAA-related options to enable such as access and monitoring controls?

Healthcare organizations should start by conducting a risk assessment to determine how a VPN may help. The Office of the National Coordinator for Health Information Technology provides an excellent risk assessment tool. After an assessment, a practitioner may find that a VPN would not be useful for its current needs.

SEE ALSO: Does all electronic communication in healthcare have to be through a VPN?

Keep VPNs secure and use them with other HIPAA compliant security features

As with all cyber tools, VPNs have been compromised at some point and should not be used alone. In fact, no single security method should be the only line of defense. A strong cybersecurity program is layered to ensure data remains protected.

This could mean using other encryption protocols such as secure socket layer (SSL) and transport layer security (TSL). This could also mean using other methods of access controls and employing perimeter defenses such as firewalls. Moreover, this could mean reinforcing cybersecurity with continuous, up-to-date training and regular, offline backups. Finally, this should mean employing a HIPAA compliant communication solution with strong inbound security features, such as Paubox Email Suite Plus.

HIPAA compliance means using security practices that safeguard every aspect of a healthcare organization, keeping PHI safe and secure. If a VPN is helpful, it should be included in an organization’s tech toolkit and other necessary, HIPAA compliant features.