Using a Virtual Private Network (VPN) vs. SSL/TLS in a HIPAA Environment

Whether you’re working from home, your local coffee shop, or from the airport between layovers, you will likely need to connect to your organization’s network. A public or personal Wi-Fi network is available, but is it secure enough? That really depends on the security built into the sites you’re visiting.

What are the risks of using public Wi-Fi to connect to your organization’s network? One potential risk is that you make yourself susceptible to man-in-the-middle attacks, whereby an attacker creates a free, public Wi-Fi network and, once a user connects, gains full access to any online data exchange.¹ Also, without a properly configured website with SSL/TLS certificates, any information you access on a website that is not encrypted is easily intercepted in transit. The secure alternative? Using a Virtual Private Network (VPN) or SSL/TLS certificates.

What Are SSL and TLS?

You can build security into your web pages by configuring it with a Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These are standard security technologies for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.

You know sites have this protection when a green “HTTPS” shows up in the top left corner of the address line with a green lock indicating it is secure. Many internet service providers offer SSL/TLS licenses for free or for less than $100/year. Google has also started penalizing sites that don’t have SSL/TLS by depreciating them when people are searching.² If you don’t have SSL/TLS on your site, you could be losing out to your competitors in searches — even more reason to use this technology!

What is a Virtual Private Network (VPN)?

Another data protection solution is a VPN, or Virtual Private Network. This is typically a paid service that creates a secure, encrypted connection between your device and a browser, or a network.

VPNs have their strengths and weaknesses.³

The strengths of using a VPN are:

1. An extra layer of protection. Even if you’re on a website with SSL/TLS, you have another layer of protection for your traffic.
2. Protection against a Man in the Middle Attack. A VPN provides an added barrier against attackers who might intercept your connection while it’s unencrypted and redirect you to a malicious website where, via phishing or other means, the attacker might trick you into revealing sensitive data.⁴
3. Secure traffic between multiple business sites. Have multiple sites, and need to encrypt all your traffic? A VPN might be the solution.
4. An anonymous IP address. This means your traffic is like a PO Box and no one except your VPN can track it back to you.
5. The ability to pretend you’re in another country. Many folks use this when they are in a country where sites like Facebook or Twitter aren’t available. This can be helpful if you’re traveling internationally.

Some of the weaknesses of using a VPN are:

1. Slower network speeds. A VPN will slow your processing speed since your internet traffic is going through the VPN server.
2. Depending on a third party to protect your information. If you do use a VPN, you are required to have a Business Associate Agreement with the provider. 
3. Cost. These often involve a monthly fee and can be more expensive depending on how many users you have.

Selecting a Virtual Private Network

How can I choose the right VPN service?

Here are some guidelines:

1. Avoid free services, even from reputable companies. Free services likely allow limited bandwidth usage per month or offer slower processing. Some might harvest your personal data and sell it as marketing information to advertisers. Also, if they won’t sign a BAA, they aren’t HIPAA compliant.
2. Determine what information the VPN provider keeps about your sessions. Stick with providers who collect as little data as possible. Is the provider recording the IP addresses you use, the websites you visit, the amount of bandwidth used, or any other details?
3. How long does the service keep logs? You need a provider that doesn’t keep them at all or who keeps them for hours, not months.
4. Choose a high-grade encryption service for the utmost security. Your VPN provider needs at least a 128-AES, but we recommend 256-AES and a 2048-bit RSA key.

Network Security Policy

Once you’ve chosen a VPN provider, don’t just hand out the information to everyone in the organization. You and/or your IT staff should iron out a comprehensive network security policy.

1. What should users in your organization be given permission to remotely access via your network server?
2. Which devices are authorized to connect to the organization network through a VPN?
3. What are the Standard Operating Procedures (SOPs) in the case of a network breach?
4. Which authentication method will be used and how will it be implemented?
5. What is the maximum idle VPN connection time allowed before automatic termination?
6. What other security measures, such as anti-virus software, firewalls, and encrypted office backups will you need to apply?

These are questions and discussions you should have with your IT professional as you go down the road to securing your information for better, safer remote work.

Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your organization.

Want to know more about our online HIPAA training or our customized compliance solution, HIPAA Prime? Email us at info@totalhipaa.com to learn more about how we can help your organization become (and stay!) compliant. Or, get started here.

1. Man in the middle (MITM) attack
2. What is SSL and why should you care?
3. Benefits of VPN for HIPAA Compliance
4. Do you need a VPN in an HTTPS world? Yes, and here’s why

Sharing is caring!