Using a Virtual Private Network (VPN) vs. SSL / TLS in a HIPAA Environment
January 16, 2019
Whether you’re working from home, your local coffee shop, or from the airport between layovers, you will likely need to connect to your company network. A public or personal Wi-Fi network is available, but is it secure enough? That really depends on the security built into the sites you’re visiting. Consider Virtual Private Network (VPN) and SSL / TLS certificates.
What are the risks of using public Wi-Fi to connect to your company’s network?
For a properly configured website with SSL / TLS certificates, the risks to the user are minimal. Without these certificates, any information you access on a website that is not encrypted is easily intercepted in transit. How do you securely access information on your devices?
What Are SSL and TLS?
You can build security into your web pages by configuring your site with Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These are standard security technologies for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.
You know a site has this protection when a green HTTPS shows up in the top left corner of the address line with a green lock indicating it is secure. Many internet service providers offer SSL / TLS licenses for free or for less than $100/year. Also, Google penalizes sites that don’t have SSL / TLS by demoting them in search results. If you don’t have SSL / TLS on your site, you could be losing out to your competitors in searches, which is one more reason to use this technology.
What is Virtual Private Network (VPN)?
Another data protection solution is a VPN or Virtual Private Network. This is typically a paid service that creates a secure, encrypted connection between your device and a browser, or a network.
VPNs have their strengths and weaknesses.
The strengths of using VPN are:
- An extra layer of protection. Even if you’re on a website with SSL / TLS, you have another layer of protection for your traffic.
- Secure traffic between multiple business sites. Have multiple sites, and need to encrypt all your traffic? Then VPN might be the solution.
- An anonymous IP address. This means your traffic is like a PO Box and no one except your VPN can track it back to you.
- The ability to pretend you’re in another country. Many folks use this when they are in a country where sites like Facebook or Twitter aren’t available. This can be helpful if you’re traveling internationally.
Some of the weaknesses of using VPN can be:
- Slower network speeds
- Depending on a third party to protect your information
Selecting a Virtual Private Network
How do you choose the right VPN service?
Here are some guidelines:
- Avoid free services, even from reputable companies. Free services likely allow limited bandwidth usage per month or offer a slower service. Some might harvest your personal data and sell it as marketing information to advertisers.
- Determine what information the VPN provider keeps about your sessions. Stick with providers who collect as little data as possible. Is the provider recording the IP addresses you use, the websites you visit, the amount of bandwidth used, or any other details?
- How long does the service keep their logs? You need a provider that doesn’t keep them at all or who keeps them for hours, not months.
- Choose a high-grade encryption service for the utmost security. Your VPN provider needs at least 128-bit AES encryption, but we recommend 256-bit AES encryption and a 2048-bit RSA key.
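One way to check a provider's client profile against the AES guideline above, as an added example that is not part of the original article. It assumes the provider ships an OpenVPN-style profile (the article names no product), uses constructed sample profiles, and does not inspect the RSA key size, which lives in the certificate rather than the profile.

```python
import re

# Thresholds from the guideline above: 128-bit AES minimum, 256-bit recommended.
MIN_AES_BITS, RECOMMENDED_AES_BITS = 128, 256
# OpenVPN directives that name the data-channel cipher(s).
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback"}

# Constructed sample profiles (assumption: not taken from any real provider).
STRONG = "client\ndata-ciphers AES-256-GCM\n"
MIXED = "client\ndata-ciphers AES-256-GCM:AES-128-CBC  # legacy fallback\n"
LEGACY = "client\ncipher BF-CBC\n"

def aes_bits(cipher_name):
    """Return the AES key size in bits, or 0 if the cipher is not AES."""
    m = re.fullmatch(r"AES-(\d+)-[A-Z0-9]+", cipher_name.upper())
    return int(m.group(1)) if m else 0

def offered_ciphers(config_text):
    """Collect every cipher the profile allows, across all cipher directives."""
    found = []
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] in CIPHER_DIRECTIVES:
            found.extend(c for c in parts[1].split(":") if c)
    return found

def grade(config_text):
    """Grade a profile by its weakest allowed cipher, since negotiation may pick it."""
    ciphers = offered_ciphers(config_text)
    if not ciphers:
        return "unspecified", None      # default depends on client version: ask the provider
    weakest = min(ciphers, key=aes_bits)
    bits = aes_bits(weakest)
    if bits == 0:
        return "not-aes", weakest       # outside the AES guideline: review by hand
    if bits < MIN_AES_BITS:
        return "below-minimum", weakest
    if bits < RECOMMENDED_AES_BITS:
        return "meets-minimum", weakest
    return "recommended", weakest

if __name__ == "__main__":
    for name, profile in [("strong", STRONG), ("mixed", MIXED), ("legacy", LEGACY)]:
        print(name, grade(profile))
```

A profile that lists a 256-bit cipher first can still grade lower, because a weaker entry later in the list remains negotiable.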
Network Security Policy
Once you’ve chosen a VPN provider, don’t just hand out the information to everyone in the company. You and/or your IT staff should iron out a comprehensive network security policy.
- Which users in your company should be given permission to remotely access your network server?
- Which devices are authorized to connect to the company network through a VPN?
- What are the Standard Operating Procedures (SOPs) for the case of a network breach?
- Which authentication method will be used and how will it be implemented?
- What is the maximum idle VPN connection time allowed before automatic termination?
- What are other security measures, such as anti-virus software, firewalls, and encrypted office backups that you need to apply?
These are questions and discussions you should have with your IT professional as you go down the road to securing your information.
Need help making decisions about what is best for your company? HIPAA compliant vendors are available that will help you implement a system that is best suited for your needs. Send us an email with your questions: info@TotalHIPAA.com.