What healthcare organizations need to know about VPNs

Virtual Private Networks (VPNs) create secure connections that protect electronic protected health information (ePHI) during transmission. A conference paper published in Proceedings Fourth International Symposium on Wireless Personal Multimedia Communications (WPMC), titled “Healthcare PANs: Personal Area Networks for trauma care and home care,” comments on the benefit: “The security level of the VPN is the same as the private network, achieved by means of a range of techniques including access control and encryption, protecting it against the threat of hacker and other attacks.” As healthcare increasingly relies on remote access to electronic medical records (EMRs) and telemedicine services, VPNs encrypt data both in transit and at rest, minimizing risks of interception.

A poorly configured VPN or one that does not offer safeguards to comply with HIPAA opens up healthcare organizations to a host of risks. According to a study titled ‘Common Vulnerabilities Exposed in VPN – A Survey’, “The more organizations are dependent on VPN, Similarly, the new vulnerabilities have been exposed. To date in total 479 vulnerabilities have been identified and exposed on the public domain where Top 28 vulnerabilities identified and exposed only in the year 2020.”

 

What are VPNs? 

“Virtual private networks (VPNs) provided a way to create private connections between computers and transfer data between them securely over the public Internet. These are still the guarantees that VPNs provide for general users today,” a USENIX conference paper, “All of them claim to be the best”: Multi-perspective study of VPN users and VPN providers, notes. A VPN is a technology that creates a secure and encrypted connection over the internet, allowing users to transmit data safely and privately. It extends a private network across a public network, such as the internet, by masking the user's Internet Protocol (IP) address and encrypting their data.

There are several types of VPNs tailored for different needs. The types of VPNs include:

  • Remote access VPNs enable individual users to securely connect to corporate networks from outside the office, providing safe access to resources like files and applications. 
  • Site-to-site VPNs are used by organizations to connect multiple office locations securely over the internet. 
  • Mobile VPNs are designed for devices like smartphones and tablets, ensuring secure connectivity even on public Wi-Fi networks.

How do they secure data transmission?  

  • VPNs encrypt data using protocols like SSL/TLS or IPSec, turning it into unreadable code that only authorized parties can decrypt.
  • They create secure tunnels between devices and servers, isolating data from external interference during transmission.
  • VPNs mask users' IP addresses, enhancing privacy and preventing tracking by third parties.
  • Authentication mechanisms ensure that only authorized users can access the VPN connection.
  • Integrity checks, such as checksums and sequence numbers, prevent tampering and replay attacks during data transmission.

 

The risks VPNs protect against

Healthcare organizations are subject to cyber threats like ransomware, phishing attacks, and data interception during transmission. An example of this is when, in February 2024, Change Healthcare, a major processor of U.S. medical claims, was hit by a BlackCat/ALPHV ransomware attack. The attackers exfiltrated sensitive data and deployed ransomware, crippling operations and causing disruptions in healthcare services nationwide. 

Misconfigured systems or unsecured communication channels can make healthcare organizations vulnerable. VPNs reduce this risk by securing endpoints and hardening remote access points, minimizing vulnerabilities exploited by attackers.

 

The requirements for a VPN to be HIPAA compliant

The above-mentioned study, published in Proceedings Fourth International Symposium on Wireless Personal Multimedia Communications (WPMC), also notes, “The real fact is that VPN clients can’t always be 'trusted,' due to which organization is affected by a large number of data breaches around the globe.” It is for this reason that the assurance provided by HIPAA’s requirements must be fulfilled by any VPN platform that covered entities consider using.

  • The VPN should use strong encryption algorithms, like AES-256, which is considered one of the most secure encryption methods available today.
  • A VPN service should avoid collecting user data and provide proof of its commitment to privacy through independently audited no-logs policies. 
  • A VPN should offer features that allow healthcare providers to track user access and detect potential security incidents. This helps in responding promptly to any breaches or unauthorized access attempts.
  • A VPN platform should offer a business associate agreement to ensure that data is handled within strict parameters. 

Alternatives and complementary security measures 

Alternatives

  • Virtual desktop infrastructure (VDI): VDI allows remote access to healthcare systems by hosting virtual desktops on centralized servers. Unlike VPNs, VDI keeps sensitive data within the server environment, minimizing risks associated with endpoint device theft or loss. It also simplifies compliance since data never resides on local devices.
  • IoT-specific cryptographic frameworks: In Internet of Medical Things (IoMT) environments, symmetric encryption algorithms like DES combined with custom key generation schemes can securely transmit health data from wearable devices to cloud databases.

How email complements VPNs

While VPNs secure data transmission by encrypting traffic between devices and networks, email security protocols tackle threats specific to email communication, such as phishing, malware, and unauthorized access. Together, these measures provide layered protection for sensitive patient information.

VPNs mainly protect remote access to healthcare systems and ensure encrypted connections for data in transit. However, emails often contain sensitive information, including ePHI. Secure email protocols such as Transport Layer Security (TLS) and encryption standards ensure that ePHI transmitted via email is protected from interception during transit. Integrating email traffic into VPNs can also prevent unauthorized access to email servers and block malicious attachments or phishing attempts through advanced inspection capabilities.

 

The benefits of using VPNs

Secure remote access to patient data

VPNs enable healthcare professionals to securely access electronic medical records (EMRs) and other sensitive patient data from remote locations. This is particularly beneficial for telehealth services and remote work arrangements. During the COVID-19 pandemic, many healthcare providers shifted to remote work, and VPNs ensured that patient data remained secure while accessed from home offices or other remote locations. According to Forbes UK, at least 34% of users use a VPN for increased security when accessing public WiFi.

 

Reduced risk of data breaches

According to a journal article titled “Towards Reducing the Impact of Data Breaches,” “A determined attacker will find an attack path into the organization’s system that has been overlooked and cause a data breach, even though the organization believes that it has done due diligence and secured all its vulnerabilities.” VPNs reduce the risk of data breaches by encrypting data and preventing unauthorized access. Using VPNs with dedicated static IPs enhances data protection and ensures seamless global connectivity without compromising security.

 

FAQs 

What role do VPN gateways play in securing medical devices?

VPN gateways ensure secure, bidirectional encrypted tunnels for IoT medical devices, integrating them with healthcare networks.

 

Can VPNs support telehealth services?

Yes, VPNs can securely connect patients and healthcare providers remotely.

 

How do dedicated IP addresses benefit healthcare VPNs?

Dedicated IP addresses provide an additional layer of security by ensuring consistent access to healthcare networks. 

 

How do NAT and PAT enhance VPN security in healthcare?

Network Address Translation and Port Address Translation help hide internal device IP addresses, making it harder for attackers to target individual devices. This adds an extra layer of security to VPN connections.
