What is VDI/VPN?
VDI = Virtual Desktop Infrastructure (commonly called MyDesk)
VPN = Virtual Private Network (commonly called GlobalProtect)
Both are options to connect securely to OU’s network environment to facilitate remote working or teleworking. OU IT has provided guidance on how and when to use these products as part of the Remote Work Guide: https://www.ou.edu/ouit/workanywhere/get-started
Any technology-related questions regarding VDI or VPN should be directed to your Tier 1/Technical Representative or the applicable OU IT Service Desk (Norman: ou.edu/ouit; HSC: https://it.ouhsc.edu/services/servicedesk/; Tulsa: https://www.ou.edu/tulsa/it).
Below you can find FAQs related to HIPAA compliance and the use of VDI/VPN. If you have any additional HIPAA compliance questions on this topic or would like to set up a training session, please contact the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).
If a Workforce Member is using a personal device and will use VDI, are there encryption requirements?
HIPAA policy requires each Health Care Component (HCC) to have Technical Safeguards in place to protect ePHI maintained on its Information Systems (including devices) from improper or unauthorized alteration or destruction. If ePHI is downloaded to a device, the device must be encrypted.
If a Workforce Member is going to access ePHI through systems outside of the VDI, or anticipates needing to store ePHI locally on their device, the device must be encrypted, just as it was required to be before VDI was introduced.
If a Workforce Member is only going to access ePHI through the VDI and will only store ePHI to a secure file share that is saved in OU’s secure data center through VDI, full disk encryption is not required.
If a Workforce Member is not sure whether they should encrypt their device, they should reach out to their Tier 1/Technical Representative or the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).
Can I still check Webmail or Outlook outside of the VDI and not have to encrypt my device?
Access to Webmail and Outlook will be permitted while using VDI services. Access to Webmail and Outlook outside of the VDI will also be retained. If you will be accessing Webmail or Outlook outside of the VDI and will download attachments that contain ePHI to store on the device, you are required to encrypt your device. It is strongly suggested that you only access Webmail or Outlook from the VDI environment to avoid potentially downloading ePHI to an unencrypted device.
What happens if I do not encrypt my device because I plan to only access ePHI from VDI, but I do end up storing ePHI on the device?
HIPAA policy requires that ePHI must be encrypted when stored outside of OU’s secure data center (such as on local servers or devices). If you access or store ePHI outside the VDI environment and your device is not encrypted, you have violated HIPAA policy. You would be subject to sanctions from your department, clinic, or program. Further, if the ePHI was compromised because of the violation, you may be liable for a breach of ePHI, which could result in a monetary penalty from the Office for Civil Rights.
How are users prevented from downloading ePHI to their unencrypted laptops?
While working in the VDI environment, a policy configured on the VDI Management Server prohibits the virtual desktops from connecting to local storage, including removable media. Workforce Members are also prevented from using the copy and paste functions to move content from their device into the VDI or out of it. However, the Workforce Member remains responsible for ensuring that they only access or store ePHI while in the VDI environment, to avoid a potential HIPAA violation and sanction. If they are unsure, they should reach out to their Tier 1/Technical Representative or to the HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu).
If I use VDI but still have access to ePHI that can be stored on my personal laptop, does my laptop need to be encrypted too?
Yes, HIPAA compliance requires encryption on devices where the Workforce Member will access or store ePHI outside the VDI environment.
Am I required to report my personally-owned devices that are used for University business to OU management, even if I’m only connecting through VDI or VPN?
All devices that are used to access University data containing ePHI must be reported to your Tier 1/Technical representative or your department/clinic management and tracked on the Health Care Component’s Device Inventory List.
Do I have to report a personally-owned device, used for University Business, that is lost or stolen if I’m only connecting through VDI or VPN?
Loss or theft of any device, including a personally-owned device, that is used for University business must be immediately reported to the departments below:
- Information Security Governance – email@example.com
- OU Police Department: Norman – (405) 325-1717; HSC – (405) 271-4300; Tulsa – (918) 660-3900
- If the device was used to access, create, or store ePHI (even through the VDI), you must also notify:
  - HIPAA Security Officer – Valerie Golden (Valerie-Golden@ouhsc.edu)
  - the HIPAA point of contact for your program/department/clinic
If I own my laptop and use it for University Business, do I have to have it encrypted?
Yes, the current laptop encryption policy, revised in October 2015, states, “ALL laptops used for University business must be encrypted, regardless of who owns the laptop, or the operating system…” See Portable Computing Device Security at http://it.ouhsc.edu/policies/PortableDeviceSecurityPolicy.asp for additional information.
If you are a student connecting through VDI please see the FAQ on VDI use for determining if your device needs to be encrypted.
How is University Business defined?
University Business is work performed as part of an employee’s job responsibilities, or work performed on behalf of the University by faculty, staff, volunteers, students, trainees, and other persons whose conduct, in the performance of work for the University, is under the direct control of the University, whether or not they are paid by the University. In the context of laptop use, University Business includes the use of a laptop to access OUHSC email and to access non-public University systems, networks, or data in the performance of work for the University.
How can I prevent a HIPAA breach?
Follow these suggestions from the IT Security website:
Risks: Storing sensitive data on your local desktop places that information at risk in the event of a data-stealing malware infection. Syncing your mobile device with University systems such as email or other desktop applications has the potential to inadvertently store this information in an unprotected manner. Loss of an unencrypted portable computing device places the sensitive data on that device at risk of unauthorized access. Such events can constitute a HIPAA data breach in which individuals will be held personally liable for HIPAA fines and penalties. See HITECH on the web at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
Regulations: Under federal and state law and University policy, computer systems containing sensitive data that have data-stealing malware infections, or unencrypted mobile devices that have been lost, are reportable as data breaches and must be identified to University officials. If you have any questions about your storage location or portable device, please contact your Tier One or IT representative.
- Store sensitive data such as Protected Health Information (PHI) on a server in the campus enterprise data center.
- Install and use the most current security software available for your system to protect against malware infections and data breaches. Currently these include:
  - McAfee VirusScan and Anti-Spyware for MS Windows and Macintosh operating systems.
  - McAfee SiteAdvisor for Microsoft Internet Explorer and Mozilla Firefox.
  - McAfee Endpoint Encryption Full-Disk for laptop encryption.
  Contact your department Tier One or IT representative for more information before you install software on your desktop computer.
- Follow safe Internet browsing and email practices.
  - Do not open suspicious email, especially email with unknown attachments or links to web sites.
  - Do not download non-University applications or unknown software from the Internet (for example, screen savers or browser add-ons).
  - Do not browse the web or access email for non-University related business. See the Acceptable Use of Information Systems policy at http://it.ouhsc.edu/policies/AcceptableUse.asp
How do I use Secure Email?
Type [secure] in the Subject line of a message to ensure that the message is sent securely. Be advised that only the body of the email is encrypted; the information in the subject line is not. Your subject line should therefore not include any PHI.
What is Secure Email?
Secure Email allows HSC users to encrypt Sensitive Information sent to recipients outside of the campus email system. Examples of messages that should be encrypted include:
- OU healthcare billing communications with outside agencies.
- Communications between OUHSC and research agencies (FDA, NIH) that include participant information.
- Communications that include patient information.
For more information on Secure Email and instructions for use please see the links below.
I need to email patient or research participant PHI to an off-campus email, what should I do?
Before You Hit Send…
If emailing off-campus is necessary and permissible under your department or clinic rules, be sure your email is sent via a secure method and goes only to individuals authorized to receive the PHI. Secure methods include (1) using the patient portal and (2) putting [secure] in the subject line, using the brackets. Messages between ouhsc.edu email addresses are automatically encrypted, as are messages between an OUHSC.edu email address and an HCA email address, so these messages are secure as well.
Sending PHI via unsecured email – even to research sponsors or other providers – is a violation of HIPAA policy and can easily lead to a breach. The Office for Civil Rights may impose monetary penalties for HIPAA breaches, especially those that result from deliberate disregard for patient privacy. Check your email recipients and confirm that the method you are using to send PHI to a non-OUHSC or non-HCA email address is secure; if in doubt, contact OUP IS or IT Security. Finally, be sure you are NOT using auto-forwarding or redirecting your messages to accounts outside of the University email system.
Relevant HIPAA Policies and forms can be found at the University’s HIPAA website (https://apps.ouhsc.edu/hipaa/). (OU Physicians employees should also refer to MR 36 for specific OUP policy on emailing patients.)
If you have questions about these or any other HIPAA topics or would like to schedule a department training, please contact any of us; we are eager to help!
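The secure-email rules from the two answers above (the [secure] subject tag, automatic encryption between ouhsc.edu and HCA addresses, no PHI to personal accounts, nothing sensitive in the subject line) can be turned into a pre-send check. The code below is an added example, not from this page or from any OU IT tool; the HCA domain is a placeholder because the page does not name it, and the personal-provider list, case-insensitive matching of [secure], and the digit-run heuristic for identifiers in the subject are assumptions.

```python
# Added example (not from the OUHSC page or any OU IT tool): a pre-send check
# that encodes the secure-email rules in this FAQ. Sample data is constructed.
import re
from dataclasses import dataclass, field
from typing import List, Sequence

INTERNAL_DOMAIN = "ouhsc.edu"
# The FAQ says mail to HCA addresses is auto-encrypted but does not name the
# domain, so this is a labelled placeholder, not a real HCA domain.
HCA_DOMAIN_PLACEHOLDER = "hca.example"
SECURE_TAG = "[secure]"
# Assumption for illustration: the page names no personal-mail providers.
PERSONAL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})
# Heuristic only: digit runs (MRN), SSN or date shapes suggest an identifier.
_IDENTIFIER_RE = re.compile(r"\d{6,}|\d{3}-\d{2}-\d{4}|\d{1,2}/\d{1,2}/\d{2,4}")


@dataclass
class Verdict:
    ok: bool
    reasons: List[str] = field(default_factory=list)


def _domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def check_phi_email(sender: str, recipients: Sequence[str], subject: str,
                    hca_domain: str = HCA_DOMAIN_PLACEHOLDER) -> Verdict:
    """Decide whether a message that carries PHI satisfies the FAQ's rules."""
    reasons: List[str] = []
    auto_encrypted = {INTERNAL_DOMAIN, hca_domain.lower()}
    if _domain(sender) != INTERNAL_DOMAIN:
        reasons.append(f"sender {sender} is not an {INTERNAL_DOMAIN} address")
    for rcpt in recipients:
        if _domain(rcpt) in PERSONAL_DOMAINS:
            reasons.append(f"{rcpt}: personal account; PHI must never go there")
    # Mail to ouhsc.edu or HCA addresses is encrypted automatically; anything
    # else needs the [secure] tag in the subject (case-insensitive: assumption).
    external = [r for r in recipients if _domain(r) not in auto_encrypted]
    if external and SECURE_TAG not in subject.lower():
        reasons.append(f"external recipient(s) {', '.join(external)} "
                       f"but subject lacks {SECURE_TAG}")
    # The subject line is never encrypted, so it must not carry identifiers.
    if _IDENTIFIER_RE.search(subject):
        reasons.append("subject appears to contain an identifier (never encrypted)")
    return Verdict(ok=not reasons, reasons=reasons)
```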
What are some tips for using the Auto-Complete List in outlook?
- First confirm that the recipients in the TO line of your emails are the intended recipients BEFORE hitting Send, and remember that no PHI should be sent to your personal email accounts.
- Utilize this helpful hint on how to remove personal email accounts from auto-completing as recipients in the TO line of your emails:
Think Twice Before Checking Your Email or Calendar From Personal Devices!
- Is your cell phone secure?
- Is your personal laptop encrypted?
If the answer is “No” to the above questions, it is against University policy to access your OUHSC email or calendar from the unsecured device. To ensure that transmissions of electronic PHI are secure, portable devices used for University business must follow the Portable Computing Device Security policy. Personal Computing Devices that fall under this policy include but are not limited to: laptops, notebook computers, tablets, smart phones, cell phones, thumb drives, and external media such as CDs or DVDs. These safeguards apply to University-owned as well as personally-owned devices. Keep in mind that if you store or download PHI on a University-owned or personally-owned desktop, that computer must be encrypted as well.
The OUHSC Information Systems – Information Security web page (http://it.ouhsc.edu/services/infosecurity/) offers more information on how to secure your mobile device or encrypt your personal laptop. Contact your Tier 1 or IT Representative for assistance with encrypting a desktop.