Security & HIPAA Best Practices

Allowing our entire workforce to work remotely puts our network at the highest risk it has ever been in. These requirements have come suddenly and with little warning, and we haven’t been able to take the time and care we would normally take to make something like this happen. We’re working on it – but these are unprecedented times. I know this stuff can be tedious and annoying, but consider this: 

If our network is breached at a time when we’re all depending on it to do our work – we could all be out of a job.

Seriously. Take this seriously.

Here are some best practices to keep in mind when working remotely:

    1. Make sure your WIFI and computer login require a password – this is super important. Anyone who can access your computer, either from the computer itself or from an unsecured network, can access the RDP files you download to connect remotely. This comprises not just your machine, but the entire HAM network.
    2. Never store or allow your browser to store your work logins – whether you’re logging into the SBS web portal, OWA, or your remote session – NEVER allow your computer or browser to remember your work credentials. These credentials grant access to our HAM network. DO NOT leave these logins lying around – either on a sticky note or on your local computer’s desktop or browser.
    3. If you are using a PC, you must have Windows 10 – Microsoft no longer provides security updates for it’s other systems, so this is a must. You also need to make sure that you have antivirus enabled. If you’re not sure just go here (from your home machine) and click the “Verify You’re Updated” button: https://www.microsoft.com/en-us/windows/comprehensive-security
    4. Disconnect from your remote sessions before you walk away – even if you’re working from home alone please get into this habit: make sure not to leave an active connection open when you’re not using it. Closing your laptop cover is not enough. You need to Disconnect from RDP each time.
  1. Don’t let PHI “escape” from your remote session – think of your remote session as a safe little garden for patient data. Your remote computer lives inside the HAM network, so anything on it is protected by all the security of the network. However, if you copy patient data, either as text or as a file, and paste it onto your local computer, it is no longer protected. This is, in fact, a breach of that patient’s privacy. 
  2. Learn the basics about cyber security – this video is a great and simple introduction:

As always, if you have any questions or concerns about working safely from home, please reach out to HelpDesk@HealthAffiliatesMaine.com.

Understanding Remote Desktop (RDP)

Remote Desktop (RDP) is the tool you will use to turn your home computer into a virtual terminal to your work computer in the HAM office. The biggest advantage of this is that you will only have to install a single, small application on your home computer and you will have access to all of the software and files you use at work.

A few things to keep in mind when connecting via RDP:

  1. Make sure your work computer does not have “Sleep Mode” enabled. If your work machine goes to “sleep” you won’t be able to log in remotely. I’ve put together some instructions on how to disable sleep mode below.
  2. Make sure you have permission to access your computer remotely. This feature is disabled by default, so none of the instructions below will work if we (IT) haven’t set up your account to access your computer. To request access please reach out to HelpDesk@HealthAffiliatesMaine.com.
  3. Your work computer must be turned on – so be sure to leave it on when you leave the office. Also, be careful not to choose Shut Down from your remote computer, as that will physically shut off the computer in the office and you won’t be able to turn it back on. You’ll have to call someone in the office and ask them to physically turn it back on for you.
  4. Avoid “Signing Out”. Unlike shutting down you’ll still be able to get back in, but all of your open applications will be closed. Even worse, you may lose any unsaved data. The best way to exit the RDP client is to Disconnect from RDP. This will disconnect your session, but will leave your desktop alone.
  5. You will not be able to video/voice chat from within the RDP client. If you try to do so, you’ll be accessing the camera and microphone on the remote machine, not your own. If you need to video/voice chat you should disconnect from the RDP client (to conserve bandwidth) and use your local machine to do so. I’ve put together some detailed instructions below. Note: never send PHI to your personal email address!
  6. Be hyper vigilant about security and HIPAA – learn more in the Security & HIPAA Best Practices section.

Video/Voice Conferencing from Home

This is probably the trickiest thing to get your head around because, while you’re sitting at home typing into a keyboard right in front of you, you’re actually controlling a computer that is sitting inside of the HAM office. That means that when you try to initiate any kind of activity that uses a peripheral device from that remote computer, like a camera, microphone, or speakers, it will use the peripherals on the remote computer itself – not the computer sitting in front of you.

Since our workforce is connecting from a myriad of different devices, there isn’t really any way around this.

If you need to do an activity that requires audio/video you’ll need to do it from your local computer. That means you’ll need to come up with a way to get the connection instructions from your remote session to your local machine. Unfortunately, due to security restrictions and hardware limitations, it is not always possible to simply “copy & paste” from your remote session to your local computer.

While there are a few ways to to this, I’ve put together a procedure that should work for everybody across all devices:

Step 1. Paste the connection settings into an email

Any time you are trying to initiate a voice/video call from a computer there will be some instructions for how to connect. It can simply be a link or a set of instructions that include phone numbers & meeting IDs and whatnot. As an example, here’s a standard set of instructions from RingCentral:

You are invited to a RingCentral meeting now.

Join from PC, Mac, Linux, iOS or Android: https://meetings.ringcentral.com/j/1493295721

Or iPhone one-tap :
US: +1(470)8692200,,1493295721# (US East)
+1(623)4049000,,1493295721# (US West)
+1(720)9027700,,1493295721# (US Central)
+1(773)2319226,,1493295721# (US North)
+1(469)4450100,,1493295721# (US South)
Or Telephone:
Dial(for higher quality, dial a number based on your current location):
US: +1(470)8692200 (US East)
+1(623)4049000 (US West)
+1(720)9027700 (US Central)
+1(773)2319226 (US North)
+1(469)4450100 (US South)
Meeting ID: 149 329 5721
International numbers available: https://meetings.ringcentral.com/teleconference

You will need to copy the instructions you have, compose a new email, and paste the instructions into the body of the new email.

Step 2. Send the connection settings to yourself

You will need to send that email to an address you can access from your local computer. Here are a few options:

  1. Your personal email address – this should work for everybody who is using their own computer. Note: never send PHI to your personal email.
  2. Your CM Gmail address (Chromebook only) – if you’re using a HAM Chromebook than you can use your CM account and check it in gmail from your local machine. Your CM email address is the same as your work address, except it has the letters cm after healthaffiliatesmaine. Here’s mine: randy.runnels@healthaffiliatesmainecm.com. 
  3. Your work email through OWA – if you know how to access your work email from OWA you can just send it to yourself, then open a browser on your local machine and log into OWA. 

Once you figure out which account you’re using go ahead and send the email.

Step 2. Disconnect from the RDP Client

Video/Audio conferencing takes up a lot of bandwidth. In order to maximize the performance of your activity you should Disconnect from RDP since that takes up a lot of bandwidth as well. 

Step 3. Connect from your local computer

Finally, from your local machine, open the email you just sent and use the connection settings from there.

Remember – never download or store any PHI on your local computer. Connecting to a remote audio/video conference is fine, but don’t save any notes or files pertaining to patients when in these sessions. Please be sure to review the Security & HIPAA Best Practices section.

As always, if you have any trouble please reach out to HelpDesk@HealthAffiliatesMaine.com.

Connecting from a Windows 10 Laptop or Desktop

Step 1. Connect to HAM’s SBS web portal

First you’ll need to log into our SBS web portal in order to find the client for your specific computer. To do so, go to https://remote.providerfinancial.com and log in using your Window’s credentials. These are the same credentials you use to log into your work computer. Please, do not allow your browser to remember these credentials.

 

Step 2. Download the RDP client

Once you’re logged into the portal, find your computer in the right column and click “Connect”. 

This will download the RDP client to your computer. If possible, save the .rdp file to your desktop so you can open it again later without having to repeat this step.

Depending on your browser settings you may not be able to do this. Don’t worry if you can’t – just reach out to HelpDesk@HealthAffiliatesMaine.com and Hunter or I will help you out as soon as we can.

RD

Step 3. Run the application

If your browser doesn’t open the file automatically, you can click on the file icon in the bottom left-hand side of your browser to open it.

RDP Open

At this point you should see the following popup. Check the box labeled “Don’t ask me again for connections to this computer” and click “Connect”.

Note: you may see popups like this a few times, but as long as you’re connecting to the HAM network it is safe to click “Connect”.

RDP Warning

On the next popup you’ll need to enter your Windows credentials (same as before) except you’ll need to precede your username with the “PROVIDER\” domain. My username is rrunnels so I would type this: “PROVIDER\rrunnels”. Your password is the same as before. Click “OK” when ready. Please don’t check “Remember Me”!

You MAY be prompted at this point to enter your password again. That is normal, just go ahead and enter it and click “OK” again.

That’s it! You should be logged into your work machine. 

Be sure not to “Shut Down” or “Sign Out” when in this session. Instead, Disconnect from RDP when you are done with the session.

Please be sure to review the Security & HIPAA Best Practices section. As always, if you have any trouble please reach out to HelpDesk@HealthAffiliatesMaine.com.

Connecting from a Chromebook

Use the video below for instructions on how to connect to a remote session from a Chromebook. 

Be sure not to “Shut Down” or “Sign Out” when in this session. Instead, Disconnect from RDP when you are done with the session.

Please be sure to review the Security & HIPAA Best Practices section. As always, if you have any trouble please reach out to HelpDesk@HealthAffiliatesMaine.com.

Disable “Sleep Mode” on your work PC

If your work computer goes is configured to go to “sleep” after a certain amount of time, you won’t be able to connect from home. Please make sure it is disable by following the instructions below. Please note: these instructions are for your work computer in the HAM office, not the computer you will be using from home.

Step 1. Open up Power Options in the Control Panel

You can get there from right clicking on the start menu and going to Power Options.

You should now see a settings panel called Power & Sleep. In the Screen section you will find a drop-down labeled “When plugged in, turn off after”. Make sure this drop-down has “Never” selected (it’s the last option in the list).

That’s it! You don’t have to worry about saving anything, it happens automatically. Just close this window and you’re good to go.

Disconnect from RDP

Disconnecting from the RDP client is a little bit different in Windows than it is on a Chromebook.

Windows

If you are using a Windows PC, just click the “x” on the blue bar at the top of your session:

RDP Disconnect

Chromebook

On a Chromebook you first need to click the ever present “Hamburger Menu” at the top of the screen. This will open up tool overlays on the left and right. In the left overlay you can find a thumbnail labeled with your computer name. Click the “x” in the top left of the thumbnail to disconnect.

 

Using Dual Monitors with Remote Desktop

Windows 10

Chromebook

Unfortunately, we are not currently able to use dual monitors while in a remote session from a Chromebook. We never intended for them to be used this way; the Microsoft RD Client software is actually designed for Android phones. I will keep digging to try and find a solution, but in the meantime here are a few ideas that might help.

  1. Plug an HDMI cable from the Chromebook into a big screen tv – that will give you much more screen real estate, although the kids might not be too happy about you taking over the tv. Since all TVs are different I would recommend trying this out first, and if it looks weird reach to IT with the native resolution or model number of the TV.
  2. Open EHR Your Way locally – you are able to access EHR Your Way from outside the HAM network, so you could have it open in the local Chrome browser on one screen and your remote session in the other. In addition, you can access your work email from outside of the network. There are a few caveats to this however:
    1. You can’t copy and paste between local and remote sessions – in theory you can, but I’ve had no luck making it happen.
    2. There is no Encrypt & Send option in the OWA email – if you want to send encrypted email to external addresses from the Outlook Web Application, you MUST include the word ‘secure’ in the subject line somewhere.
    3. Do not download PHI onto the local computer – Since you will be working outside the ‘safe garden’ of the HAM network, this is all the more important. Please review the Security & HIPAA Best Practices.

Voicemail Access from Home

If you are working from home here are the instructions to access your voicemail from outside the office.

Call into the office.  (if someone answers, ask to be transferred to VOICE MAIL)

Once transferred hit # key, follow the voice prompts from there.

If it is after hours or on the weekends you will have to call 777-4700 to bypass the answering service.  From there you can enter your extension, hit # key, follow the voice prompts from there.

We are trying to get everyone to use email but some habits are hard to break.