Last year, Business Solutions published a review of remote monitoring and management (RMM) platforms available in the marketplace at the time. In the months since, the platforms included in the roundup saw a host of updates, which we recently covered online to keep you informed and well-advised on changes like mobile device management. At the same time, we’ve received feedback from healthcare-focused solutions providers who are seeking information on RMM tools in the healthcare vertical. Therefore, we reached out to the RMM vendors to find out how they address the specific needs of this ever-lucrative vertical.
The first area we wanted to investigate has to do with, surprise, HIPAA. Specifically, we asked each vendor to share how their platform addresses the security requirements of HIPAA and protecting health information and how each company helps its partners with regulatory compliance and education. What you’ll see is that each vendor has addressed HIPAA to one degree or another — good news for MSPs (managed services providers) looking for choices.
HIPAA Compliance And You
AVG reported that its software does not pull any user-specific data, only device information. It is possible to limit who has access to devices with user management and roles within Managed Workplace. User data can only be accessed by those people with permission to do so for a specific device.
Continuum has conducted systems reviews, vulnerability analyses, and penetration testing to assess its risk profile. The company says its RMM solution has undergone targeted code modifications to counter newly evolving threats. Security has been tightened in its 24/7 NOC and its U.S.-based service desk. In addition, Continuum helps address HIPAA security requirements for MSPs by providing a signed BAA (business associate agreement); secure access, including access control features like multifactor authentication, minimum password length, and rigorous complexity requirements; encryption using strong encryption algorithms such as AES-256; end-user authentication; and patching, antivirus, and anti-malware.
In addition to strengthening its technical, administrative, and physical security, the company has created the Continuum HIPAA Resource Center (www.continuum.net/hipaa-resource-center) to provide up-to-date compliance information for MSPs to help them gain a better understanding of the technical implications involved with new HIPAA rules.
According to GFI MAX, its platform has been audited by third-party HIPAA experts, and the information and recommendations for GFI MAX customers are directly available at www.gfimax.com/hipaa. GFI says that its base agent collects no personal information. Access to information can be secured by two levels of security (location and password), and all actions by all users can be fully audited.
GFI MAX offers a BAA that it will sign with any MSP/VAR that requires it. To help IT providers demonstrate HIPAA compliance, GFI MAX also provides a HIPAA readiness pack at its HIPAA landing page.
Data generated by LabTech is stored by default on the server where LabTech is installed. This gives its partners the option to run the server in their own controlled environment or in a cloud provider’s environment, shifting HIPAA compliance risk as is appropriate for the MSP. LabTech says that all communications from agents to the LabTech Server are transmitted in an encrypted form.
Protected information stored in LabTech, such as administrative access credentials, is stored in an encrypted state. With LabTech 2013, the company added auditing that enables partners to report on access to systems containing protected health information (PHI). LabTech permissions allow limiting access to remote access functions that could be used to retrieve PHI from client systems.
From a partner education and enablement perspective, LabTech has initiatives on HIPAA education both internally and for its partners. For MSPs that have access to and maintain systems for their clients that contain PHI, it is a suggested best practice that the MSP identify and minimize any client PHI that is stored within its internal systems, unless that data is absolutely required to support its clients. This practice can minimize the regulatory risks that the MSP must account for when providing IT services to a covered entity. To communicate this information and offer other guidance, LabTech has published positioning statements and has held webinars on HIPAA regulations.
N-able says that, regardless of whether the deployment is on-premises or hosted, communication between its application server and its agents or probes uses 128-bit RSA with RC4-based encryption when running in HTTPS mode. This helps ensure HIPAA compliance and data protection. Additionally, N-able runs out of SSAE 16-compliant data centers, so the server’s physical and login access is strictly controlled. Also, all user passwords are first encrypted with one-way encryption before being stored in the database for additional security.
N-able provides multiple features and capabilities to help MSPs ensure their customers are adhering to HIPAA guidelines. These include the following:
Healthcare Device Monitoring
In addition to talking HIPAA and data security, we also wanted to find out as much as possible about the device types each RMM tool is able to monitor. The fact is, many devices used in healthcare now have IP addresses and, in theory, are open to monitoring and management. Whether the vendors have access to device information and to what degree is what we were interested in uncovering.
Unfortunately, the responses we received didn’t tell us a whole lot. Most vendors responded that, unsurprisingly, SNMP or WMI were required to monitor devices with IP addresses. None of the vendors reported having any relationships or direct integrations with healthcare-related manufacturers to monitor devices like pumps, ventilators, IVs, etc. Since none of the vendors have such relationships, it could be that we were asking for too much. Still, it’s something to keep an eye on, and we’ll continue to ask on a regular basis and keep you up to date as changes occur.
On that note, you should also know that, in the time since our first review of RMM platforms, a lot of updates unrelated to healthcare have taken place.