Remote Access Policy and Procedure
Purpose
To establish uniform security requirements for all authorized users who require remote electronic access to the iEHR network and information assets. The guidelines set forth in this policy are designed to minimize unauthorized use of iEHR resources and confidential information.
Definitions
- Defined Network Perimeter: Refers to the boundaries of the iEHR internal computer network.
- Electronic Protected Health Information (ePHI): PHI shall have the same meaning as defined by 45 C.F.R. 160.103.
- Firewalls: A logical or physical discontinuity in a network to prevent unauthorized access to data or resources. A firewall is a set of hardware and/or related programs providing protection from attacks, probes, scans and unauthorized access by separating the internal network from the Internet.
- Information Resources: Networks, systems, applications, and data including but not limited to, ePHI received, created, maintained or transmitted by the iEHR.
- Privileged Access Controls: Includes unique user IDs and user privilege restriction mechanisms such as directory and file access permission, and role-based access control mechanisms.
- Remote Access: The ability to gain access to the iEHR network from outside the network perimeter. Common methods of communication from the remote computer to the iEHR network include, but are not limited to, Virtual Private Networks (VPN), web-based Secure Sockets Layer (SSL) portals, and other methods which employ encrypted communication technologies.
- Role-Based Access: Access control mechanisms based on predefined roles, each of which has been assigned the various privileges needed to perform that role. Each user is assigned a predefined role based on the least-privilege principle.
- Web-based Portal: A secure website offering access to applications and/or data without establishing a direct connection between the computer and the hosting system. Web-based portals most often use 128-bit or higher SSL encryption.
- Workforce Member: Employees, volunteers (board members, community representatives), trainees (students), contractors and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.
Policy
To establish guidelines and define standards for remote access to iEHR information resources which receive, create, maintain or transmit ePHI by and for the organization. Remote access is a privilege, and is granted only to remote users who have a defined need for such access, and who demonstrate compliance with iEHR established safeguards, which protect the confidentiality, integrity, and availability of information resources.
Applicable To
All users who work outside of the organization’s environment, who connect to the organization’s network systems, applications and data, including but not limited to applications that contain ePHI, if applicable, from a remote location. Users may include members of the workforce, business associates, and vendors. These users may have permanent or temporary access, which may include temporary emergency remote access.
Procedures
- Gaining Remote Access
- Workforce members will apply for remote access connections by completing a “System Access Request” form. Remote Access is strictly controlled and made available only to workforce members with a defined business need, at the discretion of the workforce member’s manager, and with approval by the Security Officer or designee.
- Business associates, contractors, and vendors may be granted remote access to the network, provided they have a contract or agreement with iEHR that clearly defines the type of remote access permitted (i.e., stand-alone host, network server, etc.) as well as other conditions which may be required, such as virus protection software. Such contractual provisions must be reviewed and approved by the Security Officer and/or legal department before remote access will be permitted. Remote access is strictly controlled and made available only to business associates and vendors with a defined business need, at the discretion of and approval by the Security Officer or designee.
- The workforce member is responsible for adhering to all iEHR policies and procedures, not engaging in illegal activities, and not using remote access for interests other than those of iEHR.
- All users granted remote access privileges must sign and comply with the “Remote Access User Agreement” kept on file with the Human Resources Department or other department as determined by the iEHR.
- It is the user’s responsibility to ensure that the remote worksite meets security and configuration standards established by iEHR. This includes configuration of personal routers and wireless networks.
- Equipment, Software, and Hardware
- The organization will not provide all equipment or supplies necessary to ensure proper protection of information to which the user has access. The following assists in defining the equipment and environment required.
- Organization Provided:
- Encrypted workstation
- If using a VPN, an organization-issued firewall
- If printing, an organization-supplied printer
- If approved by the organization’s Security Officer, an organization-supplied phone
- User Provided:
- Broadband connection and fees
- Paper shredder
- Secure office environment isolated from visitors and family
- A lockable file cabinet or safe to secure documents when unattended
- Remote users will be allowed access through the use of equipment owned by or leased to the entity, or through the use of the workforce member’s personal computer system provided it meets the minimum standards developed by iEHR, as indicated above.
- Remote users utilizing personal equipment, software, and hardware are:
- Responsible for remote access. iEHR will bear no responsibility if the installation or use of any necessary software and/or hardware causes lockups, crashes, or any type of data loss.
- Responsible for remote access used to connect to the network and meeting iEHR requirements for remote access.
- Responsible for the purchase, setup, maintenance or support of any equipment not owned by or leased to iEHR.
- Continued service and support of iEHR owned equipment is completed by IS workforce members. Troubleshooting of telephone or broadband circuits installed is the primary responsibility of the remote access user and their Internet Service Provider. It is not the responsibility of iEHR to work with Internet Service Providers on troubleshooting problems with telephone or broadband circuits not supplied and paid for by iEHR.
- The ability to print a document to a remote printer is not supported without the organization’s approval. Documents that contain confidential business or ePHI shall be managed in accordance with the iEHR confidentiality and information security practices.
- Security and Privacy
- Only authorized remote access users are permitted remote access to any of iEHR's computer systems, computer networks, and/or information, and must adhere to all iEHR policies.
- It is the responsibility of iEHR workforce members with remote access privileges to the network to ensure that their remote access connection complies with the same security requirements as the user's on-site connection. Solutions for remote access to devices on the network must comply with established policies.
- Secure remote access must be strictly controlled through strong authentication in accordance with the Password Policy.
- At no time should any user of iEHR network resources provide their login or email password to anyone, not even family members. When using a shared personal computer, for example, users should employ encryption and set up separate accounts so that other users of the computer cannot access sensitive data.
- It is the responsibility of the remote access user, including Business Associates, contractors, and vendors, to log off and disconnect from the iEHR network when access is no longer needed to perform job responsibilities.
- Remote users shall lock the workstation and/or system(s) when unattended, so that no other individual is able to access any ePHI or organizationally sensitive information.
- Remote access users are automatically disconnected from the iEHR network when there is no recognized activity for 20 minutes.
- It is the responsibility of remote access users to ensure that unauthorized individuals do not access the network. At no time will any remote access user provide (share) their username or password to anyone, nor configure their remote access device to remember or automatically enter their username and password.
- The Remote Access User must report to the Security Officer within 24 hours of any use or disclosure of PHI in a manner not permitted by this Policy or the Agreement. After the verbal report, the Remote Access User must send a written report to the Security Officer within 72 hours. The report must contain:
- The identification of each individual including contact information.
- A brief description of what happened, including the date of the unauthorized use or disclosure and the date of the discovery of the unauthorized use or disclosure, if known.
- A description of the types of PHI involved (such as name, Social Security number, date of birth, home address, or account number).
- A brief description of what the Remote Access User is doing or has done to investigate the unauthorized use or disclosure, mitigate losses to individuals, and protect against any further breaches.
- Identification of the names and respective titles of those who conducted the investigation on behalf of the Remote Access User.
- The Remote Access User must report to the Security Officer within 24 hours of any successful security incident of which it becomes aware that affects PHI.
- Any employee who becomes aware of an unauthorized use or disclosure by a Remote Access User must immediately contact the Security Officer.
- Remote access users must take necessary precautions to secure all iEHR equipment and proprietary information in their possession.
- Virus Protection software is installed on all iEHR computers and is set to update the virus pattern on a daily basis. This update is critical to the security of all data, and must be allowed to complete, i.e., remote users may not stop the update process for Virus Protection on the organization’s or the remote user’s workstation.
- A firewall shall be used and may not be disabled for any reason.
- Copying of confidential information, including ePHI, to personal media (hard drive, USB, CD, etc.) is strictly prohibited, unless the organization has granted prior approval in writing.
- Since online cloud services (e.g., Carbonite, Dropbox, iCloud, Mozy) may allow for data to be copied from a PHI approved network to a network not controlled by iEHR, they are not acceptable for use. Users must consult with IT or the Security Officer for remote file storage mechanisms.
- iEHR maintains logs of all activities performed by remote access users while connected to the iEHR network. System administrators review this documentation and/or use automated intrusion detection systems to detect suspicious activity. Accounts that have shown no activity for 30 days will be disabled.
- Electronic Data Security
- Backup procedures have been established that encrypt data moved to an external media. If there is not a backup procedure established, or if iEHR has external media that is not encrypted, contact the IS Department or Security Officer for assistance.
- Transferring data to the iEHR requires the use of an approved VPN connection to ensure the confidentiality and integrity of the data being transmitted. Users may not circumvent established procedures when transmitting data to the iEHR.
- Users may not send any ePHI via e-mail unless it is encrypted. If PHI or ePHI needs to be transmitted through email, IS or the Security Officer must be contacted to ensure an approved encryption mechanism is used.
- Paper document security
- Remote users are discouraged from using or printing paper documents that contain PHI.
- Documents containing PHI must be shredded before disposal.
- Enforcement
- Remote access users who violate this policy are subject to sanctions and/or disciplinary actions, up to and including termination of employment or contract. Termination of access by remote users is processed in accordance with iEHR termination policy.
- Remote access violations by Business Associates and vendors may result in termination of their agreement, denial of access to the iEHR network, and liability for any damage to property and equipment.