Educause Security Discussion mailing list archives
Re: Home Access and the secure workstation
From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 7 Nov 2005 12:16:49 -0500
From the technology side, Still Secure also has some interesting options.

Jim

Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-4122 (lab)
(585) 475-7950 (fax)

"We will have a chance when we are as efficient at communicating information security best practices, as hackers and criminals are at sharing attack information" - Peter Presidio

________________________________
From: David Grisham [mailto:DGrisham () SALUD UNM EDU]
Sent: Monday, November 07, 2005 12:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Home Access and the secure workstation

We are looking at building or buying a tool like you have described. Even though we are making our clinicians agree to appropriate use & a secure workstation, your first paragraph is absolutely correct. Since we are using Citrix we are looking at a Citrix tool that checks for security patches, firewalls & anti virus. We are layering the security tool with VPN access right now. Training and, of course, auditing access will be other layers.

All this still will not stop somebody from opening a patient record at the local Internet cafe where others will see the information or a key logger will not capture information. My job is to apply reasonable and appropriate security.

It is interesting that I have posted this issue on many hospital and HIPAA listservs without any response. I'm not sure if other institutions are avoiding the problem or just realizing that Internet access conflicts with the HIPAA workstation security implementation specification without some work.

Cheers.
-grish

ddrobert () KENT EDU 11/7/2005 9:36:27 AM >>>

I don't believe you'll ever find a technological solution to the type of scenario you describe, where a user logs in from a public place and then leaves that session unattended. No matter how idiot-proof your solution, the potential is always there that it'll be defeated by a better idiot! :-)

This type of problem needs to be attacked through user education, policy and sanctions. You can find a comfort zone, but you'll never eliminate the risk completely.

If remote desktop access is absolutely necessary (I have to assume you've already established that), you could use a system to check a PC's compliance with the HIPAA requirements, prior to letting it access your resources. This could be accomplished by requiring access from managed laptops, or with a VPN device like Juniper's SSLVPN that can perform host-checks prior to letting the user log on (requires an agent running on the PC). The concept would be similar to Cisco Clean Access, if you're familiar with that.

Dan Roberts
Office of Security and Compliance
Information Services Division
Kent State University
330-672-5373
ddrobert () kent edu

David Grisham <DGrisham () SALUD UNM EDU> wrote on 11/04/2005 05:50:47 PM:

How, if at all, does anyone give home access to workers from the health science center & university hospital? HIPAA has a specific workstation security implementation specification that requires the institution to ensure that workstations accessing Electronic Protected Health Information (ePHI) be secure. We can make sure that our workstations have the latest security patches, firewalls & up to date anti virus software. We currently loan secure images to our home transcriptionists. However, Internet access is here and our medical staff does need to work from home or from other sites with Internet access.

I would be glad to talk with anyone from any institution who was considering a portal, Internet access or just home access to ePHI and what we're doing to ensure that our workforce does not open up patient records at Starbucks, walk away from a screen in a public area, or use any workstation that does not meet our minimum security requirements.

Cheers.
-grish

David D. Grisham, Ph.D., CISM, CHS III
Manager, IT Security, UNM Hospitals, Information Technology
1650 University Blvd, S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email: dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave () unm edu

vphung () SCIENCE SJSU EDU 11/4/2005 2:46:22 PM >>>

For remote access:

Email - webmail with SSL v3 only
Web related - WebDAV with SSL v3 only
All others - Remote desktop via tunnel using SSH v2 only

SSH tunneling works really well with either VNC (Mac and *NIX) or RDC (Windows) from home (DSL for better performance). It's easy to implement and requires almost no maintenance since most of us have an SSH server somewhere on a network where a user's computer can be reached.

Instructions are here: http://ncs.science.sjsu.edu/vphung/index.php?HOW_TO:RDC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vuong Phung
Operating Systems Administrator
College of Science - Dean's Office
San Jose State University
One Washington Square
San Jose, CA 95192-0099
Duncan Hall 33
Tel 1.408.924.5056
Fax 1.408.924.5033
Web http://ncs.science.sjsu.edu/helpdesk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: clementz.7 [mailto:clementz.7 () OSU EDU]
Sent: Friday, November 04, 2005 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Home Access

How many schools allow remote access and what types of access do you allow? Please email me directly and I will give you my phone number to talk more securely.

We have faculty that are pushing more and more for remote access, but we do not have the manpower to support it. Just curious if others are experiencing the same issues.

Todd Clementz
Systems Administrator
The Austin E. Knowlton School of Architecture
The Ohio State University
Support Site: http://support.knowlton.ohio-state.edu
clementz.7 () osu edu