Re: Health centers and VPN access to patient records systems

["McCrone, Kevin" <kmccrone () ILSTU EDU>]

We do allow remote access.  To access the EHR, one must first use the campus VPN system.  Secondly, they must use the 
Citrix system to gain access to the application or a remote desktop.  Even then, only select personnel are enabled for 
remote access to the EHR according to their business need.

I'd love to require a specific, controlled end point to use, such as a health-center issued laptop (for business use 
only) or perhaps even better, a thin client device or locked-down tablet or netbook.  The reality is that once remote 
access is given, any client can connect - at least that is the current reality with our campus VPN technology.

We encourage our staff to use health computers to connect and remind them that if their home system is compromised and 
used to connect, it could expose the University to a disaster.

-- Kevin McCrone, Information Technology Technical Associate
-- Illinois State University, Division of Student Affairs
-- (309) 438-1111

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nathan 
Zierfuss
Sent: Monday, January 23, 2012 8:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Health centers and VPN access to patient records systems

Does anyone allow campus health center staff remote acces via VPN to their patient records systems? If so, what 
requirements/guidelines to you use to insure the end point is secure beyond just using a secure connection?

Nathan

--
Nathan Zierfuss, CISSP, Information Security Officer
-
Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320
Fairbanks, Alaska 99775-5320
-
Phone: 907-450-8112  Fax: 907-450-8381