Educause Security Discussion mailing list archives

Re: Home Access and the secure workstation


From: David Grisham <DGrisham () SALUD UNM EDU>
Date: Mon, 7 Nov 2005 10:12:15 -0700

We are looking at building or buying a tool like you have described.  Even though we are making our clinicians agree 
to appropriate use & a secure workstation, your first paragraph is absolutely correct.  Since we are using Citrix we 
are looking at a Citrix tool that checks for security patches, firewalls & anti virus.  We are layering the security 
tool with VPN access right now.  Training and of course auditing access will be other layers.  All this still will 
not stop somebody from opening a patient record at the local Internet cafe where others will see the information or 
a key logger will not capture information.
 
My job is to apply reasonable and appropriate security.  It is interesting that I have posted this issue on many 
hospital and HIPAA listservs without any response.  I'm not sure if other institutions are avoiding the problem or just 
realizing that Internet access conflicts with the HIPAA workstation security implementation specification without some 
work.  Cheers. -grish

ddrobert () KENT EDU 11/7/2005 9:36:27 AM >>>

I don't believe you'll ever find a technological solution to the type of
scenario you describe, where a user logs in from a public place and then
leaves that session unattended.  No matter how idiot-proof your solution,
the potential is always there that it'll be defeated by a better idiot!
:-)  This type of problem needs to be attacked through user education,
policy and sanctions.  You can find a comfort zone, but you'll never
eliminate the risk completely.

If remote desktop access is absolutely necessary (I have to assume you've
already established that), you could use a system to check a PC's
compliance with the HIPAA requirements, prior to letting it access your
resources.  This could be accomplished by requiring access from managed
laptops, or with a VPN device like Juniper's SSLVPN that can perform
host-checks prior to letting the user log on (requires an agent running on
the PC).  The concept would be similar to Cisco Clean Access, if you're
familiar with that.

Dan Roberts
Office of Security and Compliance
Information Services Division
Kent State University

330-672-5373
ddrobert () kent edu

David Grisham <DGrisham () SALUD UNM EDU> wrote on 11/04/2005 05:50:47 PM:

How if at all does anyone give home access to workers from the
health science center & university hospital?  HIPAA has a specific
workstation security implementation specification that requires the
institution to ensure that workstations accessing Electronic
Protected Health Information (ePHI) be secure.  We can make sure
that our workstations have the latest security patches, firewalls &
up to date anti virus software.  We currently loan secure images to
our home transcriptionists.  However, Internet access is here and
our medical staff does need to work from home or from other sites
with Internet access.

I would be glad to talk with anyone from any institution who was
considering a portal, Internet access or just home access to ePHI
and what we're doing to ensure that our workforce does not open up
patient records at Starbucks, walk away from a screen in a public
area, or use any workstation that does not meet our minimum security
requirements.


Cheers. -grish
David D. Grisham, Ph.D.,  CISM, CHS III
Manager, IT Security,
UNM Hospitals, Information Technology
1650 University Blvd,  S.500, Albuquerque, NM 87102
Ph: (505) 272-5657 FAX 272-3305
Work email:  dgrisham () salud unm edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email:  dave () unm edu


vphung () SCIENCE SJSU EDU 11/4/2005 2:46:22 PM >>>
For remote access

Email - webmail with SSL v3 only
Web related - WebDAV with SSL v3 only
All others - Remote desktop via tunnel using SSH v2 only

SSH tunneling works really well with either VNC (Mac and *NIX) or
RDC (Windows) from home (DSL for better performance). It's easy to
implement and requires almost no maintenance since most of us have an
SSH server somewhere on a network where a user's computer can be
reached. Instructions are here

http://ncs.science.sjsu.edu/vphung/index.php?HOW_TO:RDC

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vuong Phung
Operating Systems Administrator
College of Science - Dean's Office

San Jose State University
One Washington Square
San Jose, CA 95192-0099
Duncan Hall 33

Tel 1.408.924.5056
Fax 1.408.924.5033
Web http://ncs.science.sjsu.edu/helpdesk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----Original Message-----
From: clementz.7 [mailto:clementz.7 () OSU EDU]
Sent: Friday, November 04, 2005 12:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Home Access


How many schools allow remote access and what types of access do you
allow?  Please email me directly and I will give you my phone number
to talk more securely.
We have faculty that are pushing more and more for remote access,
but we do not have the manpower to support it.  Just curious if
others are experiencing the same issues.

Todd Clementz
Systems Administrator
The Austin E. Knowlton School of Architecture
The Ohio State University
Support Site.  http://support.knowlton.ohio-state.edu
clementz.7 () osu edu
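
The pre-logon host check that David Grisham and Dan Roberts describe above (patches, firewall and antivirus verified before access is granted), sketched as an added example; it is not code from any poster or from the Citrix, Juniper or Cisco products they mention. The report fields, thresholds and access tiers are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical policy thresholds (assumptions, not taken from the thread).
MAX_PATCH_AGE = timedelta(days=30)
MAX_AV_SIGNATURE_AGE = timedelta(days=7)

@dataclass
class PostureReport:
    """What an endpoint agent might report before logon (constructed format)."""
    managed_device: bool
    firewall_enabled: bool
    av_running: bool
    av_signature_date: date
    last_patch_date: date

def evaluate_posture(report, today):
    """Return (compliant, reasons); compliant only when no check fails."""
    reasons = []
    if not report.firewall_enabled:
        reasons.append("host firewall disabled")
    if not report.av_running:
        reasons.append("antivirus not running")
    elif today - report.av_signature_date > MAX_AV_SIGNATURE_AGE:
        reasons.append("antivirus signatures out of date")
    if today - report.last_patch_date > MAX_PATCH_AGE:
        reasons.append("security patches out of date")
    # Future-dated fields mean a wrong clock or a tampered report: fail closed.
    if max(report.av_signature_date, report.last_patch_date) > today:
        reasons.append("report dates are in the future")
    return (not reasons, reasons)

def access_tier(report, today):
    """Map posture to a session type: 'full', 'restricted' or 'deny'."""
    compliant, reasons = evaluate_posture(report, today)
    if not compliant:
        return "deny", reasons
    if report.managed_device:
        return "full", []
    # Compliant but unmanaged (e.g. a home PC): assumed view-only tier.
    return "restricted", ["unmanaged device: view-only session"]

# Constructed sample reports, evaluated as of the date of the thread.
TODAY = date(2005, 11, 7)
MANAGED_LAPTOP = PostureReport(True, True, True, date(2005, 11, 5), date(2005, 10, 20))
CAFE_PC = PostureReport(False, False, True, date(2005, 9, 1), date(2005, 6, 1))

if __name__ == "__main__":
    for name, rep in (("managed laptop", MANAGED_LAPTOP), ("cafe PC", CAFE_PC)):
        print(name, access_tier(rep, TODAY))
```

A passing check covers only the machine's configuration; as both posters note, it says nothing about an unattended session or who can see the screen.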


