Re: Health centers and VPN access to patient records systems

[Nathan Zierfuss <nathan.zierfuss () ALASKA EDU>]

Thanks for the response. We do have a Citrix system as well and that wasn't
a posible solution I had considered. It would keep the end point a managed
system we know the security posture of but allow viewing/editing.

I'd like to require use a university managed device as the ultimate end
point as well.

Thanks,
Nathan

On Tue, Jan 24, 2012 at 7:14 AM, McCrone, Kevin <kmccrone () ilstu edu> wrote:

>  We do allow remote access.  To access the EHR, one must first use the
> campus VPN system.  Secondly, they must use the Citrix system to gain
> access to the application or a remote desktop.  Even then, only select
> personnel are enabled for remote access to the EHR according to their
> business need.****
>
> ** **
>
> I’d love to require a specific, controlled end point to use, such as a
> health-center issued laptop (for business use only) or perhaps even better,
> a thin client device or locked-down tablet or netbook.  The reality is that
> once remote access is given, any client can connect – at least that is the
> current reality with our campus VPN technology.****
>
> ** **
>
> We encourage our staff to use health computers to connect and remind them
> that if their home system is compromised and used to connect, it could
> expose the University to a disaster.****
>
> ** **
>
> -- Kevin McCrone, Information Technology Technical Associate****
>
> -- Illinois State University, Division of Student Affairs****
>
> -- (309) 438-1111****
>
> ** **
>
> *From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
> SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Nathan Zierfuss
> *Sent:* Monday, January 23, 2012 8:08 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* [SECURITY] Health centers and VPN access to patient records
> systems****
>
> ** **
>
> Does anyone allow campus health center staff remote acces via VPN to their
> patient records systems? If so, what requirements/guidelines to you use to
> insure the end point is secure beyond just using a secure connection?
> ****
>
> ** **
>
> Nathan****
>
> ** **
>
> --
> Nathan Zierfuss, CISSP, Information Security Officer
> -
> Technology Oversight Services, University of Alaska
> 910 Yukon Dr. Suite 105, PO Box 755320
> Fairbanks, Alaska 99775-5320
> -
> Phone: 907-450-8112  Fax: 907-450-8381****



-- 
Nathan Zierfuss, CISSP, Information Security Officer
-
Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320
Fairbanks, Alaska 99775-5320
-
Phone: 907-450-8112  Fax: 907-450-8381