SunSpot Health Care Provider
Remote Access Policy for Remote Workers & Medical Clinics
1.0 Policy Statement
- It is SunSpot Health Care Provider (SHCP) policy to protect Information Resources based on risk against accidental or unauthorized disclosure, modification, or destruction, and assure the Confidentiality, Integrity, and Availability (CIA) of clinic and patient data.
- Apply appropriate physical and technical safeguards in a manner intended to reduce obstacles to conducting clinic business.
- Comply with applicable state and federal laws, and other clinic governing policies.
2.0 Purpose/Objectives
This policy serves as the foundation for the security of remote access to clinic information system resources, and gives the Information Security Officer the authority to implement the policies, standards, procedures, and guidelines deemed necessary to protect clinic and patient data. Definitions used in this policy are as follows:
- Information Security Office (ISO).
- Health Insurance Portability and Accountability Act (HIPAA).
- Virtual Private Network (VPN): a technology that allows the creation of a secure connection to a private network, or between private networks, over public networks such as the Internet.
- Secure Sockets Layer (SSL): a standard security technology for establishing an encrypted link between a web server and a browser.
- Electronic Private Health Information (ePHI).
3.0 Scope
This policy applies to all SHCP Local Area Network (LAN) to Wide Area Network (WAN) devices, security detection systems, firewalls, remote access VPN software and hardware, and remote access users that are controlled and operated by SHCP staff or its designated IT Infrastructure Implementation Agents, contractors, and vendors, at all SHCP branches, SHCP Enterprise Cloud, Web, and Data Center providers, and other offsite facilities.
4.0 Standards
SHCP security policies are guided by HIPAA, which defines the data protection controls necessary for compliance. These standards are mandatory requirements and establish an effective baseline of system, administrative, and physical controls. All policies must be designed to ensure that SHCP conforms to the following HIPAA standards:
- Two-factor authentication (for example, a unique user name and password).
- Proper remote user access privilege approval system.
- Time-outs on inactive portals or VPN sessions.
- Restrictions on downloading of ePHI to remote host devices.
- ePHI in transit or at rest must be encrypted on host and server systems.
- Ensure remote access users are trained on policies and remote access use.
- All computers that use or store ePHI must use anti-malware software.
- Use Intrusion Detection Systems / Intrusion Detection and Prevention Systems (IDS/IDPS).
- Conduct regular system scans and audits.
5.0 Procedures
Responsible administrators and managers must consider HIPAA standards when performing maintenance and configuration of information systems. They must implement processes and control procedures that meet HIPAA standards, including effective oversight of activities and transactions. The ISO establishes the requirement for a remote access policy and is responsible for the design, implementation, and management of the clinic's security program.
- Authentication and granting of remote access privileges. Individual department heads are responsible for requesting remote access privileges for their employees, including specifying the desired level of access. The department head initiates a remote access request form that must be approved by the ISO and then routed to the system administrator. The system administrator creates a unique account requiring a complex password for each remote user. All accounts created are logged and tracked.
- The system administrator will be responsible for configuring a twenty (20) minute inactivity time-out on all VPN connections.
- Downloading ePHI to unprotected non-clinic devices is prohibited. The system administrator will configure mechanisms that prevent remote hosts from downloading such information.
- Users transmitting data outside of SHCP systems are required to encrypt the data using SSL certificates and digital signatures. All physical storage media must be encrypted using proven industry standard algorithms. The ISO is responsible for approving all SSL certificates. The system administrator is responsible for the creation, configuration, and tracking of SSL certificates.
- The ISO is responsible for overseeing and monitoring security and remote access user training. Department heads are responsible for ensuring employee compliance.
- The system administrator will install, update, and monitor anti-malware software on all SHCP computers and servers. The ISO will regularly audit patch and update policy compliance, and review scan logs monthly.
- The system administrator will review IDS/IDPS scan logs daily. The ISO will audit system logs monthly.
6.0 Guidelines
In the course of business it is inevitable that situations will arise that policy does not specifically address. Guidelines for these issues are as follows:
- Unforeseen security events or conflicts in procedures are to be referred to the ISO for guidance. In the event that the ISO is unavailable, the system administrator fulfills ISO duties.
7.0 Policy Enforcement and Violations
Violations of this policy will be addressed in accordance with relevant SHCP information security and human resource policies. The appropriate level of disciplinary action will be determined on a case-by-case basis by the appropriate executive or designee, with sanctions up to and including termination depending upon the severity of the offense. The ISO is responsible for the official interpretation of this policy. Questions regarding the application of this policy should be directed to the SHCP Information Technology department.