Subject: Remote Access Procedure
Mgmt. Review: Completed
Effective: 1/1/03
Supersedes: Previous Policy
Prepared By: Eran Marom
Approved By: Eran Marom
Approved Date:

General Policy:

The internal computer systems, networks and data repositories of the Stellaris Health Network and its affiliated hospitals are critical resources and must be protected against unauthorized access, malicious access, and disruption of service. Authorized users may be permitted to connect remotely to those systems, networks and data repositories for the conduct of related business only through secure, authenticated and centrally managed access methods.

  1. Remote access accounts will be issued only to individuals. No generic or company accounts are allowed.

  2. Access will be permitted only through a centrally managed virtual private network (VPN) or through the dial-up modem bank, both of which provide encryption and secure authentication.

  3. Access may be revoked at any time for reasons including non-compliance with security policies or negative impact on overall network performance attributable to remote connections.

  4. Remote access privileges will be reviewed and audited on a routine basis.

  5. Systems will be available for off-site remote access only after an explicit request is made and approved by the Hospital IT Steering Committee responsible for the target system and by the Security Officer of the Stellaris IT Department. (See approval procedures.)

  6. All users who require remote access privileges are responsible for the activity performed with their personal user-IDs.

  7. User-IDs must never be shared with associates, friends, family members, or others. User-IDs may not be utilized by anyone but the individuals to whom they have been issued. Similarly, users are forbidden from performing any activity with user-IDs belonging to other individuals.

  8. Only approved computer setups are allowed remote connectivity. (See Approved Computer Setups.)

  9. Each hospital is given a finite number of remote access slots. No additional requests will be approved once these slots are exhausted. (A site to site VPN setup takes two slots.)

  10. All user-IDs issued to an outside entity will be suspended once the agreement with that entity is terminated.

Approved Computer Setups:

  1. A Stellaris laptop computer with virus and intrusion protection supported by the Stellaris IT Department.

  2. A Stellaris desktop computer with virus and intrusion protection set up and locked down by the Stellaris IT Department and taken offsite.

  3. A third party computer or network of computers within another company whose IT security policies adhere to industry practices and HIPAA regulations.

Required Client Security:

  1. Internet Firewall

  2. Virus Protection

  3. A time-out system to terminate all sessions that have had no activity for a period of 30 minutes.

  4. An absolute time-out will occur after 24 hours of continuous connection and will require reconnection and authentication to re-enter the network.

  5. The Stellaris computer systems will terminate the connection or lock out the user-ID after three unsuccessful attempts to log in.
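The three session controls above (30-minute idle time-out, 24-hour absolute time-out, lockout after three failed log-ins) are the kind of thing a gateway should enforce server-side rather than trust the client to honour. The following is an added example, not part of this policy document and not Stellaris' own software: a constructed, minimal gateway model in Python that applies exactly those three rules, with the clock passed in explicitly so the behaviour can be checked deterministically. The user-IDs, passwords and timestamps are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set

# Policy parameters from the Required Client Security list.
IDLE_TIMEOUT = timedelta(minutes=30)      # rule 3: no activity for 30 minutes
ABSOLUTE_TIMEOUT = timedelta(hours=24)    # rule 4: 24 hours of continuous connection
MAX_FAILED_LOGINS = 3                     # rule 5: three unsuccessful log-in attempts


@dataclass
class Session:
    user_id: str
    started_at: datetime
    last_activity: datetime

    def expiry_reason(self, now: datetime) -> Optional[str]:
        """Return why the session must end, or None if it is still valid.

        The absolute limit is checked first: a session that has been up for
        24 hours is torn down even if the user is active at that moment.
        """
        if now - self.started_at >= ABSOLUTE_TIMEOUT:
            return "absolute-timeout"
        if now - self.last_activity >= IDLE_TIMEOUT:
            return "idle-timeout"
        return None


class RemoteAccessGateway:
    """Hypothetical gateway (constructed for this example) enforcing the policy's
    lockout and time-out rules. Credentials are held in plaintext here purely to
    keep the example short; a real gateway would verify against a hashed store."""

    def __init__(self, credentials: Dict[str, str]):
        self._credentials = credentials          # user-ID -> password (sample data)
        self._failed_attempts: Dict[str, int] = {}
        self._locked: Set[str] = set()
        self.sessions: Dict[str, Session] = {}

    def login(self, user_id: str, password: str, now: datetime) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if user_id in self._locked:
            return "locked"
        stored = self._credentials.get(user_id)
        # Constant-time comparison; unknown user-IDs fail the same way as bad passwords.
        if stored is None or not hmac.compare_digest(stored, password):
            count = self._failed_attempts.get(user_id, 0) + 1
            self._failed_attempts[user_id] = count
            if count >= MAX_FAILED_LOGINS:
                self._locked.add(user_id)         # rule 5: lock after the third failure
                return "locked"
            return "denied"
        self._failed_attempts.pop(user_id, None)  # successful log-in resets the counter
        self.sessions[user_id] = Session(user_id, started_at=now, last_activity=now)
        return "ok"

    def activity(self, user_id: str, now: datetime) -> str:
        """Record activity on an open session; return 'ok', 'no-session', or the
        time-out reason when the session has expired (the session is then removed
        and the user must reconnect and authenticate again, per rule 4)."""
        session = self.sessions.get(user_id)
        if session is None:
            return "no-session"
        reason = session.expiry_reason(now)
        if reason is not None:
            del self.sessions[user_id]
            return reason
        session.last_activity = now
        return "ok"


if __name__ == "__main__":
    gw = RemoteAccessGateway({"jdoe": "s3cret"})   # constructed sample credential
    t0 = datetime(2003, 1, 1, 9, 0)
    print(gw.login("jdoe", "s3cret", t0))                              # ok
    print(gw.activity("jdoe", t0 + timedelta(minutes=45)))             # idle-timeout
```

The lockout state is deliberately kept separate from the failure counter so that an administrator unlock (not modelled here) can be audited as its own event, in line with the policy's requirement that remote access privileges be reviewed routinely.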

User Rules:

All users remotely accessing the Stellaris Network resources must adhere to the following rules, regardless of what access method they are using:

  • Log-off when not using the network and terminate the connection.
  • Safeguard your password and do not have it supplied automatically by a login script.
  • Use Stellaris resources for authorized purposes only.
  • Do not allow others (such as family members) to use the computer and protect against any other unauthorized use; the employee is ultimately responsible for its use and what is accessed.
  • Alteration of the configuration on the Stellaris equipment is not allowed unless authorized by IT personnel.
  • Up-to-date and properly configured virus protection software must be installed by Stellaris IT.
  • Information transmitted to and from the computer will be encrypted when connecting through the Stellaris VPN.

Procedure:

  1. The remote access user will submit a Request for Remote Access to the Support Desk. The form must be signed by the chairperson of the controlling IT Steering Committee.

  2. If the remote user is an employee of one of the Stellaris hospitals, he or she must sign the attached Confidentiality Agreement Form. If the remote user is a Physician, he or she will sign a Physician Confidentiality Agreement. If the remote user is a Vendor, he or she will sign a Service Provider Confidentiality Agreement.

  3. The support desk will check that:

    • All the appropriate forms were submitted.

    • The requesting institution has an open slot.

    • The request form has been signed by the appropriate ITSC Chair.

  4. If all checks are passed, the support desk will open a service ticket assigning it to the Stellaris Security Officer. Otherwise, the request will be returned to the requesting user with the reason for the rejection clearly noted.

  5. The Stellaris Security Officer will verify that the appropriate forms have been signed and that the requesting user's computer has the appropriate virus and intrusion protection. He or she will then approve the form and transfer the information and the ticket to the Network Support Group.

  6. The network technician who picks up the ticket creates a remote access account and tests the access.

  7. If the client PC is a Stellaris supported device, the tech must set up the client on that PC. Otherwise, he must send the requesting user instructions on how to download and set up the remote access client.

  8. The network technician then sends the requesting user the user-ID and password and closes the ticket.