Remote Access Policy for Remote Workers & Medical Clinics
Policy Statement
It is the mission of Sunshine Health Care to provide a secure platform for remote access that ensures the reliability, accessibility and confidentiality of our clinic's data assets and those of all stakeholders connected to our information infrastructure.
Purpose/Objectives
The purpose and objective of this policy is to establish a baseline of security requirements for any authorized user who wishes to access Sunshine Healthcare information systems remotely. These requirements are meant to ensure compliance and minimize the exposure of Sunshine Healthcare patient data to a potential breach by an unauthorized user. Such breaches can result in the loss of patient or employee information to an unauthorized user through the remote access connection. Definitions used in this policy include:
§ Virtual Private Network (VPN): a technology that allows secure remote access to a private network, between private networks, or from a public network to a private network.
§ Secure Sockets Layer (SSL): provides an encrypted link between a browser and a web server.
§ Intrusion Detection System and Intrusion Prevention System (IDS/IPS)
§ Health Insurance Portability and Accountability Act (HIPAA)
§ Electronic Private Health Information (ePHI)
Scope
This policy covers all Sunshine Healthcare employees and anyone else who seeks to connect to non-public areas of the clinic's network. It covers all Sunshine Healthcare information infrastructure: users, workstations, the Local Area Network (LAN), the Wide Area Network (WAN), LAN-to-WAN links, the Remote Access VPN infrastructure, firewalls, IDS/IPS, and hardware.
Standards
The Sunshine Healthcare security policy is designed using the framework set by HIPAA, which defines the control baseline for data security required to comply with its standards. These standards are strict requirements that must be followed, and they establish a baseline of physical and administrative controls over the information assets of Sunshine Healthcare. The Sunshine Healthcare Remote Access Policy is designed to comply with the following HIPAA standards:
§ All Sunshine Healthcare computers using or storing ePHI must have anti-malware installed.
§ All inactive portals or VPN sessions must be set to time out.
§ Users must be prompted for two-factor authentication.
§ Remote access users must be trained on the Sunshine Healthcare Remote Access Policy.
§ Regular system scans and audits must be performed on workstations.
§ Downloading of ePHI to the remote host must be restricted.
§ Remote users must not be allowed to escalate privileges.
§ An Intrusion Detection System/Intrusion Prevention System (IDS/IPS) must be in use.
§ All ePHI must be encrypted in transit and at rest on all workstations (host and remote users) using the Secure Sockets Layer encryption standard.
Procedures
The Information Security Officer (ISO) is responsible for designing, implementing, and managing the requirements for remote access and all clinic security policies. The system administrator is mandated to create a unique account with a password for each remote user and to configure a 30-minute inactivity time-out on all VPN connections. Downloading ePHI to unprotected non-clinic workstations is prohibited. All data assets transmitted outside Sunshine Healthcare systems must be encrypted using the SSL certificates. The ISO is responsible for overseeing the auditing and security monitoring of remote access users. IDS/IPS scan logs must be reviewed daily by the system administrator, and the ISO must audit system logs monthly. The system administrator must install, update, and monitor all security systems on all Sunshine Healthcare systems.
Guidelines
In the event of unforeseen events during daily business operations, any security incident should be referred to the ISO for guidance. If or when the ISO is unavailable, the system administrator must fulfill these responsibilities as spelled out in this policy document.