Unit 2 Assignment 2: Procedure Guide on Access Control
I. Access Control Procedure
a. If a system does not support the minimum structure and complexity as detailed in the aforementioned guidelines, one of the following procedures must be implemented:
i. The password assigned must be adequately complex to ensure that it is not easily guessed, and the complexity of the chosen alternative must be defined and documented.
ii. The legacy system must be upgraded to support the requirements of this paragraph as soon as administratively possible.
iii. All EPHI must be removed and relocated to a system that supports the foregoing security password structure.
iv. Users or workforce members must not allow another user or workforce member to…
This implementation of secure remote access extends the secure network to the remote user using a secure PSTN (Public Switched Telephone Network) connection.
iii. Authentication and encryption mechanisms are required for all remote access sessions to networks containing EPHI via an ISP (Internet service provider). Mechanisms utilized or planned within RO include: VPN clients, authenticated SSL web sessions, secure shell and secured Citrix client access.
c. The following security measures must be implemented for any remote access connection into a secure network containing EPHI:
i. Use of technology to bypass authorized remote access mechanisms (e.g. VPN) is strictly prohibited. For example, use of remote control software and applications such as pcAnywhere or GoToMyPC.com to bypass VPN or Citrix access mechanisms is not permitted.
ii. Remote access systems must employ a mechanism to “clear out” cache and other session information upon termination of session.
iii. Remote access workstations must employ a virus detection and protection mechanism. (See HIPAA Security Policy # 11 – Server, Desktop, and Wireless Computer System Security.)
iv. Users of remote workstations must comply with HIPAA Security Policy # 10 – Workstation Use.
v. VPN split-tunneling is not permitted for connections originating from outside the WU network (WUCON or .wustl.edu) or from an insecure network within the Washington University domain.
vi. All encryption mechanisms