HS 9453-D Remote Access - Office of Compliance Services - UCLA

Remote Access Policy
HS 9453-D
UCLA Health Compliance Policies and Procedures
Privacy and Information Security Policies

REMOTE ACCESS

PURPOSE

The purpose of this policy is to set forth the procedures for obtaining remote access into the networks of the UCLA Health System and David Geffen School of Medicine at UCLA (hereafter referred to as “UCLA Health”).

DEFINITIONS

“Protected health information” or “PHI” is any individually identifiable health information, in any format, including verbal communications, regarding a patient created as a consequence of the provision of health care. “Individually identifiable” means that the health or medical information includes or contains any element of personal identifying information sufficient to allow identification of the individual, such as the patient’s name, address, electronic mail address, telephone number, or social security number, or other information that, alone or in combination with other publicly available information, reveals the individual’s identity. PHI includes patient billing and health insurance information and applies to a patient’s past, current or future physical or mental health or treatment.

“Electronic Protected Health Information” or “ePHI” is PHI that is transmitted by electronic media or is maintained in electronic media. For example, ePHI includes all data that may be transmitted over the Internet, or stored on a computer, a CD, a disk, magnetic tape or other media.

“Personal Information (PI)” as used in this policy is an individual’s first name or first initial and last name combined with any one of the following:
(1) social security number,
(2) driver’s license number or California identification card number,
(3) account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account,
(4) medical information, or
(5) health insurance information.

“Medical information” means any information, in either electronic or physical form, regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, and which may be in the possession of or derived from a health care provider, health care service plan, pharmaceutical company or contractor. “Health insurance information” means an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records. Medical information and health insurance information for patients are also considered to be PHI.

“Restricted Information” (as defined by UC Policy IS-3, Electronic Information Security) describes any confidential or Personal Information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. This includes Personal Information, PHI and ePHI as defined in this section but could also include other types of information such as research data.

“Authorized Personnel” means the designated IT support person or group for an area. For hospital areas, this would be Medical Information Technology Services (MITS); for departments within the David Geffen School of Medicine at UCLA (“School of Medicine”), it would be the departmental Computer Support Coordinator (CSC); for areas supported by the School of Medicine IT Services (SOMITS), it would be SOMITS.

“Device” refers to a networked device (e.g., PC, server, medical equipment).

“MedNet” is the data network connecting the UCLA Medical Centers, the School of Medicine and the UCLA Community Physician Network.

“Virtual Private Network” or “VPN” is a method to allow secure remote access across the Internet by using encryption and other security mechanisms to ensure that only authorized users can access the network and that data cannot be intercepted.

“Workforce” means employees, volunteers, and other persons whose conduct, in the performance of their work for UCLA Health, is under the direct control of UCLA Health or the Regents of the University of California, whether or not UCLA Health pays them. The Workforce includes employees, medical staff, and other health care professionals, agency, temporary and registry personnel, and trainees, housestaff, students and interns, regardless of whether they are UCLA trainees or rotating through UCLA Health facilities from another institution.

POLICY

I. All remote access into UCLA Health networks across the Internet must use approved VPN technology, and the remote access must be approved in advance by the Department Authorizer.

II. Devices that will be used for remote access that are not UCLA Health owned equipment must be configured to comply with the provisions of this policy.

PROCEDURE

I. Remote Use of UCLA Health Electronic Information Resources

All of the following requirements apply when connecting into MedNet from an external device:

A. The only permitted remote access into MedNet is that which is directed through the MedNet VPN Concentrator, the MedNet SSL VPN client or the MedNet reverse proxy.
i. Only approved MedNet VPN software may be used.
ii. Only approved MedNet VPN devices may be used and they must be installed by Authorized Personnel (for example, firewall/VPN boxes for remote locations).

B. Individual VPN users must be authorized for VPN access by their home departments and must be registered. Possession of a VPN configuration file (.PCF) does not confer authorization or permission for VPN access. Generic accounts (such as those assigned for classroom calendars) may not be used for VPN access.

C. Business-to-Business VPN connections from external third parties must be approved by the business owner of the application requiring remote access and must comply with the MITS Business-to-Business VPN policy.

D. Remote access users are responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying any associated fees.

E. It is the responsibility of individuals with these privileges to ensure that unauthorized users are not allowed access to MedNet. This includes ensuring that:
i. At no time should any UCLA Health computer account user provide his/her login password to anyone, including family members.
ii. Users may not redistribute any VPN configuration files (.PCFs) that have been entrusted to them.

F. VPN Access and Use.
i. VPN users will be automatically disconnected from MedNet after 2 hours of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
ii. The maximum VPN concentrator session length is 15 hours.
iii. No Device connected to MedNet via VPN is allowed to serve as a proxy to forward traffic from other devices.
iv. When using VPN technology with personal equipment, users must understand that they must comply with all UCLA and UCLA Health policies applicable to devices connected to UCLA networks. Requirements include, but are not limited to:
a. Operating systems must be kept up to date on patches.
b. Anti-virus software must be running and the virus definitions kept up to date.
c. If there is a native host-based firewall, it must be enabled.
d. Restricted Information must be encrypted.

For more information, see the following policies:
HS Policy No. 9421, “Workforce Access to and use of PHI (Minimum Necessary)”
HS Policy No. 9451, “Use of Electronic Information”
HS Policy No. 9453-C, “Storage of Restricted Information on Mobile Devices and Removable Media”
HS Policy No. 9457, “Minimum Standards for Network Devices”
UCLA Policy No. 401, “Minimum Standards for Network Devices”
UCLA Policy No. 404, “Protection of Electronically Stored Personal Information”

II. Enforcement

Failure to follow any provisions of this policy may result in disciplinary action, up to and including termination.

III. Questions

Workforce members should consult their IT support group or the Information Security Office (InfoSecAll@mednet.ucla.edu) if they have any questions on this policy.

IV. Exceptions to Policy

Any exceptions to these policies must be for a valid patient care or business reason and must be approved by the Information Security Officer working in consultation with the appropriate IT groups prior to any remote access.

REFERENCES

Health Insurance Portability and Accountability Act, 45 CFR 160-164
California Medical Information Act, California Civil Code Section 56 et seq.
Information Practices Act of 1977, California Civil Code Sections 1798.29 and 1798.82
California Health and Safety Code Sections 1280.15 and 130203
University of California Business and Finance Bulletin IS-3, Electronic Information Security
University of California Electronic Communications Policy (ECP)

CONTACT

Chief Privacy Officer, Compliance Office
Chief Information Security Officer, Compliance Office

REVISION HISTORY

Approved: February 22, 2006
Effective Date: April 20, 2005
Revised Date: November 2005; June 21, 2007; May 30, 2008; March 31, 2011

APPROVAL

Health Sciences Enterprise Compliance Oversight Board
Approved 12/11/2010

David Feinberg, MD
CEO and Associate Vice Chancellor
UCLA Hospital System

Randolph Steadman, MD
Chief of Staff
Ronald Reagan UCLA Medical Center

Denise Sur, MD
Chief of Staff
Santa Monica-UCLA Medical Center and Orthopaedic Hospital

James J. McGough, MD
Chief of Staff
Resnick Neuropsychiatric Hospital at UCLA
