HS 9453-D Remote Access - Office of Compliance Services - UCLA ...

More documents

Recommendations

Info

Remote Access PolicyHS 9453-Dinformation and health insurance information for patients are also considered to be PHI.“Restricted Information” (as defined by UC Policy IS-3, Electronic InformationSecurity) describes any confidential or Personal Information that is protected by law orpolicy and that requires the highest level of access control and security protection,whether in storage or in transit. This includes Personal Information, PHI and ePHI asdefined in this section but could also include other types of information such as researchdata.“Authorized Personnel” means the designated IT support person or group for an area.For hospital areas, this would be Medical Information Technology Services (MITS); fordepartments within the David Geffen School of Medicine at UCLA (“School ofMedicine”), it would be the departmental Computer Support Coordinator (CSC); forareas supported by the School of Medicine IT Services (SOMITS), it would be SOMITS.“Device” refers to a networked device (e.g., PC, server, medical equipment).“MedNet” is the data network connecting the UCLA Medical Centers, the School ofMedicine and the UCLA Community Physician Network.“Virtual Private Network” or “VPN” is a method to allow secure remote access acrossthe Internet by using encryption and other security mechanisms to ensure that onlyauthorized users can access the network and that data cannot be intercepted.“Workforce” means employees, volunteers, and other persons whose conduct, in theperformance of their work for UCLA Health, is under the direct control of UCLA Healthor the Regents of the University of California, whether or not UCLA Health pays them.The Workforce includes employees, medical staff, and other health care professionals,agency, temporary and registry personnel, and trainees, housestaff, students andinterns, regardless of whether they are UCLA trainees or rotating through UCLA Healthfacilities from another institution.POLICYI. All remote access into UCLA Health networks across the Internet must useapproved VPN technology, and the remote access must be approved in advanceby the Department Authorizer.II.Devices that will be used for remote access that are not UCLA Health ownedequipment must be configured to comply with the provisions of this policy.2 of 5 UCLA HealthCompliance Policies and ProceduresPrivacy and Information Security Policies
Remote Access PolicyHS 9453-DPROCEDUREI. Remote Use of UCLA Health Electronic Information ResourcesAll of the following requirements apply when connecting into MedNet from anexternal device:A. The only permitted remote access into MedNet is that which is directedthrough the MedNet VPN Concentrator, the MedNet SSL VPN client or theMedNet reverse proxy.i. Only approved Mednet VPN software may be used.ii. Only approved Mednet VPN devices may be used and they mustbe installed by Authorized Personnel (for example, firewall/vpnboxes for remote locations).B. Individual VPN users must be authorized for VPN access by their homedepartments and must be registered. Possession of a VPN configurationfile (.PCF) does not confer authorization or permission for VPN access.Generic accounts (such as those assigned for classroom calendars) maynot be used for VPN access.C. Business-to-Business VPN connections from external third parties mustbe approved by the business owner of the application requiring remoteaccess and must comply with the MITS Business-to-Business VPN policy.D. Remote access users are responsible for selecting an Internet ServiceProvider (ISP), coordinating installation, installing any required software,and paying any associated fees.E. It is the responsibility of individuals with these privileges to ensure thatunauthorized users are not allowed access to MedNet. This includesensuring that:i. At no time should any UCLA Health computer account user providehis/her login password to anyone, including family members.ii. Users may not redistribute any VPN configuration files (.PCFs) thathave been entrusted to them.F. VPN Access and Use.i. VPN users will be automatically disconnected from MedNet after 2hours of inactivity. The user must then logon again to reconnect tothe network. Pings or other artificial network processes are not tobe used to keep the connection open.3 of 5 UCLA HealthCompliance Policies and ProceduresPrivacy and Information Security Policies
Page 1: Remote Access PolicyHS 9453-DREMOTE
Page 5: Remote Access PolicyHS 9453-DREFERE

HS 9453-D Remote Access - Office of Compliance Services - UCLA ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?