Remote Access Policy for Remote Workers & Medical Clinics

Policy Statement

Any personnel who access the ABC Healthcare network from offsite need to be properly authenticated. There is a possibility that remote users will be on unsecured networks. Protected Health Information needs to be available to remote personnel, remain inaccessible to any unauthorized persons, and must meet HIPAA requirements.

Purpose

The purpose of this policy is to improve the security of remote employee connections to the organization’s network.  

Objectives

• Devices using remote access must use the organization’s VPN
• Devices using remote access must be equipped  with up-to-date malware and virus protection software
• Malware and antivirus software must be configured to scan devices regularly
• Any mobile device not provided by the organization must be approved by the Information Security Team.
• Credentials used to login to company devices and resources must be protected by their respective users.

Scope

This policy applies to all ABC Healthcare employees, vendors, contractors, and others working for or with ABC Healthcare needing remote access to the organization’s network. This policy applies to both devices owned and distributed by ABC Healthcare as well as to personal devices.  This policy also extends to any methods for remote access software used to connect to the network. This policy applies to any users and devices within the Remote Access Domain.

Standards

This section lists standards that can be referenced for methods of configuring and implementing technologies to improve the security of Protected Health Information. Standards pertaining to ABC Healthcare’s network security and remote access security are also included here. HIPAA standards and regulations for PHI can and should be referenced here:

https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html

• Encryption Methods and Tools Policy
• Acceptable Use Policy
• Password Policy
• VPN Configuration and Use Policy

Procedures

Security awareness training will be held via video conference for all remote employees semiannually with extra training sessions held as needed. For onsite employees these training sessions will be held in person. This policy and the aforementioned training will be implemented in a hierarchical model beginning at the executive level. This rollout will be applied to ABC Healthcare’s domain in a similar manner. Administrators will implement the policy using Configuration Management software a few locations/departments at a time to ensure compliance and to address any potential configuration issues.

Guidelines

The cybersecurity landscape is constantly changing. Due to this, ongoing security training should be conducted on an as needed basis to address any changes in organizational and industry standards. Implementing the policy and standards at the user policy/configuration level has the potential to cause issues in the domain. For this reason any updates to domain policies or software should be tested on an isolated machine before being applied to a department or location.