@Paul Blank:
While I understand your desire to have the ability for users, especially in offices, to NOT have to do double authentication, the HITECH portion of HIPAA now mandates that EVERY logout, whether elective or enforced for time-out reasons, must use the full authentication protocol for every login.
If the user has elected to lock their workstation, then a standard login can be used - with the second factor, to unlock the device.
However, if an EHR, or another program like SmarterMail, running under a locked screen on a user's computer or web-enabled device, has auto-logged the user out because of a time-out, this is a separate action from the computer, workstation, or terminal device, and is not covered under the security policy established for the overall network login.
Additionally, for all HITECH covered properties under HIPAA, we must now keep LOGS of all actions performed:
- the logs must be kept in a SEARCHABLE, READ-ONLY format, accessible by only those named in HIPAA/HITECH/NETWORK document management policy and then ONLY by those persons who are either authorized employees, or outsourced employees who have a current, annually renewable, letter of agency on file - individually signed. (As of March, 2014, every employee for every agency, colocation hosting group, support group, etc., must have an individually signed letter, whether they have access to the actual customer data or not. If they are an employee, then they must sign a letter of agency with their employer, and a copy of that letter must be on file with the customer whose network they may have the potential to work on, whether remotely or on-site.)
- who logged in, at what device, using what username, on what date, and at what time, including minute and second. We must also know what programs or documents, covered under HIPAA they looked at (even if they just opened and closed them); if they modified them; if they printed them; if they converted them to a PDF; and if they e-mailed or shared them - via any other manner, and to WHOM they were shared. If they were printed, we must log what printer was used. Those logs must also include the DATE and TIME.
- when accessing data within any EHR (electronic healthcare record) system, the logged-in individual's action must also record, within the EHR system, the following data:
  - the username, login, and IP address(es), along with the date and time, of the workstation from which they are logged in;
  - the FQDN, from ACTIVE DIRECTORY, of the network to which they are attached; the username, date and time of the login to the EHR software; a complete record of every screen accessed by the user who is logged into the EHR system, while within the EHR system;
  - the patient record number/name of every patient looked up within the EHR system, while logged in;
  - what patient record screens are looked at; what data is accessed, modified, changed, or otherwise accessed, along with date and timestamps;
  - a record of any data added, changed, modified, exported (including file name and path), with date and time;
  - a log of any data e-mailed to a co-worker, another medical facility, doctor, hospital, patient, etc., including date and timestamp, along with the SMTP server used, a record of the software type, whether built into the EHR system or via an external SMTP service or program;
  - and a record of the date and time of the logout from the EHR system.
- in the case of SmarterMail, we must require extremely strong passwords, setting a minimum length of 12 characters. We require upper and lower case letters, numbers, and special characters. We do not allow the inclusion of any portion of the username, or the domain name, and are taking advantage of the new "disallowed words" table to augment some of that information so the user can automatically change their passwords. NOTE: We have filed a letter of opinion to the forced password change table, presenting the fact that the use of a strong password, or passphrase, which is extremely secure, and easily remembered by the user, is much more secure than shorter passwords which must be changed every 30 to 45 days, and causing distress for both end-users and support desk personnel.
- We must archive all of the IIS logs, associated with any web, REMOTE DESKTOP EHR access, remote server maintenance access, SmarterMail web access.
- We must archive all POP, IMAP, SMTP, CALDAV/WEBDAV, and ActiveSync logs.
- All of the above referenced logs, whether network, EHR software, or SmarterMail, must be ARCHIVED for a period of 60 months.
- We have disabled all PLAIN TEXT logins, enabling TLS only security - enforcing TLS, point-to-point security through SmarterMail connections.
- If we receive a LEGAL or INSURANCE inquiry, we must STOP THE ARCHIVE CLOCK on all of the LOGS for the patient's medical records which were accessed by any of the following:
  - employees;
  - medical providers;
  - imaging department;
  - billing department;
  - IT support department;
  - any outside consulting group;
  - all management and accounting staff;
  - anyone within the general office staff, whether they have access to the EHR system or not;
  - anyone else who may have accessed the network, EHR, SmarterMail system, or any other portion of the data stored on the network.
- The STOPPED LOG CLOCK, initially based on the initial END DATE of the archive of all of the data: network, e-mail, EHR, document, or any other aspect of that data, must remain stopped and locked until there is an outstanding resolution on the inquiry received.
- In the case of a legal inquiry, this means that the STOPPED CLOCK remains frozen until all inquiries, court cases, discoveries, verdicts, settlements, agreements, or appeals, and associated appeals actions, have been completely settled, at which time the RETENTION CLOCK starts all over at ZERO, and the LOG records must be retained for another 60 months for all documents associated with the inquiry.
I only bring up this incredible detail because Paul Blank, myself, and several others, both within this post, and via other posts, have all related that e-mail, network, and other security, is not a simple issue.
The HITECH portion of HIPAA has, for the last 7 years (or more), mandated that IN SERVICE EDUCATION and TRAINING for NETWORK, EHR, E-MAIL, and general Web and Internet security be conducted at least once a year.
The HITECH portion of HIPAA has also mandated that an ACCEPTABLE USE POLICY, for Internet, Network E-Mail, and EHR, be developed, and regularly kept up to date. Prior to a couple of years ago, this was not required to be part of the IN SERVICE / EDUCATION program with the healthcare organization.
Prior to December, 2014, conducting regular IN SERVICES / EDUCATION was not always a normal procedure in most environments.
OCR, the Federal Agency which regularly conducts Meaningful Use audits, has now notified all healthcare agencies that they would be allowed to skate on security procedures or regular educational in services for all medical personnel, and would begin to take serious actions against any healthcare group, hospital or agency who was not in complete compliance.
They made a couple of examples, and have begun, in earnest, to become more aggressive, in their meaningful use and HITECH audits during the last few weeks.
If we are going to provide e-mail services, via SmarterMail, to any of those agencies, or groups, from the smallest Doctor's office or neighborhood not-for-profit healthcare group, to the largest hospital or research university, then we need to work with SmarterTools to ensure the preparedness of the SmarterTools family of products via shared communications and ideas.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net
Phone: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist
Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting
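The SmarterMail password rules the post lists (12-character minimum, all four character classes, no portion of the username or domain, a disallowed-words table), written out as a stand-alone checker. This is an added example, not SmarterMail's own code or the poster's: the disallowed-word list and the sample account are constructed, and treating any 4-character run copied from the username or domain as a "portion" is an assumption.

```python
import re

# Constructed values mirroring the policy the post describes (added example,
# not SmarterMail's own code or its configuration format).
MIN_LENGTH = 12
# Constructed stand-in for the SmarterMail "disallowed words" table.
DISALLOWED_WORDS = ("password", "smartermail", "welcome", "hipaa")
# Assumption: a "portion" of the username or domain is any run of 4+ characters.
MIN_PORTION = 4

# Character-class requirements: (violation code, regex that must match).
CLASS_RULES = (
    ("no_upper", re.compile(r"[A-Z]")),
    ("no_lower", re.compile(r"[a-z]")),
    ("no_digit", re.compile(r"[0-9]")),
    ("no_special", re.compile(r"[^A-Za-z0-9]")),
)


def portions(text, size=MIN_PORTION):
    """All lower-cased substrings of `text` that are exactly `size` long.

    Checking every fixed-size window also catches any longer shared run,
    because a longer run necessarily contains a window of this size.
    """
    text = text.lower()
    return {text[i:i + size] for i in range(len(text) - size + 1)}


def check_password(password, username, domain, disallowed=DISALLOWED_WORDS):
    """Return the list of violation codes; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    for code, pattern in CLASS_RULES:
        if not pattern.search(password):
            violations.append(code)
    lowered = password.lower()
    # Reject any 4+ character run copied from the login name or mail domain.
    if any(p in lowered for p in portions(username)):
        violations.append("contains_username")
    if any(p in lowered for p in portions(domain)):
        violations.append("contains_domain")
    # Disallowed words match case-insensitively anywhere in the password.
    if any(word.lower() in lowered for word in disallowed):
        violations.append("disallowed_word")
    return violations


if __name__ == "__main__":
    # Constructed sample account; prints the violations for a few candidates.
    for candidate in ("Tr0ub4dor&3xyz!", "jdoe2024!Xyz", "Password12345!"):
        print(candidate, "->", check_password(candidate, "jdoe", "example-clinic.org") or "ok")
```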