Children's Health System Remote User Policy
July 28, 2008

Reason for this Policy

This policy defines standards for connecting to the Children's Health System (CHS) network from any remote host. These standards are designed to minimize the potential exposure to CHS from damages which may result from unauthorized use of CHS resources. Damages include the loss of Sensitive or Restricted Data, including Protected Healthcare Information (PHI); loss of intellectual property; damage to public image; or damage to critical internal systems.

Statement of Policy

Scope: This policy applies to all Remote Users of CHS IT Resources, including staff, physicians, residents, outside contractors, vendors, and other agents with a CHS-owned or personally-owned computer used to connect to the CHS network. This policy applies to remote access connections used to do work on behalf of CHS, including but not limited to connecting to CHS resources, reading or sending e-mail, and viewing intranet Web resources. All remote access implementations at CHS are covered by this policy, including dial-in modems, frame relay, ISDN, DSL, VPN, SSH, cable modems, Citrix Access Gateway, and hardware or services provided by third parties.

General

1. It is the responsibility of Remote Users to ensure that all possible measures have been taken to secure the remote machine. This includes hardware and software firewalls and anti-virus software, as well as having the most recent operating system and application patches applied. A Remote User's computer system must be at least as secure as its on-site counterpart.
2. Remote Users must comply with federal, state, and local law and all CHS policies.
3. All Remote User activity during a remote session is subject to CHS policies and may be monitored and logged for compliance.

Requirements

1. Secure remote access must be strictly controlled. Access to CHS IT Resources will be controlled via either a Cisco VPN Client utilizing a SecurID user account and password, Dial-Up Networking also utilizing a SecurID user account and password, or the Citrix Access Gateway utilizing a user ID and password.
2. All Remote Users working with Sensitive or Restricted Data must use CHS VPN services or the Citrix Access Gateway.
3. At no time will a Remote User provide their password to anyone, including family members. CHS employees will never ask for a Remote User's password.
4. Remote Users must ensure that their CHS-owned or personal computer or workstation, while remotely connected to the CHS network, is not connected to any other network at the same time, other than a Private Network under the user's control.
5. All hosts that are connected to the CHS network must use up-to-date anti-virus software, keep virus definitions up to date, and run regular scans.
6. Remote Users must ensure that systems used to connect to the CHS network have the most recent operating system and application patches applied.
7. When connecting to the CHS network with wireless connections on personal networks, the wireless connections must be encrypted using WEP or other acceptable secure technology. If connecting through a router that has a wireless transmitter, whether connected through the wired or the wireless ports, the transmitter must be configured in an encrypted mode or it must be turned off.
8. Users must ensure proper physical security precautions are taken when connecting to the CHS network from remote locations. For example:
   1. Machines should not be left unattended while connected or logged into the CHS network.
   2. In public environments, users should take precautions to prevent unwanted viewing of computer screens by unauthorized persons.

Risks

Connecting to the CHS network from an external source opens up the CHS network to any vulnerability that computer may have. If the remote user has viruses, Trojans, or worms running on their computer, those same vulnerabilities can be transferred to the CHS network when they connect remotely. Since we will be logging Remote User connectivity, those vulnerabilities will be traced back to their originator.

Compliance

Anyone found to have violated this policy is subject to disciplinary action, up to and including termination.

Approval (Please Initial the Risk Section above and then Sign and Date)

Requestor print
Date
Requestor signature
Supervisor Approval
Director Approval

Definitions

Cable Modem: Cable companies such as Charter provide Internet access over Cable TV coaxial cable. A cable modem accepts this coaxial cable and can receive data from the Internet at over 3 Mbps. Cable is currently available only in certain communities.

Dial-in Modem: The dial-in modem is a peripheral device that connects computers to each other for sending communications via the telephone lines. The modem modulates the digital data of computers into analog signals to send over the telephone lines, then demodulates them back into digital signals to be read by the computer on the other end; thus the name "modem" for modulator/demodulator.

DSL: Digital Subscriber Line (DSL) is a form of high-speed Internet access competing with cable modems. DSL works over standard phone lines and supports data speeds of over 3 Mbps downstream (to the user) and slower speeds upstream (to the Internet).

ISDN: There are two flavors of Integrated Services Digital Network (ISDN): BRI and PRI. BRI is used for home office/remote access. BRI has two "Bearer" channels at 64 kbit/s (aggregate 128 kbit/s) and one D channel for signaling information.

LEAP: Lightweight Extensible Authentication Protocol is a challenge/response protocol that authenticates the user and, if authenticated, grants network access.

Remote Access: Remote Access is any access to the CHS corporate network through a network, device, or medium not controlled by CHS.

SSH: Secure Shell is a cryptographically strong replacement for login, telnet, ftp, and other programs that protects against spoofing, man-in-the-middle attacks, and packet sniffing.

SSL: Secure Sockets Layer is a protocol that transmits your communications over the Internet in an encrypted form. SSL ensures that the information is sent, unchanged, only to the server you intended to send it to. Online shopping sites frequently use SSL technology to safeguard your credit card information.

VPN: Virtual Private Network is a way to communicate securely through a dedicated server to a corporate network over the Internet.

WEP: Wired Equivalent Privacy is a security protocol for wireless local area networks (WLANs). WEP is designed to provide the same level of security as that of a wired LAN.

Wi-Fi: Short for "wireless fidelity"; another name for IEEE 802.11a/b/g wireless technology.

Citrix Access Gateway: Provides access to applications deployed via Citrix to users utilizing a standard web browser.