Overview
Remote Access Domain Risks & Threats, with the Risk Mitigation Tactic / Solution for each:

Brute force user ID and password attacks
- Increase the password complexity requirement
- Put attempt capping on login

Multiple login retries and access control attacks
- Restrict the number of login attempts

Unauthorized remote access to IT systems, applications, and data
- Set up an IAM system for the company
- Set up permission levels for the system
- Monitor access logging full time

Privacy data or confidential data is compromised remotely
- Apply encryption on data
- Ensure database safety by increasing security on the firewall

Data leakage in violation of existing Data Classification Standards
- Hire a third-party professional on Data Classification Standards for auditing and implementing better security

Mobile worker laptop is stolen
- Remove the UUID of the laptop from the system
- Trigger auto data purge on the laptop if available
- Install better data encryption on the drive

Mobile worker token or other lost or stolen authentication device
- Revoke the access token in the database
- Provide the worker with a new one
- Migrate the worker's personal data to the new one

Remote worker requires remote access to the medical patient online system through the public Internet
- Use a proxy server to direct the connection to the data center
- Use data encryption to make sure there is no data leakage

Users and employees are unaware of the risks and threats caused by the public Internet
- Host seminars on Internet security
- Publish a guideline on safety on the Internet
- Have employee safety training on using the Internet
Lab #6 - Assessment Worksheet
Elements of a Remote Access Domain Policy
Policy Statement
ABC Healthcare Provider is committed to managing the confidentiality, integrity,
and availability of their information technology (IT) networks, systems, and
applications (IT Systems). This includes establishing guidelines for Remote Access
to the Organization's critical information assets maintained within the IT Systems.
Remote User responsibilities are described below:
- Remote Users must ensure that their Remote Hosts used to access IT Resources
meet all security expectations specified in the End User Security Guidelines prior
to accessing any IT Resources.
- It is the responsibility of Remote Users to take reasonable precautions to ensure
their remote access connections are secured from interception, eavesdropping,
or misuse.
- All Remote Users are responsible for following applicable policy, including all
Handling Requirements, when handling any data remotely accessed within the
course of the Remote User's job function. Policies to follow and actions to
perform include, but are not limited to, the following:
- All Remote Users are expected to only remotely access data in accordance with
IT policies.
- Do not save or store sensitive or restricted data on the Remote Host used to
access it.
Purpose/Objectives
The remote access policy is designed to prevent damage to the organizational
network or computer systems and to prevent compromise or loss of data.
Scope
This policy applies to all ABC Healthcare Provider employees, contractors, vendors
and agents with an ABC Healthcare Provider owned or personally owned
computer or workstation used to connect to the ABC Healthcare Provider
network. This policy applies to remote access connections used to do work on
behalf of ABC Healthcare Provider, including reading or sending email and viewing
intranet web resources. Remote access implementations that are covered by this
policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL,
VPN, SSH, and cable modems.
All Remote Users must follow the security requirements set forth in this standard
for any Remote Host accessing IT Resources prior to such access, as well as any
guidelines, procedures, or other requirements issued by their departmental IT
units and/or the owners of the IT Resource which are to be remotely accessed.
Procedures
This policy applies to every employee, contractor, consultant, temporary, and
other worker of ABC Healthcare Provider, including all personnel affiliated with
third parties. Remote Access to ABC Healthcare Provider IT Systems is a privilege
granted through the user provisioning process to exempt workforce members.
Users of Remote Access must have a submitted Remote Access Request form on
file with IT; users of Remote Access who access Meditech must also have a signed
Confidentiality Agreement on file. All remote access into ABC Healthcare Provider
networks across the Internet must use approved VPN technology, and the remote
access must be approved in advance by the Department Authorizer. Devices that
will be used for remote access that are not ABC Healthcare Provider owned
equipment must be configured to comply with the provisions of this policy.
+ Compliance Measurement:
The Infosec Team will verify compliance with this policy through various methods,
including but not limited to periodic walk-throughs, video monitoring, business tool
reports, internal and external audits, and inspection, and will provide feedback
to the policy owner and the appropriate business unit manager.
+ Exceptions:
Any exception to the policy must be approved by Remote Access Services and
the Infosec Team in advance.
+ Non-Compliance:
An employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
Guidelines
Any employee, contractor, or other third party found to have violated this policy
may be subject to disciplinary action, up to and including termination of
employment. Criminal charges could be brought if it is deemed that a
violation of this policy also violates any local, state or federal law. Users are
physicians with active privileges, business associates, vendors, and/or other
individuals as approved by ABC Healthcare Provider Leadership. Remote Access
privileges granted to Users will be restricted to the minimum necessary information
required to carry out job responsibilities, terms of business agreements, or as
further defined by ABC Healthcare Provider leadership.
2. Why does this mock healthcare organization need to define a Remote Access
Policy to properly implement remote access through the public Internet?
The mock XYZ Health care provider needs to define a remote access policy so that
it can use the public Internet to connect to the healthcare network while ensuring that only
authorized personnel are able to access the network.
4. One of the major prerequisites for this scenario was the requirement to
support nurses and healthcare professionals that are mobile and who visit
patients in their homes. Another requirement was for remote clinics to access a
shared patient medical records system via a web browser. Which type of secure
remote VPN solution is recommended for these two types of remote access?
They would use a Remote Access VPN to support the mobile nurses who visit
patients in their homes, and a site-to-site VPN for accessing medical records.
6. Why is it important to educate mobile workers and users about the risks, threats, and
vulnerabilities when conducting remote access through the public Internet?
Data breaches and packet sniffing are real risks, so it would be advisable for users to
apply best practices when remotely accessing the infrastructure online.
8. Which domain (not the Remote Access Domain) throughout the seven
domains of a typical IT infrastructure supports remote access connectivity for
users and mobile workers needing to connect to the organization’s IT
infrastructure?
10. A remote clinic has a requirement to upload ePHI data from the clinic to the
organization’s IT infrastructure on a daily basis in a batch-processing format.
How should this remote access requirement be handled within or outside of this
Remote Access Policy definition?
11. Why is a remote access policy definition a best practice for handling remote
employees and authorized users that require remote access from home or on
business trips?
A remote access policy is a best practice for handling remote employees and
authorized users because it gives users a secure and flexible way to access the
network from anywhere.
14. What security controls, monitoring, and logging should be enabled for
remote VPN access and users?
The security controls, monitoring and logging that should be enabled for remote VPN
access and users are multifactor authentication of users; for monitoring, an
account and computer audit policy; and for logging, event administrators will send
access requests or notifications.
15. Should an organization mention that they will be monitoring and logging
remote access use in the Remote Access Policy Definition?
Yes, an organization should mention that it will be monitoring and logging remote
access use in its remote access policy, so that the organization ensures
transparency and employees know the policy.