Overview

Automatic logoff occurs after a defined period of inactivity on institutional computer systems that contain patient information, where the system supports it. In addition, users must log off all systems after completing their work. Refer to Medical Center Policy No. 0163, Access to Electronic Medical Records and Institutional Computer Systems.

Purpose

To ensure the security and confidentiality of patient records and information.

Scope

This standard applies to individual workstations, shared workstations and clinical workstations.

Description

The Medical Center addresses automatic logoff with guidance from the HIPAA Security Rule Technical Safeguards, Access Control standard, implementation specification 45 CFR 164.312(a)(2)(iii) (Automatic Logoff, an addressable specification that calls for electronic procedures that terminate an electronic session after a predetermined time of inactivity). HHS guidance on this specification states: “Automatic logoff is an effective way to prevent unauthorized users from accessing EPHI on a workstation when it is left unattended for a period of time.”

Current inactivity intervals before automatic logoff are:

  • Epic: 28 minutes
  • Siemens Invision (A2K3): 30 minutes
  • PACS: 5 minutes
  • SunQuest: 6 minutes
  • MobileIron: 15 minutes

Individual Standard Workstations are set to go into a password-secured screen saver after 10 minutes of inactivity.

Shared Workstations when logged on with a non-generic User ID are set to automatically log off after 10 minutes of inactivity.

Clinical Workstations are set to go into a non-password-secured screen saver after 10 minutes of inactivity. Note that a non-password-secured screen saver only removes EPHI from the display; it does not terminate the session or prevent anyone at the workstation from resuming it, so these workstations depend on the physical safeguards described below.
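The following audit script is an added example and is not part of the Medical Center standard or of any vendor's tooling. It assumes the workstations are Windows machines whose screen saver is configured through the standard registry locations (the user setting under HKCU:\Control Panel\Desktop and the Group Policy override under HKCU:\Software\Policies\...); the function names are hypothetical. It checks the values that correspond to the 10-minute settings above: the screen saver must be active, its timeout must be 600 seconds or less, and, for Individual Standard Workstations, it must require a password on resume.

```powershell
# Added audit example (not part of the standard). Assumes a Windows workstation;
# Get-ScreenSaverSetting and Test-ScreenSaverLock are hypothetical helper names.

function Get-ScreenSaverSetting {
    param([string]$Name)
    # A Group Policy value, when present, overrides the user's own setting,
    # so read the policy location first and fall back to the user location.
    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) { return [string]$item.$Name }
    }
    return $null
}

function Test-ScreenSaverLock {
    param(
        [int]$MaxIdleSeconds = 600,   # 10 minutes, per the standard above
        [switch]$RequirePassword      # set for Individual Standard Workstations
    )
    $active  = Get-ScreenSaverSetting 'ScreenSaveActive'     # '1' when enabled
    $timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'    # idle seconds, stored as a string
    $secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'  # '1' when a password is required on resume

    $findings = @()
    if ($active -ne '1') {
        $findings += 'screen saver is not enabled'
    }
    if (-not $timeout -or [int]$timeout -le 0 -or [int]$timeout -gt $MaxIdleSeconds) {
        $findings += "timeout is '$timeout' seconds; standard requires $MaxIdleSeconds or less"
    }
    if ($RequirePassword -and $secure -ne '1') {
        $findings += 'screen saver does not require a password on resume'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Individual Standard Workstation: password-secured screen saver within 10 minutes.
Test-ScreenSaverLock -MaxIdleSeconds 600 -RequirePassword

# Clinical Workstation: screen saver within 10 minutes, password not required by the standard.
Test-ScreenSaverLock -MaxIdleSeconds 600
```

The script only reports; it does not change settings. Shared Workstations, which the standard says log off rather than lock, are not covered by these registry values because Windows has no built-in idle logoff, so that control must be verified in whatever tool enforces it.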

In instances where automatic logoff and/or screen saver may not be feasible (for example, on clinical devices/monitors that monitor patient vital signs and other clinical observations), additional safeguards should be applied to physically secure access to the workstation in order to limit inappropriate exposure of Electronic Protected Health Information (EPHI). For additional information see Workstation Security and Use. Methods to secure these clinical devices should be determined from the results of a risk analysis.

A mobile device is one that has a small form factor and at least one wireless interface. Mobile devices use Wi-Fi, cellular or other wireless technologies to connect to network infrastructure.

Mobile devices can be used in various locations outside the organization's control. The UVA Medical Center therefore uses MobileIron to manage and control mobile devices that connect to Medical Center resources such as email, Epic, PACS, etc.

MobileIron enforces a 4-digit PIN. If the PIN is entered incorrectly 10 times, the device is erased to factory defaults. In the event a mobile device is lost or stolen, it will be remotely wiped upon notification by the Department Administrator or the employee.

Document Supporting Resources