
We are a healthcare IT company. My machine has PHI on it. Our IT contractor verbally asked if he could remote in to fix my printer so I said sure. I expected some sort of prompt to allow it but he was just in. Some form of VNC I guess.

Is this okay? In regards to HIPAA?

THE JOATMON
  • What might be highly questionable is the track log of what accesses and changes were performed on your computer. Just ask this log to check if you are HIPAA compliant. – dan May 10 '16 at 15:15
  • I have no idea about HIPAA requirements, but note that the presumption of your question title "remote in without authorization" is not met: You did give him authorization verbally. – Hagen von Eitzen May 10 '16 at 19:44
  • That's a bit pedantic. I could rename the question `Is it okay for our IT support contractor to have the ability to remote in without authorization?` – THE JOATMON May 10 '16 at 21:22
  • Take note that just because you didn't personally authorize this person doesn't mean he wasn't authorized. He may have still been prompted to enter credentials on his end as the authorization code for your PC - In other words, just because you didn't get a popup doesn't mean he didn't. – Numeron May 10 '16 at 23:37
  • Numeron is right! As the question stands it implies what you want to believe. If the data on your PC is not in your ownership, someone else has the ability to give authorization, if the IT-Guy has a formal authorization to access your computer and gets a verbal authorization from you, that means he has authorized access. Your question should be "**Is it ok if our IT support contractor has the ability to remote in without my confirmation**" – Falco May 11 '16 at 09:52

6 Answers


You haven't actually provided enough details to say one way or the other. The fact that you didn't see an authentication prompt doesn't preclude there from being one.

The remote access tools I use in my job (which also deals with HIPAA) both require me to authenticate with my domain admin credentials and do not prompt users to accept the connection, because I've configured them that way.

HopelessN00b
  • Authentication <> Authorization. I could have been viewing sensitive patient material. A simple "Do you want to allow support to connect?" would give a chance to close anything important. Also, we have no domain here, nothing to authenticate against. Also I like that your justification is the configuration you set up. I worked for a large health system for 15 years. Our internal support tools always prompted us. Even if there is no malicious intent, we don't want help desk employees accidentally seeing colonoscopy images or something... – THE JOATMON May 10 '16 at 13:34
  • @Devil'sAdvocate OK. None of that changes anything. He got authorization verbally from you (which is something you shouldn't have done if you actually were viewing sensitive materials at that particular moment), and you have no idea what authentication is being used here (yes, domainless/workgroup computers authenticate users), what logging or auditing is being done, or even what protocol or program the guy used for remote access. You're just guessing at everything, so, not enough information to say. – HopelessN00b May 10 '16 at 13:42
  • I currently work for a health care system, and our general IT guys, and specifically the one assigned to our group, remote into desktops all the time. They have two options for doing it, one gives me a pop up allowing me to authorize the connection, one doesn't. In both cases, I've given _verbal_ permission _before_ the connection is made. No matter _who_ I've worked for in the past, I _always_ close, or at least minimize, any window that I don't want the remote connector to look at, PHI or otherwise (like *.SE while at work...). – FreeMan May 11 '16 at 12:02

HIPAA does not get to specifics of policy; the substance of it is that organizations have to have sufficient controls in place to protect data. There's nothing inherently wrong with an unprompted takeover from a HIPAA perspective, as long as other controls (authentication, authorization, access control lists, access logging and auditing, antimalware on the support PC, legal agreements in place between the support organization and your organization, etc) are in place.

So without knowing what your organization has in the way of IT security policies, processes and procedures there's no way to tell.

As for whether unprompted take-overs are a good thing then no, they are not. You really want to have a warning when someone is taking over your PC for support, or even looking at your screen.

GdD
  • I disagree with your closing statement. The IT contractor verbally confirmed before taking over. Also, if the contractor needs to get into the PC while the user is away then who will click "accept" when the prompt comes up? Unless of course you meant "just a warning" with no prompt nor confirmation. – MonkeyZeus May 09 '16 at 17:39
  • @MonkeyZeus He did ask, but the fact that there was no prompt means he didn't have to ask. That's the scary part in my books. What if he chose not to ask? I'd have no way of knowing I was being monitored, much less that I may not be the only person with control. – corsiKa May 09 '16 at 17:57
  • @corsiKa OP does not own the computer and should always be working as if they **are** being monitored, especially in the health field. If OP feels that his/her rights have been violated then they should bring it up with upper-management since they will have the final say in terms of what is allowed in their company or not. – MonkeyZeus May 09 '16 at 18:06
  • @MonkeyZeus Sure, you should always be operating as if you're being monitored. However, when OP is at the computer, OP is responsible for the actions that take place on it. If someone else can act, that is a problem and OP needs to be aware that someone else may be entering data. – corsiKa May 09 '16 at 18:14
  • @MonkeyZeus I see a very large difference between in-house IT being able to take over a computer without user approval versus an external contractor being able to do the same. The former is totally appropriate since the employee doing the unprompted takeover works for the entity that owns the computer and the data. The latter is pretty uncool in my opinion because it's not the contractor's computer or data. We give contractors the bare minimum access and there is no takeover of computers or sessions allowed without user intervention, but policies can and will vary. – Todd Wilcox May 09 '16 at 19:09
  • @ToddWilcox Agreed, hence my "they should bring it up with upper-management" statement. – MonkeyZeus May 09 '16 at 19:11
  • @ToddWilcox: again, I think it depends on the surrounding process/policy/contracts. A contractor can "work for the entity that owns the computer", despite not being a permanent employee, because they still have a responsibility (potentially a fiduciary responsibility) to their client. I don't know whether HIPAA says anything about janitorial staff, but in the general run of business you can contract out cleaning and give the contractors keys. You just have to make sure the diligence is in place that would be there if it was in-house. – Steve Jessop May 09 '16 at 19:24
  • ... the extreme case is lawyers and accountants where their duty to their client is statutory, regardless of their employment arrangements. Some people prefer to keep in-house lawyers, but not usually for the reason that "contractor" lawyers, employed by or partners of a law firm, "don't work for me", whereas in-house lawyers do. If your IT people need to solve problems at night, you might well give them remote access without local approval whether IT is contracted out or in-house. But it's unwise for them to use that power during office hours without informing the user at the machine. – Steve Jessop May 09 '16 at 19:33
  • @corsiKa: "I have no way of knowing." is not the same as "There is no way of knowing." – Williham Totland May 09 '16 at 22:24
  • @WillihamTotland What does that matter? The person entering the data has an obligation to know if that entered data may be compromised by another actor. – corsiKa May 09 '16 at 22:26
  • @corsiKa nope, the compliant organization needs to have appropriate procedures on how access to data is controlled, how modification is ensured and how logs are kept, but it does not necessarily imply that the person entering the data needs to be kept informed on all other parties that have read (or write) access to the data - the *patient* has certain rights to that information, but it could be quite reasonable for the organization in some circumstances to grant some access to third parties and, as a policy, not inform the person entering (some of) the data. – Peteris May 09 '16 at 23:06
  • @Peteris That's preposterous. If I have a window up on my screen and I enter a user's medical information, and someone somewhere has the ability to modify the transaction I'm about to make, I can no longer ensure the credibility of the data I'm about to enter. I'm not saying it shouldn't be monitored, but one person entering one data record should be an ACID (Atomic, Consistent, Isolated, Durable) operation. Sure someone else may have write access to that data, but they should not have write access to my transaction or pass off information I write *as if it came from me*. That's non-compliant. – corsiKa May 09 '16 at 23:18
  • @corsiKa Your ideas & concerns make logical sense. However, it isn't the reality I've experienced. I worked for a company that provided (outsourced) IT services. After installing custom software, we could perform multiple remote services including installing & running a VNC server. No "end user" involvement was needed. Logs, showing which admin connected, were kept on our machines. I could see screens & input mouse clicks & keystrokes, which the remote system would accept. The local machine's software would assume this to be input of the logged in user. We also advertised HIPAA compliance – TOOGAM May 10 '16 at 09:55
  • @ToddWilcox We don't actually know that this _is_ an external contractor, either. OP just said "IT contractor". I've been a contractor on an internal IT team many, many times. For that matter, the company I currently work for provides IT infrastructure and services to clients, some of which do not have an internal IT department, making us both external contractors and the IT department for those clients. – HopelessN00b May 10 '16 at 14:59

Using the author's preferred restatement in the comment:

Is it okay for our IT support contractor to have the ability to remote in without authorization?

Under normal circumstances, Yes.

Let's talk about the specific key words.

Remote: Assuming you don't work from home, remember that the IT Admins can sit in your chair at the end of the day and login to your workstations, install updates, and re-image your computer after you leave the company. They already have full access to your computer and can (typically) view everything on it. It's possible they have access to the company databases and health records too, and so there likely is nothing they could possibly see on your screen during a remote session that they wouldn't already have access to outside of the remote session, if they decided to view it. If that's the case then asking for your permission before taking over your computer could be thought of as more of a courtesy, rather than a legal requirement.

Contractor: Many contractors work as an extension of the company, and have to sign NDA's, HIPAA disclosures, attend training, and follow the same rules and laws regarding security, privacy, and ethics that all of the employees do. Even in a situation where a contractor was not asked to sign anything, that would not grant them permission to break the law.

Note: these statements are generalizations which may apply to the healthcare industry, but don't necessarily apply to all industries. For example in the defense industry you might not allow an IT person to remote into a machine without user interaction in case the user is viewing a document that is above the clearance level of the IT person. (Though this isn't a problem if there are dedicated rooms with machines specifically for viewing top secret documents.)

TTT
  • Ignoring the body of my post removes a lot of context and many of your assumptions are wrong. – THE JOATMON May 10 '16 at 23:18
  • @DevilsAdvocate: I have answered the question in general. Your particular scenario obviously could be different from that, but I didn't see anything in your question that would lead me to believe it definitely is in violation of HIPAA. Which part of the question do you feel is relevant which I ignored? – TTT May 11 '16 at 02:05

It strongly depends on the country you're living in, as this is more of a legal question. In some states this approach is legally correct if you signed it in your employment contract; others forbid this procedure completely owing to privacy policy.

licklake

I completely disagree with the answer stating: "HIPAA does not get to specifics of policy". While they won't tell you how to write, or create a policy, they do get into VERY specific guidance. Here are the unbiased facts to answer your question. The HIPAA rules on administrative, physical and technical safeguards mandate basic requirements for security and privacy, as follows:

  • Identification and authentication
  • Audit controls

Identification and Authentication

It is fundamental that healthcare facility IT personnel know who is accessing their network, software, and systems, and that the person or entity gaining access is the one claimed. HIPAA, 45 CFR Part 164.312(d).3

Your vendor, and your organization violate the HIPAA mandates, since HIPAA requires the use of unique user IDs. You stated he logged in without credentials. This answers your question without needing to go further, but further we shall go.

Audit Controls

A healthcare IT professional will want to create, store, and protect appropriate log files of all security sensitive activities that take place during a remote session. HIPAA, 45 CFR Part 164.312(b).6 In addition, HIPAA requires a covered entity “to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” HIPAA, 45 CFR 164.308 (a)(1)(ii)(D). Under the HITECH Act, a patient can request a disclosure accounting from a covered entity basically asking “who has viewed my health information” for up to the prior 3 years. HIPAA, 45 CFR 164.528(a) and HITECH Act, 13405(c). … must provide an audit trail of logins and logon attempts. HIPAA, 45 CFR 164.308(a)(5)(ii)(C)

You stated a vendor logged in without credentials, outside of verbal notes (which mean nothing in a court of law) what kind of auditing was done via way of logs? Even if you DID have a log of the event, who are you going to associate it with?

munkeyoto
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/39655/discussion-on-answer-by-munkeyoto-is-it-okay-for-our-it-support-contractor-to-re). – Rory Alsop May 12 '16 at 06:20

Well, no. If he can get in without authorization then anybody can get in without authorization. However,

1) You did provide him with legal authorization. This is not the same thing as technical authorization. If I called somebody up and asked for help and he up and did it remotely and I don't know how he got in to do it I would be nervous too.

2) Your IT support probably has some kind of remote access already set up. This is convenient for many reasons. Here it is most important to know how it works though.

3) If the remote access method provides no logs it does not satisfy HIPAA.

Joshua