1

First off, I don't want to do this, but the doctors want us to do what they like, and they like another hospital that does this.

The doctors want a computer that is always logged in; they want to walk up to the computer, click on the application, and then only log on to that application. The doctors are accessing protected information at these workstations. My boss wants to use Citrix with thin clients at these workstations. Using Citrix presents its own problems. My biggest concern is that with Citrix any user could click reconnect on the agent software and they would then have control of every session that was logged on using this system login account. That would allow them access to many patients' records as if they were another doctor, invalidating our audit trail, and at the same time violating HIPAA.

Is there a good way to set up shared workstations like this?

As for an answer, I want to know how to make our Citrix workstation idea work, but any idea that could make our doctors happy and still maintain HIPAA compliance would be welcome.

Adam Towne

2 Answers

1

I'm not sure there's a way you can do this in a way that's secure (or even legal with security compliance in HIPAA).

If you know this other hospital, I'd call their IT people and ask to arrange a lunch with their admin (if they're not out of state) or a phone meeting asking how they solve this issue if it's supposedly "like this other hospital" that the doctors want at your site. You could end up with liability issues if you're audited or sued.

Any time you try a "shared" access for simplicity you're going to end up with audit issues. Hope someone else has a better answer, but my first instinct is to contact the other place they're citing and ask how they did it.

To be clear, you're trying to set up terminals running Citrix clients to connect to a central Citrix server, so the doctors end up still having to log in with a username and password on the server? In that case wouldn't your security still be fine?

Or do you mean you're going to have X number of Citrix terminals that they just walk up to and they automatically log into the Citrix server as a system user, so you would have fifty doctors logged in as John Doe on the Citrix server at any given time?

Bart Silverstrim
  • We are actually talking with them about how they are doing this, and from what I have heard so far, their auditing will not be reliable. I think they are actually failing to meet the legal requirements. However, the doctors, who control the money, want us to meet their standard of performance and usability. As to your second question, yes, what is being considered is 50 doctors logged in as "Doc" to Windows, and then logging in as themselves to the application, and relying on the application for security and audit. – Adam Towne Aug 19 '09 at 14:26
  • So...basically, the application needs auditing trails built in, and they want access from dumb terms acting like kiosks scattered all over. Looks like either your application needs really good auditing built in and/or the server needs to periodically log output from tcpview to get where and when connections occur to log who's logged in when, or you would have to talk to your organization's lawyers and have them intervene...usually administrators (non-tech) don't like "lawsuits" slightly more than whining. – Bart Silverstrim Aug 19 '09 at 16:18
  • Is there anything in your Citrix server administration kit that logs when/where connections come in? Does it go to system logs? If so there may be a tool that parses Windows system logs and can try extrapolating audit trails of some sort from that approach. – Bart Silverstrim Aug 19 '09 at 16:21
  • If it wasn't in the exam rooms you could always rig up USB cameras (or cameras in the halls outside the rooms where terminals are placed) that then log motion triggered pictures to a directory in a central server...terminal XYZ accessed five minutes after Dr. Doe walked into the room gives you an idea who's using it at that time :-) – Bart Silverstrim Aug 19 '09 at 16:30
  • Currently all our applications have auditing, but we have a lot of new incoming applications. To make things a little worse, there has been a recent change in management, with a new philosophy. I am not sure if the trend will continue, but new applications are being purchased by departments without our input. So, I don't think we can be sure that we will get applications that can do their own audit. That means that this will go beyond what tech can do, but I just want to get the "here and now" part ironed out, and I can pass along my concerns to my superiors. – Adam Towne Aug 19 '09 at 17:02
  • Personally...and I don't know your situation, of course...it sounds like you might be being put into a position where you or your department might be liable for a bunch of things that are not within your control...ever consider jobs.stackoverflow.com? Otherwise you might want to look at a system of tracking incoming IP connections and logging them, or seriously look at the whole camera ID thing. If they don't want to be held liable for their actions then they should consent to being tracked passively, although I personally don't like the idea. Sounds like you're being set up to fail. – Bart Silverstrim Aug 19 '09 at 21:42
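
The connection-logging idea raised in the comments above, sketched as an added example that is not part of the original thread: it correlates session connect/reconnect events with application logins so each application action is tied to a terminal, and flags a reconnect that moves a session to another terminal while someone is still logged in to the application. The log layout, the field names, and the assumption that application events carry the session id are all hypothetical; the sample lines are constructed.

```python
from datetime import datetime

# Constructed sample events in a hypothetical layout (not a real Citrix or
# Windows log format): time, source, event, session id, terminal, user
SAMPLE = """\
2009-08-19T09:00:00,broker,connect,S1,TERM-01,Doc
2009-08-19T09:01:10,app,login,S1,,drsmith
2009-08-19T09:05:00,broker,connect,S2,TERM-02,Doc
2009-08-19T09:06:30,app,login,S2,,drjones
2009-08-19T09:20:00,broker,reconnect,S2,TERM-01,Doc
2009-08-19T09:21:00,app,read_record,S2,,drjones
2009-08-19T09:30:00,app,logout,S2,,drjones
2009-08-19T09:40:00,broker,reconnect,S2,TERM-03,Doc
"""

def audit(log_text):
    """Return (attributed, alerts).

    attributed: application events tagged with the terminal that was
                displaying the session when the event happened.
    alerts:     reconnects that moved a session to a different terminal
                while an application user was still logged in.
    """
    terminal = {}   # session id -> terminal currently displaying it
    app_user = {}   # session id -> user logged in to the application
    attributed, alerts = [], []
    for line in log_text.strip().splitlines():
        ts, source, event, sid, term, user = line.split(",")
        when = datetime.fromisoformat(ts)
        if source == "broker":
            prev = terminal.get(sid)
            if event == "reconnect" and prev and prev != term and sid in app_user:
                alerts.append((when, sid, prev, term, app_user[sid]))
            terminal[sid] = term
        elif source == "app":
            if event == "login":
                app_user[sid] = user
            attributed.append((when, user, event, terminal.get(sid, "unknown")))
            if event == "logout":
                app_user.pop(sid, None)
    return attributed, alerts

if __name__ == "__main__":
    events, alerts = audit(SAMPLE)
    for when, user, event, term in events:
        print(f"{when} {user:8} {event:12} at {term}")
    for when, sid, old, new, user in alerts:
        print(f"ALERT {when}: {sid} moved {old} -> {new} while {user} logged in")
```

In the sample, the record read logged under drjones is attributed to TERM-01 rather than the terminal where drjones logged in, which is the gap an application-only audit trail would miss.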
0

Can the applications be configured to timeout after a very short period?

BTW - Citrix XenApp and thin clients have always been an excellent solution for hospitals. I'm always amazed when I walk into my local practice of ~10 doctors and there are PCs all over the place. They must have 20. Even with 20, the TCO of Citrix makes sense.

Cheers, Rob.

Rob Nicholson
  • We think all of our applications time out at this time. We are currently reviewing the applications at this time. – Adam Towne Aug 21 '09 at 14:35