Policies,Administrative,UW Health Administrative,Administration

Remote Access to Electronic Information Systems (1.01)

Remote Access to Electronic Information Systems (1.01) - Policies, Administrative, UW Health Administrative, Administration



Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals and
Clinics Authority as integrated effective July 1, 2015, including the legacy operations and staff of
University of Wisconsin Hospital and Clinics and University of Wisconsin Medical Foundation.
Policy Title: Remote Access to Electronic Information Systems
Policy Number: 1.01
Effective Date: December 21, 2017
Chapter: Administration
Version: Revision


The purpose of this policy is to define standards for authorized employees or affiliates to connect to
UW Health’s electronic information systems from outside the UW Health computer network. These
standards are designed to limit risk and minimize the potential damages which may result from
unauthorized access to UW Health resources. Potential damages include inappropriate access to
protected health information (PHI), the loss of sensitive or confidential organizational data,
intellectual property, damage to public image, or damage to critical internal systems.

This policy also applies to the faculty and staff of the University of Wisconsin School of Medicine
and Public Health.
This policy does not apply to remote access by vendors who remotely connect to UW Health’s
network to support their products, and where contractual agreements govern vendor responsibilities.


A. Remote Access: Access to UW Health systems from a device that is not itself connected to the
internal UW Health network. This includes personal devices that use internal “free” Wi-Fi,
which is the same as a public Wi-Fi connection, and UW Health owned devices when used from
home or elsewhere.
B. Managed Device: a computing device that is able to receive instruction and updates from a UW
Health network location. UW Health is able to maintain the security and integrity of managed
devices for storage and transmission of sensitive data even if the device is connected to the
network remotely. Managed devices are usually owned by UW Health, but in some cases
technology is available to manage personal devices. For example, UW Health Information
Services secures both corporate owned and personally owned mobile smart phones and tablets
using a mobile device management system. All other devices are not considered managed
C. Virtualized Session: a remote computer session that allows access to computer systems without
running any of those systems on the local computer. Virtual access leaves all the data and
processing in a secured data center, not on the local device. Applications are unable to leave data


on the local computer without the user’s awareness. Examples of virtual access software are
Citrix and VMware.
D. Multi-factor Authentication: a more secure way to gain access computer systems than using
only a login ID and password. In addition to proving your identity using your ID and password,
with multi-factor authentication you must also provide an additional piece of information that
represents something you have (like a physical token or generated code) or something unique to
you (i.e., like a fingerprint). Use of multi-factor authentication prevents security breaches caused
when login IDs and passwords are lost or stolen.

A. Remote access permits authorized users to support patient care activities or conduct UW Health
business and may not be used for any other purposes.
B. Remote access to UW Health systems from public computers, such as those found in airports,
hotels, and libraries, is absolutely prohibited. Public computers might contain malicious
programs that could be used to steal authentication information, such as user IDs and passwords.
C. All remote access data transmissions that traverse the internet will be encrypted. To further
minimize risk, remote access solutions will leverage managed devices or virtualized sessions, and
multi-factor authentication whenever feasible.
D. When users initiate a transmission that leaves the UW Health infrastructure, such as when
forwarding an email to an external recipient, security controls such as encryption cannot be
enforced. Therefore, users must use due care when transmitting content outside of the UW Health
E. The following systems may be accessed from personally owned devices. Access to these systems
is not technologically limited to managed devices or virtualized sessions in order to facilitate
employee communication:
1. E-mail via a web interface (Outlook Web Access).
2. U-Connect, the UW Health intranet.
3. Employee time tracking, staff scheduling and human resources systems.
F. Remote access is monitored for inappropriate or malicious activity.
G. To assure UW Health is able to meet its obligations regarding system monitoring and auditing,
organizations or individuals affiliated with UW Health may not facilitate access to UW Health
electronic information systems using their own remote access solutions.

A. Eligibility and Working from Home
1. UW Health Information Services (IS) enables remote access for all UW Health
credentialed providers to support direct patient care.
2. Remote access for all other UW Health employees must be approved by a Director, VP or
above, unless IS has ongoing authorization for staff in a specific job title on file.
3. UW Health department directors who wish to pursue offering remote access privileges to
hourly/non-exempt employees must consult with senior management and Employee
Relations in Human Resources. Whether hourly/non-exempt employees are paid for their
time spent using the system from a location outside of their regular workplace and/or
outside their work hours will depend on the nature of the system accessed and the
function performed. Other policies regarding working from home may apply (see: Policy
9.61-Home as Primary Work Site).
4. All employees may remotely access web e-mail, U-Connect, Employee Self-Service


within PeopleSoft, and time and attendance/staff scheduling systems. UW Health will not
provide equipment or internet access to use these systems from a location outside of the
employees' regular workplace. UW Health does not guarantee that the systems will be
continuously available 24/7 due to maintenance and other needs.
5. Hourly/non-exempt employees need to ensure they have approval in advance from their
supervisor before conducting work of any kind from a location outside of their regular
workplace and/or outside their regular work hours. Any and all other requirements,
provisions and conditions contained in this policy apply.
6. Staff who are not employed or credentialed by UW Health, but who have authorized
access to UW Health systems, may be eligible for remote access when commensurate
controls to secure such access are available. Requestors should consult with the UW
Health IS department.
7. Student employees may not access UW Health systems remotely.
8. UW Health IS department, after consultation with Employee Relations, may suspend
remote access at any time.
B. Professional Conduct and Boundaries
1. Users must remain constantly aware that remote access connections between their
location and UW Health are literal extensions of UW Health’s network, and must ensure
a remote connection is not used by unauthorized personnel to view or gain access to
confidential systems or data.
2. Users must not use personal email accounts or other internet resources that have not been
vetted by UW Health Information Services to conduct UW Health business, thereby
ensuring that official business is never confused with personal business and appropriate
security measures are put in place. (See also Policy 1.29 Computer, Electronic
Communication and Internet Usage Via UW Health Resources).
C. Securing Electronic and Paper Copies:
1. Authorized users may not save or store patient or other sensitive business data to local
media (hard drives, USB drives, CDs, etc.) on personally owned devices.
2. Users may print patient or other sensitive data from home work locations when the
following are true:
a. The user is located in his or her own home while remotely connected,
b. The user maintains a personal shredder to properly dispose of confidential
materials when paper copies are no longer needed, and
c. The user has a compelling, business-related reason to print the information to
paper that cannot be accomplished by viewing the data electronically.
3. Under no circumstances may users store paper copies of patient data in their homes or
other remote locations. Any printed copies generated at remote locations must be
immediately shredded, or where retention is absolutely necessary, returned to an
appropriate physical location and stored in accordance with applicable policies.
D. Securing Personal Equipment:
1. Authorized users are responsible for securing equipment that is not managed by UW
Health IS from common security threats inherent on the internet.
2. Users whose personal equipment poses a security risk will have their remote access
suspended until the problem is corrected.
3. Steps users should take to secure their personal equipment include, at minimum:
a. Using anti-virus software and keeping it up to date
b. Maintaining a software or hardware firewall
c. Keeping operating systems patched with the latest security patches


UW Health Administrative Policy 1.46 Mobile Device Policy
UWHC Administrative Policy 9.61 Home as Primary Work Site
UWMF Administrative Policy 108.016 At-Home Coding Policy
UWHC Administrative Policy 6.21 Security of Paper Medical Records
UWHC Administrative Policy 6.20 Security of Faxed, Printed, and Copied Documents
UW Health Administrative Policy 1.29 Computer, Electronic Communication and Internet Usage via
UW Health Resources

Sr. Management Sponsor: VP/Chief Information Security Officer
Author: Director, Security Systems
Reviewer(s): VP/Business Integrity; Director, Employee Relations, Sr. Security Consultant

Approval Committee: UW Health Administrative Policy and Procedure Committee


Elizabeth Bolt
UW Health Chief Administrative Officer