By Nic Cofield, Vice President, Client Services 

Most medical practices have permitted key business partners to access critical IT systems remotely. This is usually done to provide fast and efficient support of these systems. It could be an EMR vendor that needs to access a database, or perhaps a third-party IT service provider that will access systems for updates. Regardless of the requirement, every form of remote access that is provided to an outside party is a potential risk.  

As part of ongoing risk management, practices should evaluate the remote access that has been given over time to make sure any vulnerabilities are minimized. Questions that should be asked of vendors in order to determine the level of risk include:

• Are employees of the vendor required to have complex passwords for access to the remote tool? And are passwords required to be changed on a frequent basis?
• Is multi-factor authentication required for log-ins to the remote tool by vendor staff?
• Does the remote tool have auditing and logging capabilities to review any activity that takes place using the service?
• Does somebody at the practice have the ability to allow or deny remote access or is access given without any specific consent?
• Is the remote connection encrypted end-to-end?

Practices should also review their offboarding policies to ensure that any remote tools that may have been used by vendors (or staff) are removed when a relationship is terminated. Remote access should only be facilitated via secure technologies that are designed to be used within a highly-secure business environment.

Evaluating remote access as part of an ongoing vendor management program can help minimize the risk of unauthorized access. If you're currently planning your next IT Risk Assessment, I would strongly consider including as part of your evaluation an analysis of the current remote access tools to determine if changes should be made.

Nic Cofield is an IT specialist with Jackson Thornton Technologies.