HIPAA: Why do I need a timeout on my EMR/Cloud Solution/Desktop/Virtual Desktop/Remote Desktop?
-HIPAA is written intentionally vague. For example, §164.312(a)(2)(iii) specifically just states that you will automatically logoff an electronic session after a predetermined time of inactivity as part of your technical safeguards.
-HIPAA Administrative Simplification from https://www.hhs.gov/hipaa/for-professionals/
-HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework from https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/
How does this help you?
You can look up §164.312(a)(2)(iii) on the crosswalk and see that it maps to several controls from NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations [PDF]. From there we are shown the following control:
AC-11 SESSION LOCK
Control: The information system:
Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and
Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Supplemental Guidance: Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level, but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7.
(1) SESSION LOCK | PATTERN-HIDING DISPLAYS
The information system conceals, via the session lock, information previously visible on the display with a publicly viewable image.
Supplemental Guidance: Publicly viewable images can include static or dynamic images, for example, patterns used with screen savers, photographic images, solid colors, clock, battery life indicator, or a blank screen, with the additional caveat that none of the images convey sensitive information. References: OMB Memorandum 06-16
References: OMB Memorandum 06-16.
And then if you chase down the references you will see that OMB is recommending Federal Agencies to have a timeout of no more than 30 minutes.
Realistically and ultimately, its up to your organization and the results of your risk assessment to determine a “reasonable or appropriate” timeout period. High traffic areas that the public could access easily (read: not in a locked office) probably need a shorter timeout than that.
When your organization gets a no-kidding audit from OCR there is a protocol they follow (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html). They’ll ask to see the documentation on your controls, they’ll test the effectiveness of the controls, they’ll ask for the procedures and policies driving the controls, and they’ll question how you arrived to the decision you did.
Basically, if you do a risk assessment use a known and well accepted framework. If you implement controls, base them on an industry standard. Using NIST as the basis of your policy standards is a fairly safe move in the U.S. but the crosswalk also highlights COBIT, ISA, ISO/IEC, and CCS CSC.
Additional information regarding HIPAA can be found here: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html