
Does anyone allow campus health center staff remote access via VPN to their patient records systems? If so, what requirements/guidelines do you use to ensure the end point is secure beyond just using a secure connection?


Nathan Zierfuss, CISSP, Information Security Officer
Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320
Fairbanks, Alaska 99775-5320
Phone: 907-450-8112  Fax: 907-450-8381


Message from

We do allow remote access.  To access the EHR, one must first use the campus VPN system.  Secondly, they must use the Citrix system to gain access to the application or a remote desktop.  Even then, only select personnel are enabled for remote access to the EHR according to their business need.


I’d love to require a specific, controlled end point to use, such as a health-center issued laptop (for business use only) or perhaps even better, a thin client device or locked-down tablet or netbook.  The reality is that once remote access is given, any client can connect – at least that is the current reality with our campus VPN technology.


We encourage our staff to use health computers to connect and remind them that if their home system is compromised and used to connect, it could expose the University to a disaster.


-- Kevin McCrone, Information Technology Technical Associate

-- Illinois State University, Division of Student Affairs

-- (309) 438-1111


Thanks for the response. We do have a Citrix system as well and that wasn't a possible solution I had considered. It would keep the end point a managed system we know the security posture of but allow viewing/editing.

I'd like to require use of a university-managed device as the ultimate end point as well.