Lack of automatic logoff capability for applications or workstations accessing ePHI

Risk: Lack of automatic logoff capability for applications or workstations accessing ePHI


Explanation: Users working on workstations that run applications accessing ePHI may forget to log off, or may not have time to log off before stepping away from the workstation. An unattended session is a threat: anyone who walks up to the workstation can read ePHI, tamper with it, or copy it, and every action is recorded under the legitimate user's account. An effective control against this kind of unauthorized access is automatic logoff after a period of inactivity.

Major Mitigation: The mitigation can be carried out in 2 ways:

  • Configure the applications that access ePHI to automatically log off the user after a predetermined period of inactivity, so that the session cannot be resumed without re-authenticating.
  • For systems whose applications cannot enforce an idle timeout, activate a password-protected screen saver (screen lock) after a period of inactivity.

In either case, an unattended workstation no longer gives an unauthorized user access to ePHI without first supplying the credentials of the user who left it.

Secondary Mitigation: Computers in high-traffic areas (reception desks, shared nursing stations, public corridors) need a shorter inactivity period before logoff than computers in restricted offices, since the window in which an unattended session can be abused is the same as the idle timeout.

Success Criteria: Applications that log logoff events together with the time at which each logoff occurred show whether the automatic logoff took place after the configured period of inactivity, and whether the shorter period is in effect on workstations in high-traffic areas. Random and periodic testing of automatic logoff by system administrators on all workstations accessing ePHI (leaving a session idle and confirming it is locked or logged off within the expected time) verifies that this risk has been taken care of.
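The following is an added example, not code from the source page, of how an application that accesses ePHI can implement the major mitigation (automatic logoff after a period of inactivity), the secondary mitigation (a shorter period for workstations in high-traffic areas) and the success criteria (every logoff recorded with its timestamp and the idle time that triggered it). The zone names, timeouts, workstation IDs and user names are assumptions chosen for illustration; a real deployment would load them from configuration and write the audit entries to a tamper-evident log.

```python
"""Added example (not from the source page): idle-timeout session manager
for an application handling ePHI.  Timeouts, zone names and workstation IDs
below are assumptions chosen for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    user: str
    workstation: str
    last_activity: datetime
    active: bool = True


class FakeClock:
    """Controllable clock so the timeout logic can be exercised without waiting."""
    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now

    def advance(self, seconds: int) -> None:
        self.now += timedelta(seconds=seconds)


class SessionManager:
    def __init__(self, default_idle: timedelta = timedelta(minutes=15),
                 zone_idle: Optional[Dict[str, timedelta]] = None,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.default_idle = default_idle          # major mitigation: idle limit for all workstations
        self.zone_idle = zone_idle or {}          # secondary mitigation: shorter limit per zone
        self.workstation_zone: Dict[str, str] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []           # success criteria: timestamped logoff records
        self.clock = clock

    def register_workstation(self, workstation: str, zone: str) -> None:
        self.workstation_zone[workstation] = zone

    def idle_limit(self, workstation: str) -> timedelta:
        """Shorter limit if the workstation sits in a zone with its own timeout."""
        return self.zone_idle.get(self.workstation_zone.get(workstation), self.default_idle)

    def login(self, session_id: str, user: str, workstation: str) -> Session:
        session = Session(user, workstation, self.clock())
        self.sessions[session_id] = session
        self._audit("login", session_id, session)
        return session

    def touch(self, session_id: str) -> bool:
        """Called on every request; returns False if the session is no longer usable.
        The idle check runs before the activity timestamp is refreshed, so a request
        arriving after the limit cannot revive an expired session."""
        session = self.sessions[session_id]
        if not session.active:
            return False
        now = self.clock()
        idle_for = now - session.last_activity
        if idle_for >= self.idle_limit(session.workstation):
            self._logoff(session_id, idle_for)
            return False
        session.last_activity = now
        return True

    def sweep(self) -> List[str]:
        """Background check: log off idle sessions even when no request arrives,
        which is the case for a workstation left unattended."""
        expired = []
        now = self.clock()
        for session_id, session in self.sessions.items():
            idle_for = now - session.last_activity
            if session.active and idle_for >= self.idle_limit(session.workstation):
                self._logoff(session_id, idle_for)
                expired.append(session_id)
        return expired

    def _logoff(self, session_id: str, idle_for: timedelta) -> None:
        session = self.sessions[session_id]
        session.active = False
        self._audit("auto_logoff", session_id, session, idle_for)

    def _audit(self, event: str, session_id: str, session: Session,
               idle_for: Optional[timedelta] = None) -> None:
        self.audit_log.append({
            "time": self.clock().isoformat(), "event": event, "session": session_id,
            "user": session.user, "workstation": session.workstation,
            "idle_seconds": None if idle_for is None else int(idle_for.total_seconds()),
        })


def run_demo():
    """Constructed scenario: a lobby workstation (5 min limit) and an office
    workstation (default 15 min), both idle for 6 minutes."""
    clock = FakeClock(datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc))
    mgr = SessionManager(zone_idle={"high_traffic": timedelta(minutes=5)}, clock=clock)
    mgr.register_workstation("ws-lobby-01", "high_traffic")   # assumed IDs
    mgr.register_workstation("ws-office-02", "office")
    mgr.login("s1", "nurse_a", "ws-lobby-01")
    mgr.login("s2", "clerk_b", "ws-office-02")
    clock.advance(6 * 60)
    expired = mgr.sweep()                        # only the lobby session is logged off
    return mgr, expired


if __name__ == "__main__":
    manager, logged_off = run_demo()
    for entry in manager.audit_log:
        print(entry)
```

The audit entries produced by the demo are what an administrator would check against the success criteria: each `auto_logoff` record carries the time it happened and the idle interval that triggered it, so a reviewer can confirm the interval matches the limit configured for that workstation's zone.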

Source: www.gpo.gov