(2) Implementation specifications:
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Tell Me More:
The Automatic Logoff implementation specification requires covered entities to address the implementation of electronic procedures that terminate an electronic session after a predetermined time of inactivity. This is an addressable specification: a covered entity must implement it if reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.
Workforce members often walk away from workstations without logging off. This can be a security concern, particularly in areas with public access. Automatic log-off procedures can be implemented to minimize the likelihood that an unauthorized individual may access the workstation.
Such mechanisms might include a password-protected screen saver or configuring the operating system or other application to terminate a session after being idle for more than a few minutes.
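The application-side form of the mechanism described above, as an added example that is not part of the original page: a small server-side session store that records last activity, terminates a session once the predetermined idle period is exceeded (both on the next request and from a background sweep, since an unattended workstation sends no requests), caps any requested timeout at a policy ceiling so it cannot be overridden upward, and writes each automatic logoff to an audit list so the log-offs can be monitored. All names, the 10- and 15-minute values, and the sample calls are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Policy values (constructed for this example): a caller may ask for a
# shorter idle limit than the default, but never a longer one than the ceiling.
DEFAULT_IDLE_SECONDS = 10 * 60
MAX_IDLE_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_activity: float
    idle_limit: int
    active: bool = True


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []  # one record per automatic logoff

    def create(self, sid: str, user: str, now: float,
               idle_limit: int = DEFAULT_IDLE_SECONDS) -> int:
        limit = min(int(idle_limit), MAX_IDLE_SECONDS)  # clamp to policy ceiling
        if limit <= 0:
            raise ValueError("idle limit must be positive")
        self._sessions[sid] = Session(user, now, limit)
        return limit

    def touch(self, sid: str, now: float) -> bool:
        """Call on every authenticated request; False means the session is gone."""
        s = self._sessions.get(sid)
        if s is None or not s.active:
            return False  # a terminated session is never silently revived
        if now - s.last_activity > s.idle_limit:
            self._terminate(sid, s, now)
            return False
        s.last_activity = now
        return True

    def sweep(self, now: float) -> int:
        """Background task: terminate idle sessions that send no requests."""
        ended = 0
        for sid, s in list(self._sessions.items()):
            if s.active and now - s.last_activity > s.idle_limit:
                self._terminate(sid, s, now)
                ended += 1
        return ended

    def _terminate(self, sid: str, s: Session, now: float) -> None:
        s.active = False  # server-side invalidation: the token cannot be reused
        self.audit_log.append({"sid": sid, "user": s.user, "at": now,
                               "idle_for": now - s.last_activity, "reason": "idle-timeout"})
```

A password-protected screen saver only locks the display; the server-side termination above is what prevents a stale session token from being used after the workstation is left unattended.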
Questions to consider:
- Do the technical systems support automatic log-offs?
- Does the organization want to implement automatic log-offs? While addressable, it is likely that automatic log-offs will need to be implemented to reduce the risk of a security breach. Remember to monitor the use of log-offs and to minimize the ability of workforce members to override the automatic log-offs.