Originally Posted by Bert
Great advice, Indy! Good stuff. Just a couple of questions.

Originally Posted by Indy
The first things to do to improve your compliance is to ensure that all users have non-admin accounts for regular use, and do not have access (in general) to admin passwords. This protects the practice and the machines, as both internal and external attacks are limited if the user does not have admin permissions.
I am assuming you mean local admin. Of course, you would never give a regular user a domain account. I know I got a rootkit virus that, had the user been logged in as a non-local admin, probably wouldn't have taken hold. I did have all my users as non-admins, but it can get frustrating when you want to quickly do something that requires admin rights (local) and there is no Run As option. But, it is the safest way.

You are correct - accounts with admin permissions (machine or domain) should not be the normal user accounts, but specifically used to administer the machine/network. It requires some new habits to begin thinking that way, but it is worth the effort.

Originally Posted by Bert
Originally Posted by Indy
In use - if each user has their own credentials, and they don't share, then in the event of a staff change you just deactivate one account. Don't leave a computer logged in as a practitioner without locking the screen.
Are you referring to logging into the domain and authenticating with the server where users can be activated, deactivated or deleted?

Thanks.

If the network has a domain controller, or in the case of independent computers, it means disabling the account on each machine where the account was created.

Let me use a client practice as an example of a similar approach.

Each exam room has a computer, and when the patient is "roomed", their chart is brought up, their vitals entered, etc., and when the MA leaves the room, they lock the screen using a password/account in common for exam rooms. This keeps patients from having to resist the urge to poke around the application.

The practitioner knows the password, so they unlock the computer as soon as they come in.

Overall, a natural flow. They are moving to a monthly revolving password, which will require a bit more effort the first day of each new month, but naturally deals with any turnover issues, and a gentle reminder that there is a reason to protect that private data.
Indy
"Boss"

Indy's Blog

www.BestForYourPractice.com
Our Name is Our Creed
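The three housekeeping steps Indy describes above (keep regular-use accounts out of the local Administrators group, disable a departed user's account on every machine where it exists, and make sure screens lock) can be checked from one script. This is an added example written for this thread, not something from Indy's post or practice; it assumes PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, PowerShell Remoting enabled on the workstations, and an account with admin rights on them. The computer names, the `former.ma` account and the allow-list are constructed placeholders, and the `Disable-ADAccount` step only runs where the ActiveDirectory module is installed.

```powershell
# Added example for this thread; not the original poster's code.
# Assumes: PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts), PS Remoting enabled
# on the targets, and that the caller is an admin on those machines.
# All names below are constructed placeholders.

$Workstations    = @('EXAM-ROOM-1', 'EXAM-ROOM-2', 'FRONT-DESK')    # constructed
$DepartedAccount = 'former.ma'                                      # constructed
$ExpectedAdmins  = @('Administrator', 'PRACTICE\Practice-Admins')   # constructed allow-list

# If this is a domain, disable the departed user centrally first (requires RSAT / ActiveDirectory module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Disable-ADAccount -Identity $DepartedAccount -ErrorAction SilentlyContinue
}

# Then visit each workstation: independent machines keep their own local accounts,
# and even domain-joined ones may have a stray local admin.
$Report = Invoke-Command -ComputerName $Workstations -ScriptBlock {
    param($Departed, $Allowed)

    # 1. Who is in the local Administrators group? Anything not on the allow-list
    #    is a regular-use account that should be demoted to a standard user.
    $shortAllowed = $Allowed | ForEach-Object { ($_ -split '\\')[-1] }
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $unexpected = $admins | Where-Object { (($_ -split '\\')[-1]) -notin $shortAllowed }

    # 2. Disable the departed user's local account if one exists on this machine.
    $local = Get-LocalUser -Name $Departed -ErrorAction SilentlyContinue
    $disabledHere = $false
    if ($local -and $local.Enabled) {
        Disable-LocalUser -Name $Departed
        $disabledHere = $true
    }

    # 3. Check the machine-inactivity lock policy
    #    ("Interactive logon: Machine inactivity limit"); 0 or missing means no auto-lock.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $timeout = (Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        UnexpectedAdmins = ($unexpected -join ', ')
        DepartedDisabled = $disabledHere
        LockTimeoutSecs  = $(if ($timeout) { [int]$timeout } else { 0 })
    }
} -ArgumentList $DepartedAccount, $ExpectedAdmins

$Report | Sort-Object Computer | Format-Table -AutoSize
```

Run it from an admin workstation after a staff change; any row with a non-empty UnexpectedAdmins column or a LockTimeoutSecs of 0 is a machine that still needs attention. The allow-list comparison strips the `MACHINE\` or `DOMAIN\` prefix so the same list works for both local and domain members.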