Monday, March 21, 2005

Automatic Logoff

The next Access Control task is Automatic Logoff. This is an addressable task that requires agencies to implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

This is a relatively simple task, although it has its caveats. Simply put, if you leave your workstation for a period of time, the EPHI data must be made unavailable to unauthorized users. We suggest that you use the Windows Screen Saver timeout for this function. After a predetermined amount of inactivity the workstation's screen saver will come on, requiring the user's password to continue working. Because this happens at the Windows level, it covers any application that is running. Some applications, like Misys and McKesson, have built-in timeouts as well. These work just fine for that one application, but they do not cover any other EPHI application.

Choosing the amount of time before the inactivity timeout is triggered can be tricky. Setting it to 5 minutes is too short, while setting it to 60 minutes is too long. Our clients find that 20 to 30 minutes seems reasonable.
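One way to check a workstation against the screen saver settings described above is the PowerShell audit below. It is an added example, not part of the original post. It assumes the standard per-user screen saver registry values (`ScreenSaveActive`, `ScreenSaverIsSecure`, `ScreenSaveTimeOut`, `SCRNSAVE.EXE`) and uses the post's 20 to 30 minute window as the acceptable range.

```powershell
# Added example: audit the current user's screen saver lock settings.
# The 20-30 minute window comes from the post; adjust to match your own policy.
$MinSeconds = 20 * 60
$MaxSeconds = 30 * 60

# Group Policy values take precedence over the user's own Control Panel values.
$Paths = @(
    'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
    'HKCU:\Control Panel\Desktop'
)

# Return the first configured value for $Name, along with where it came from.
function Get-EffectiveValue {
    param([string]$Name)
    foreach ($path in $Paths) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $null -ne $item.$Name) {
            return [pscustomobject]@{ Value = [string]$item.$Name; Source = $path }
        }
    }
    return $null
}

$findings = @()
$active  = Get-EffectiveValue 'ScreenSaveActive'
$secure  = Get-EffectiveValue 'ScreenSaverIsSecure'
$timeout = Get-EffectiveValue 'ScreenSaveTimeOut'
$exe     = Get-EffectiveValue 'SCRNSAVE.EXE'

if (-not $active -or $active.Value -ne '1') { $findings += 'Screen saver is not enabled.' }
if (-not $exe -or [string]::IsNullOrWhiteSpace($exe.Value)) { $findings += 'No screen saver program is selected, so the timeout has no effect.' }
if (-not $secure -or $secure.Value -ne '1') { $findings += 'Screen saver does not require a password on resume.' }

# ScreenSaveTimeOut is stored as a string holding the idle time in seconds.
$seconds = 0
if (-not $timeout -or -not [int]::TryParse($timeout.Value, [ref]$seconds)) {
    $findings += 'No inactivity timeout is configured.'
} elseif ($seconds -lt $MinSeconds -or $seconds -gt $MaxSeconds) {
    $findings += "Timeout is $seconds seconds; expected $MinSeconds to $MaxSeconds."
}

if ($findings.Count -eq 0) {
    Write-Output "PASS: locks after $seconds seconds of inactivity (from $($timeout.Source))."
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Run it in the session of the user being audited, since these values are per-user.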

You should also have a policy stating that users need to log out when leaving their workstations for a period of time.
