Date of Last Review 6/6/08
SME: Director of Management Information Systems

Sunrise Clinical System Audit

Policy

The following policy relates to auditing user access to the Sunrise clinical system and describes safeguards that are in place in lieu of some system audit capabilities.

Access

• All users needing access to the Sunrise clinical system will have to obtain authorization via the DPSR process.
• Users will need a Novell user account to log in on a computer system that has the Sunrise client installed on it.
• The computer system that has the Sunrise client installed must be registered in the Sunrise database as a system that can be used to run the Sunrise application.
• The Sunrise username and password are different from the Novell username and password; therefore, logging in to the Novell system does not mean that users have access to the Sunrise clinical system.
• All authorized users will have a unique user ID to log in to the Sunrise Clinical system, which is disabled upon termination of employment.

Lockout and Screensavers

• Currently, the Sunrise system does not have the capability to lock out users after a set number of incorrect logins. The Novell network login, however, will lock out users for 30 minutes after 4 incorrect logins. Users must log in to the Novell network prior to accessing the Sunrise Clinical system.
• The Sunrise system has a security lockout after 30 minutes of inactivity. Once the security lockout has been triggered, users must reenter their Sunrise credentials to gain access to the Sunrise Clinical system within 10 minutes of the suspended session or they will be exited from Sunrise, ending the current session.
• Windows screensavers are also enabled and will activate within 10 minutes of user inactivity. Once the Windows screensaver has been triggered, users must reenter their Novell login credentials to disengage the screensaver.

Auditing


• Sunrise currently does not have the capability of auditing failed attempts; however, a future release will include this capability, which will be implemented.
• Sunrise currently does not have the capability of locking out users after a predetermined number of incorrect logins; however, a future release will include this capability, which will be implemented.
• Sunrise has a report called “Chart Access Log” which records first attempts at Tab access (in essence, “opening” the medical record), per patient, per user. Individual documentation viewing access is not logged, as Sunrise relies on document view security rights assigned to the user.
• Due to extensive cross-coverage workflow at UT-HCPC, any user with rights to Sunrise has access to view all information on any patient at any time.
• All documentation/order entries or edits are tracked by Sunrise with user name and date/time stamp.
• Social Security numbers are not available or viewed in Sunrise.
• Printing details from Sunrise can be viewed from Sunrise Report Manager for 48 hours from the time of report submission.
• Copy/Paste functionality cannot be audited, as it is a function of the Windows operating system and not specific to Sunrise.

Director of MIS
UT-HCPC

Related standards

Texas Administrative Code Chapter 202

The Joint Commission: Management of Information

HIPAA