Are there existing standards on inactivity timeouts we can reference?
HIPAA Weekly Advisor, September 6, 2004
Our doctors complain that the 15-minute inactivity timeout is too short. They want us to change it to 30 minutes. Are there existing standards we can reference?
No universally accepted standard exists for how quickly an inactive session should time out. A CMS publication titled Information Security Acceptable Risk Safeguards calls for a 15-minute timeout. But there are problems with this.
It is important to understand that the risk of an "open" connection on an unattended workstation largely depends on the physical surroundings. On an open floor in a hospital or in a busy emergency room accessible to the public, the risk is high and the timeout should be shorter than 15 minutes.
In a private office or other secure location off limits to unattended visitors, it's reasonable to make the inactivity timeout longer. Unfortunately, few application vendors provide a timeout feature a provider can set by location. Organizations should press vendors for this flexibility to better address risk and avoid unnecessarily short timeouts that irk users.
Editor's Note: Kate Borten, CISSP, CISM, is president and founder of The Marblehead Group, Inc., a national consulting firm focusing on the healthcare industry. This is not legal advice. Please consult your attorney for legal matters.