Connect Care Manual - Remote Access

Remote Access

"Remote access" refers to any access to any clinical information system (CIS) or other Alberta Health Services (AHS) information asset from outside AHS network locations, whether wired (Ethernet) or wireless. The protected AHS network is usually identified as "AHSRESTRICT"; if one is connected to this network, it is because they are connecting from within a location serviced by AHS.

External access can be from a remote clinical office, from home when on call, or from just about anywhere on the Internet. Additional security protections are required to ensure that only authorized individuals gain access to health system assets from outside health system environments. "Two factor" authentication is mandated; one factor is something you know (username and password), and the second factor is something you have (a "Token" displaying a constantly changing numeric code).

Security Tokens

Prescribers seeking external access must obtain an authorized security Token. This can be an actual "hard" physical device (RSA Token) or a "soft" application (the SecurID app, previously called RSA SecurID) running on one's smartphone (Apple iOS or Android).

The Token generates a digital code that is entered along with an AHS username and password at remote access login. The code is tied to the specific user and cannot be "borrowed" by anyone else.

We strongly recommend soft tokens for prescribers. These are easier to work with, and a smartphone tends to be present whenever and wherever needed. Soft Tokens are provided by default. Hard Tokens are provided only in special cases, such as lack of access to a smartphone.

Prescribers must be approved for remote access and security Token allocation. This should happen automatically when AHS-affiliated physicians are onboarded through Zone Medical Affairs. Physicians previously assigned a Token (hard or soft) for Alberta Netcare Portal (Alberta Health) can use it for AHS remote access. However, the Token must be explicitly activated and additionally assigned for this purpose, which is initiated through Medical Affairs. For nurse practitioners, the process is not automatic, and access/activation needs to be requested via Provincial NP Services.

Requesting Remote Access

Prescribers needing a Token for Connect Care, or any other form of remote access, should initiate their request through their Zone Medical Affairs office, or through Provincial NP Services for nurse practitioners.

Note that physicians are "vouched" for by Medical Affairs (not IT), and so any attempt to initiate a Token request through Identity and Access Management (iam.ahs.ca) gets re-directed to Zone Medical Affairs. Eligible physicians are normally contacted with Token activation information at the time of AHS onboarding. Physicians who may have failed to follow remote access instructions at the time of onboarding, or who may otherwise need urgent access but do not yet have Token activation instructions, should contact one of the following Medical Affairs Zone intake emails:

- Calgary Zone: CAL.MedicalStaffOffice@ahs.ca
- Central Zone: CZMAprivileging@ahs.ca
- Edmonton Zone: Edm.MedicalAffairs@ahs.ca
- North Zone: NZ.Privileging@ahs.ca
- South Zone: SZ.MedicalAffairs@ahs.ca
- Alberta Precision Laboratories: APL.MedicalAffairs@albertaprecisionlabs.ca

Physicians should provide the following information in the body of the email, which should be sent via AHS email (secure):

- AHS user name (do not provide password)
- Physician full name
- Subject line: RUNA Request

Nurse practitioners who need access can submit their request by following the instructions at the below link. If additional remote access support is needed, contact Provincial NP Services (Prov.NPServices@ahs.ca).

Guide: Remote User Network Access (RUNA) for Nurse Practitioners

Activating Remote Access

Once remote access permissions have been assigned to a prescriber's AHS credentials, instructions will be sent via email from remoteaccess@ahs.ca. The email is sent to the address that Medical Affairs uses for the prescriber or, for nurse practitioners, the address provided on the IAM request form, and will contain a link to download a "SecurID" security certificate. It is important to open the email from the mobile device (Apple or Android smartphone) that will be used to facilitate remote access. This ensures that the security certificate is installed on the mobile (not desktop) device; a security certificate can be installed only once and on only one device.

To complete the soft Token process, an "RSA Token" application is downloaded and installed on the smartphone. Instructions are included in a separate email from the one containing the SecurID certificate. Once installed and configured, the RSA App facilitates two-factor authentication as an extra measure of security for gaining remote access to AHS information assets.

MyApps and Citrix Workspace

Remote access to clinical applications, including Connect Care, happens through a software application called Citrix Workspace, which must be installed on the remote device:

The Citrix software gives access to a "virtual machine" running on AHS servers. Clinical software applications can be found and launched within this protected bubble. The workspace is opened from an Internet browser (FireFox works well on all operating systems) by going to myapps.ahs.ca. The MyApps login requirements differ according to whether the page is accessed from inside an AHS network or remotely from outside the AHS intranet:

- Internal (AHSRESTRICT) login: enter AHS username and password
- External login: enter AHS username, password and security code from RSA security Token (hard Tokens generate a 6-digit code, soft Tokens generate an 8-digit code)

Upon successful login, the MyApps page will launch a Citrix Workspace session, opening a window showing icons for all the business and clinical applications assigned to the current user.

Citrix Workspace on an iPad (iOS)

When using the Citrix application on an iPad (iOS), it can help to set up two server ("Citrix store") accounts, one for use when connecting from outside AHS and one for use on the intranet.

Intranet (inside AHS)
set up an access "account" using "https://mystore.albertahealthservices.ca" as the Citrix "store" address and log on with AHS Healthy username and password credentials. The default setup should work well.
Extranet (outside AHS)
set up a separate access "account" using "https://myapps.albertahealthservices.ca" as the Citrix "store" address. This time, it is important to not allow the default setup and instead do a "manual setup" as described in the following instructions:
- - Tip: Installing Citrix Workspace on an iPad (external use)

A number of user interface adaptations are important to be aware of when using touch to emulate pointer movements and right or left "clicks".

Guide: Citrix Workspace for iOS (Citrix)

Clinical Applications in MyApps

Physicians may not find all of the clinical applications (e.g., Netcare, Connect Care, Sunrise Clinical Manager, IMPAX) that they require in myapps.ahs.ca. The process for requesting attachment to the user's MyApps collection is the same as requesting remote access and a security Token. Use the Zone Medical Affairs intake emails listed above to request access to one or more clinical applications. But first, be sure to explore the "Apps" tab and all folders and sub-folders to make sure that the desired application is not already assigned.

For nurse practitioners, access to clinical applications should be requested through their operational leader.