Remote Access

"Remote access" refers to any access to any clinical information system (CIS) or other Alberta Health Services (AHS) information asset from outside AHS network locations, whether wired (Ethernet) or wireless. The protected AHS network is usually identified as "AHSRESTRICT". If one is connected to this network, it is because one is connecting from within a location serviced by AHS.

External access can be from a remote clinical office, from home when on call, or from just about anywhere on the Internet. Additional security protections are required to ensure that only authorized individuals gain access to health system assets from outside health system environments. "Two factor" authentication is mandated. One factor is something you know (username and password). Another factor is something you have (a "FOB" displaying a constantly changing numeric code).

Security FOBs

Prescribers seeking external access must obtain an authorized security FOB. This can be an actual "hard" physical device (RSA FOB) or a "soft" application running on one's smartphone (Apple iOS or Android).

The FOB generates a digital code that is entered along with an AHS username and password at remote access logon. The code is tied to the specific user and cannot be "borrowed" by anyone else.

We strongly recommend soft tokens for prescribers. These are easier to work with, and a smartphone tends to be present whenever and wherever needed. Soft FOBs are provided by default. Hard FOBs are provided only in special cases, such as lack of access to a smartphone.

Prescribers must be approved for remote access and security FOB allocation. This should happen automatically when AHS-affiliated prescribers are on-boarded through Zone Medical Affairs. Anyone previously assigned a FOB (hard or soft) for Alberta Netcare Portal (Alberta Health) can use it for AHS remote access. However, the FOB must be explicitly activated and additionally assigned for this purpose, which is initiated through Medical Affairs.

Requesting Remote Access

Prescribers needing a FOB for Connect Care, or any other form of remote access, should initiate their request through their Zone Medical Affairs office. Note that physicians are "vouched" for by Medical Affairs (not IT), so any attempt to initiate a FOB request through Identity and Access Management (iam.ahs.ca) gets redirected to Zone Medical Affairs anyway. Eligible physicians are normally contacted with FOB activation information at the time of AHS on-boarding.

Physicians who may have failed to follow remote access instructions at the time of on-boarding, or who may otherwise need urgent access but do not yet have FOB activation instructions, should contact one of the following Medical Affairs Zone intake emails:

Provide the following information in the body of the email, which should be sent via AHS email (secure):

    • AHS user name (do not provide password)

    • Physician full name

    • Subject Line: RUNA Request

Activating Remote Access

Once remote access permissions have been assigned to a prescriber's AHS credentials, instructions will be sent via email from remoteaccess@ahs.ca. The email is sent to the address that Medical Affairs uses for the prescriber and will contain a link to download a "SecurID" security certificate. It is important to open the email from the mobile device (Apple or Android smartphone) that will be used to facilitate remote access. This ensures that the security certificate is installed on the mobile (not desktop) device. A certificate can be installed only once and on only one device (smartphone).

To complete the soft FOB process, an "RSA Token" application is downloaded and installed on the smartphone. Instructions are included in a separate email from the one containing the SecurID certificate. Once installed and configured, the RSA app provides the second factor of two-factor authentication as an extra measure of security for gaining remote access to AHS information assets.

MyApps and Citrix Workspace

Remote access to clinical applications, including Connect Care, happens through a software application called "Citrix Workspace", which must be installed on the remote device:

The Citrix software gives access to a "virtual machine" running on AHS servers. Clinical software applications can be found and launched within this protected bubble. The workspace is opened from an Internet browser (Firefox works well on all operating systems) by going to "https://myapps.ahs.ca". The MyApps logon page requirements differ according to whether the page is accessed from inside an AHS network or remotely from outside the AHS intranet:

    • Internal (AHSRESTRICT) logon: enter AHS username and password

    • External logon: enter AHS username, password and security code (6 digits) from RAS security FOB.

Upon successful logon, the MyApps page will launch a Citrix Workspace session, opening a window showing icons for all the business and clinical applications assigned to the current user.

Clinical Applications in MyApps

Physicians may not find all of the clinical applications (e.g., Netcare, Connect Care, Sunrise Clinical Manager, IMPAX, etc.) that they require in myapps.ahs.ca. The process for requesting attachment to the user's MyApps collection is the same as requesting remote access and a security FOB. Use the Zone Medical Affairs intake emails listed above to request access to one or more clinical applications. But first, be sure to explore the "Apps" tab and all folders and sub-folders to make sure that the desired application is not already assigned.