"Remote access" refers to any access to any clinical information system (CIS) or other Alberta Health Services (AHS) information asset from outside AHS network locations, whether wired (Ethernet) or wireless. The protected AHS network is usually identified as "AHSRESTRICT"; if one is connected to this network, it is because they are connecting from within a location serviced by AHS.
External access can be from a remote clinical office, from home when on call, or from just about anywhere on the Internet. Additional security protections are required to ensure that only authorized individuals gain access to health system assets from outside health system environments. Two-factor authentication is mandated; one factor is something you know (username and password), and the second factor is something you have (a "FOB" displaying a constantly changing numeric code).
Prescribers seeking external access must obtain an authorized security FOB. This can be an actual "hard" physical device (RSA Fob) or a "soft" application (the SecurID app, previously called RSA SecurID) running on one's smartphone (Apple iOS or Android).
The FOB generates a digital code that is entered along with an AHS username and password at remote access login. The code is tied to the specific user and cannot be "borrowed" by anyone else.
We strongly recommend soft tokens for prescribers. These are easier to work with, and a smartphone tends to be present whenever and wherever needed. Soft FOBs are provided by default. Hard FOBs are provided only in special cases, such as lack of access to a smartphone.
Prescribers must be approved for remote access and security FOB allocation. This should happen automatically when AHS-affiliated physicians are onboarded through Zone Medical Affairs. Physicians previously assigned a FOB (hard or soft) for Alberta Netcare Portal (Alberta Health) can use it for AHS remote access. However, the FOB must be explicitly activated and additionally assigned for this purpose, which is initiated through Medical Affairs. For nurse practitioners, the process is not automatic, and access/activation needs to be requested via Provincial NP Services.
Requesting Remote Access
Prescribers needing a FOB for Connect Care, or any other form of remote access, should initiate their request through their Zone Medical Affairs office, or through Provincial NP Services for nurse practitioners.
Note that physicians are "vouched" for by Medical Affairs (not IT), and so any attempt to initiate a FOB request through Identity and Access Management (iam.ahs.ca) gets redirected to Zone Medical Affairs. Eligible physicians are normally contacted with FOB activation information at the time of AHS onboarding. Physicians who may have failed to follow remote access instructions at the time of onboarding, or who may otherwise need urgent access but do not yet have FOB activation instructions, should contact one of the following Medical Affairs Zone intake emails:
Physicians should provide the following information in the body of the email, which should be sent via AHS email (secure):
AHS username (do not provide password)
Physician full name
Subject line: RUNA Request
Nurse practitioners who need access can submit their request by following the instructions at the below link. If additional remote access support is needed, contact Provincial NP Services (email@example.com).
Activating Remote Access
Once remote access permissions have been assigned to a prescriber's AHS credentials, instructions will be sent via email from firstname.lastname@example.org. The email is sent to the address that Medical Affairs uses for the prescriber or, for nurse practitioners, the address provided on the IAM request form, and will contain a link to download a "SecurID" security certificate. It is important to open the email from the mobile device (Apple or Android smartphone) that will be used to facilitate remote access. This ensures that the security certificate is installed on the mobile (not desktop) device; a security certificate can be installed only once and on only one device.
To complete the soft FOB process, an "RSA Token" application is downloaded and installed on the smartphone. Instructions are included in a separate email from the one containing the SecurID certificate. Once installed and configured, the RSA App facilitates two-factor authentication as an extra measure of security for gaining remote access to AHS information assets.
MyApps and Citrix Workspace
Remote access to clinical applications, including Connect Care, happens through a software application called Citrix Workspace, which must be installed on the remote device:
The Citrix software gives access to a "virtual machine" running on AHS servers. Clinical software applications can be found and launched within this protected bubble. The workspace is opened from an Internet browser (Firefox works well on all operating systems) by going to myapps.ahs.ca. The MyApps login requirements differ according to whether the page is accessed from inside an AHS network or remotely from outside the AHS intranet:
Internal (AHSRESTRICT) login: enter AHS username and password
External login: enter AHS username, password and security code from RSA security FOB (hard FOBs generate a 6-digit code, soft FOBs generate an 8-digit code)
Upon successful login, the MyApps page will launch a Citrix Workspace session, opening a window showing icons for all the business and clinical applications assigned to the current user.
Clinical Applications in MyApps
Physicians may not find all of the clinical applications (e.g., Netcare, Connect Care, Sunrise Clinical Manager, IMPAX) that they require in myapps.ahs.ca. The process for requesting attachment to the user's MyApps collection is the same as requesting remote access and a security FOB. Use the Zone Medical Affairs intake emails listed above to request access to one or more clinical applications. But first, be sure to explore the "Apps" tab and all folders and sub-folders to make sure that the desired application is not already assigned.
For nurse practitioners, access to clinical applications should be requested through their operational leader.