Concurrent Session Control in Healthcare for CMS compliance


“UserLock is the only solution on the market that allows our organisation to fulfill the CMS compliance requirements for its government contracts. It is absolutely critical to our business in this respect, but brings with it numerous other benefits in usability and reporting functionality.”

Technology Editor for Active Directory, Leading US Healthcare Insurance Provider


The following case study highlights how UserLock enables a leading US healthcare insurance provider to adhere to complex government security requirements around access control including concurrent session control.

Healthcare is one of the most information-intensive industries in society today. Controlling and securing users' access to the network and the information it holds is a priority for any healthcare organisation, so that information is accessible only to authorised users.

Effective access control protects patients' right to privacy while still giving clinicians and staff the access they need to provide the best possible treatment.

About the US Healthcare Insurance Provider

The healthcare insurance provider is a federation of several separate United States health insurance organisations and companies. It is not only an insurance business but also a hosting service for smaller subsidiaries that hold government contracts.

The challenge to meet CMS security requirements

Contracting to the US government requires the healthcare insurance provider to uphold various CMS (Centers for Medicare & Medicaid Services) security requirements. One CMS requirement that applies to the government contracts division states that a user may be logged on to only one workstation at any given time unless otherwise approved.

AC-10: Concurrent Session Control

The information system limits the number of concurrent sessions for each system account to one (1) session. The number of concurrent application/process sessions is limited and enforced to the number of sessions expressly required for the performance of job duties and any requirement for more than one (1) concurrent application/process session is documented in the security plan.


Native Windows commands had been used previously to try to meet these compulsory security requirements. Active Directory can restrict which workstations an account may log on to (the "Log On To" list on the user object), but it has no setting that limits how many sessions an account may hold at once, so the organisation found it had to look outside Microsoft's native tooling to enforce the requirement.
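To make the AC-10 check concrete, here is an added example that is not UserLock's code and not part of the original case study: it replays Windows Security log logon (4624) and logoff (4634/4647) events in time order, tracks the open sessions of each account, and reports every moment an account held more concurrent sessions than it is permitted. Everything in it is assumed for illustration: the pipe-delimited export format, the constructed sample records, the user and host names, and the `APPROVED_LIMITS` table that stands in for exceptions documented in the security plan.

```python
"""Offline AC-10 check over Windows Security log events.

Added example for this page, not UserLock's code. The records below are
constructed, in a simplified pipe-delimited export format assumed here:
    time|event_id|user|logon_id|host|logon_type
4624 = logon, 4634/4647 = logoff; the LogonId ties a logoff to its logon.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Logon types that constitute a user session at a machine: 2 interactive,
# 10 RemoteInteractive (RDP), 11 cached interactive. Network (3), batch (4)
# and service (5) logons are excluded; counting them would flag every
# SMB or print connection as a second "session".
SESSION_LOGON_TYPES = {2, 10, 11}

# AC-10 default is one session. Accounts documented in the security plan as
# needing more (the IT staff in the case study) get an explicit higher
# limit. These entries are hypothetical.
APPROVED_LIMITS = {"CORP\\itadmin": 3}
DEFAULT_LIMIT = 1


@dataclass(frozen=True)
class Event:
    time: datetime
    event_id: int
    user: str        # DOMAIN\sAMAccountName (TargetUserName)
    logon_id: str    # hex LogonId, unique per session on a host
    host: str
    logon_type: int  # 0 for logoff events, which carry no type


def parse_line(line):
    """Parse one record of the assumed export format into an Event."""
    t, eid, user, logon_id, host, ltype = line.strip().split("|")
    return Event(datetime.fromisoformat(t), int(eid), user, logon_id, host,
                 int(ltype) if ltype else 0)


def concurrent_session_violations(events):
    """Replay logon/logoff events in time order, tracking open sessions per
    account. Returns {user: [(time, [hosts])]} for every moment an account
    exceeded its permitted number of concurrent sessions."""
    open_sessions = defaultdict(dict)   # user -> {(host, logon_id): time}
    violations = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.host, ev.logon_id)
        if ev.event_id == 4624:
            if ev.logon_type not in SESSION_LOGON_TYPES:
                continue
            open_sessions[ev.user][key] = ev.time
            limit = APPROVED_LIMITS.get(ev.user, DEFAULT_LIMIT)
            if len(open_sessions[ev.user]) > limit:
                hosts = sorted(h for h, _ in open_sessions[ev.user])
                violations[ev.user].append((ev.time, hosts))
        elif ev.event_id in (4634, 4647):
            # A logoff for a session never seen opened (log rotation) is ignored.
            open_sessions[ev.user].pop(key, None)
    return dict(violations)


# Constructed sample export (not captured from a real system).
SAMPLE_LOG = """\
2024-03-04T08:00:00|4624|CORP\\jdoe|0x3E7A1|WS01|2
2024-03-04T08:05:00|4624|CORP\\jdoe|0x41C2B|WS02|2
2024-03-04T08:06:00|4624|CORP\\jdoe|0x52D3C|FS01|3
2024-03-04T08:30:00|4634|CORP\\jdoe|0x3E7A1|WS01|
2024-03-04T09:00:00|4624|CORP\\itadmin|0x60001|WS10|10
2024-03-04T09:01:00|4624|CORP\\itadmin|0x60002|SRV01|10
2024-03-04T09:10:00|4624|CORP\\asmith|0x70001|WS03|2
2024-03-04T09:15:00|4647|CORP\\asmith|0x70001|WS03|
2024-03-04T09:20:00|4624|CORP\\asmith|0x70002|WS04|2
"""


def check_sample():
    """Run the check over SAMPLE_LOG and return the violations found."""
    return concurrent_session_violations(
        parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip())


if __name__ == "__main__":
    for user, hits in check_sample().items():
        for when, hosts in hits:
            print(f"{when:%Y-%m-%d %H:%M} {user} exceeded limit: "
                  f"sessions open on {', '.join(hosts)}")
```

On the sample data only `CORP\jdoe` is reported, at 08:05, with sessions open on WS01 and WS02; the network logon to FS01 is ignored, the IT account stays within its approved limit of three, and `CORP\asmith` is clean because the first session was closed before the second opened. This is an after-the-fact audit, not enforcement: it tells you the control was violated, which is what native tooling can also do, whereas AC-10 asks that the second logon be prevented.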

Managing concurrent user sessions with UserLock

UserLock, which is Microsoft-certified for compatibility with Windows Server 2012 and Windows 8, has enabled the organisation to enforce restrictions on concurrent user logons: a user cannot be logged on to more than one machine at a time, and more than one user cannot be logged on to the same machine at once.

In addition, UserLock's reporting features allow the identification of unused and available computers. Administrators can see whether a particular workstation, across more than 10 locations, has remained inactive for a long period and can then remove or reallocate that resource. The same function is available for servers in the secure data centre.

Managing and securing all users network access

First and foremost, UserLock has enabled the organisation to meet the compliance requirements attached to its US government contracts. The organisation undertakes an annual review of its technology providers, and for three consecutive years UserLock has met those requirements when no other solution evaluated could.

On a day-to-day basis, UserLock users find the interface easy to use and the reporting features helpful.


In addition, the software is providing business benefits beyond security.

A live information feed and trending alerts allow admin staff to track peak hours, which helps them plan for when account access will be heaviest. Although this information is not currently shared company-wide, it could be shared with the help desk so they know when patching is needed and at what times it is likely to cause the least disruption.

Users have yet to report any issues. They are limited to one connection by default but can request more if they need them; this includes IT staff, who need multiple connections to reach the various organisations' servers.

What’s next:

Three of the ten Active Directory environments on the health insurance provider's servers currently use UserLock, covering between 5,000 and 6,000 users, and the company is discussing plans to extend coverage to a further 3,000.

Furthermore, the organisation is standardising builds for all government contracts, including a road-map for all government services. Going forward, UserLock will be listed as a standard requirement for other health insurance plans providing services to government.



Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.
