HIPAA Security Workstation Use and Location and Portable Computing
Shared by: qtp78691
BC 6.830 - WORKSTATION SECURITY POLICY I. POLICY: Employees are responsible for maintaining the physical security of _________ computer resources under their control and for protecting the integrity and privacy of the data maintained on them by the appropriate use of lockdown devices, password controlled access, data encryption, virus protection software, and routine backup procedures. _________ reserves the right to inspect all data and to monitor the use of all its computer systems, and as such, workstation users have no right of privacy with regard to information on workstations. _________’s right of access to personally owned computing devices will be limited to _________’s patient or business information and applications important to maintaining security over that information, including, but not limited to anti-virus softare, operating systems, etc. _________ reserves the right to remotely access, monitor, control and configure workstations and any software residing on them. Non-compliance with this policy is subject to management review and action, up to and including termination of employment, vendor contract and/or legal action. All workstations with fixed storage that support more than one user, process critical, and/or process sensitive information including modems, must be equipped with security that secures hardware and/or restricts access to software. All workstations must be equipped with updated software for detecting the presence of malicious software (e.g., computer viruses). All computing devices must have current versions of anti-virus software enabled. Operating systems must have all critical updates installed. All workstations must be positioned or located in a manner that will minimize the exposure of any displayed patient or sensitive business information. When necessary, privacy screens should be deployed. Users accessing the _________ network or information from remote locations, such as connections from home, should employ appropriate security safeguards. The Information Systems Department shall have sole discretion in determining which hardware, operating systems, and connectivity solutions will be supported. Users may not, independently install connectivity hardware or software to the computing resources of _________. All employees must comply with _________ policies, state and federal laws and regulations regarding the proper acquisition, use and copying of copyrighted software and commercial software licenses. II. PURPOSE: _________ (_________) is committed and required to provide security to protect its computerized clinical and business information systems. Its computer system hardware and software as well as the information and data carried by the system are the sole property of _________. Any misuse of _________ workstations may result in withdrawal of access to the system or _________ information or data. The intent of this policy is to: Ensure that each workstation has the necessary access controls to restrict unauthorized users and programs from accessing patient health or sensitive business information. Ensure that software on each workstation on the system (network) is internally compatible and will not lead to degradation of the system. This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this 1 document with the understanding that Baystate Health System provides no warranties for its utility and assumes no liability for its use. Ensure that users are oriented and trained on workstation use and the maintenance of information integrity and privacy and resource security. Establish the security requirements for the appropriate use of mobile computing resources including laptops and PDAs (Personal Digital Assistants) that access _________ information or interface to the _________ network. III. SCOPE: Employees, vendors, contractors or business associates who have access to _________ patient clinical or business information stored on its computers or have access to its computer resources or network. Devices include workstations, wireless devices, PDA or laptops, or home or personal computers or devices which are used to directly or remotely access the _________ network. IV. DEFINITIONS: Workstation: A terminal or personal computer which has the capability to access or store _________ patient information (including Protected Health Information as defined by HIPAA), _________ IT resources such as the Internet and Intranet, and _________ business information. Portable-Computer Device: A portable-computing device is a computer that is easily transported by hand and has the ability to store _________ patient or business information. "Portable computing device" generally refers to laptop computers, smart clipboard, and personal digital assistants (PDAs), but can include other emerging technologies that allow storage of and access to information, and that are capable of connection (physical or wireless) to the computer network, including connection to any server or workstation on the computer network. Portable Storage Devices and Media: Devices which can store patient or business information and which are relatively portable such as disk drives, CD-RW drives, floppy disks, zip disks, CDs and DVDs, flash memory devices, etc. Protected Health Information (PHI): Patient information, including demographic information, that: A. Is created or received by a health care provider, health plan, employer or health care clearinghouse; B. Relates to the past, present or future physical or mental health condition of a patient; the provision of health care to a patient; or the past, present or future payment for the provision of health care to a patient; and C. Identifies the patient or can be used to identify a patient. V. PROCEDURES A. General 1. Users are required to log-off of applications containing patient health or sensitive business information before leaving their workstations. 2. It is the user’s option to save work on their hard drive (c-drive) or to the network. When the user does not use the _________ network to store information and instead, uses other media, e.g. hard drive, diskettes, zip disks, etc, it is the responsibility of the user to make back-up copies of such information on a frequent basis. For assistance, contact the Help Desk at 4- 3000. This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this 2 document with the understanding that Baystate Health System provides no warranties for its utility and assumes no liability for its use. 3. In the event a critical document or file is inadvertently deleted, contact the Help Desk immediately at 4-3000. Do not continue to use the workstation, or save additional work. 4. All laptops and any other portable computer equipment must be secured (protected) when not in use. Proper security is dependent on risk factors and available resources at specific locations throughout _________. Security may be provided by locking the equipment in a cabinet, desk, office, etc. Where such alternatives are not feasible, keeping the device out of sight in a desk or brief case may be appropriate. 5. Keeping information stored on a Portable Computing Device secure and current is the responsibility of the person who has the device in his or her possession and control. Those in possession are responsible for breaches of security related to devices in their possession. 6. Password Protection: All windows based _________ workstations, except shared workstations, which access patient health information or sensitive business information, are required to have enabled a password-protected screensaver. Any exceptions must be approved in writing by the division vice president. In cases where password protected screen savers are not available, non- password protected screen savers should be enabled. Users are authorized by this policy to disable the screensaver protection in certain circumstances, for example, when computer support/repair personnel are expected. Department level procedures should define the allowable delay before automatic screensavers activate. That delay should be based upon a balance between operational needs and security risks. For example, consideration should be given to the: number of users having access to the application, number of patient records (high numbers are higher risk), location (higher traffic or public would be high risk) level of sensitivity of the information (HIV, oncology, performance evaluations, etc.) 7. All systems containing sensitive patient or business information should enable auto log-off capabilities if available. The delay should be determined based upon the risk criteria above. 8. Employees, physicians, volunteers, and outside vendors are required to have appropriate clearance prior to access to computer workstations. 9. Upon termination or change of job position, users will have network access removed or modified (Ref. Access Control Policy # 6.850). 10. Where possible, workstations should be segregated based on function and access privileges as it pertains to patient health or sensitive business information. 11. All computing devices owned by _________ shall be tagged and tracked by the Information Systems Department in accordance with _________ asset management policies and procedures. B. Workstations 1. _________ has established standard configurations for desktop technologies deployed throughout the organization. All computers, computer peripherals and software as well as printers, faxes, and other miscellaneous hardware purchased with Health System funds or attached to any component of the _________ network must meet these standards. (BC 6.310 – Desktop Technology) This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this 3 document with the understanding that Baystate Health System provides no warranties for its utility and assumes no liability for its use. 2. Installation of personal software, purchased or downloaded, including, but not limited to screensavers and animated GIFs, by employees is prohibited. Software required for end user purposes must be approved and installed by IS. The end user must document and maintain proof of license to have such applications. Software installations will be coordinated through Information Services by calling 4-3000. 3. Workstations must be installed with physical safeguards to eliminate or minimize the possibility of unauthorized access to information or theft of equipment. To the extent possible, equipment should be located in areas that have some degree of physical separation from the public and, where possible, should face away from the public. Where computers can not be protected from public view, privacy screens are mandated. When applicable, computer screens should also face away from other employees to ensure privacy of sensitive material. 4. Workstation equipment and portable computing devices will be protected from exposure to physical threats including theft based on potential risk and available safeguards. Desktops will be physically secured to desktops, tables or walls to prevent theft. Portable Computing Devices, such as notebooks and PDA’s are the responsibility of the user. 5. Computer access and password training, provided by the Information System Department, must be completed before access privileges are granted to ensure adequate training has occurred (Ref. Password Policy BC 6.840). 6. All workstations, must be equipped with security hardware and/or software. Where appropriate, all workstations and portable devices must be equipped with updated software for detecting the presence of malicious software (e.g. computer viruses). All computing devices must have current versions of anti-virus software enabled. Operating systems must have all critical updates installed. C. Portable Computing Devices 1. The loss or theft of any portable computing device on which _________ patient or sensitive business information is stored shall be immediately reported to Department Supervisor whether or not the hardware is owned by _________. The supervisor will contact the _________ Information Security Officer (Ref. Information Security Incident Reporting & Procedures, Policy BC 6.860). 2. Start up authentication and authorization passwords (user name and password) are required on all portable-computing devices that store patient health information (PHI) or confidential data whether or not the hardware is owned by _________. Additional passwords and/or encryption may be required at the discretion of the Information Systems Department. 3. Passwords and user IDs for computer systems and networks must not be stored on portable computing devices. 4. The Information Systems Department will establish approved remote access via portable computing devices, when necessary. 5. Portable computing devices that have stored data belonging to _________, may not be shared with others who are not authorized to access that information unless that information is stored as encrypted password protected files. This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this 4 document with the understanding that Baystate Health System provides no warranties for its utility and assumes no liability for its use. 6. The installation of virus protection programs is the responsibility of the user, except where a _________ device is connected to the _________ network, which will install and run appropriate antivirus protection. 7. Vendors, consultants, business associates and all others wishing to connect portable computing devices to the _________ network must first submit the equipment to _________ Information Services for inspection of the adequacy of anti-virus software and installation of critical operation system updates. Contact the Help Desk at 4-3000 to initiate this process. 8. Users should contact the Help Desk (4-3000) for more information or assistance if they feel that their portable computing device contains particularly sensitive information requiring higher levels of protection. 9. _________ reserves the right to identify particularly sensitive information and initiate methods to secure such information. D. Remote Access 1. Access to _________ computer systems from remote locations must be approved by the department supervisor, and the Information Systems Department. If a remote access system utilizes a dial-up modem, it must be expressly configured to provide secure network access. 2. Access to _________’ internal network from outside of its defined network perimeter must be controlled by privileged access controls that may only be established by the Information Systems Department. Users are not authorized to install connections such as modems, PC Anywhere, etc. Dial-in access and Virtual Private Network (VPN) connections should be strictly controlled using one time password authentication. 3. It is the responsibility of users with dial-in access and VPN privileges to ensure that a dial-in connection to _________ is not used by non-authorized individuals to gain access to company information or to internal networks. Users with remote access from personally owned computing devices have responsibility to employ security protections that can prevent their computing device from passing along viruses or similar internet threats to the _________ network and data. VI. CROSS REFERENCES Access Control Policy - BC 6.6.850 Password Policy BC - 6.840 Security Incident Policy - BC 6.860 Desktop Technology - BC 6.310 Date Approved: Information Services Oversight Committee (ISOC) 9/10/2003 , CIO & VP Information Services Prepared by: , Information Security Officer Effective: 10/1/2003 Replaces: New This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this 5 document with the understanding that Baystate Health System provides no warranties for its utility and assumes no liability for its use. This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this 6 document with the understanding that Baystate Health System provides no warranties for its utility and assumes no liability for its use.