HIPAA Security Workstation Use and Location and Portable Computing
Shared by: qtp78691 (posted 1/18/2010, English, 6 pages)

BC 6.830 - WORKSTATION SECURITY POLICY
I. POLICY:
Employees are responsible for maintaining the physical security of _________ computer resources under
their control and for protecting the integrity and privacy of the data maintained on them by the
appropriate use of lockdown devices, password controlled access, data encryption, virus protection
software, and routine backup procedures. _________ reserves the right to inspect all data and to
monitor the use of all its computer systems, and as such, workstation users have no right of privacy
with regard to information on workstations. _________’s right of access to personally owned
computing devices will be limited to _________’s patient or business information and applications
important to maintaining security over that information, including, but not limited to, anti-virus
software, operating systems, etc. _________ reserves the right to remotely access, monitor, control and
configure workstations and any software residing on them. Non-compliance with this policy is subject
to management review and action, up to and including termination of employment, vendor contract
and/or legal action.
All workstations with fixed storage that support more than one user, process critical information, and/or
process sensitive information, including those with modems, must be equipped with security that secures
the hardware and/or restricts access to software.
All workstations must be equipped with updated software for detecting the presence of malicious
software (e.g., computer viruses). All computing devices must have current versions of anti-virus
software enabled. Operating systems must have all critical updates installed.
All workstations must be positioned or located in a manner that will minimize the exposure of any
displayed patient or sensitive business information. When necessary, privacy screens should be
deployed.
Users accessing the _________ network or information from remote locations, such as connections from
home, should employ appropriate security safeguards.
The Information Systems Department shall have sole discretion in determining which hardware,
operating systems, and connectivity solutions will be supported. Users may not independently install
connectivity hardware or software on the computing resources of _________.
All employees must comply with _________ policies, state and federal laws and regulations regarding
the proper acquisition, use and copying of copyrighted software and commercial software licenses.
II. PURPOSE:
_________ (_________) is committed and required to provide security to protect its computerized
clinical and business information systems. Its computer system hardware and software as well as the
information and data carried by the system are the sole property of _________. Any misuse of
_________ workstations may result in withdrawal of access to the system or _________ information or
data. The intent of this policy is to:
Ensure that each workstation has the necessary access controls to restrict unauthorized users and
programs from accessing patient health or sensitive business information.
Ensure that software on each workstation on the system (network) is internally compatible and
will not lead to degradation of the system.
This document was contributed by Baystate Health System, Springfield, MA. You are free to copy and use this
document with the understanding that Baystate Health System provides no warranties for its utility and assumes no
liability for its use.
Ensure that users are oriented and trained on workstation use and the maintenance of information
integrity and privacy and resource security.
Establish the security requirements for the appropriate use of mobile computing resources
including laptops and PDAs (Personal Digital Assistants) that access _________ information or
interface to the _________ network.
III. SCOPE:
Employees, vendors, contractors or business associates who have access to _________ patient clinical or
business information stored on its computers or have access to its computer resources or network.
Devices include workstations, wireless devices, PDA or laptops, or home or personal computers or
devices which are used to directly or remotely access the _________ network.
IV. DEFINITIONS:
Workstation: A terminal or personal computer which has the capability to access or store _________
patient information (including Protected Health Information as defined by HIPAA), _________ IT
resources such as the Internet and Intranet, and _________ business information.
Portable-Computer Device: A portable-computing device is a computer that is easily transported by
hand and has the ability to store _________ patient or business information. "Portable computing
device" generally refers to laptop computers, smart clipboard, and personal digital assistants (PDAs), but
can include other emerging technologies that allow storage of and access to information, and that are
capable of connection (physical or wireless) to the computer network, including connection to any server
or workstation on the computer network.
Portable Storage Devices and Media: Devices which can store patient or business information and
which are relatively portable such as disk drives, CD-RW drives, floppy disks, zip disks, CDs and
DVDs, flash memory devices, etc.
Protected Health Information (PHI): Patient information, including demographic information, that:
A. Is created or received by a health care provider, health plan, employer or health care
clearinghouse;
B. Relates to the past, present or future physical or mental health condition of a patient; the
provision of health care to a patient; or the past, present or future payment for the
provision of health care to a patient; and
C. Identifies the patient or can be used to identify a patient.
V. PROCEDURES
A. General
1. Users are required to log-off of applications containing patient health or sensitive business
information before leaving their workstations.
2. It is the user’s option to save work on their hard drive (C: drive) or to the network. When the
user does not use the _________ network to store information and instead uses other media,
e.g. hard drive, diskettes, zip disks, etc., it is the responsibility of the user to make back-up
copies of such information on a frequent basis. For assistance, contact the Help Desk at 4-3000.
3. In the event a critical document or file is inadvertently deleted, contact the Help Desk
immediately at 4-3000. Do not continue to use the workstation, or save additional work.
4. All laptops and any other portable computer equipment must be secured (protected) when not
in use. Proper security is dependent on risk factors and available resources at specific
locations throughout _________. Security may be provided by locking the equipment in a
cabinet, desk, office, etc. Where such alternatives are not feasible, keeping the device out of
sight in a desk or brief case may be appropriate.
5. Keeping information stored on a Portable Computing Device secure and current is the
responsibility of the person who has the device in his or her possession and control. Those in
possession are responsible for breaches of security related to devices in their possession.
6. Password Protection:
All Windows-based _________ workstations, except shared workstations, which access
patient health information or sensitive business information are required to have a
password-protected screensaver enabled. Any exceptions must be approved in writing by the division
vice president. In cases where password-protected screensavers are not available, non-password-protected
screensavers should be enabled. Users are authorized by this policy to
disable the screensaver protection in certain circumstances, for example, when computer
support/repair personnel are expected. Department-level procedures should define the
allowable delay before automatic screensavers activate. That delay should be based upon a
balance between operational needs and security risks. For example, consideration should be
given to the:
number of users having access to the application,
number of patient records (high numbers are higher risk),
location (higher traffic or public would be high risk)
level of sensitivity of the information
(HIV, oncology, performance evaluations, etc.)
7. All systems containing sensitive patient or business information should enable auto log-off
capabilities if available. The delay should be determined based upon the risk criteria above.
8. Employees, physicians, volunteers, and outside vendors are required to have appropriate
clearance prior to access to computer workstations.
9. Upon termination or change of job position, users will have network access removed or
modified (Ref. Access Control Policy # 6.850).
10. Where possible, workstations should be segregated based on function and access privileges
as it pertains to patient health or sensitive business information.
11. All computing devices owned by _________ shall be tagged and tracked by the Information
Systems Department in accordance with _________ asset management policies and
procedures.
B. Workstations
1. _________ has established standard configurations for desktop technologies deployed
throughout the organization. All computers, computer peripherals and software as well as
printers, faxes, and other miscellaneous hardware purchased with Health System funds or
attached to any component of the _________ network must meet these standards. (BC 6.310
– Desktop Technology)
2. Installation of personal software, purchased or downloaded, including, but not limited to
screensavers and animated GIFs, by employees is prohibited. Software required for end user
purposes must be approved and installed by IS. The end user must document and maintain
proof of license to have such applications. Software installations will be coordinated
through Information Services by calling 4-3000.
3. Workstations must be installed with physical safeguards to eliminate or minimize the
possibility of unauthorized access to information or theft of equipment. To the extent
possible, equipment should be located in areas that have some degree of physical separation
from the public and, where possible, should face away from the public. Where computers
cannot be protected from public view, privacy screens are mandated. When applicable,
computer screens should also face away from other employees to ensure privacy of sensitive
material.
4. Workstation equipment and portable computing devices will be protected from exposure to
physical threats, including theft, based on potential risk and available safeguards. Desktops
will be physically secured to desks, tables or walls to prevent theft. Portable Computing
Devices, such as notebooks and PDAs, are the responsibility of the user.
5. Computer access and password training, provided by the Information System Department,
must be completed before access privileges are granted to ensure adequate training has
occurred (Ref. Password Policy BC 6.840).
6. All workstations must be equipped with security hardware and/or software. Where
appropriate, all workstations and portable devices must be equipped with updated software
for detecting the presence of malicious software (e.g. computer viruses). All computing
devices must have current versions of anti-virus software enabled. Operating systems must
have all critical updates installed.
C. Portable Computing Devices
1. The loss or theft of any portable computing device on which _________ patient or sensitive
business information is stored shall be immediately reported to Department Supervisor
whether or not the hardware is owned by _________. The supervisor will contact the
_________ Information Security Officer (Ref. Information Security Incident Reporting &
Procedures, Policy BC 6.860).
2. Start up authentication and authorization passwords (user name and password) are required
on all portable-computing devices that store patient health information (PHI) or confidential
data whether or not the hardware is owned by _________. Additional passwords and/or
encryption may be required at the discretion of the Information Systems Department.
3. Passwords and user IDs for computer systems and networks must not be stored on portable
computing devices.
4. The Information Systems Department will establish approved remote access via portable
computing devices, when necessary.
5. Portable computing devices that have stored data belonging to _________ may not be shared
with others who are not authorized to access that information unless that information is
stored as encrypted, password-protected files.
6. The installation of virus protection programs is the responsibility of the user, except where a
_________ device is connected to the _________ network, which will install and run
appropriate antivirus protection.
7. Vendors, consultants, business associates and all others wishing to connect portable
computing devices to the _________ network must first submit the equipment to _________
Information Services for inspection of the adequacy of anti-virus software and installation of
critical operating system updates. Contact the Help Desk at 4-3000 to initiate this process.
8. Users should contact the Help Desk (4-3000) for more information or assistance if they feel
that their portable computing device contains particularly sensitive information requiring
higher levels of protection.
9. _________ reserves the right to identify particularly sensitive information and initiate
methods to secure such information.
D. Remote Access
1. Access to _________ computer systems from remote locations must be approved by the
department supervisor, and the Information Systems Department. If a remote access system
utilizes a dial-up modem, it must be expressly configured to provide secure network access.
2. Access to _________’s internal network from outside of its defined network perimeter must
be controlled by privileged access controls that may only be established by the Information
Systems Department. Users are not authorized to install connections such as modems, PC
Anywhere, etc. Dial-in access and Virtual Private Network (VPN) connections should be
strictly controlled using one-time password authentication.
3. It is the responsibility of users with dial-in access and VPN privileges to ensure that a dial-in
connection to _________ is not used by non-authorized individuals to gain access to
company information or to internal networks. Users with remote access from personally
owned computing devices have responsibility to employ security protections that can prevent
their computing device from passing along viruses or similar internet threats to the
_________ network and data.
VI. CROSS REFERENCES
Access Control Policy - BC 6.850
Password Policy - BC 6.840
Security Incident Policy - BC 6.860
Desktop Technology - BC 6.310
Date
Approved: Information Services Oversight Committee (ISOC) 9/10/2003
, CIO & VP Information Services
Prepared by: , Information Security Officer
Effective: 10/1/2003
Replaces: New