Wilson Medical Center

SUBJECT: Workstation Use and Security

Section: 2
Policy #: 13 Page 1 of 3

Department: HOSPITAL WIDE Effective: 04/01/2005
Reviewed/Revised: 8/15/2013
Reference: Workstation Use Safeguard (164.310(b)) and
Workstation Security Safeguard (164.310(c))

Approved By: Administration



WORKSTATION USE AND SECURITY

Purpose:

The purpose of this policy is to specify the proper functions to be performed, the manner in
which those functions are to be performed, and the physical attributes of the surroundings of a
specific workstation or class of workstation that can access e-PHI. The policy also identifies
physical safeguards for all workstations that access e-PHI to restrict access to authorized users.

This document addressed Workstation Use Safeguard (164.310 (b)) and Workstation Security
Safeguard (164.310 (c)).

Policy Statement:

Wilson Medical Center (WMC) shall maintain appropriate procedures and safeguards to
ensure its workstations are utilized in an appropriate and secure manner by members of
workforce.

Definition:

Workstation refers to any screen or other computer device used to create, receive, maintain, or
transmit e-PHI. This includes, but is not limited to, desktop computers, laptop and notebook
computers, tablets, PDAs, IPads, smart phones and remote computers connected by VPN.

Procedure:

1. Workforce member shall be given access and authorization to use WMCs information
systems in a manner consistent with the policy entitled Information Access Management
and Workforce Security. An appropriate access control system shall be installed on all
workstations. Workstations shall be configured to require a user to enter a unique user ID
and password to gain access. WMC may remove or deactivate any workforce members
user privileges when necessary to preserve the integrity, confidentiality, and availability
of its facilities, user services, and data.

2. Workforce members shall use workstations for WMCs business purposes. Workforce
members should know what any information created, received, maintained, or transmitted
is not private. WMC reserves the right to periodically access, monitor, print, copy, and
disclose the contents of computer files and drives and e-mail messages.

3. Workforce members shall not download files from unknown or suspicious sources, nor
open any files or macros attached to an e-mail from an unknown, suspicious or
untrustworthy source.

4. Workforce members shall not use any workstation to send or receive any message or
download or retrieve any materials (video or audio) that could be considered
inappropriate or illegal under state or federal law. Workstations shall not be used to
store, transmit, or receive messages or materials (video or audio) having languages or
images that may reasonably be considered offensive, harassing, demeaning, or disruptive
to any member in the workforce. Such prohibited conduct includes, but is not limited to,
sexually explicit or derogatory comments or images, gender-specific comments, racial
epithets and slurs, or any comments, jokes, or images that would offend someone or
create a hostile work environment based on his/her race, color, sex religion, creed,
national origin, age, or disability. Workforce members are prohibited from sending or
receiving messages or materials on workstations in a way which includes the use of
profane or offensive language, or, in the judgment of management, is determined to be
profane, demeaning, insulting, disruptive, threatening, intimidating, violent, defamatory,
harassing, embarrassing, insubordinate, or otherwise inappropriate or unprofessional.
Finally, workstations shall not be used to conduct a job search or open misaddressed
mail.

5. Only approved software may be loaded on any workstation. Members of the workforce
are prohibited from downloading any software to a workstation with the express
permission from the Information Systems Director.

6. Password protected screen savers shall be installed on all workstations so that when a
user is away from their computer, unauthorized persons do not gain access to such a
workstation or confidential information. Such password protected screen savers shall be
configured to activate after a short interval (and shall also be capable of being manually
activated by a user) so that after such screen saver activates the computer screen
thereafter does not display any confidential information and the computer itself cannot be
utilized again until a password is entered. The length of time before a screen saver
activates shall be set to avoid disclosure of confidential information to unauthorized
persons, as could happen if a user left their work area and forget to manually activate the
screen saver.

7. Laptop and notebook computers, PDAs, IPad, and other mobile devices shall have
power-on passwords or data encryption to reduce the likelihood of access should such
device be lost or stolen.

8. Software to detect malicious software shall be installed on all workstations. The IS
Director shall be responsible for acquiring the software for WMC and any necessary
subscriptions to receive virus signature updates. Network Engineer shall be responsible
for installing and configuring the software and ensuring that the virus signature files are
updated on a regular basis. Any available auto-protect features will be enabled, full
alerts set, logging functions turned on, and quarantine repair operations will be selected.

9. Upon detection of malicious software, WMC shall take steps to prevent further infection.
Users shall cease using their workstations until the situation is resolved. The workstation
needs to be turned off. They should not attempt to send or receive e-mails, open new
programs, or reboot computers. Once the software has been contained and quarantined,
WMC shall clean/repair any infected files.

10. Workstation monitors shall be positioned so that they cannot be easily seen by anyone
other than the user. In high traffic areas, workstations shall be located behind enclosures
or partitions, or screen protectors shall be applied that shield the view of the information
displayed.

11. Workstations shall be plugged into electrical power strips that have built-in surge
protectors. The same power strip shall not be used for other electrical appliances that
draw a significant amount of current (e.g., vacuum cleaner, coffeepot, microwave), to
prevent interference with the workstations operations.

12. When leaving a workstation or other computer system unattended, workforce members
must lock or activate the automatic logoff mechanisms (e.g., CNTL, ALT, DELETE and
Lock Computer) or log out of all applications and database systems containing e-PHI.
Workforce members shall log-of workstations prior to the completion of their workday.