Department: HOSPITAL WIDE
Effective: 04/01/2005
Reviewed/Revised: 8/15/2013
Reference: Workstation Use Safeguard (164.310(b)) and Workstation Security Safeguard (164.310(c))
Approved By: Administration
WORKSTATION USE AND SECURITY
Purpose:
The purpose of this policy is to specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access e-PHI. The policy also identifies physical safeguards for all workstations that access e-PHI to restrict access to authorized users.
This document addresses Workstation Use Safeguard (164.310(b)) and Workstation Security Safeguard (164.310(c)).
Policy Statement:
Wilson Medical Center (WMC) shall maintain appropriate procedures and safeguards to ensure its workstations are utilized in an appropriate and secure manner by members of the workforce.
Definition:
Workstation refers to any screen or other computer device used to create, receive, maintain, or transmit e-PHI. This includes, but is not limited to, desktop computers, laptop and notebook computers, tablets, PDAs, iPads, smartphones, and remote computers connected by VPN.
Procedure:
1. Workforce members shall be given access and authorization to use WMC's information systems in a manner consistent with the policy entitled Information Access Management and Workforce Security. An appropriate access control system shall be installed on all workstations. Workstations shall be configured to require a user to enter a unique user ID and password to gain access. WMC may remove or deactivate any workforce member's user privileges when necessary to preserve the integrity, confidentiality, and availability of its facilities, user services, and data.
2. Workforce members shall use workstations for WMC's business purposes. Workforce members should know that any information created, received, maintained, or transmitted is not private. WMC reserves the right to periodically access, monitor, print, copy, and disclose the contents of computer files and drives and e-mail messages.
3. Workforce members shall not download files from unknown or suspicious sources, nor open any files or macros attached to an e-mail from an unknown, suspicious or untrustworthy source.
4. Workforce members shall not use any workstation to send or receive any message or download or retrieve any materials (video or audio) that could be considered inappropriate or illegal under state or federal law. Workstations shall not be used to store, transmit, or receive messages or materials (video or audio) having language or images that may reasonably be considered offensive, harassing, demeaning, or disruptive to any member of the workforce. Such prohibited conduct includes, but is not limited to, sexually explicit or derogatory comments or images, gender-specific comments, racial epithets and slurs, or any comments, jokes, or images that would offend someone or create a hostile work environment based on his/her race, color, sex, religion, creed, national origin, age, or disability. Workforce members are prohibited from sending or receiving messages or materials on workstations in a way which includes the use of profane or offensive language, or, in the judgment of management, is determined to be profane, demeaning, insulting, disruptive, threatening, intimidating, violent, defamatory, harassing, embarrassing, insubordinate, or otherwise inappropriate or unprofessional. Finally, workstations shall not be used to conduct a job search or open misaddressed mail.
5. Only approved software may be loaded on any workstation. Members of the workforce are prohibited from downloading any software to a workstation without the express permission of the Information Systems Director.
6. Password-protected screen savers shall be installed on all workstations so that when a user is away from their computer, unauthorized persons do not gain access to the workstation or confidential information. Such password-protected screen savers shall be configured to activate after a short interval (and shall also be capable of being manually activated by a user) so that once the screen saver activates, the computer screen does not display any confidential information and the computer itself cannot be used again until a password is entered. The length of time before a screen saver activates shall be set to avoid disclosure of confidential information to unauthorized persons, as could happen if a user left their work area and forgot to manually activate the screen saver.
7. Laptop and notebook computers, PDAs, iPads, and other mobile devices shall have power-on passwords or data encryption to reduce the likelihood of access should such a device be lost or stolen.
8. Software to detect malicious software shall be installed on all workstations. The IS Director shall be responsible for acquiring the software for WMC and any necessary subscriptions to receive virus signature updates. The Network Engineer shall be responsible for installing and configuring the software and ensuring that the virus signature files are updated on a regular basis. Any available auto-protect features will be enabled, full alerts set, logging functions turned on, and quarantine repair operations will be selected.
9. Upon detection of malicious software, WMC shall take steps to prevent further infection. Users shall cease using their workstations until the situation is resolved. The workstation needs to be turned off. Users should not attempt to send or receive e-mails, open new programs, or reboot computers. Once the software has been contained and quarantined, WMC shall clean/repair any infected files.
10. Workstation monitors shall be positioned so that they cannot be easily seen by anyone other than the user. In high traffic areas, workstations shall be located behind enclosures or partitions, or screen protectors shall be applied that shield the view of the information displayed.
11. Workstations shall be plugged into electrical power strips that have built-in surge protectors. The same power strip shall not be used for other electrical appliances that draw a significant amount of current (e.g., vacuum cleaner, coffeepot, microwave), to prevent interference with the workstation's operations.
12. When leaving a workstation or other computer system unattended, workforce members must lock or activate the automatic logoff mechanisms (e.g., CTRL, ALT, DELETE and Lock Computer) or log out of all applications and database systems containing e-PHI. Workforce members shall log off workstations prior to the completion of their workday.