Workstation Security Policy

Purpose

It is the policy of iEHR to safeguard the confidentiality, integrity, and availability of protected health information (PHI), business and proprietary information within its information systems by controlling access to these systems/applications. As such, this policy describes the different workstation security requirements of the organization.

Policy

  1. Access to information systems by all users is allowable only on a minimum necessary basis.
  2. All users are responsible for reporting an incident of unauthorized access of the organization’s information systems.
  3. The same levels of confidentiality that exist for hard copy PHI, business, and proprietary information apply to digital and/or electronic protected health information (ePHI) within the organization’s information systems and are extended even after termination or other conclusion of access.
  4. Automatic Logoff
    1. Users are required to make information systems inaccessible to any other individual when the systems are left unattended, for example by locking or logging off; if the device is used only by a single individual with a unique login, locking it is sufficient.
    2. Users must log off information systems/applications at the end of their shift, or at the end of their need to use the system/application, whichever is sooner.
    3. Information systems should automatically log users off the systems after 30 minutes of inactivity.
      1. Shortened automatic log off times should be implemented for workstations located in public or high traffic areas or for portable devices.
    4. The Security & Privacy Officers shall approve exceptions to automatic log off requirements.
  5. Workstation Use
    1. Workstations should only be used for authorized business purposes.
    2. When possible, workstations should be placed in secure areas.
    3. Workstations in patient rooms or public areas must be logged off or locked when not in use.
    4. Users must take actions to prevent unauthorized viewing, such as privacy screens, minimizing sessions, closing laptops, etc.
    5. All users are responsible for practicing precautions to protect the confidentiality, integrity, and availability of ePHI in the information systems at all times.
    6. Workstations may not be used to engage in any activity that is illegal or is in violation of organization’s policies.
      1. Access may not be used for transmitting, retrieving, or storing any communications of a discriminatory or harassing nature or materials that are obscene or “X-rated”.
      2. No messages with derogatory or inflammatory remarks about an individual’s race, age, disability, religion, national origin, physical attributes, sexual preference, political affiliation, or health condition shall be transmitted or maintained.
      3. No abusive, hostile, profane, or offensive language is to be transmitted through the organization’s systems.
    7. Information systems/applications also may not be used for any other purpose that is illegal, unethical, against company policies, or contrary to the organization’s best interests.
      1. Messages containing information related to a lawsuit or investigation may not be sent without prior approval.
    8. Solicitation of non-company business, or any use of the organization’s information systems/applications for personal gain, is prohibited.
    9. Participation in chain letters and other such activities is also prohibited.
    10. Transmitted messages may not contain material that criticizes iEHR, its providers, its employees, or others.
    11. Users may not misrepresent, obscure, suppress, or replace another user’s identity in transmitted or stored messages.
  6. Workstation Security
    1. Workstations are the property of iEHR and must always remain on the premises, unless prior authorization for removal of workstations from the premises has been granted by the Security Officer or other designee.
    2. Workstations utilized off the organization’s premises are protected with security controls equivalent to those for on-site workstations.
    3. Users may access and utilize workstations as assigned by their supervisor.
    4. Supervisors are responsible for monitoring use of workstations.
    5. All users must report unauthorized workstation use to the Security Officer or designee.
    6. iEHR will install anti-virus software on all workstations to prevent transmission of malicious software. This anti-virus software is regularly updated.
    7. Portable workstations are also subject to the same safeguards and protections.
    8. Portable workstations are maintained in a safe and secure manner when transported.
    9. Any portable device that contains PHI must be encrypted.
      1. Portable media are also subject to the same requirements.
    10. Networks are secured with a firewall.
    11. Network access is limited to legitimate or established connections. An established connection is return traffic in response to an application request submitted from within the secure network.
    12. Firewall console and other management ports are appropriately secured or disabled and are located in a physically secure environment.
    13. Mechanisms to log failed access attempts are in place.
      1. iEHR will lock accounts after 3 failed login attempts.
    14. The configuration of firewalls used to protect networks is approved by the Security Officer or designee and maintained by the IT Department.
    15. Firewalls will be maintained as staff change positions.
    16. Servers are located in a physically secure environment and are on a secure network with firewall protection.
    17. The system administrator or root account is password protected.
    18. A security patch and update procedure is established and implemented to ensure that all relevant security patches and updates are promptly applied, prioritized by the severity of the vulnerability corrected.
    19. All unused or unnecessary services are disabled.

Violations

  1. Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
  2. Violation may also result in civil and criminal penalties to iEHR as determined by federal and state laws and regulations related to loss of data.