PROTECTION FROM MALICIOUS SOFTWARE POLICY # 16
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERSEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security Rule Language:
“Implement … procedures for guarding against, detecting, and reporting malicious software …”
Policy Summary:
Sindecuse Health Center (SHC) must regularly train and remind its
workforce members about its process for guarding against, detecting, and
reporting malicious software that poses a risk to its information systems.
Purpose:
This policy reflects SHC’s commitment to provide regular training and
awareness to its employees about its process for guarding against,
detecting, and reporting malicious software that poses a risk to its
information systems.
Policy:
1. SHC must be able to effectively detect and prevent malicious
software, particularly viruses, worms and malicious code.
2. SHC must develop, implement, and regularly review a formal,
documented process for guarding against, detecting, and reporting
malicious software that poses a risk to its information systems and data.
All SHC workforce members must be regularly trained and reminded
about this process.
3. At a minimum, SHC’s malicious software prevention, detection and
reporting process must include:
• Installation and regular updating of anti-virus software on all SHC information systems.
• Examination of data on electronic media and data received over networks to ensure that it does not contain malicious software.
• Examination of all electronic mail attachments and data downloads for malicious software before use on SHC information systems.
• Procedures for members of the workforce to report suspected or known malicious software.
• An appropriate disaster recovery plan for recovering from malicious software attacks.
• Procedures to verify that information relating to malicious software, including warnings circulated to the workforce, is accurate and informative.
• Procedures to ensure that SHC workforce members do not modify web browser security settings without appropriate authorization.
• Procedures to ensure that unauthorized software is not installed on SHC information systems.
4. SHC protection from malicious software training and awareness must, at a minimum, cover the following topics:
• How to identify malicious software.
• How to report malicious software.
• How to effectively use anti-virus software.
• How to avoid downloading or receiving malicious software.
• How to identify malicious software hoaxes.
5. Unless appropriately authorized, SHC workforce members must not
bypass or disable anti-virus software.
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory Category: Administrative Safeguards
Regulatory Type: ADDRESSABLE Implementation Specification for the Security Awareness and Training Standard
Regulatory Reference: 45 CFR 164.308(a)(5)(ii)(B)
Definitions:
Electronic protected health information means individually identifiable health information that is:
• Transmitted by electronic media
• Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Risk means the likelihood that a specific threat will exploit a certain
vulnerability, and the resulting impact of that event.
Virus means a piece of code, typically disguised, that causes an
unexpected and often undesirable event. Viruses are frequently designed
to automatically spread to other computers. They can be transmitted by
numerous methods: as e-mail attachments, as downloads, and on floppy
disks or CDs.
Worm means a piece of code, usually disguised, that spreads itself by
attacking and copying itself to other machines. Some worms carry
destructive payloads that delete files or distribute files; others alter Web
pages or launch denial of service attacks.
Malicious software means software, for example, a virus, designed to
damage or disrupt an information system.
Malicious code means an executable application (e.g. Java applet or
Active X control) designed to damage or disrupt an information system.
Anti-virus software means software that detects or prevents malicious software.
Responsible Department: Information Systems; WMU OIT
Policy Authority/Enforcement: SHC’s Security Official is responsible for monitoring and enforcement of this policy, in accordance with Procedure # (TBD).
Related Policies:
Security Awareness and Training
Security Reminders
Protection from Malicious Software
Log-in Monitoring
Password Management
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.