WORKSTATION USE
POLICY # 34
ADMINISTRATIVE MANUAL
APPROVED BY:
ADOPTED:
SUPERCEDES POLICY:
REVISED:
REVIEWED:
DATE:
REVIEW:
PAGE:
HIPAA Security
Rule Language:
“Implement policies and procedures that specify the proper functions to
be performed, the manner in which those functions are to be performed,
and the physical attributes of the surroundings of a specific workstation
or class of workstations that can access EPHI.”
Policy Summary:
Sindecuse Health Center (SHC) workstations must be used only for
authorized purposes. Workforce members must not use SHC
workstations to engage in any activity that is either illegal under local,
state, federal, or international law or is in violation of SHC policy.
Access to SHC workstations with EPHI must be controlled and
authenticated.
SHC workstations containing EPHI must be located in physically secure
areas and their display screens must be positioned so as to prevent
unauthorized viewing of EPHI. SHC workforce members must activate
their workstation locking software whenever they leave their workstation
unattended for ___ [time to be determined by
organization] minutes or more. Workstations removed from SHC
premises must be protected with security controls equivalent to those for
on-site workstations.
Purpose:
This policy reflects SHC’s commitment to appropriately use and protect
its workstations.
Policy:
1. SHC workstations must be used only for authorized purposes: to
support the research, education, clinical, administrative, and other
functions of SHC. Such use demonstrates respect for intellectual
property, ownership of data, security controls, and individuals' rights to
privacy.
2. All workforce members who use SHC workstations must take all
reasonable precautions to protect the confidentiality, integrity, and
Page 1 of 6
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKSTATION USE
availability of EPHI contained on the workstations.
3. Workforce members must not use SHC workstations to engage in any
activity that is either illegal under local, state, federal, or international law
or is in violation of WMU or SHC policy.
4. Activities that workforce members must not perform while using SHC
workstations include, but are not limited to:









Violations of the rights to privacy of protected healthcare
information of SHC’s patients.
Violations of the rights of any person or company protected by
copyright, trade secret, patent, or other intellectual property or
similar laws or regulations. This includes, but is not limited to,
the installation or distribution of "pirated" or other
inappropriately licensed software products.
Unauthorized copying of copyrighted material, including but not
limited to digitization and distribution of photographs from
magazines, books, or other copyrighted sources and copyrighted
music.
Purposeful introduction of malicious software onto a workstation
or network (e.g., viruses, worms, Trojan horses).
Actively engaging in procuring or transmitting material that is in
violation of WMU sexual harassment or hostile workplace
policies.
Making fraudulent offers of products, items, or services.
Purposefully causing security breaches. Security breaches
include, but are not limited to, accessing electronic data that the
workforce member is not authorized to access or logging into an
account that he or she is not authorized to access. SHC
employees that perform this activity as part of their defined job
are exempt from this prohibition.
Performing any form of network monitoring that will intercept
electronic data not intended for the workforce member. SHC
employees that perform this activity as part of their defined job
are exempt from this prohibition.
Circumvent or attempt to avoid the user authentication or
security of any SHC workstation or account. Employees that
perform this activity as part of their defined job are exempt from
this prohibition.
5. Access to all SHC workstations containing EPHI must be controlled
with a username and password or an access device such as a token.
6. Access to all SHC workstations with EPHI must be authenticated via a
process that includes, at a minimum:

Unique user IDs that enable users to be identified and tracked.
Group IDs may only be used to access SHC workstations not
Page 2 of 6
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKSTATION USE


containing EPHI.
The prompt removal of workstation access privileges for
workforce members who whose employment or contracted
service with SHC has ended.
Verification that redundant user IDs is not issued.
7. All password-based access control systems on SHC workstations must
mask, suppress, or otherwise obscure the passwords so that unauthorized
persons are not able to observe them.
8. SHC workforce members must not share passwords with others. If a
SHC workforce member believes that someone else is inappropriately
using a user-ID or password, they must immediately notify the
Information Systems manager.
9. Where possible, the initial password(s) issued to a new SHC
workforce member must be valid only for the new user's first logon to a
workstation. At initial logon, the user must be required to choose another
password. Where possible, this same process must be used when a
workforce member’s workstation password is reset.
10. SHC workstations containing EPHI must be physically located in
such a manner as to minimize the risk that unauthorized individuals can
gain access to them.
11. The display screens of all SHC workstations containing EPHI must
be positioned such that information cannot be readily viewed through a
window, by persons walking in a hallway, or by persons waiting in
reception, public, or other related areas.
12. WMU Information Security office approved anti-virus software must
be installed on workstations to prevent transmission of malicious
software. Such software must be regularly updated.
13. SHC workforce members must activate their workstation locking
software whenever they leave their workstation unattended for ___
[time to be determined by organization] minutes or
more. SHC workforce members must log off from their workstation(s)
when their shifts are complete.
14. Connections from one workstation to another computer must be
logged off after the session is completed.
15. Workstations removed from SHC premises must be protected with
security controls equivalent to those for on-site workstations.
16. Special precautions must be taken with portable workstations such as
laptops. The following guidelines must be followed with such systems:
Page 3 of 6
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKSTATION USE



EPHI must not be stored on a portable workstation unless such
information is appropriately protected. SHC security office
approved encryption should be used.
Locking software for unattended laptops must activate after
______ [time to be determined by
organization] minutes.
SHC portable workstations must be carried as carry-on (hand)
baggage when workforce members use public transport. They
must be concealed and/or locked when in private transport (e.g.,
locked in the trunk of an automobile).
Scope/Applicability: This policy is applicable to all departments that use or disclose electronic
protected health information for any purposes.
This policy’s scope includes all electronic protected health information,
as described in Definitions below.
Regulatory
Category:
Physical Safeguards
Regulatory Type:
Standard
Regulatory
Reference:
45 CFR 164.310(b)
Definitions:
Electronic protected health information means individually identifiable
health information that is:


Transmitted by electronic media
Maintained in electronic media
Electronic media means:
(1) Electronic storage media including memory devices in computers
(hard drives) and any removable/transportable digital memory medium,
such as magnetic tape or disk, optical disk, or digital memory card; or
(2) Transmission media used to exchange information already in
electronic storage media. Transmission media include, for example, the
internet (wide-open), extranet (using internet technology to link a
business with information accessible only to collaborating parties), leased
lines, dial-up lines, private networks, and the physical movement of
removable/transportable electronic storage media. Certain transmissions,
including of paper, via facsimile, and of voice, via telephone, are not
considered to be transmissions via electronic media, because the
information being exchanged did not exist in electronic form before the
Page 4 of 6
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKSTATION USE
transmission.
Information system means an interconnected set of information resources
under the same direct management control that shares common
functionality. A system normally includes hardware, software,
information, data, applications, communications, and people.
Workforce member means employees, volunteers, and other persons
whose conduct, in the performance of work for a covered entity, is under
the direct control of such entity, whether or not they are paid by the
covered entity. This includes full and part time employees, affiliates,
associates, students, volunteers, and staff from third party entities who
provide service to the covered entity.
Workstation means an electronic computing device, for example, a laptop
or desktop computer, or any other device that performs similar functions,
and electronic media stored in its immediate environment.
Virus means a piece of code, typically disguised, that causes an
unexpected and often undesirable event. Viruses are frequently designed
to automatically spread to other computers. They can be transmitted by
numerous methods: as e-mail attachments, as downloads, and on floppy
disks or CDs.
Worm means a piece of code, usually disguised, that spreads itself by
attacking and copying itself to other machines. Some worms carry
destructive payloads that delete files or distribute files; others alter Web
pages or launch denial of service attacks.
Trojan horse means a program in which malicious or harmful code is
contained inside apparently harmless programming or data.
Authentication means the corroboration that a person or entity is the one
claimed.
Password means confidential authentication information composed of a
string of characters.
Token means a physical device which, together with something that a
user knows, will enable authorized access to an information system.
Anti-virus software means software that detects or prevents malicious
software.
Responsible
Department:
Supervisors; Information Systems
Policy Authority/
SHC’s Security Official is responsible for monitoring and enforcement of
Page 5 of 6
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.
WORKSTATION USE
Enforcement:
this policy, in accordance with Procedure # (TBD).
Related Policies:
Workstation Security
Renewal/Review:
This policy is to be reviewed annually to determine if the policy complies
with current HIPAA Security regulations. In the event that significant
related regulatory changes occur, the policy will be reviewed and updated
as needed.
Procedures:
TBD
Page 6 of 6
Copyright 2003 Phoenix Health Systems, Inc.
Limited rights granted to licensee for internal use only.
All other rights reserved.