Electronic Mail - Jackson Health System

CODE NO. 913
SUPERSEDES: NEW
SECTION:
POLICY & PROCEDURE MANUAL
900 – IT SECURITY
SUBJECT: E-MAIL USAGE POLICY
Rationale
An Email Usage Policy is required to maintain a high level of IT Enterprise services and
availability to customers and to the IT Enterprise. This policy is essential for Jackson
Health System (JHS) to promote its primary goal of being a patient-focused organization
by supporting a secure, reliable, robust, and interoperable computing environment.
Scope
This policy applies to all personnel, including but not limited to Jackson Health System
staff, agency partners, vendors, and contractors who provide Jackson Health System
services while involved in activities related to providing those services.
Exemptions
Exemptions can be applied if the security protection mechanisms or processes exceed
those communicated in this policy. For any other exemptions to this policy, contact the
office of the Chief Information Security Officer.
Definitions
The definitions for terminology in this document can be found in the Enterprise
Glossary.
Policy Language
Personal Use
Jackson Health System electronic messaging systems must be used primarily for
business activities. Incidental personal use is permissible so long as it: (a) does not
consume more than a small amount of system resources, (b) does not interfere with
worker productivity, and (c) does not preempt any business activity.
All email messages are deemed Jackson Health System records. Personal electronic
messages will be treated no differently from other messages. The Jackson Health
System has the right to access all messages and to monitor the system to enforce
policies regarding business use and appropriateness.
Access
Access to the electronic messaging system and use of external email is granted by
Jackson Health System designated personnel. Access can be limited by time and site.
The amount of access is dependent on the approval granted by an employee’s
manager. Internet electronic messaging requires approval by authorized personnel.
DATE: 2/1/08
Page 1 of 7
The use of electronic messaging should only be performed through Jackson Health
System approved equipment and software.
Explicitly Denied Access
Workforce members of Jackson Health System must not use their personal electronic
mail accounts with an Internet Service Provider (ISP), webmail accounts or any other
third party to send Jackson Health System business messages. To do so would
circumvent logging and backup controls that Jackson Health System has established.
Users of the Jackson Health System email infrastructure must not automatically forward
jhsmiami.org addresses to a third party address.
E-Mail Attachments
Attachments to e-mail are the number one way to spread worms, viruses and other
attacks on computer systems. In order to limit the exposure of the Hospital’s computer
systems to such attacks, certain attachments will not be permitted into the environment.
If an e-mail message is sent with a questionable attachment to an internal mail
recipient, the attachment will be removed from the message and the message will be
sent on to the recipient. The message will indicate that there was an attachment, but
was removed, due to policy restrictions.
Any e-mail message sent or received by a Jackson Health System workforce member is
limited to the Jackson Health System standard size. This size limit is the total size of
the message plus all attachments accompanying the message. The limit is imposed on
all messages, whether they are sent to or received from external sources or exchanged
within the Jackson Health System organization.
Responsible Use of Computer Resources
Electronic messaging systems must employ personal user-IDs and associated
passwords to isolate the communications of different users. Workforce members must
not employ the user-ID or other identifier of any other user.
These and all other prudent and reasonable steps must be taken to prevent
unauthorized access.
Malware Code Protection
Malware code protection will be provided by the Hospital. Protection from viruses,
worms and other attacks will be performed at multiple levels, including servers,
gateways, routers and workstations. Even though these services are provided,
workforce members must still follow the policies and practices so as not to bring in or
expose Jackson Health System to such attacks.
If an attack or infection is detected, any combination of the following will be notified: the
sender, the recipient and the proper incident handling personnel. Once the notification
is sent, action will be taken to correct the issue.
Monitoring of Email Use
Employees should have no expectation of personal privacy rights in any materials
created, received or sent through the Jackson Health System-provided electronic
messaging systems.
Consistent with generally accepted business practice, Jackson Health System collects
statistical data about its electronic communication systems. Using such information,
technical support personnel monitor the use of electronic communications to ensure the
ongoing availability and reliability of these systems.
It may be necessary for Information Security personnel to review the content of an
individual worker's communications during the course of problem resolution. Monitoring of
mail content is performed only by authorized personnel with the approval of the Chief
Information Security Officer, or delegate.
Monitoring shall include, but is not limited to: viruses, inappropriate content, profanity,
private health information, Jackson Health System confidential material and spam.
Harassment
Acceptable use of computing resources requires respect of the individual's right to
privacy and to freedom from intimidation, harassment and unwarranted annoyance.
The use of insulting, obscene, offensive, derogatory remarks or suggestive e-mail or
news, tampering with others' files or any invasive access to others' equipment is
forbidden. It is possible that such remarks would later be taken out of context and used
against the Health System. As a matter of standard business practice, all Jackson
Health System electronic communications must be consistent with conventional
business standards of ethical and polite conduct.
Computer and communications systems are not intended to be used for, and must not be
used for the exercise of the workforce members' right to free speech. These systems
must not be used as an open forum to discuss Jackson Health System organizational
changes or business policy matters.
Likewise, as a further restriction of free speech, sexual, ethnic, and racial harassment --
including unwanted electronic mail -- is strictly prohibited. Workers who receive
offensive unsolicited material from outside sources must not forward or redistribute it to
either internal or external parties.
Accessing Obscene or Offensive Materials
The Health System’s electronic messaging system shall not be used to send, post, or
download information that contains obscene, derogatory, suggestive or offensive
language or images, unless it is considered part of a job responsibility (evidence
gathering, research, etc.). It is forbidden to access or display material that is prurient,
lewd, or lascivious in content. Care should be taken to avoid accessing or displaying
any material that may be offensive to others.
Prevention of Corporate Liability
Jackson Health System employees and business associates must avoid sending
electronic mail, bulletin board messages, or discussion group messages that could
cause legal exposures to Jackson Health System based on their content. Additionally,
Jackson Health System employees and business associates may not download any
documents or files that may violate any proprietary rights of any third party, including but
not limited to intellectual property rights.
Privacy
All electronic mail containing non-public data must be encrypted before leaving the
Jackson Health System network.
Release of Proprietary or Confidential Information
Information and data that can be exchanged over the Internet needs to be appropriately
protected from unauthorized access.
Exchanges of personally identifiable or confidential information or data between
Jackson Health System and third parties will not proceed without Business Associate
Agreements having first been executed. Such exchanges will abide by the terms of the
agreement.
Libel
Jackson Health System does not accept responsibility for the personal opinions
expressed by its electronic messaging systems users. Jackson Health System does not
act as a publisher, but allows the means to distribute statements made by its
employees. However, Jackson Health System takes the issue of libel seriously, and
prohibits the distribution of false or harmful text regarding a specific individual, entity, or
corporation to another party.
Conducting Business Online
Generally, business with clients and/or business partners online should be restricted to
those with proper authorization and training. If there is doubt, such business should be
conducted through other means.
Contracts
Electronic mail addresses do not satisfy the requirement for a legal signature.
In any electronic communication, in which the possibility of contracting exists, a
disclaimer must be included indicating that official approval must be obtained prior to
agreement.
Electronic Mail (E-Mail)
Electronic mail on the Internet is not secure. Information that must be kept private and
confidential should never be included in an e-mail message unless security
mechanisms have been utilized.
Secure Electronic Mail
The process is detailed in the Encryption and Digital Signature Standards and
Procedures documents.
Reporting
Users must promptly report all information security alerts, warnings, and reported
vulnerabilities.
Apparent Authority and Submission to a Foreign Jurisdiction
Any false representation of authority or engagement in unauthorized business is strictly
prohibited.
Jackson Health System operates under the jurisdiction of the locations where its
Internet transmissions commence and shall not be subject to the jurisdiction of foreign
judicial systems or to taxation by foreign governments.
Policy Enforcement
Electronic Messaging use at Jackson Health System is monitored. Any information
obtained during the course of monitoring will be forwarded to management as
appropriate.
Management may review the electronic mail communications, by personnel using
Jackson Health System facilities assigned to them for any reasonable business
purpose, including, but not limited to, breaches of security, violations of Jackson Health
System policy, or unauthorized actions on the part of the employee, consultant, or
business associate.
The Jackson Health System reserves the right to disclose any electronic mail message,
attachments or other data obtained via Jackson Health System electronic messaging
usage, to law enforcement agents without any prior notice to personnel who may have
sent or received such data.
Employees who abuse or violate this electronic messaging policy are subject to
discipline up to and including termination.
Jackson Health System will ensure that Email Usage mechanisms are in place and
effective by ensuring the following processes are carried out:
• Perform regular quality assurance checks of applications and systems, at least once
per year, to ensure the Email Usage mechanisms are effective.
• Produce reports, both regular and ad hoc, to fulfill associated processes and
management's needs.
Jackson Health System’s Email Usage policies, processes, procedures and standards:
• Gather pertinent data that will benefit the Hospital's collection of configuration
and asset information.
• Support all the other service management processes (e.g., Change
Management, Incident Management, and Problem Management).
• Are flexible enough to respond to the customer's business needs.
• Minimize the effort to maintain data through automation, consolidation and sharing of
data sources.
• Are readily accessible and available to JHS customers and staff.
• Are written to be understandable to their audience.
• Are regularly updated based on customer feedback, new business needs and
changing practices to ensure continual quality improvement, with those changes
communicated to Jackson Health System customers and staff.
Human Resource Implications
In order to provide exemplary Email Usage standards, Jackson Health System
management must:
• Offer initial and continuing training to Jackson Health System staff in Email
Usage policy, processes, procedures and standards.
• Ensure documentation for the Email Usage policy, processes, and procedures
is accessible to all staff.
• Ensure all Jackson Health System staff consistently follow the Email Usage
policy, processes, procedures, and standards.
• Assist staff to understand the Email Usage policy, processes, procedures, and
standards, and enforce compliance with the policy, processes, procedures, and
standards.
Related Policies, Processes, Procedures, Standards, or Best Practices
• Jackson Health System Acceptable Use
• Jackson Health System Asset & Classification
• Jackson Health System Asset Protection
• Jackson Health System Configuration/Asset Management
• Jackson Health System Incident Management
• Jackson Health System Information Security Staff
• Jackson Health System Threat Assessment & Monitoring
• Jackson Health System Vulnerability Assessment & Risk Management
• NIST Special Publication 800-45, "Guidelines on Electronic Mail Security"
Timeline
Effective Date: Effective upon implementation.
Review Date: Within one year from the effective date.
Authorization:
Marvin O’Quinn, President, Public Health Trust