Internet Usage and Security policy - Wheaton Franciscan Healthcare

Category: IS
POLICY & PROCEDURE
Subject:
Internet Usage and Security
Classification:
Management Approved
Policy Owner:
WFH Chief Information Officer
Approved by:
WFH President and CEO
Effective: May 1, 2009
POLICY:
It is the policy of Wheaton Franciscan Healthcare (WFH) that access to the
Internet is provided only to those associates who have a legitimate business need
for such access.
RATIONALE:
Information technology is a resource that aids the physicians and the associates
of WFH in fulfilling our mission and vision. In honoring our values of respect and
stewardship, we must understand that policies and procedures are in place to
protect the technology available to WFH associates by enabling them to have
reliable, effective, and efficient means of communicating, developing documents,
and storing vital information. Without information technology, the ministry provided
by WFH for its associates, patients and residents could not be fulfilled.
Specifically, WFH has made every effort to establish secure access to the
Internet. However, the wide array of new resources, new services, and
interconnectivity available via the Internet introduces new opportunities as well as
new risks.
SCOPE:
This policy applies to Wheaton Franciscan Healthcare’s owned and managed
regions and joint ventures that utilize WFH’s information technology.
PROCEDURE:
Access to the Internet will be granted once WFH Information Services (IS) has
received both a written request from the appropriate manager and a signed
Request for Internet Web Access form. It is the manager's responsibility to monitor
staff for appropriate use of the Internet.
Contractors and on-site consultants who need Internet connectivity while they are
located in WFH facilities are encouraged to use the WFH guest network, if
available. If a guest network is not available, or if internal network access is also
required, the contractor/consultant may be granted associate-equivalent access
once WFH IS has received a written request from the sponsoring WFH manager
and a signed Request for Internet Web Access form. The access granted will not
exceed the base access granted to WFH staff: no additional firewall ports will be
opened, and Web site categories normally blocked for WFH staff will remain
blocked. As with associates, it is the sponsoring manager's responsibility to monitor
the contractor's/consultant's use of WFH's Internet facilities, and it is the
contractor's/consultant's responsibility to adhere to WFH policies governing
Internet use.
If an associate does not have sufficient Internet access and needs greater access
for a specific project or to perform their job duties, they may request enhanced
access by contacting WFH Information Security and presenting a valid business
reason for the enhanced access privileges.
IS
Internet Usage and Security
Page 1 of 5
ASSOCIATE ACCOUNTABILITY:
Use of the Internet: The ability to “surf” the World Wide Web and engage in other
Internet activities is not a fringe benefit to which all associates are entitled.
Violations of this policy or inappropriate use of the Internet can lead to revocation
of system privileges and/or disciplinary action. Inappropriate use includes, but is
not limited to:
• Use for personal business or gain
• Sending or forwarding chain letters, jokes, images, videos or other media
unrelated to your employment
• Installing or accessing non-work related software
• Use of, or posting material to, Internet-based storage systems, bulletin
boards, and blogs
• Providing information about associates and patients
• Use of interactive web media and social networking sites, including but
not limited to YouTube, Facebook, Twitter and MySpace
• Any use which violates WFH Mission, Vision, or Values
Monitoring and Auditing: All use of the Internet is subject to monitoring by the
Information Services department. By signing the Request for Internet Web Access
form, associates acknowledge and agree to such monitoring. Internet use is
audited on a regular basis, and evidence of excessive or inappropriate use may
be provided to managers, leadership, Human Resources, and/or Office of General
Counsel.
INFORMATION INTEGRITY:
Information Reliability: There is no quality control process on the Internet. All
information taken from the Internet should be considered suspect until confirmed
by separate information from another source. Before using free Internet-supplied
information for business decision-making purposes, associates must corroborate
the information by consulting other sources.
Automatic Software Updates: User-requested automatic updating of software or
information on WFH computers via any Internet technology is prohibited.
INFORMATION CONFIDENTIALITY:
Posting Materials: Associates must not post WFH material (internal memos,
policies, etc.) on any publicly accessible Internet computer unless the director of
public relations has first approved the posting of these materials. In more general
terms, WFH internal information must not be placed on any computer unless the
persons who have access to that computer have a legitimate need to know the
involved information. Further, use of Internet-based data storage systems (like
Amazon Web Services, Google Desktop, etc.) to store WFH-owned and managed
data is specifically prohibited.
Security Parameters: Credit card numbers, telephone calling card numbers,
passwords, and other security parameters that can be used to gain access to
goods or services must not be sent over the Internet in readable form. The
SSL/TLS and SET encryption processes are both acceptable Internet encryption
standards for the protection of security parameters. In a browser, an SSL/TLS-
protected connection can generally be identified by a closed padlock icon (shown
in the address bar in current browsers, or at the bottom of the browser window in
older ones) and by an address beginning with https://. Note that the padlock only
indicates that the connection to the site is encrypted; it does not by itself establish
that the site is the one you intended or that it is legitimate, so confirm the site
address before entering any security parameter.
PUBLIC REPRESENTATIONS:
External Representations: Associates may indicate their affiliation with WFH
in mailing lists (listservs), chat sessions, and other offerings on the Internet. This
may be done by explicitly adding certain words, or it may be implied, for instance
via an electronic mail address. In either case, whenever associates provide an
affiliation, they must also clearly indicate that the opinions expressed are their
own and not necessarily those of WFH. Likewise, if an affiliation with WFH is
provided, political advocacy statements and product/service endorsements cannot
be issued unless the director of public relations has approved them.
Appropriate Behavior: Whenever an affiliation with WFH is included with an
Internet message or posting, "flaming" or similar written attacks are strictly
prohibited in order to avoid libel, defamation of character, and other legal
problems. Likewise, associates must not make threats against another user or
organization over the Internet. All Internet messages intended to harass, annoy,
or alarm another person are similarly prohibited. Acquisition and/or use of
materials or information inconsistent with WFH's business is prohibited.
Examples of such materials include pirated software, purloined passwords, stolen
credit card numbers, and inappropriate written or graphic material (for instance,
pornography).
Blocking Sites: WFH firewalls, proxies, and other access control devices
(collectively, 'firewalls') routinely prevent users from connecting to certain
non-business Web sites. The ability to connect to a specific Web site does not in
itself imply that users of WFH systems are permitted to visit that site. Associates
using WFH computers who discover they have connected to a Web site that
contains sexually explicit, racist, violent, or other potentially offensive material
must immediately disconnect from that site. If a user encounters an inappropriate
Web site that is not blocked, they should submit the Web site address (URL) to
WFH IS; the site will be reviewed and blocked, if appropriate. Likewise, if a
user believes that there is a legitimate need to access a Web site that has been
blocked, a request to remove the block should be submitted either through the
built-in feedback/request form on the block page or through WFH IS Customer
Service and Support (Help Desk). The request should state the Web site address
(URL), the reasons that the site is needed, and why the block should be removed.
INTELLECTUAL PROPERTY RIGHTS:
Copyrights: WFH adheres to software vendors' license agreements. When at
work, or when using WFH computing or networking resources, copying software
in a manner that is not consistent with the vendor's license is forbidden; before
making any copy you believe to be lawful, consult IS and the vendor's license
terms. Likewise, participation in pirate software bulletin boards and similar
activities represents a conflict of interest with WFH work and is therefore
prohibited. Similarly, reproducing, forwarding, republishing, or otherwise
redistributing words, graphics, images or other materials, whether originally
obtained in hard copy or via the Internet, may be done only with the permission
of the author/owner. Associates should assume that all text, images and graphics
found on the Internet are protected by copyright unless specific notices from a
credible source state otherwise. When information from the Internet is integrated
into internal reports or used for other purposes, all material must include labels
such as "copyright, all rights reserved" as well as specifics about the source of
the information (author names, URLs, dates, etc.).
ACCESS CONTROL:
Browser User Authentication: Users must not save passwords in their Web
browsers or electronic mail clients, because doing so allows anybody who has
physical access to the workstation to use the Internet under their identity and to
read and send their electronic mail. Instead, these passwords must be entered
each time a browser or electronic mail client is started.
Internet Service Providers: With the exception of telecommuters and mobile
computer users, associates must not employ Internet service provider (ISP)
accounts and dial-up lines to access the Internet with WFH computers. Instead, all
Internet activity must pass through WFH firewalls so that access controls and
related security mechanisms can be applied.
PRIVACY EXPECTATIONS:
Junk E-mail: When associates receive unwanted or unsolicited e-mail (also
known as spam), they must refrain from responding directly to the sender and
should simply delete the message from their inbox. Responding to the sender
confirms that the address is actively read, which invites further junk e-mail. If the
message contains objectionable material, forward the message to WFH IS
Customer Service and Support (Help Desk). Messages from these senders will
then automatically be blocked and discarded by the e-mail system at the point they
"enter the door".
“Spoofing” (Impersonation): The current state of Internet e-mail technology
makes it relatively easy to “spoof” an electronic message (i.e. masquerade as
another user). To facilitate communications and to properly identify the sending
party, all e-mail sent outside the company using the Internet e-mail system must
contain the sender’s:
• First and last name
• Job title
• Department or function
• Organization
• Organizational unit (e.g., Information Services, Covenant Health System,
Waterloo, IA)
• Office phone and fax phone numbers
• E-mail address
This can be accomplished in Microsoft Outlook by creating an electronic
“signature” block that is automatically attached to all messages you send. The
Corporate Identity Standards manual contains information on how to create such
signatures.
Internet E-mail is not Private: When using Internet e-mail to conduct business
with external entities, remember that Internet e-mail is essentially the electronic
equivalent of a post card. These communications are open to viewing while in
transit to their destination. Internet e-mail use has also made it more likely
that a simple typing mistake will send a message to the wrong place. Therefore:
• The use of hand-typed Internet e-mail addresses in the "To:" line is
strongly discouraged. It is strongly recommended that personal address
book or contact list entries be created for anybody that you communicate
with on a regular basis. When the entry is created, double-check the
spelling of the e-mail address.
• The first time you send e-mail using an address book entry, it is
recommended that you verify via phone or fax message that the intended
recipient actually received it.
• Our Microsoft Exchange e-mail system automatically attaches an
additional disclaimer to all messages sent via Internet e-mail. This
message is the functional equivalent of the standard "confidentiality"
message that appears on our fax cover sheets.
Because Internet e-mail is normally sent in clear text, sending patient or other
confidential information to external recipients via e-mail is prohibited unless a
WFH IS approved encryption solution is being employed.
User Anonymity: Misrepresenting, obscuring, suppressing, or replacing a user's
identity on the Internet or any WFH electronic communications system is
forbidden. The user name, electronic mail address, organizational affiliation, and
related information included with messages or postings must reflect the actual
originator of the messages or postings. Re-mailers or other services that render a
person anonymous must not be used. Use of services that were established with
the expectation that users would be anonymous (e.g. anonymous FTP log-ins,
ordinary Web browsing) is permissible.
REPORTING SECURITY PROBLEMS:
Notification Process:
The WFH Vice President, Compliance and HIPAA Services must be notified
immediately if:
• Sensitive WFH information is lost, disclosed to unauthorized parties, or
suspected of being lost or disclosed to unauthorized parties;
• Any unauthorized use of WFH's information systems has taken place, or
is suspected of taking place; or
• Passwords or other system access control mechanisms are lost, stolen,
or disclosed, or are suspected of being lost, stolen, or disclosed.
The specifics of security problems should not be discussed widely, but should
instead be shared on a need-to-know basis.
False Security Reports: The Internet has been plagued with hoaxes alleging
various security problems. Many of these hoaxes take the form of chain letters
that request that the receiving party send the message to other people.
Associates in receipt of information about computer viruses and other problems
should forward it to WFH IS Customer Service and Support (Help Desk), where it
will be logged and forwarded for investigation. Associates must not personally
redistribute this type of information.
Testing Controls: Associates must not probe ("test the doors") the security
mechanisms of either WFH or other Internet sites unless they have first obtained
written permission from the WFH CIO. Probing security mechanisms triggers
alarms and causes resources to be needlessly spent tracking the activity.
Likewise, both the possession and the use of tools for cracking passwords or
otherwise defeating information security controls are prohibited without the
advance permission of the WFH CIO.
Replaces:
IS Regulation 009
Cross reference:
Use of Computers and Communications Systems policy
Information Systems Access policy
Corporate Identity Standards Manual
Review Period:
Two (2) years
Original Policy Date:
December 14, 1999
Dates Updated:
August 25, 2000; March 19, 2003; May 1, 2005; May 1, 2009