IT Policy
June 24, 2015 revision

The computer network used at the Practice contains private business and patient health information. Keeping this information safe is important. The following policies have been adopted to aid in this goal.

Table of Contents
IT Compliance Officer .............................................. 1
Business Associates Agreement ...................................... 2
Firewall Review .................................................... 3
Automatic Account Lockout and Reset of Microsoft Windows Login ..... 4
Local Workstation Security Accounts Review ......................... 5

IT Compliance Officer

Obligations in this policy include ongoing standards, actions triggered by changes, and periodic reviews to ensure compliance. It should be clear who within the Practice is responsible for overseeing compliance, and that person should be aware of those responsibilities.

IT Policy Compliance Officer: ____________________________________________________________

Business Associates Agreement

The Practice will maintain on file a fully executed Business Associates Agreement (BAA) with any external party (such as an IT company or third-party service provider) that will have access to private Practice data for any reason. The agreement must be in place before any access to the information is granted.
Third-party service providers may include (review and revise this list to those applicable):
Internet-based backup provider
Internet-based email provider
Practice Management software company
Sesame Communications
Televox
Gaidge
Demand Force
Patient Rewards Hub
Lighthouse 360
Suresmile

Annually the IT Compliance Officer will evaluate which companies the Practice should have agreements with, and then the BAA(s) will be audited to ensure that a fully executed copy is in place and for the correct companies. Document that this was done using the IT Annual Review Checklist, which includes:
1. Date
2. Who performed the audit
3. Which BAA(s) were reviewed
4. Summary of observations and changes made
5. Signature of auditor

Store the completed checklist in a safe place for future reference.

The completed BAA(s) will be kept on file here: ______________________________________________

Firewall Review

The firewall device is the Practice's primary defense against Internet intruders. It should be routinely reviewed to ensure it is performing properly. On an annual basis, the following checks should be performed by a qualified individual:
1. Change the password
   a. Ensure the new password meets the Practice's password complexity standard
   b. Under NO circumstances should the firewall's default password be used
   c. Document the password in the Practice's Password Database
2. Update to the latest firmware
3. Perform a security review. Critically review the firewall's configuration to prevent unauthorized access to devices on the network. Question whether ports found open are still required. Remove settings that are no longer needed.
   a. Review port forwards and remove unnecessary ports
   b. Review DMZ settings and disable if unnecessary
   c. Review VPN settings and remove unnecessary VPN tunnels or accounts
   d. No remote management from external IPs
4. Back up the firewall's configuration to a safe place on the network to aid in future troubleshooting and repair. Take a backup before the firmware update in step 2 as well, so the pre-update configuration can be restored if the update fails.
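To support step 3 (port forwards, DMZ and remote management), the following script checks from the outside which TCP ports on the Practice's public address actually answer and compares them with the ports the review concluded must stay open. It is an added example and not part of the Practice's policy or any vendor's tooling. The public IP and the approved-port list are placeholders to replace, and it must be run from a machine outside the Practice network: a probe from inside the LAN against the public address goes through NAT loopback (if the firewall supports it at all) and does not reflect what the Internet sees. It covers TCP only; UDP services such as some VPNs need a separate check.

```powershell
# Added example, not part of the Practice's policy. Run from OUTSIDE the Practice network.
# Placeholders: $PublicIp is the firewall's Internet address; $ApprovedPorts are the TCP ports
# the firewall review decided must stay forwarded. Everything else should not answer.
$PublicIp      = '203.0.113.10'   # documentation-range placeholder, replace with the real address
$ApprovedPorts = @(1194)          # hypothetical: only the VPN listener is approved
$PortsToProbe  = @(1..1024) + @(1194, 3389, 4443, 5900, 8080, 8443, 8888, 10000)  # well-known + common forward/management ports

function Get-OpenTcpPorts {
    param([string]$Target, [int[]]$Ports, [int]$TimeoutMs = 3000)
    # Start every connection attempt first, then wait once for the whole batch, so a
    # firewall that silently drops packets costs one timeout rather than one per port.
    $probes = foreach ($p in $Ports) {
        $c = New-Object System.Net.Sockets.TcpClient
        [pscustomobject]@{ Port = $p; Client = $c; Task = $c.ConnectAsync($Target, $p) }
    }
    # WaitAll throws an AggregateException if any attempt was refused; that is expected,
    # each task is inspected individually below.
    try { [void][System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$probes.Task, $TimeoutMs) } catch { }
    $openPorts = foreach ($pr in $probes) {
        if ($pr.Task.Status -eq 'RanToCompletion' -and $pr.Client.Connected) { $pr.Port }
        $pr.Client.Dispose()
    }
    return @($openPorts)
}

$open       = Get-OpenTcpPorts -Target $PublicIp -Ports ($PortsToProbe | Sort-Object -Unique)
$unexpected = $open          | Where-Object { $ApprovedPorts -notcontains $_ }
$missing    = $ApprovedPorts | Where-Object { $open -notcontains $_ }

"Open TCP ports on $PublicIp : $(if ($open) { $open -join ', ' } else { 'none' })"
foreach ($p in $unexpected) { "FINDING: port $p answers but is not approved; remove the port forward, DMZ host or remote-management rule behind it" }
foreach ($p in $missing)    { "NOTE: approved port $p did not answer; confirm the service is up, or drop it from the approved list" }
if (-not $unexpected) { "No unapproved ports reachable; record this in the Firewall Review Checklist" }
```

A port that answers with nothing on the approved list is the concrete evidence for item 3a/3d of the checklist; a management interface that answers on 443 or 8443 from the Internet is the case item 3d exists for. Re-run the probe after the configuration changes so the checklist records the state the firewall was left in, not the state it was found in.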
Document that this was done using the Firewall Review Checklist, which includes:
1. Date
2. Who performed the audit
3. What device was reviewed (model and S/N)
4. Confirmation that the steps were performed
5. Summary of observations and changes made
6. Signature of auditor

Keep the completed checklist in a safe place for future reference.

Location of completed checklist storage: ____________________________________________________

Automatic Account Lockout and Reset of Microsoft Windows Login

As a protection measure against a brute-force attack (where someone tries to break into an account by repeatedly guessing passwords), the network will be configured to automatically lock out the affected Microsoft Windows login account from further use. The account can either be unlocked by the IT Administrator or will automatically unlock after a predetermined time.

Number of failed login attempts allowed before the account is locked out: 5 attempts (Windows setting "Account lockout threshold")
Time after the last failed attempt before the failed-attempt counter resets: 30 minutes (Windows setting "Reset account lockout counter after"); the 5 failures must fall within this window to trigger the lockout
Amount of time before a locked-out account will automatically unlock: 30 minutes (Windows setting "Account lockout duration")

In a Microsoft Windows Domain this is most easily accomplished by enabling the built-in Account Lockout Policy settings in Group Policy (Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy) in the Default Domain Policy. In a non-domain network the same three settings are applied manually on each PC through the Local Security Policy (secpol.msc) or the "net accounts" command.

Annually review that this is working by attempting to log in to one of the staff Microsoft Windows login accounts incorrectly the appropriate number of times, and observe that the account automatically becomes locked out and then unlocks after the correct amount of time. Coordinate this with the staff member, since the account will be unusable for 30 minutes, or use a dedicated test account created for the review. Do not use the built-in Administrator account for this test: depending on the Windows version it may be exempt from lockout, so a passing test on it proves nothing. Document this using the Account Lockout Policy Review Checklist, which shall include:
1. Date
2. Who performed the audit
3. Which Microsoft Windows login was tested
4. What number of attempts and reset time were tested
5. Did it lock out automatically as planned?
6. Did it automatically reset after the correct amount of time?
7. Summary of observations and changes made
8. Signature of auditor

Keep the completed checklist in a safe place for future reference.

Location of completed checklist storage: ____________________________________________________

Local Workstation Security Accounts Review

Every Microsoft Windows computer on the network has a number of local user accounts that can be used to log in to the PC without needing a username and password on the overall Practice network security domain. These accounts are often overlooked or forgotten, and they may have blank passwords when the PC ships to you. Hackers and malware can exploit these accounts, so it is important that they are secured or deleted.

Annually perform a review of every PC's local security accounts and:
1. Set or verify the local Administrator account password. This can be done either by simply setting the password (ignoring what it was) or by logging in to test that the account and password are as expected.
   a. Ensure that it is enabled (for use in future troubleshooting)
   b. Ensure that the password meets the Password Complexity requirement
   c. Document the password in the Password Storage Database
   d. Optionally the account could be renamed, or disabled and an alternate local administrator account created. Document this. Note that renaming does not hide the account from an attacker: the built-in Administrator keeps its well-known identifier (a SID ending in -500) whatever it is called, so renaming is a documentation matter, not a security control.
2. Review the local Administrators group membership roster
   a. Every entry should have a specific purpose in this group, and you should know that each account in this group has a strong password (and that it is documented).
   b. Typical membership would include these individual local accounts:
      i. Administrator
      ii. An account for your IT Provider
      iii. Domain Admins, if your network has a Microsoft security domain
   c. Look for rogue accounts that don't belong
      i. Previous IT people
      ii. Follow up and disable or delete accounts that shouldn't be there
         1. If you find accounts and you don't know how they got there, you need to be concerned and work out what happened.
            This could be a sign of a larger hack or spyware. Don't just delete the account and say "huh, that was weird": disable it rather than deleting it so that its profile and the logon records remain available for investigation.
3. Disable the built-in Windows 'Guest' account
   a. There is no practical use for this within the Practice, so disable the account. (The built-in Guest account cannot be deleted, only disabled.)

Document this using the Local Workstation Security Account Review Checklist, which shall include:
1. Date
2. Who performed the audit
3. The name and serial number of each PC tested
4. Verify the Administrator account was enabled and the password checked
5. Document that the Administrators group was reviewed
6. Verify the Guest account was disabled or not present
7. Summary of observations and changes made
8. Signature of auditor

Keep the completed checklist in a safe place for future reference.

Location of completed checklist storage: ____________________________________________________
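The following script carries out the annual check described in the "Automatic Account Lockout and Reset of Microsoft Windows Login" section on a stand-alone (non-domain) PC: it applies the three mandated values, reads the effective policy back, then locks a throw-away test account with the allowed number of wrong passwords and confirms it unlocks by itself. It is an added example, not part of the policy document or of any Microsoft tooling. It assumes an elevated Windows PowerShell 5.1 session on the PC under review; the test-account name is a placeholder. On a domain-joined PC the domain Group Policy re-applies its own values at the next refresh, so there the policy is verified with Get-ADDefaultDomainPasswordPolicy and the test is done against a domain account instead.

```powershell
# Added example, not part of the Practice's policy: apply, read back and exercise the
# account lockout settings on a stand-alone Windows PC. Run elevated (Windows PowerShell 5.1).
$Threshold   = 5    # failed attempts allowed before lockout     ("Account lockout threshold")
$WindowMin   = 30   # minutes until the failed-attempt counter resets ("Reset account lockout counter after")
$DurationMin = 30   # minutes until a locked-out account unlocks   ("Account lockout duration")
$TestUser    = 'lockout-test'   # hypothetical throw-away account; never the built-in Administrator

# 0. Create the test account for this review if it does not exist yet.
if (-not (Get-LocalUser -Name $TestUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $TestUser -Password (Read-Host -AsSecureString "Password for $TestUser") `
                  -Description 'Account lockout policy review' | Out-Null
}

# 1. Apply the policy (the same three values the Account Lockout Policy GPO pushes on a domain).
net accounts /lockoutthreshold:$Threshold /lockoutwindow:$WindowMin /lockoutduration:$DurationMin | Out-Null

# 2. Read the effective policy back from "net accounts" and compare with the mandated values.
$expected = [ordered]@{
    'Lockout threshold'                    = $Threshold
    'Lockout observation window (minutes)' = $WindowMin
    'Lockout duration (minutes)'           = $DurationMin
}
$actual = @{}
foreach ($line in (net accounts)) {
    if ($line -match '^(?<name>Lockout[^:]+):\s+(?<value>\S+)') { $actual[$matches.name] = $matches.value }
}
foreach ($name in $expected.Keys) {
    $ok = ($actual[$name] -eq "$($expected[$name])")   # "Never" or a different number is a mismatch
    '{0,-38} expected {1,3}  actual {2,5}  {3}' -f $name, $expected[$name], $actual[$name], $(if ($ok) { 'OK' } else { 'MISMATCH' })
}

# 3. Exercise it: $Threshold wrong passwords must lock the account. ValidateCredentials performs a
#    real logon against the local SAM, so each failure counts toward the lockout threshold.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx  = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
$acct = [ADSI]"WinNT://$env:COMPUTERNAME/$TestUser,user"
1..$Threshold | ForEach-Object { [void]$ctx.ValidateCredentials($TestUser, "wrong-password-$_") }
$acct.RefreshCache()
$locked = [bool]$acct.InvokeGet('IsAccountLocked')
"Locked out after $Threshold failed attempts: $locked   (checklist item 5, expected True)"

# 4. Wait out the lockout duration (plus a minute of slack) and confirm it cleared by itself.
Start-Sleep -Seconds (($DurationMin * 60) + 60)
$acct.RefreshCache()
$stillLocked = [bool]$acct.InvokeGet('IsAccountLocked')
"Still locked $DurationMin minutes later: $stillLocked   (checklist item 6, expected False)"

# 5. If it did not clear, unlock it the way the IT Administrator would; then remove the test account.
if ($stillLocked) { $acct.InvokeSet('IsAccountLocked', $false); $acct.CommitChanges() }
Remove-LocalUser -Name $TestUser
```

The step 2 comparison is what turns the review from "I tried it and it locked" into a record of the actual settings; a PC that locks after 5 attempts but unlocks after 1 minute because someone changed the duration still fails the policy, and only the read-back shows that.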
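For the "Local Workstation Security Accounts Review" section, the following script audits one PC against the three checks (built-in Administrator, Administrators group roster, Guest) and prints the lines the Local Workstation Security Account Review Checklist asks for. It is an added example, not part of the policy document or of any Microsoft tooling. It assumes an elevated Windows PowerShell 5.1 session with the LocalAccounts module (Windows 10 / Server 2016 or later); the approved-roster names are hypothetical placeholders to replace with the Practice's own. It cannot check that the Administrator password meets the complexity requirement, since it never sees the password; that remains a manual step.

```powershell
# Added example, not part of the Practice's policy: audit a PC's local accounts. Run elevated.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (use its new name here if renamed)
    "$env:COMPUTERNAME\itprovider",      # hypothetical: the IT Provider's account
    'PRACTICE\Domain Admins'             # hypothetical domain group; delete this line if not domain-joined
)
$ResetAdminPassword = $false             # $true performs step 1 by setting a new password (prompted)
$findings = New-Object System.Collections.Generic.List[string]

# Step 1: the built-in Administrator, found by its well-known RID (-500) so a rename does not hide it.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($ResetAdminPassword) {
    Set-LocalUser -Name $admin.Name -Password (Read-Host -AsSecureString "New password for $($admin.Name)")
    $admin = Get-LocalUser -SID $admin.SID
}
if (-not $admin.Enabled)          { $findings.Add("1a: '$($admin.Name)' is disabled; document the alternate local admin account that replaces it") }
if (-not $admin.PasswordRequired) { $findings.Add("1b: '$($admin.Name)' has a blank password") }
if (-not $admin.PasswordLastSet -or $admin.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
    $findings.Add("1c: '$($admin.Name)' password was not set within the last year (last set: $($admin.PasswordLastSet)); set it and record it in the Password Storage Database")
}
if ($admin.Name -ne 'Administrator') { $findings.Add("1d: built-in Administrator is renamed to '$($admin.Name)'; make sure this is documented") }

# Step 2: Administrators group roster against the approved list.
try {
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop)
} catch {
    # Get-LocalGroupMember fails on an orphaned SID (e.g. a deleted domain account still in the group).
    # That is itself a finding; 'net localgroup Administrators' still lists the raw entries.
    $findings.Add("2c: could not enumerate Administrators ($($_.Exception.Message)); check 'net localgroup Administrators' by hand")
    $members = @()
}
foreach ($m in $members) {
    if ($ApprovedAdmins -notcontains $m.Name) {
        $findings.Add("2c: unexpected member of Administrators: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource)); find out how it got there, then disable it")
    }
}
foreach ($a in $ApprovedAdmins) {
    if ($members.Name -notcontains $a) { $findings.Add("2b: approved account '$a' is not in Administrators") }
}

# Step 3: the built-in Guest (RID -501). It cannot be deleted, only disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -Name $guest.Name
    $findings.Add("3: Guest account '$($guest.Name)' was enabled; it has now been disabled")
}
$guestEnabled = if ($guest) { (Get-LocalUser -SID $guest.SID).Enabled } else { 'n/a' }

# The case the section warns about: any other enabled local account with no password at all.
foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired -and $_.SID -ne $admin.SID })) {
    $findings.Add("blank password on enabled local account '$($u.Name)'; set a password or disable it")
}

# Checklist lines.
"PC: $env:COMPUTERNAME  serial: $((Get-CimInstance Win32_BIOS).SerialNumber)  reviewed: $(Get-Date -Format yyyy-MM-dd)"
"Administrator ('$($admin.Name)') enabled: $($admin.Enabled); password last set: $($admin.PasswordLastSet)"
"Administrators group members: $($members.Name -join ', ')"
"Guest present: $([bool]$guest); enabled: $guestEnabled"
if ($findings.Count -eq 0) { 'Findings: none' } else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

The roster comparison is deliberately two-sided: an extra member is the rogue-account case in item 2c, while an approved account that is missing usually means the IT Provider's account was removed or renamed without the Password Storage Database being updated. Either way, record the finding on the checklist before changing anything, so the "summary of observations and changes made" line reflects what was actually found.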