IT Policy
June 24, 2015 revision
The computer network used at the Practice contains private business and patient health information.
Keeping this information safe is important. The following policies have been adopted to aid in this goal.
Table of Contents
IT Compliance Officer (page 1)
Business Associates Agreement (page 2)
Firewall Review (page 3)
Automatic Account Lockout and Reset of Microsoft Windows Login (page 4)
Local Workstation Security Accounts Review (page 5)
IT Compliance Officer
Obligations in this policy include ongoing standards, actions triggered by changes, and periodic reviews
to ensure compliance. It should be clear who within the Practice is responsible for overseeing
compliance and that they are aware of the responsibilities.
IT Policy Compliance Officer: ____________________________________________________________
Page 1 of 6
Business Associates Agreement
The Practice will maintain on file a fully executed Business Associates Agreement (BAA) with any
external party (such as an IT company or 3rd party service provider) that will have access to the private
Practice data for any reason. The agreement should be in place prior to granting any access to
information.
Third Party Service Providers may include (review and revise this list to those applicable):
• Internet based Backup Provider
• Internet based Email Provider
• Practice Management software company
• Sesame Communications
• Televox
• Gaidge
• Demand Force
• Patient Rewards Hub
• Lighthouse 360
• Suresmile
Annually the IT Compliance Officer will evaluate which companies the Practice should have agreements
with, and then the BAA(s) will be audited to ensure that a fully executed copy is in place and for the
correct companies. Document that this was done using the IT Annual Review Checklist that includes:
1. Date
2. Who performed the audit
3. Which BAA(s) were reviewed
4. Summary of observations and changes made
5. Signature of auditor
Store the completed checklist in a safe place for future reference.
The completed BAA(s) will be kept on file here: ______________________________________________
Firewall Review
The firewall device is the Practice's primary defense against Internet intruders. It should be routinely
reviewed to ensure proper performance.
On an annual basis, the following checks should be performed by a qualified individual:
1. Change the password
a. Ensure the new password meets the Practice's password complexity standard
b. Under NO circumstances should the firewall's default password be used
c. Document the password in the Practice's Password Database
2. Update to the latest firmware
3. Perform a security review
Critically review the firewall's configuration to prevent unauthorized access to devices on the
network. Question whether ports found open are still required. Remove settings that are no longer
needed.
a. Review port forwards and remove unnecessary ports
b. Review DMZ settings and disable if unnecessary
c. Review VPN settings and remove unnecessary VPN tunnels or accounts
d. No remote management from external IPs
4. Back up the firewall's configuration to a safe place on the network to aid in future
troubleshooting and repair.
Document that this was done using the Firewall Review Checklist that includes:
1. Date
2. Who performed the audit
3. What device was reviewed (model and S/N)
4. Confirmation that steps were performed
5. Summary of observations and changes made
6. Signature of auditor
Keep the completed checklist in a safe place for future reference.
Location of completed checklist storage: ____________________________________________________
Automatic Account Lockout and Reset of Microsoft Windows Login
As a protection measure against a brute force attack (where someone just tries to break an account by
repeatedly guessing passwords) the network will be configured to automatically lock out the affected
Microsoft Windows Login account from further use.
The account can be either reset by the IT Administrator or will automatically unlock after a
predetermined time.
Number of failed login attempts allowed before account is locked out:
5 attempts
Time window that failed attempts can occur in:
30 minutes
Amount of time before a locked out account will automatically reset:
30 minutes
In a Microsoft Windows Domain this is most easily accomplished by enabling the included GPO
settings. In a non-domain based network it can be done manually as a local security policy.
Annually review that this is working by attempting to log in to one of the Staff Microsoft Windows Login
accounts incorrectly the appropriate number of times, and observe that the account automatically
becomes disabled and then resets after the correct amount of time.
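As an added example (not part of the Practice's policy document), the following PowerShell script compares the lockout settings a PC actually reports with the three values this policy specifies, so the annual check has a record beyond a single manual login test. It assumes a standalone or domain-joined Windows PC where the built-in `net accounts` command is available; the `Test-LockoutPolicy` function name is our own.

```powershell
# Policy values from this document: 5 attempts, 30-minute window, 30-minute reset.
# The keys are the labels `net accounts` prints for each setting.
$Policy = @{
    'Lockout threshold'                    = 5
    'Lockout observation window (minutes)' = 30
    'Lockout duration (minutes)'           = 30
}

function Get-LockoutSettings {
    # Parse the "Label:   value" lines printed by `net accounts` into a hashtable.
    $settings = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>.+?):\s+(?<value>\S.*)$') {
            $settings[$Matches.name.Trim()] = $Matches.value.Trim()
        }
    }
    return $settings
}

function Test-LockoutPolicy {
    # Returns $true only when every setting matches the policy; warns on each mismatch.
    $actual = Get-LockoutSettings
    $ok = $true
    foreach ($name in $Policy.Keys) {
        $expected = $Policy[$name]
        $value = $actual[$name]        # reads "Never" if lockout is not configured at all
        if ("$value" -ne "$expected") {
            Write-Warning "$name is '$value' (policy requires $expected)"
            $ok = $false
        } else {
            Write-Host "$name = $value (OK)"
        }
    }
    return $ok
}

if (-not (Test-LockoutPolicy)) {
    # On a non-domain PC the same three values can be applied from an elevated prompt.
    # On a domain member the values come from the GPO and must be corrected there instead.
    Write-Host 'To apply the policy on a standalone PC, run as Administrator:'
    Write-Host '  net accounts /lockoutthreshold:5 /lockoutwindow:30 /lockoutduration:30'
}
```

Run it from an elevated PowerShell prompt on the PC being reviewed and attach the output to the Account Lockout Policy Review Checklist.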
Document this using the Account Lockout Policy Review Checklist which shall include:
1. Date
2. Who performed the audit
3. Which Microsoft Windows Login was tested
4. What number of attempts and reset time were tested
5. Did it lock out automatically as planned?
6. Did it automatically reset after the correct amount of time?
7. Summary of observations and changes made
8. Signature of auditor
Keep the completed checklist in a safe place for future reference.
Location of completed checklist storage: ____________________________________________________
Local Workstation Security Accounts Review
Every Microsoft Windows computer on the network has a number of Local User Accounts that can be
used to log in to the PC without needing to know a Username and Password on the overall Practice
network security domain. These accounts are often overlooked or forgotten, and they may have
blank passwords when the PC ships to you. Hackers and viruses can exploit these accounts, so it is
important that they are secured or deleted.
Annually perform a review of every PC's local security accounts and:
1. Set or verify the Local Administrator Account Password
This can be done by either just setting the account password (ignoring what it was) or actually logging in to
test that the account and password are as expected.
a. Ensure that it is Enabled (for use in future troubleshooting)
b. Ensure that the password meets the Password Complexity requirement
c. Document the password in the Password Storage Database
d. Optionally the account could be renamed to something else, or disabled and an alternate
local administrator account created. Document this.
2. Review the Local Administrators Group Membership roster
a. Every entry should have a specific purpose in this group, and you should know that each
account in this group has a strong password (and that it's documented).
b. Typical membership would include these individual Local accounts:
i. Administrator
ii. An account for your IT Provider
iii. Domain Admins if your network has a Microsoft Security Domain
c. Look for rogue accounts that don't belong:
i. Previous IT people
ii. Follow up and disable or delete accounts that shouldn't be there
1. If you are finding accounts and you don't know how they got there, you
need to be concerned and try to work out what happened. It could be a
sign of a larger hack or spyware. Don't just delete and go "huh, that
was weird".
3. Disable the built-in Windows 'Guest' account
a. There is no practical use for this within the Practice, so disable (or delete) the account.
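As an added example (not part of the Practice's policy document), this PowerShell script performs the three checks above on one PC and produces a row for the Local Workstation Security Account Review Checklist. It assumes Windows 10 / Server 2016 or later (the `Get-LocalUser` and `Get-LocalGroupMember` cmdlets) and that the `$ExpectedAdmins` list is edited to the Practice's own documented accounts; the account name `ITProvider` is a constructed placeholder.

```powershell
# Accounts that are allowed in the local Administrators group (edit per Practice).
$ExpectedAdmins = @('Administrator', 'ITProvider')   # placeholder names, not from the policy
$DomainAdminsPattern = '\\Domain Admins$'           # allowed when the PC is domain-joined

function Get-LocalAccountReview {
    # Locate the built-in accounts by their well-known RIDs (500 and 501), so the
    # check still works if the Administrator account was renamed as step 1d allows.
    $admin = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    $guest = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }

    # Step 2: every member of Administrators must be on the expected list.
    $members = Get-LocalGroupMember -Group 'Administrators'
    $rogue = $members | Where-Object {
        $shortName = ($_.Name -split '\\')[-1]
        ($shortName -notin $ExpectedAdmins) -and ($_.Name -notmatch $DomainAdminsPattern)
    }

    [pscustomobject]@{
        Date                 = Get-Date -Format 'yyyy-MM-dd'
        Computer             = $env:COMPUTERNAME
        SerialNumber         = (Get-CimInstance Win32_BIOS).SerialNumber
        AdministratorName    = $admin.Name                 # reveals a rename
        AdministratorEnabled = [bool]$admin.Enabled        # step 1a
        AdminGroupMembers    = ($members.Name -join '; ')  # step 2
        RogueAdminAccounts   = ($rogue.Name -join '; ')    # step 2c
        GuestDisabled        = ($null -eq $guest) -or (-not $guest.Enabled)  # step 3
    }
}

$review = Get-LocalAccountReview
$review | Format-List
if ($review.RogueAdminAccounts) {
    Write-Warning "Unexpected Administrators members: $($review.RogueAdminAccounts)"
}
if (-not $review.GuestDisabled) { Write-Warning 'Guest account is enabled' }
if (-not $review.AdministratorEnabled) {
    Write-Warning 'Built-in Administrator is disabled; confirm the alternate account is documented'
}
# One CSV per PC; the rows feed the checklist items 3 through 6.
$review | Export-Csv -Path "LocalAccountReview-$($review.Computer).csv" -NoTypeInformation
```

The script reads the accounts only; password checks (step 1) remain a manual action recorded in the Password Storage Database.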
Document this using the Local Workstation Security Account Review Checklist which shall include:
1. Date
2. Who performed the audit
3. The name and serial number of each PC tested
4. Verify the Administrator account was enabled and password checked
5. Document that the Administrators Group was reviewed
6. Verify the Guest account was disabled or not present
7. Summary of observations and changes made
8. Signature of auditor
Keep the completed checklist in a safe place for future reference.
Location of completed checklist storage: ____________________________________________________