Info Security Policy Template v1.0

Upload: edwin-e-nieves

Post on 06-Jul-2018


  • 8/18/2019 Info Security Policy Template v1 0

    1/96

Information Security Policy Template

Provided By: The National Learning Consortium (NLC)

Developed By: Health Information Technology Research Center (HITRC) Privacy & Security Community of Practice (Toolkit Workgroup)

10/21/11 Version 1.0


National Learning Consortium

The National Learning Consortium (NLC) is a virtual and evolving body of knowledge and tools designed to support healthcare providers and health IT professionals working towards the implementation, adoption and meaningful use of certified EHR systems.

The NLC represents the collective EHR implementation experiences and knowledge gained directly from the field of ONC's outreach programs (REC, Beacon, State HIE) and through the Health Information Technology Research Center (HITRC) Communities of Practice (CoPs).

The following resource is an example of a tool used in the field today that is recommended by "boots-on-the-ground" professionals for use by others who have made the commitment to implement or upgrade to certified EHR systems.

Instructions

The Information Security Policy Template that has been provided requires some areas to be filled in to ensure the policy is complete. Once complete, it is important that it is distributed to all staff members and enforced as stated. It may be necessary to make other adjustments as necessary based on the needs of your environment as well as other federal and state regulatory requirements.

Items highlighted in Red within the template are required and items highlighted in yellow may require some adjustments based on your environment. Each highlighted item has a number afterwards which is referenced below to assist you in the completion of this policy template.

Number | Value | Description
1 | Company Name/Logo | Company name or logo of organization
2 | Last Revision Date | Last revision date of the Information Security Policy
3 | Document Owner | Document owner of the policy. This is usually someone at an executive level
4 | Approval Date | Date that the policy has been officially approved
5 | Effective Date | Effective date of the policy. This can be different than the approved date if needed
6 | Company Name | Company/Practice name. No logo used for this particular part of the policy
7 | Outside Agencies | List any outside agencies or organizations, if applicable, whose laws, mandates, directives, or regulations were included in the policy, i.e. CMS, DHHS, VHA, etc.

http://www.healthit.gov/providers-professionals/regional-extension-centers-recs
http://www.healthit.gov/providers-professionals/beacon-community-centers
http://www.healthit.gov/providers-professionals/state-health-information-exchange
http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__rec_program/1495


8 | Privacy Officer | List the name and phone number of the person designated as the Privacy Officer
9 | CST Team | List the title and name of the individuals that will become part of the Confidentiality and Security Team
10 | Contractor Access | For contractors that enter the building, specify what identifying badge is given to them during their visit into your facility
11 | Screen Lock | When a user leaves a computer unlocked, specify how long until the screen automatically locks. This value will need to be enforced
12 | Electronic Communication, E-Mail, Internet Usage | Specifies allowable and prohibited uses of electronic communications, e-mail and the Internet. Oftentimes, an organization will maintain computer, Internet and e-mail usage policies in other HR policies or the employee handbook. Please refer to these sources and modify this section accordingly
13 | Audit of Login IDs | Specify how often user IDs are audited. This includes network and EHR user accounts
14 | User Lockout | Specify how many unsuccessful login attempts a user has before the account becomes locked out
15 | Password Length | Specify the minimum password length. This should be the same for network and EHR access but if different, be sure to specify this
16 | Password Change | Specify how many days before the password must be changed
17 | Password Reuse | Specify how many previous passwords cannot be used
18 | Antivirus Software | Specify the name of the antivirus software being used at the Practice
19 | Antivirus Company | Specify the name of the antivirus company that makes the product being used
20 | Antivirus Updates | Specify what time antivirus updates are scheduled to perform. If this is not an option, then ensure it updates at least daily
21 | Security System | Specify the security method being used to protect the facility during non-working hours
22 | Business Hours | Specify the business hours of when the reception area is staffed. This may or may not be the hours of operation for the Practice
23 | Secure Doors | Specify how access to secure areas of the facility is controlled, i.e. swipe cards, standard locks, or cipher locks
24 | Motion Detectors | Specify whether motion sensors/detectors are used. If not, then just remove this information
25 | Glass Sensors | Specify whether glass breakage sensors are used. If not, then just remove this information
26 | Security Cameras | Specify whether security cameras are used. If not, then just remove this information
27 | Password Change | Specify how many days before the password must be changed for those users who work remotely, if different than internal users
28 | Provided Equipment | List all the equipment that is provided to users that work from home, whether full time or even occasionally
29 | Screen Lock | When a user leaves a computer unlocked, specify how long until the screen automatically locks for users that work remotely


30 | Record Retention | Specify how long documents are kept related to uses and disclosures, notice of privacy practices, complaints, etc.
31 | Misc Values | Values that can be adjusted as necessary as appropriate for the Practice
32 | Contact Number | Enter the contact number for the Privacy Officer for the purposes of reporting a breach


INFORMATION SECURITY POLICY
COMPANY NAME AND/OR LOGO [1]

LAST REVISION DATE: Date [2]

DOCUMENT OWNER: Name [3]


TABLE OF CONTENTS

1 Introduction
1.1 Purpose
1.2 Scope
1.3 Acronyms / Definitions
1.4 Applicable Statutes / Regulations
1.5 Privacy Officer
1.6 Confidentiality / Security Team (CST)

2 Employee Responsibilities
2.1 Employee Requirements
2.2 Prohibited Activities
2.3 Electronic Communication, E-mail, Internet Usage
2.4 Internet Access
2.5 Reporting Software Malfunctions
2.6 Report Security Incidents
2.7 Transfer of Sensitive/Confidential Information
2.8 Transferring Software and Files between Home and Work
2.9 Internet Considerations
2.10 Installation of authentication and encryption certificates on the e-mail system
2.11 Use of WinZip encrypted and zipped e-mail
2.12 De-identification / Re-identification of Personal Health Information (PHI)

3 Identification and Authentication
3.1 User Logon IDs
3.2 Passwords
3.3 Confidentiality Agreement
3.4 Access Control
3.5 User Login Entitlement Reviews
3.6 Termination of User Logon Account

4 Network Connectivity
4.1 Dial-In Connections
4.2 Dial Out Connections
4.3 Telecommunication Equipment
4.4 Permanent Connections
4.5 Emphasis on Security in Third Party Contracts
4.6 Firewalls

5 Malicious Code
5.1 Antivirus Software Installation
5.2 New Software Distribution
5.3 Retention of Ownership

6 Encryption

9 Specific Protocols and Devices
9.1 Wireless Usage Standards and Policy
9.2 Use of Transportable Media

10 Retention / Destruction of Medical Information

11 Disposal of External Media / Hardware
11.1 Disposal of External Media
11.2 Requirements Regarding Equipment
11.3 Disposition of Excess Equipment

12 Change Management
13 Audit Controls
14 Information System Activity Review
15 Data Integrity
16 Contingency Plan
17 Security Awareness and Training
18 Security Management Process
19 Emergency Operations Procedures
20 Emergency Access "Break the Glass"
21 Sanction Policy
22 Employee Background Checks
23 Discovery Policy Production and Disclosure
24 e-Discovery Policy Retention
25 Breach Notification Procedures

Appendix A Network Access Request Form
Appendix B Confidentiality Form
Appendix C Approved Software
Appendix D Approved Vendors
Appendix E Incident Response Tools
Appendix F Background Check Authorization
Appendix G Change Management Tracking Log
Appendix H Employee Hiring and Termination Checklist


Company Name or Logo [1]

Policy and Procedure
Title: INTRODUCTION | P&P #: IS-10
Approval Date: Date [4] | Review: Annual
Effective Date: Date [5] | Information Technology (TVS001)

1 Introduction

1.1 PURPOSE

This policy defines the technical controls and security configurations users and Information Technology (IT) administrators are required to implement in order to ensure the integrity and availability of the data environment at Company Name.


1.3 ACRONYMS & DEFINITIONS

Common terms and acronyms that may be used throughout this document:

CEO – The Chief Executive Officer is responsible for the overall privacy and security practices of the company
CIO – The Chief Information Officer
CMO – The Chief Medical Officer
CO – The Confidentiality Officer is responsible for annual security training of all staff on confidentiality issues
CPO – The Chief Privacy Officer is responsible for HIPAA privacy compliance issues
CST – Confidentiality and Security Team
DoD – Department of Defense
Encryption – The process of transforming information, using an algorithm, to make it unreadable to anyone other than those who have a specific "need to know"
External Media – i.e., CD-ROMs, DVDs, floppy disks, flash drives, USB keys, thumb drives, tapes
FAT – File Allocation Table – The FAT file system is relatively uncomplicated and an ideal format for floppy disks and solid-state memory cards. The most common implementations have a serious drawback in that when files are deleted and new files written to the media, their fragments tend to become scattered over the entire media, making reading and writing a slow process
Firewall – a dedicated piece of hardware or software running on a computer which allows or denies traffic passing through it, based on a set of rules
FTP – File Transfer Protocol
HIPAA – Health Insurance Portability and Accountability Act
IT – Information Technology
LAN – Local Area Network – a computer network that covers a small geographic area, i.e. a group of buildings, an office
NTFS – New Technology File System – NTFS has improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk space utilization plus additional extensions such as security access control lists and file system journaling. The exact specification is a trade secret of Microsoft
SOW – Statement of Work – An agreement between two or more parties that details the working relationship between the parties and lists a body of work to be completed
User – Any person authorized to access an information resource
Privileged Users – system administrators and others specifically identified and authorized by Practice management
Users with edit/update capabilities – individuals who are permitted, based on job assignment, to add, delete, or change records in a database
Users with inquiry (read only) capabilities – individuals who are prevented, based on job assignment, from adding, deleting, or changing records in a database. Their system access is limited to reading information only
VLAN – Virtual Local Area Network – A logical network, typically created within a network device, usually used to segment network traffic for administrative, performance and/or security purposes
VPN – Virtual Private Network – Provides a secure passage through the public Internet
WAN – Wide Area Network – A computer network that enables communication across a broad area, i.e. regional, national
Virus – a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the computer it attacks. A true virus cannot spread to another computer without human assistance


1.4 APPLICABLE STATUTES & REGULATIONS

1.6 CONFIDENTIALITY & SECURITY TEAM (CST)

The Practice has established a Confidentiality / Security Team made up of key personnel whose responsibility it is to identify areas of concern within the Practice and act as the first line of defense in enhancing the appropriate security posture.

All members identified within this policy are assigned to their positions by the CEO. The term of each member assigned is at the discretion of the CEO, but generally it is expected that the term will be one year. Members for each year will be assigned at the first meeting of the Quality Council in a new calendar year. This committee will consist of the positions within the Practice most responsible for the overall security policy planning of the organization - the CEO, PO, CMO, ISO, and the CIO (where applicable). The current members of the CST are:

Title | Name [9]
Title | Name
Title | Name
Title | Name
Title | Name

The CST will meet quarterly to discuss security issues and to review concerns that arose during the quarter. The CST will identify areas that should be addressed during annual training and review/update security policies as necessary.


The CST will address security issues as they arise and recommend and approve immediate security actions to be undertaken. It is the responsibility of the CST to identify areas of concern within the Practice and act as the first line of defense in enhancing the security posture of the Practice.

The CST is responsible for maintaining a log of security concerns or confidentiality issues. This log must be maintained on a routine basis, and must include the dates of an event, the actions taken to address the event, and recommendations for personnel actions, if appropriate. This log will be reviewed during the quarterly meetings.

The Privacy Officer (PO) or other assigned personnel is responsible for maintaining a log of security enhancements and features that have been implemented to further protect all sensitive information and assets held by the Practice. This log will also be reviewed during the quarterly meetings.


Company Name or Logo [1]

Policy and Procedure
Title: EMPLOYEE RESPONSIBILITIES | P&P #: IS-11
Approval Date: Date [4] | Review: Annual
Effective Date: Date [5] | Information Technology (TVS002, TVS003)

2 Employee Responsibilities

2.1 EMPLOYEE REQUIREMENTS

The first line of defense in data security is the individual Practice user. Practice users are responsible for the security of all data which may come to them in whatever format. The Practice is responsible for maintaining ongoing training programs to inform all users of these requirements.

Wear Identifying Badge so that it may be easily viewed by others – In order to help maintain building security, all employees should prominently display their employee identification badge. Contractors who may be in Practice facilities are provided with different colored identification badges [10]. Other people who may be within Practice facilities should be wearing visitor badges and should be chaperoned.

Challenge Unrecognized Personnel – It is the responsibility of all Practice personnel to take positive action to provide physical security. If you see an unrecognized person in a restricted Practice office location, you should challenge them as to their right to be there. All visitors to Practice offices must sign in at the front desk. In addition, all visitors, excluding patients, must wear a visitor/contractor badge. All other personnel must be employees of the Practice. Any challenged person who does not respond appropriately should be immediately reported to supervisory staff.

Secure Laptop with a Cable Lock – When out of the office all laptop computers must be secured with the use of a cable lock. Cable locks are provided with all new laptop computers during the original set up. All users will be instructed on their use and a simple user document, reviewed during employee orientation, is included on all laptop computers. Most Practice computers will contain sensitive data either of a medical, personnel, or financial nature, and the utmost care should be taken to ensure that this data is not compromised. Laptop computers are unfortunately easy to steal, particularly during the stressful period while traveling. The cable locks are not fool proof, but do provide an additional level of security. Many laptop computers are stolen in snatch and run robberies, where the thief runs through an office or hotel room and grabs all of the equipment he/she can quickly remove. The use of a cable lock helps to thwart this type of event.

Unattended Computers – Unattended computers should be locked by the user when leaving the work area. This feature is discussed with all employees during yearly security training. Practice policy states that all computers will have the automatic screen lock function set to automatically activate upon fifteen (15) [11] minutes of inactivity. Employees are not allowed to take any action which would override this setting.


Home Use of Practice Corporate Assets – Only computer hardware and software owned by and installed by the Practice is permitted to be connected to or installed on Practice equipment. Only software that has been approved for corporate use by the Practice may be installed on Practice equipment. Personal computers supplied by the Practice are to be used solely for business purposes. All employees and contractors must read and understand the list of prohibited activities that are outlined below. Modifications or configuration changes are not permitted on computers supplied by the Practice for home use.

Retention of Ownership – All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Practice are the property of the Practice unless covered by a contractual agreement. Nothing contained herein applies to software purchased by Practice employees at their own expense.

2.2 PROHIBITED ACTIVITIES

Personnel are prohibited from the following activities. The list is not inclusive. Other prohibited activities are referenced elsewhere in this document.

• Crashing an information system. Deliberately crashing an information system is strictly prohibited. Users may not realize that they caused a system crash, but if it is shown that the crash occurred as a result of user action, a repetition of the action by that user may be viewed as a deliberate act.

• Attempting to break into an information resource or to bypass a security feature. This includes running password-cracking programs or sniffer programs, and attempting to circumvent file or other resource permissions.

• Introducing, or attempting to introduce, computer viruses, Trojan horses, peer-to-peer ("P2P") or other malicious code into an information system.

• Exception. Authorized information system support personnel, or others authorized by the Practice Privacy Officer, may test the resiliency of a system. Such personnel may test for susceptibility to hardware or software failure, security against hacker attacks, and system infection.

• Browsing. The willful, unauthorized access or inspection of confidential or sensitive information to which you have not been approved on a need to know basis is prohibited. The Practice has access to patient level health information which is protected by HIPAA regulations which stipulate a need to know before approval is granted to view the information. The purposeful attempt to look at or access information to which you have not been granted access by the appropriate approval procedure is strictly prohibited.

• Personal or Unauthorized Software. Use of personal software is prohibited. All software installed on Practice computers must be approved by the Practice.

• Software Use. Violating or attempting to violate the terms of use or license agreement of any software product used by the Practice is strictly prohibited.

• System Use. Engaging in any activity for any purpose that is illegal or contrary to the policies, procedures or business interests of the Practice is strictly prohibited.

2.3 ELECTRONIC COMMUNICATION, E-MAIL, INTERNET USAGE


handled by Practice owned equipment are considered the property of the Practice, not the property of individual users. Consequently, this policy applies to all Practice employees and contractors, and covers all electronic communications including, but not limited to, telephones, e-mail, voice mail, instant messaging, Internet, fax, personal computers, and servers.

Practice provided resources, such as individual computer workstations or laptops, computer systems, networks, e-mail, and Internet software and services are intended for business purposes. However, incidental personal use is permissible as long as:

1) it does not consume more than a trivial amount of employee time or resources,
2) it does not interfere with staff productivity,
3) it does not preempt any business activity,
4) it does not violate any of the following:

a) Copyright violations. This includes the act of pirating software, music, books and/or videos or the use of pirated software, music, books and/or videos and the illegal duplication and/or distribution of information and other intellectual property that is under copyright.

b) Illegal activities. Use of Practice information resources for or in support of illegal purposes as defined by federal, state or local law is strictly prohibited.

c) Commercial use. Use of Practice information resources for personal or commercial profit is strictly prohibited.

d) Political Activities. All political activities are strictly prohibited on Practice premises. The Practice encourages all of its employees to vote and to participate in the election process, but these activities must not be performed using Practice assets or resources.

e) Harassment. The Practice strives to maintain a workplace free of harassment and that is sensitive to the diversity of its employees. Therefore, the Practice prohibits the use of computers, e-mail, voice mail, instant messaging, texting and the Internet in ways that are disruptive, offensive to others, or harmful to morale. For example, the display or transmission of sexually explicit images, messages, and cartoons is strictly prohibited. Other examples of misuse include, but are not limited to, ethnic slurs, racial comments, off-color jokes, or anything that may be construed as harassing, discriminatory, derogatory, defamatory, threatening or showing disrespect for others.

f) Junk E-mail – All communications using IT resources shall be purposeful and appropriate. Distributing "junk" mail, such as chain letters, advertisements, or unauthorized solicitations is prohibited. A chain letter is defined as a letter sent to several persons with a request that each send copies of the letter to an equal number of persons. Advertisements offer services from someone else to you. Solicitations are when someone asks you for something. If you receive any of the above, delete the e-mail message immediately. Do not forward the e-mail message to anyone.

Generally, while it is NOT the policy of the Practice to monitor the content of any electronic communication, the Practice is responsible for servicing and protecting the Practice's equipment, networks, data, and resource availability and therefore may be required to access and/or monitor electronic communications from time to time. Several different methods are employed to accomplish these goals. For example, an audit or cost analysis may require reports that monitor phone numbers dialed, length of calls, number of calls to / from a specific handset, the time of day, etc. Other examples where electronic communications may be monitored include, but are not limited to, research and testing to optimize IT resources, troubleshooting technical problems and detecting patterns of abuse or illegal activity.

The Practice reserves the right, at its discretion, to review any employee's files or electronic communications to the extent necessary to ensure all electronic media and services are used in compliance with all applicable laws and regulations as well as Practice policies.

Employees should structure all electronic communication with recognition of the fact that the content could be monitored, and that any electronic communication could be forwarded, intercepted, printed or stored by others.

2.4 INTERNET ACCESS

Internet access is provided for Practice users and is considered a great resource for the organization. This resource is costly to operate and maintain, and must be allocated primarily to those with business, administrative or contract needs. The Internet access provided by the Practice should not be used for entertainment, listening to music, viewing the sports highlight of the day, games, movies, etc. Do not use the Internet as a radio or to constantly monitor the weather or stock market results. While seemingly trivial to a single user, the company wide use of these non-business sites consumes a huge amount of Internet bandwidth, which is therefore not available to responsible users.

Users must understand that individual Internet usage is monitored, and if an employee is found to be spending an excessive amount of time or consuming large amounts of bandwidth for personal use, disciplinary action will be taken.

Many Internet sites, such as games, peer-to-peer file sharing applications, chat rooms, and on-line music sharing applications, have already been blocked by the Practice routers and firewalls. This list is constantly monitored and updated as necessary. Any employee visiting pornographic sites will be disciplined and may be terminated.

2.5 REPORTING SOFTWARE MALFUNCTIONS

Users should inform the appropriate Practice personnel when the user's software does not appear to be functioning correctly. The malfunction - whether accidental or deliberate - may pose an information security risk. If the user, or the user's manager or supervisor, suspects a computer virus infection, the Practice computer virus policy should be followed, and these steps should be taken immediately:

• Stop using the computer

• Do not carry out any commands, including commands to 'Save' data

• Do not close any of the computer's windows or programs

• Do not turn off the computer or peripheral devices

• If possible, physically disconnect the computer from networks to which it is attached

• Inform the appropriate personnel or Practice ISO as soon as possible. Write down any unusual behavior of the computer (screen messages, unexpected disk access, unusual responses to commands) and the time when they were first noticed

• Write down any changes in hardware, software, or software use that preceded the malfunction

• Do not attempt to remove a suspected virus!

The ISO should monitor the resolution of the malfunction or incident, and report to the CST the result of the action with recommendations on action steps to avert future similar occurrences.

2.6 REPORT SECURITY INCIDENTS

It is the responsibility of each Practice employee or contractor to report perceived security incidents on a continuous basis to the appropriate supervisor or security person. A User is any person authorized to access an information resource. Users are responsible for the day-to-day, hands-on security of that resource. Users are to formally report all security incidents or violations of the security policy immediately to the Privacy Officer. Users should report any perceived security incident to either their immediate supervisor, or to their department head, or to any member of the Practice CST. Members of the CST are specified above in this document.

Reports of security incidents shall be escalated as quickly as possible. Each member of the Practice CST must inform the other members as rapidly as possible. Each incident will be analyzed to determine if changes in the existing security structure are necessary. All reported incidents are logged and the remedial action indicated. It is the responsibility of the CST to provide training on any procedural changes that may be required as a result of the investigation of an incident.

Security breaches shall be promptly investigated. If criminal action is suspected, the Practice Privacy Officer shall contact the appropriate law enforcement and investigative authorities immediately, which may include but is not limited to the police or the FBI.

2.7 TRANSFER OF SENSITIVE/CONFIDENTIAL INFORMATION

When confidential or sensitive information from one individual is received by another individual while conducting official business, the receiving individual shall maintain the confidentiality or sensitivity of the information in accordance with the conditions imposed by the providing individual. All employees must recognize the sensitive nature of data maintained by the Practice and hold all data in the strictest confidence. Any purposeful release of data to which an employee may have access is a violation of Practice policy and will result in personnel action, and may result in legal action.

2.8 TRANSFERRING SOFTWARE AND FILES BETWEEN HOME AND WORK

Personal software shall not be used on Practice computers or networks. If a need for specific software exists, submit a request to your supervisor or department head. Users shall not use Practice purchased software on home or on non-Practice computers or equipment.

Practice proprietary data, including but not limited to patient information, IT Systems information, financial information or human resource data, shall not be placed on any computer that is not the property of the Practice without written consent of the respective supervisor or department head. It is crucial to the Practice to protect all data and, in order to do that effectively, we must control the systems in which it is contained. In the event that a supervisor or department head receives a request to transfer Practice data to a non-Practice Computer System, the supervisor or department head should notify the Privacy Officer or appropriate personnel of the intentions and the need for such a transfer of data.

The Practice Wide Area Network ("WAN") is maintained with a wide range of security protections in place, which include features such as virus protection, e-mail file type restrictions, firewalls, anti-hacking hardware and software, etc. Since the Practice does not control non-Practice personal computers, the Practice cannot be sure of the methods that may or may not be in place to protect Practice sensitive information, hence the need for this restriction.

2.9 INTERNET CONSIDERATIONS

Special precautions are required to block Internet (public) access to Practice information resources not intended for public access, and to protect confidential Practice information when it is to be transmitted over the Internet.

The following security and administration issues shall govern Internet usage:

Prior approval of the Practice Privacy Officer or appropriate personnel authorized by the Practice shall be obtained before:

• An Internet, or other external network connection, is established.

• Practice information (including notices, memoranda, documentation and software) is made available on any Internet-accessible computer (e.g. web or ftp server) or device.

• Users may not install or download any software (applications, screen savers, etc.). If users have a need for additional software, the user is to contact their supervisor.

• Use shall be consistent with the goals of the Practice. The network can be used to market services related to the Practice; however, use of the network for personal profit or gain is prohibited.

• Confidential or sensitive data - including credit card numbers, telephone calling card numbers, logon passwords, and other parameters that can be used to access goods or services - shall be encrypted before being transmitted through the Internet.

• The encryption software used, and the specific encryption keys (e.g. passwords, pass phrases), shall be escrowed with the Practice Privacy Officer or appropriate personnel, to ensure they are safely maintained/stored. The use of encryption software and keys which have not been escrowed as prescribed above is prohibited, and may make the user subject to disciplinary action.

2.10 INSTALLATION OF AUTHENTICATION AND ENCRYPTION CERTIFICATES ON THE E-MAIL SYSTEM

Any user desiring to transfer secure e-mail with a specific identified external user may request to exchange public keys with the external user. Once verified, the certificate is installed on both recipients' workstations, and the two may safely exchange secure e-mail.


2.11 USE OF WINZIP ENCRYPTED AND ZIPPED E-MAIL

This software allows Practice personnel to exchange e-mail with remote users who have the appropriate encryption software on their system. The two users exchange private keys that will be used to both encrypt and decrypt each transmission. Any Practice staff member who desires to utilize this technology may request this software from the Privacy Officer or appropriate personnel.

2.12 DE-IDENTIFICATION / RE-IDENTIFICATION OF PERSONAL HEALTH INFORMATION (PHI)

As directed by HIPAA, all personal identifying information is removed from all data that falls within the definition of PHI before it is stored or exchanged. De-identification is defined as the removal of any information that may be used to identify an individual or the individual's relatives, employers, or household members.

PHI includes:

• Names

• Addresses

• Geographic subdivisions smaller than a state

• All elements of dates directly related to the individual (dates of birth, marriage, death, etc.)

• Telephone numbers

• Facsimile numbers

• Driver's license numbers

• Electronic mail addresses

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers, certificate/license numbers

• Vehicle identifiers and serial numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers

• Full face photographic images and any comparable images

Re-identification of confidential information: A cross-reference code or other means of record identification is used to re-identify data as long as the code is not derived from or related to information about the individual and cannot be translated to identify the individual. In addition, the code is not disclosed for any other purpose, nor is the mechanism for re-identification disclosed.
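As an added example (not part of the policy template), the de-identification and re-identification rules above in Python: the listed identifier fields are dropped, dates tied to the individual are reduced to the year, and the re-identification code is a random token held in a separate table, which is what makes it neither derived from nor related to the individual's information. The field names, sample record and helper names are assumptions constructed for illustration; derived_code shows the hash-of-identifier approach that the policy's rule excludes.

```python
"""De-identification with a non-derived re-identification code.

Added example for the de-identification section of this policy; it is not
part of the original template. Field names, the sample record and the helper
names are constructed for illustration.
"""
import hashlib
import secrets
from datetime import date
from typing import Dict

# The identifier categories the policy lists for PHI, mapped to the
# constructed field names a record might use in this example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "zip_code",      # names, geography below state level
    "phone", "fax", "email", "url", "ip_address",       # contact and network identifiers
    "ssn", "mrn", "health_plan_id", "account_number",   # numbers that single out a person
    "drivers_license", "certificate_number",
    "vehicle_id", "device_serial",
    "biometric", "photo",
})

# Dates directly related to the individual: reduced to the year only.
INDIVIDUAL_DATES = frozenset({"date_of_birth", "date_of_death", "admission_date"})

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Sample",
    "street_address": "1 Example Way",
    "city": "Springfield",
    "zip_code": "01101",
    "email": "jane@example.invalid",
    "date_of_birth": date(1975, 3, 14),
    "admission_date": date(2011, 6, 2),
    "diagnosis_code": "E11.9",
    "attending_department": "Endocrinology",
}


class ReidentificationMap:
    """Cross-reference codes kept apart from the de-identified data set.

    Codes come from a CSPRNG, so they are not derived from or related to any
    information about the individual; the only way back is this table, which
    is stored and disclosed only as the Privacy Officer permits.
    """

    def __init__(self) -> None:
        self._code_to_mrn: Dict[str, str] = {}
        self._mrn_to_code: Dict[str, str] = {}

    def code_for(self, mrn: str) -> str:
        """Return the existing code for this record, or mint a fresh random one."""
        if mrn not in self._mrn_to_code:
            code = secrets.token_hex(8)          # 64 random bits, 16 hex characters
            self._mrn_to_code[mrn] = code
            self._code_to_mrn[code] = mrn
        return self._mrn_to_code[mrn]

    def reidentify(self, code: str) -> str:
        """Translate a code back to the medical record number it stands for."""
        return self._code_to_mrn[code]


def derived_code(mrn: str) -> str:
    """Counter-example: a code computed from the identifier itself.

    Anyone holding the MRN can recompute it, so the code is 'derived from'
    information about the individual and is not acceptable under the policy.
    """
    return hashlib.sha256(mrn.encode()).hexdigest()[:16]


def deidentify(record: dict, xref: ReidentificationMap) -> dict:
    """Copy the record without PHI identifiers, with individual dates reduced
    to the year, and with a random record code attached for re-identification."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                              # drop the identifier entirely
        if field in INDIVIDUAL_DATES and isinstance(value, date):
            out[field] = value.year               # keep only the year
        else:
            out[field] = value
    out["record_code"] = xref.code_for(record["mrn"])
    return out


def is_deidentified(record: dict) -> bool:
    """True when no listed identifier field survived and no full date remains."""
    if any(field in DIRECT_IDENTIFIERS for field in record):
        return False
    return not any(isinstance(value, date) for value in record.values())
```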


Company Name or Logo1

Policy and Procedure

Title: IDENTIFICATION and AUTHENTICATION    P&P #: IS-12

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology (TVS00[?], TVS015, TVS016, TVS023)

3 Identification and Authentication

3.1 USER LO


Change Frequency: Passwords must be changed every 90 days.


Online banner screens, if used, shall contain statements to the effect that unauthorized use of the system is prohibited and that violators will be subject to criminal prosecution.

Identification and Authentication Requirements

The host security management program shall maintain current user application activity authorizations. Each initial request for a connection or a session is subject to the authorization process previously addressed.

3.5 USER LO

Manager shall facilitate entitlement reviews with department heads to ensure that all employees have the appropriate roles, access, and software necessary to perform their job functions effectively while being limited to the minimum necessary data to facilitate HIPAA compliance and protect patient data.

3.6 TERMINATION OF USER LO

Manager or their designee shall provide a list of active user accounts for both network and application access, including access to the clinical electronic health record ("EHR") and the practice management system ("PMS"), to department heads for review. Department heads shall review the employee access lists within five (5) business days of receipt. If any of the employees on the list are no longer employed by the Practice, the department head will immediately notify the IT Department of the employee's termination status and submit the updated Network Access Request Form (Appendix C).


Company Name or Logo1

Policy and Procedure

Title: NETWORK CONNECTIVITY    P&P #: IS-13

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology

4 Network Connectivity

4.1 DIAL-IN CONNECTIONS

Access to Practice information resources through modems or other dial-in devices / software, if available, shall be subject to authorization and authentication by an access control system. Direct inward dialing without passing through the access control system is prohibited.

Dial-up numbers shall be unlisted.

Systems that allow public access to host computers, including mission-critical servers, warrant additional security at the operating system and application levels. Such systems shall have the capability to monitor activity levels to ensure that public usage does not unacceptably degrade system responsiveness.

Dial-up access privileges are granted only upon the request of a department head with the submission of the Network Access Form and the approval of the Privacy Officer or appropriate personnel.

4.2 DIAL OUT CONNECTIONS

The Practice provides a link to an Internet Service Provider. If a user has a specific need to link with an outside computer or network through a direct link, approval must be obtained from the Privacy Officer or appropriate personnel. The appropriate personnel will ensure adequate security measures are in place.

4.3 TELECOMMUNICATION EQUIPMENT

Certain direct link connections may require a dedicated or leased phone line. These facilities are authorized only by the Privacy Officer or appropriate personnel and ordered by the appropriate personnel. Telecommunication equipment and services include but are not limited to the following:

• phone lines

• fax lines

• calling cards

• phone head sets

• software type phones installed on workstations

• conference calling contracts

• cell phones

• Blackberry type devices

• call routing software

• call reporting software

• phone system administration equipment

• T1/Network lines

• long distance lines

• 800 lines

• local phone lines

• PRI circuits

• telephone equipment

4.4 PERMANENT CONNECTIONS

The security of Practice systems can be jeopardized from third party locations if security practices and resources are inadequate. When there is a need to connect to a third party location, a risk analysis should be conducted. The risk analysis should consider the type of access required, the value of the information, the security measures employed by the third party, and the implications for the security of Practice systems. The Privacy Officer or appropriate personnel should be involved in the process, design and approval.

4.5 EMPHASIS ON SECURITY IN THIRD PARTY CONTRACTS

Access to Practice computer systems or corporate networks should not be granted until a review of the following concerns has been made, and appropriate restrictions or covenants included in a statement of work ("SOW") with the party requesting access:

• Applicable sections of the Practice Information Security Policy have been reviewed and considered.

• Policies and standards established in the Practice information security program have been enforced.

• A risk assessment of the additional liabilities that will attach to each of the parties to the agreement.

• The right to audit contractual responsibilities should be included in the agreement or SOW.

• Arrangements for reporting and investigating security incidents must be included in the agreement in order to meet the covenants of the HIPAA Business Associate Agreement.

• A description of each service to be made available.

• Each service, access, account, and/or permission made available should only be the minimum necessary for the third party to perform their contractual obligations.

• A detailed list of users that have access to Practice computer systems must be maintained and auditable.

• If required under the contract, permission should be sought to screen authorized users.

• Dates and times when the service is to be available should be agreed upon in advance.

• Procedures regarding protection of information resources should be agreed upon in advance and a method of audit and enforcement implemented and approved by both parties.

• The right to monitor and revoke user activity should be included in each agreement.

• Language on restrictions on copying and disclosing information should be included in all agreements.

• Responsibilities regarding hardware and software installation and maintenance should be understood and agreed upon in advance.

• Measures to ensure the return or destruction of programs and information at the end of the contract should be written into the agreement.

• If physical protection measures are necessary because of contract stipulations, these should be included in the agreement.

• A formal method to grant and authorize users who will access the data collected under the agreement should be established before any users are granted access.

• Mechanisms should be in place to ensure that security measures are being followed by all parties to the agreement.

• Because annual confidentiality training is required under the HIPAA regulation, a formal procedure should be established to ensure that the training takes place, to determine who must take the training and who will administer it, and to set the process for determining the content of the training.

• A detailed list of the security measures which will be undertaken by all parties to the agreement should be published in advance of the agreement.

4.6 FIREWALLS

Authority from the Privacy Officer or appropriate personnel must be received before any employee or contractor is granted access to a Practice router or firewall.


Company Name or Logo1

Policy and Procedure

Title: MALICIOUS CODE    P&P #: IS-14

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology (TVS01[?])

5 Malicious Code

5.1 ANTIVIRUS SOFTWARE INSTALLATION

Antivirus software is installed on all Practice personal computers and servers. Virus update patterns are updated daily on the Practice servers and workstations. Virus update engines and data files are monitored by appropriate administrative staff who are responsible for keeping all virus patterns up to date.

Configuration - The antivirus software currently implemented by the Practice is McAfee VirusScan Enterprise18. Updates are received directly from McAfee19, which is scheduled daily at 5:00 PM20.

Remote Deployment Configuration - Through an automated procedure, updates and virus patches may be pushed out to the individual workstations and servers on an as needed basis.

Monitoring/Reporting - A record of virus patterns for all workstations and servers on the Practice network may be maintained. Appropriate administrative staff is responsible for providing reports for auditing and emergency situations as requested by the Privacy Officer or appropriate personnel.

5.2 NEW SOFTWARE DISTRIBUTION

Only software created by Practice application staff, if applicable, or software approved by the Privacy Officer or appropriate personnel will be used on internal computers and networks. A list of approved software is maintained in Appendix C. All new software will be tested by appropriate personnel in order to ensure compatibility with currently installed software and network configuration. In addition, appropriate personnel must scan all software for viruses before installation. This includes shrink-wrapped software procured directly from commercial sources as well as shareware and freeware obtained from electronic bulletin boards, the Internet, or on disks (magnetic or CD-ROM and custom-developed software).

Although shareware and freeware can often be useful sources of work-related programs, the use and/or acquisition of such software must be approved by the Privacy Officer or appropriate personnel. Because the software is often provided in an open distribution environment, special precautions must be taken before it is installed on Practice computers and networks. These precautions include determining that the software does not, because of faulty design, "misbehave" and interfere with or damage Practice hardware, software, or data, and that the software does not contain viruses, either originating with the software designer or acquired in the process of distribution.


All data and program files that have been electronically transmitted to a Practice computer or network from another location must be scanned for viruses immediately after being received. Contact the appropriate Practice personnel for instructions for scanning files for viruses.

Every diskette, CD-ROM, DVD and USB device is a potential source for a computer virus. Therefore, every diskette, CD-ROM, DVD and USB device must be scanned for virus infection prior to copying information to a Practice computer or network.

Computers shall never be "booted" from a diskette, CD-ROM, DVD or USB device received from an outside source. Users shall always remove any diskette, CD-ROM, DVD or USB device from the computer when not in use. This is to ensure that the diskette, CD-ROM, DVD or USB device is not in the computer when the machine is powered on. A diskette, CD-ROM, DVD or USB device infected with a boot virus may infect a computer in that manner, even if the diskette, CD-ROM, DVD or USB device is not "bootable".

5.3 RETENTION OF OWNERSHIP

All software programs and documentation generated or provided by employees, consultants, or contractors for the benefit of the Practice are the property of the Practice unless covered by a contractual agreement. Employees developing programs or documentation must sign a statement acknowledging Practice ownership at the time of employment. Nothing contained herein applies to software purchased by Practice employees at their own expense.


Company Name or Logo1

Policy and Procedure

Title: ENCRYPTION    P&P #: IS-15

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology (TVS012, TVS015)

6 Encryption

6.1 DEFINITION

Encryption is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text; encrypted data is referred to as cipher text.

6.2 ENCRYPTION KEY

An encryption key specifies the particular transformation of plain text into cipher text, or vice versa during decryption.

If justified by risk analysis, sensitive data and files shall be encrypted before being transmitted through networks. When encrypted data are transferred between agencies, the agencies shall devise a mutually agreeable procedure for secure key management. In the case of conflict, the Practice shall establish the criteria in conjunction with the Privacy Officer or appropriate personnel. The Practice employs several methods of secure data transmission.

6.3 INSTALLATION OF AUTHENTICATION AND ENCRYPTION CERTIFICATES ON THE E-MAIL SYSTEM

Any user desiring to transfer secure e-mail with a specific identified external user may request to exchange public keys with the external user by contacting the Privacy Officer or appropriate personnel. Once verified, the certificate is installed on each recipient workstation, and the two may safely exchange secure e-mail.

6.4 USE OF WINZIP ENCRYPTED AND ZIPPED E-MAIL

This software allows Practice personnel to exchange e-mail with remote users who have the appropriate encryption software on their system. The two users exchange private keys that will be used to both encrypt and decrypt each transmission. Any Practice staff member who desires to utilize this technology may request this software from the Privacy Officer or appropriate personnel.


6.5 FILE TRANSFER PROTOCOL (FTP)

Files may be transferred to secure FTP sites through the use of appropriate security precautions. Requests for any FTP transfers should be directed to the Privacy Officer or appropriate personnel.

6.6 SECURE SOCKET LAYER (SSL) WEB INTERFACE

Any EHR hosted (ASP) system, if applicable, will require access to a secure SSL website. Any such access must be requested using the Network Access Request Form (found in Appendix A) and have appropriate approval from the supervisor or department head as well as the Privacy Officer or appropriate personnel before any access is granted.


Company Name or Logo1

Policy and Procedure

Title: BUILDING SECURITY    P&P #: IS-16

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology (TVS00[?], TVS010)

7 Building Security

It is the policy of the Practice to provide building access in a secure manner. Each site, if applicable, is somewhat unique in terms of building ownership, lease contracts, entranceway access, fire escape requirements, and server room control. However, the Practice strives to continuously upgrade and expand its security and to enhance protection of its assets and the medical information that has been entrusted to it. The following list identifies measures that are in effect at the Practice. All other facilities, if applicable, have similar security appropriate for that location.

Description of building, location, square footage, and the use of any generator

• Entrance to the building during non-working hours is controlled by a security code system21. Attempted entrance without this code results in immediate notification to the police department.

• Only specific Practice employees are given the security code for entrance. Disclosure of the security code to non-employees is strictly prohibited.

• The security code is changed on a periodic basis and eligible employees are notified by company e-mail or voice mail. Security codes are changed upon termination of employees that had access.

• The door to the reception area is locked at all times and requires appropriate credentials or escort past the reception or waiting area door(s).

• The reception area is staffed at all times during the working hours of 8:00 AM to 5:00 PM22.

• Any unrecognized person in a restricted office location should be challenged as to their right to be there. All visitors must sign in at the front desk, wear a visitor badge (excluding patients), and be accompanied by a Practice staff member. In some situations, non-Practice personnel who have signed the confidentiality agreement do not need to be accompanied at all times.

• Swipe cards control access to all other doors. Each card is coded to allow admission to specific areas based on each individual's job function or need to know23.

• The first floor of the building has motion detection sensors that are activated after hours. Any movement within the building will result in immediate notification to the police department24.

• All outside windows have glass breakage sensors which, if tripped, will result in immediate notification to the police department25.

• The building is equipped with security cameras to record activities in the parking lot and within the area encompassing the front entrance. All activities in these areas are recorded on a 24 hour a day 3


Company Name or Logo1

Title: TELECOMMUTING    P&P #: IS-17

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology

8 Telecommuting

With the increased availability of broadband access and VPNs, telecommuting has become more viable for many organizations. The Practice considers telecommuting to be an acceptable work arrangement in certain circumstances. This policy is applicable to all employees and contractors who work either permanently or only occasionally outside of the Practice office environment. It applies to users who work from their home full time, to employees on temporary travel, to users who work from a remote office location, and to any user who connects to the Practice network and/or hosted EHR, if applicable, from a remote location.

While telecommuting can be an advantage for users and for the organization in general, it presents new risks in the areas of confidentiality and security of data. Workers linked to the Practice's network become an extension of the wide area network and present additional environments that must be protected against the danger of spreading Trojans, viruses, or other malware. This arrangement also exposes the corporate as well as patient data to risks not present in the traditional work environment.

8.1


Practice Provided:

• Practice supplied workstation28

• A cable lock to secure the workstation to a fixed object

• If using VPN, a Practice issued hardware firewall is required

• If printing, a Practice supplied printer

• If approved by your supervisor, a Practice supplied phone

Employee Provided:

• Broadband connection and fees

• Paper shredder

• Secure office environment isolated from visitors and family

• A lockable file cabinet or safe to secure documents when away from the home office

8.3 HARDWARE SECURITY PROTECTIONS

Virus Protection: Home users must never stop the update process for Virus Protection. Virus Protection software is installed on all Practice personal computers and is set to update the virus pattern on a daily basis. This update is critical to the security of all data, and must be allowed to complete.

VPN and Firewall Use: Established procedures must be rigidly followed when accessing Practice information of any type. The Practice requires the use of VPN software and a firewall device. Disabling a virus scanner or firewall is reason for termination.

Security Locks: Use security cable locks for laptops at all times, even if at home or at the office. Cable locks have been demonstrated as effective in thwarting robberies.

Lock Screens: No matter what location, always lock the screen before walking away from the workstation. The data on the screen may be protected by HIPAA or may contain confidential information. Be sure the automatic lock feature has been set to automatically turn on after 15 minutes29 of inactivity.

8.4 DATA SECURITY PROTECTION

Data Backup: Backup procedures have been established that encrypt the data being moved to external media. Use only that procedure. Do not create one on your own. If there is not a backup procedure established, or if you have external media that is not encrypted, contact the appropriate Practice personnel for assistance. Protect external media by keeping it in your possession when traveling.

Transferring Data to the Practice: Transferring of data to the Practice requires the use of an approved VPN connection to ensure the confidentiality and integrity of the data being transmitted. Do not circumvent established procedures, nor create your own method, when transferring data to the Practice.

External System Access: If you require access to an external system, contact your supervisor or department head. The Privacy Officer or appropriate personnel will assist in establishing a secure method of access to the external system.


E-mail: Do not send any individual-identifiable information (PHI or PII) via e-mail unless it is encrypted. If you need assistance with this, contact the Privacy Officer or appropriate personnel to ensure an approved encryption mechanism is used for transmission through e-mail.

Non-Practice Networks: Extreme care must be taken when connecting Practice equipment to a home or hotel network. Although the Practice actively monitors its security status and maintains organization wide protection policies to protect the data within all contracts, the Practice has no ability to monitor or control the security procedures on non-Practice networks.

Protect Data in Your Possession: View or access only the information that you have a need to see to complete your work assignment. Regularly review the data you have stored to ensure that the amount of patient level data is kept at a minimum and that old data is eliminated as soon as possible. Store electronic data only in encrypted work spaces. If your laptop has not been set up with an encrypted work space, contact the Privacy Officer or appropriate personnel for assistance.

Hard Copy Reports or Work Papers: Never leave paper records around your work area. Lock all paper records in a file cabinet at night or when you leave your work area.

Data Entry When in a Public Location: Do not perform work tasks which require the use of sensitive corporate or patient level information when you are in a public area, i.e. airports, airplanes, hotel lobbies. Computer screens can easily be viewed from beside or behind you.

Sending Data Outside the Practice: All external transfer of data must be associated with an official contract, non-disclosure agreement, or appropriate Business Associate Agreement. Do not give or transfer any patient level information to anyone outside the Practice without the written approval of your supervisor.

8.5 DISPOSAL OF PAPER AND/OR EXTERNAL MEDIA

Shredding: All paper which contains sensitive information that is no longer needed must be shredded before being disposed of. Do not place it in a trash container without first shredding. All employees working from home, or other non-Practice work environment, MUST have direct access to a shredder.

Disposal of Electronic Media: All external media must be sanitized or destroyed in accordance with HIPAA compliant procedures.

• Do not throw any media containing sensitive, protected information in the trash.

• Return all external media to your supervisor.

• External media must be wiped clean of all data. The Privacy Officer or appropriate personnel has very definitive procedures for doing this, so all external media must be sent to them.

• The final step in this process is to forward the media for disposal by a certified destruction agency.


Company Name or Logo1

Policy and Procedure

Title: SPECIFIC PROTOCOLS AND DEVICES    P&P #: IS-18

Approval Date: Date4    Review: Annual

Effective Date: Date5    Information Technology (TVS00[?])

9 Specific Protocols and Devices

9.1 WIRELESS USA


9.2 USE OF TRANSPORTABLE MEDIA

Transportable media included within the scope of this policy includes, but is not limited to, SD cards, DVDs, CD-ROMs, and USB key devices.

The purpose of this policy is to guide employees/contractors of the Practice in the proper use of transportable media when a legitimate business requirement exists to transfer data to and from Practice networks. Every workstation or server that has been used by either Practice employees or contractors is presumed to have sensitive information stored on its hard drive. Therefore procedures must be carefully followed when copying data to or from transportable media to protect sensitive Practice data. Since transportable media, by their very design, are easily lost, care and protection of these devices must be addressed. Since it is very likely that transportable media will be provided to a Practice employee by an external source for the exchange of information, it is necessary that all employees have guidance in the appropriate use of media from other companies.

The use of transportable media in various formats is common practice within the Practice. All users must be aware that sensitive data could potentially be lost or compromised when moved outside of Practice networks. Transportable media received from an external source could potentially pose a threat to Practice networks. Sensitive data includes all human resource data, financial data, Practice proprietary information, and personal health information ("PHI") protected by the Health Insurance Portability and Accountability Act ("HIPAA").

USB key devices are handy devices which allow the transfer of data in an easy to carry format. They provide a much improved format for data transfer when compared to previous media formats, like diskettes, CD-ROMs, or DVDs. The software drivers necessary to utilize a USB key are normally included within the device and install automatically when connected. They now come in a rugged titanium format which connects to any key ring. These factors make them easy to use and to carry, but unfortunately easy to lose.

Rules governing the use of transportable media include:

• No sensitive data should ever be stored on transportable media unless the data is maintained in an encrypted format.

• All USB keys used to store Practice data or sensitive data must be an encrypted USB key issued by the Privacy Officer or appropriate personnel. The use of a personal USB key is strictly prohibited.

• Users must never connect their transportable media to a workstation that is not issued by the Practice.

• Non-Practice workstations and laptops may not have the same security protection standards required by the Practice, and accordingly virus patterns could potentially be transferred from the non-Practice device to the media and then back to the Practice workstation.

  Example: Do not copy a work spreadsheet to your USB key and take it home to work on your home PC.

• Data may be exchanged between Practice workstations/networks and workstations used within the Practice. The very nature of data exchange requires that under certain situations data be exchanged in this manner.

  Examples of necessary data exchange include:

  Data provided to auditors via USB key during the course of the audit

• It is permissible to connect transferable media from other businesses or individuals into Practice workstations or servers as long as the source of the media is on the Practice Approved Vendor list (Appendix D).

• Before initial use and before any sensitive data may be transferred to transportable media, the media must be sent to the Privacy Officer or appropriate personnel to ensure appropriate and approved encryption is used. Copy sensitive data only to the encrypted space on the media. Non-sensitive data may be transferred to the non-encrypted space on the media.

• Report all loss of transportable media to your supervisor or department head. It is important that the CST team is notified immediately, either directly by the employee or contractor or by the supervisor or department head.

• When an employee leaves the Practice, all transportable media in their possession must be returned to the Privacy Officer or appropriate personnel for data erasure that conforms to US Department of Defense standards for data elimination.

The Practice utilizes an approved method of encrypted data to ensure that all data is converted to a format that cannot be decrypted. The Privacy Officer or appropriate personnel can quickly establish an encrypted partition on your transportable media.

When no longer in productive use, all Practice laptops, workstations, or servers must be wiped of data in a manner which conforms to HIPAA regulations. All transportable media must be wiped according to the same standards. Thus all transportable media must be returned to the Privacy Officer or appropriate personnel for data erasure when no longer in use.


Company Name or Logo¹

Policy and Procedure

Title: RETENTION & DESTRUCTION of PAPER DOCUMENTS

P!P ": IS2"@

Approval Date: Date9 Review: Annual

Effective Date: Date; Information Technology 'T(S)-)? T(S)-*+

10. Retention & Destruction of Medical Information

Many state and federal laws regulate the retention and destruction of medical information. The Practice actively conforms to these laws and follows the strictest regulation if/when a conflict occurs.

Record Retention - Documents relating to uses and disclosures, authorization forms, business partner contracts, notices of information practice, responses to a patient who wants to amend or correct their information, the patient's statement of disagreement, and a complaint record are maintained for a period of 6 years.

Record Destruction - All hardcopy medical records that require destruction are shredded using NIST 800-88 guidelines.


Company Name or Logo¹

Policy and Procedure

Title: DISPOSAL OF EXTERNAL MEDIA & HARDWARE

P!P ": IS2""#

Approval Date: Date9 Review: Annual

Effective Date: Date; Information Technology 'T(S)-)? T(S)-*+

11. Disposal of External Media & Hardware

11.1 DISPOSAL OF EXTERNAL MEDIA

It must be assumed that any external media in the possession of an employee is likely to contain either protected health information ("PHI") or other sensitive information. Accordingly, external media (CD-ROMs, DVDs, diskettes, USB drives) should be disposed of in a method that ensures that there will be no loss of data and that the confidentiality and security of that data will not be compromised.

The following steps must be adhered to:

• It is the responsibility of each employee to identify media which should be shredded and to utilize this policy in its destruction.

• External media should never be thrown in the trash.

• When no longer needed, all forms of external media are to be sent to the Privacy Officer or appropriate personnel for proper disposal.

• The media will be secured until appropriate destruction methods are used based on NIST 800-88 guidelines.

11.2 REQUIREMENTS RE


• Older machines are used as backups for other production equipment.

• Older machines are used when it is necessary to provide a second machine for personnel who travel on a regular basis.

• Older machines are used to provide a second machine for personnel who often work from home.


Company Name or Logo¹

Policy and Procedure

Title: CHAN


Company Name or Logo¹

Policy and Procedure

Title: AUDIT CONTROLS P!P ": IS2""%

Approval Date: Date9 Review: Annual

Effective Date: Date; Information Technology 'T(S)*.? T(S)*;? T(S)*+

13. Audit Controls

Statement of Policy

To ensure that Practice implements hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain electronic protected health information ("ePHI").

Audit Controls are technical mechanisms that track and record computer activities. An audit trail determines if a security violation occurred by providing a chronological series of logged computer events that relate to an operating system, an application, or user activities.

The Practice is committed to routinely auditing users' activities in order to continually assess potential risks and vulnerabilities to ePHI in its possession. As such, the Practice will continually assess potential risks and vulnerabilities to ePHI in its possession and develop, implement, and maintain appropriate administrative, physical, and technical security measures in accordance with the HIPAA Security Rule.

Procedure

1. See policy entitled Information System Activity Review for the administrative safeguards for auditing system activities.

2. The Information Technology Services shall enable event auditing on all computers that process, transmit, and/or store ePHI for purposes of generating audit logs. Each audit log shall include, at a minimum, user ID, login time and date, and scope of patient data being accessed for each attempted access. Audit trails shall be stored on a separate computer system to minimize the impact of such auditing on business operations and to minimize access to audit trails.

3. The Practice shall utilize appropriate network-based and host-based intrusion detection systems. The Information Technology Services shall be responsible for installing, maintaining, and updating such systems.


Company Name or Logo¹

Policy and Procedure

Title: INFORMATION SYSTEM ACTIVITY REVIEW P!P ": IS2""8

Approval Date: Date9 Review: Annual

Effective Date: Date; Information Technology 'T(S)*;? T(S)*A? T(S)*+

14. Information System Activity Review

Statement of Policy

To establish the process for conducting, on a periodic basis, an operational review of system activity including, but not limited to, user accounts, system access, file access, security incidents, audit logs, and access reports. Practice shall conduct on a regular basis an internal review of records of system activity to minimize security violations.

Procedure

1. See policy entitled Audit Controls for a description of the technical mechanisms that track and record activities on Practice's information systems that contain or use ePHI.

2. The Information Technology Services shall be responsible for conducting reviews of Practice's information systems' activities. Such person(s) shall have the appropriate technical skills with respect to the operating system and applications to access and interpret audit logs and related information appropriately.

3. The Security Officer shall develop a report format to capture the review findings. Such report shall include the reviewer's name, date and time of performance, and significant findings describing events requiring additional action (e.g., additional investigation, employee training and/or discipline, program adjustments, modifications to safeguards). To the extent possible, such report shall be in a checklist format.

4. Such reviews shall be conducted annually. Audits also shall be conducted if Practice has reason to suspect wrongdoing. In conducting these reviews, the Information Technology Services shall examine audit logs for security-significant events including, but not limited to, the following:

a. Logins: Scan successful and unsuccessful login attempts. Identify multiple failed login attempts, account lockouts, and unauthorized access.

b. File accesses: Scan successful and unsuccessful file access attempts. Identify multiple failed access attempts, unauthorized access, and unauthorized file creation, modification, or deletion.


c. Security incidents: Examine records from security devices or system audit logs for events that constitute system compromises, unsuccessful compromise attempts, malicious logic (e.g., viruses, worms), denial of service, or scanning/probing incidents.

d. User Accounts: Review user accounts within all systems to ensure that users who no longer have a business need for information systems no longer have access to the information and/or system.

All significant findings shall be recorded using the report format referred to in Section 2 of this policy and procedure.

5. The Information Technology Services shall forward all completed reports, as well as recommended actions to be taken in response to findings, to the Security Officer for review. The Security Officer shall be responsible for maintaining such reports. The Security Officer shall consider such reports and recommendations in determining whether to make changes to Practice's administrative, physical, and technical safeguards. In the event a security incident is detected through such auditing, such matter shall be addressed pursuant to the policy entitled Employee Responsibilities (Report Security Incidents).
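To make the review procedure above concrete, here is an added example (not part of the template) that runs the checks from steps 4.a, 4.b and 4.d over a constructed audit log carrying the fields the Audit Controls policy requires, and emits the checklist-format report called for in step 3. The pipe-delimited log layout, the active-user roster and the set of users allowed to change records are assumptions made for this example.

```python
"""Information System Activity Review: steps 3 and 4 run over a constructed audit log."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log. Each record carries the minimum the Audit Controls
# policy requires: user ID, date and time, and the patient-data scope touched.
# The "timestamp|user|event|scope" layout is an assumption made for this example.
SAMPLE_LOG = """\
2024-03-04T08:01:12|jdoe|LOGIN_OK|-
2024-03-04T08:03:40|jdoe|FILE_READ|patient:1042
2024-03-04T08:10:02|mroe|LOGIN_FAIL|-
2024-03-04T08:10:09|mroe|LOGIN_FAIL|-
2024-03-04T08:10:15|mroe|LOGIN_FAIL|-
2024-03-04T08:10:21|mroe|LOCKOUT|-
2024-03-04T09:15:33|tlee|LOGIN_OK|-
2024-03-04T09:16:05|tlee|FILE_READ|patient:2210
2024-03-04T09:20:45|tlee|FILE_DELETE|patient:2210
2024-03-04T11:02:19|jdoe|FILE_MODIFY|patient:1042
"""
# Constructed roster of users who still have a business need for access (step 4.d).
ACTIVE_WORKFORCE = {"jdoe", "mroe"}
# Constructed set of users authorised to create, modify or delete records (step 4.b).
WRITE_AUTHORIZED = {"jdoe"}
WRITE_EVENTS = {"FILE_CREATE", "FILE_MODIFY", "FILE_DELETE"}


@dataclass
class Event:
    when: datetime
    user: str
    kind: str
    scope: str


def parse_log(text):
    """Split the pipe-delimited log into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, kind, scope = line.split("|")
            events.append(Event(datetime.fromisoformat(ts), user, kind, scope))
    return events


def review(events, active=ACTIVE_WORKFORCE, writers=WRITE_AUTHORIZED, fail_threshold=3):
    """Flag the security-significant events listed in steps 4.a, 4.b and 4.d."""
    fails = Counter(e.user for e in events if e.kind == "LOGIN_FAIL")
    return {
        # 4.a: multiple failed logins and account lockouts
        "repeated_failed_logins": {u: n for u, n in fails.items() if n >= fail_threshold},
        "lockouts": sorted({e.user for e in events if e.kind == "LOCKOUT"}),
        # 4.b: file creation, modification or deletion by a user not authorised to write
        "unauthorized_writes": sorted(
            (e.user, e.kind, e.scope) for e in events
            if e.kind in WRITE_EVENTS and e.user not in writers),
        # 4.d: accounts seen in the log for users with no remaining business need
        "accounts_without_need": sorted({e.user for e in events} - set(active)),
    }


def build_report(findings, reviewer, performed_at):
    """Checklist-format report (step 3): reviewer, date/time and significant findings."""
    lines = [f"Reviewer: {reviewer}",
             f"Performed: {performed_at.isoformat(timespec='minutes')}"]
    for area, items in findings.items():
        lines.append(f"[{'x' if items else ' '}] {area}: {items or 'no findings'}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = review(parse_log(SAMPLE_LOG))
    print(build_report(result, "J. Reviewer", datetime(2024, 3, 5, 9, 0)))
```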


Company Name or Logo¹

Policy and Procedure

Title: DATA INTE


Company Name or Logo¹

Policy and Procedure

Title: CONTIN

Monday through Friday, an incremental backup of all servers containing ePHI shall be backed up to tape. On Saturday, a full backup of all servers containing ePHI shall be backed up to tape. The backup tapes are taken each week off site by the IS Manager or his/her designee to ensure safeguard of Practice's data. One month of backup data will be maintained at all times in a remote location. Backup media that is no longer in service will be disposed of in accordance with the Disposal of External Media/Hardware policy.

c. The Security Officer shall monitor storage and removal of backups and ensure all applicable access controls are enforced.

d. The Security Officer shall test backup procedures on an annual basis to ensure that exact copies of ePHI can be retrieved and made available. Such testing shall be documented by the Security Officer. To the extent such testing indicates need for improvement in backup procedures, the Security Officer shall identify and implement such improvements in a timely manner.

2. Disaster Recovery and Emergency Mode Operations Plan


a. The Security Officer shall be responsible for developing and regularly updating the written disaster recovery and emergency mode operations plan for the purpose of:

i. Restoring or recovering any loss of ePHI and/or systems necessary to make ePHI available in a timely manner caused by fire, vandalism, terrorism, system failure, or other emergency; and

ii. Continuing operations during such time information systems are unavailable. Such written plan shall have a sufficient level of detail and explanation that a person unfamiliar with the system can implement the plan in case of an emergency or disaster. Copies of the plan shall be maintained on-site and at the off-site locations at which backups are stored or other secure off-site location.

b. The disaster recovery and emergency mode operation plan shall include the following:

i. Current copies of the information systems inventory and network configuration developed and updated as part of Practice's risk analysis.

ii. Current copy of the written backup procedures developed and updated pursuant to this policy.

iii. An inventory of hard copy forms and documents needed to record clinical, registration, and financial interactions with patients.

iv. Identification of an emergency response team. Members of such team shall be responsible for the following:

1. Determining the impact of a disaster and/or system unavailability on Practice's operations.

2. In the event of a disaster, securing the site and providing ongoing physical security.

3. Retrieving lost data.

4. Identifying and implementing appropriate "work-arounds" during such time information systems are unavailable.

5. Taking such steps necessary to restore operations.

v. Procedures for responding to loss of electronic data including, but not limited to, retrieval and loading of backup data or methods for recreating data should backup data be unavailable. The procedures should identify the order in which data is to be restored based on the criticality analysis performed as part of Practice's risk analysis.

vi. Telephone numbers and/or e-mail addresses for all persons to be contacted in the event of a disaster, including the following:

1. Members of the immediate response team,

2. Facilities at which backup data is stored,

3. Information systems vendors, and

4. All current workforce members.

c. The disaster recovery team shall meet on at least an annual basis to:

i. Review the effectiveness of the plan in responding to any disaster or emergency experienced by Practice;

ii. In the absence of any such disaster or emergency, plan drills to test the effectiveness of the plan and evaluate the results of such drills; and

iii. Review the written disaster recovery and emergency mode operations plan and make appropriate changes to the plan. The Security Officer shall be responsible for convening and maintaining minutes of such meetings. The Security Officer also shall be responsible for revising the plan based on the recommendations of the disaster recovery team.


Company Name or Logo¹

Policy and Procedure

Title: SECURITY AWARENESS AND TRAINING P!P ": IS2""<

Approval Date: Date9 Review: Annual

Effective Date: Date; Information Technology 'T(S))>+

17. Security Awareness and Training

Statement of Policy

To establish a security awareness and training program for all members of Practice's workforce, including management.

All workforce members shall receive appropriate training concerning Practice's security policies and procedures. Such training shall be provided prior to the effective date of the HIPAA Security Rule and on an ongoing basis to all new employees. Such training shall be repeated annually for all employees.

Procedure

a. Security Training Program

i. The Security Officer shall have responsibility for the development and delivery of initial security training. All workforce members shall receive such initial training addressing the requirements of the HIPAA Security Rule including the updates to HIPAA regulations found in the Health Information Technology for Economic and Clinical Health (HITECH) Act. Security training shall be provided to all new workforce members as part of the orientation process. Attendance and/or participation in such training shall be mandatory for all workforce members. The Security Officer shall be responsible for maintaining appropriate documentation of all training activities.

ii. The Security Officer shall have responsibility for the development and delivery of ongoing security training provided to workforce members in response to environmental and operational changes impacting the security of ePHI, e.g., addition of new hardware or software, and increased threats.

b. Security Reminders

i. The Security Officer shall generate and distribute to all workforce members routine security reminders on a regular basis. Periodic reminders shall address password security, malicious software, incident identification and response, and access control. The Security Officer may provide such reminders through formal training, e-mail messages, discussions during staff meetings, screen savers, log-in banners, newsletter/intranet articles, posters, promotional items such as coffee mugs, mouse pads, sticky notes, etc. The Security Officer shall be responsible for maintaining appropriate documentation of all periodic security reminders.


ii. The Security Officer shall generate and distribute special notices to all workforce members providing urgent updates, such as new threats, hazards, vulnerabilities, and/or countermeasures.

c. Protection from Malicious Software

i. As part of the aforementioned Security Training Program and Security Reminders, the Security Officer shall provide training concerning the prevention, detection, containment, and eradication of malicious software. Such training shall include the following:

a) Guidance on opening suspicious e-mail attachments, e-mail from unfamiliar senders, and hoax e-mail;

b) The importance of updating anti-virus software and how to check a workstation or other device to determine if virus protection is current;

c) Instructions to never download files from unknown or suspicious sources;

d) Recognizing signs of a potential virus that could sneak past antivirus software or could arrive prior to an update to anti-virus software;

e) The importance of backing up critical data on a regular basis and storing the data in a safe place;

f) Damage caused by viruses and worms; and

g) What to do if a virus or worm is detected.

d. Password Management

i. As part of the aforementioned Security Training Program and Security Reminders, the Security Officer shall provide training concerning password management. Such training shall address the importance of confidential passwords in maintaining computer security, as well as the following requirements relating to passwords:

a) Passwords must be changed every 90 days.

b) A user cannot reuse the last 12 passwords.

c) Passwords must be at least eight characters and contain upper case letters, lower case letters, numbers, and special characters.

d) Commonly used words, names, initials, birthdays, or phone numbers should not be used as passwords.

e) A password must be promptly changed if it is suspected of being disclosed, or known to have been disclosed.


f) Passwords must not be disclosed to other workforce members (including anyone claiming to need a password to "fix" a computer or handle an emergency situation) or individuals, including family members.

g) Passwords must not be written down, posted, or exposed in an insecure manner such as on a notepad or posted on the workstation.

h) Employees should refuse all offers by software and/or Internet sites to automatically log in the next time that they access those resources.

i) Any employee who is directed by the Security Officer to change his/her password to conform to the aforementioned standards shall do so immediately.
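As an added example that is not part of the template, the password requirements above expressed as a checker: complexity per c), common words and personal details per d), a salted history of the last 12 passwords per b), and the 90-day and disclosure triggers for a change per a) and e). The profile fields, the short common-word list and the sample passwords are constructed for this example.

```python
"""Checks a candidate password against the password management requirements a) to e)."""
import hashlib
import os
import re
import string
from datetime import date

MAX_AGE_DAYS = 90     # requirement a)
HISTORY_DEPTH = 12    # requirement b)
MIN_LENGTH = 8        # requirement c)
# Constructed stand-in for a real common-password dictionary (requirement d).
COMMON_WORDS = {"password", "welcome", "practice", "letmein", "qwerty"}
# Constructed user profile; the field names are an assumption made for this example.
SAMPLE_PROFILE = {"first": "Jane", "last": "Doe", "birthdate": "1980-05-17",
                  "phone": "555-867-5309"}


def hash_password(password, salt=None):
    """Salted PBKDF2 so the password history can be kept without any plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def reused(password, history):
    """True if the candidate equals any of the last 12 stored (salt, digest) entries."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])


def personal_tokens(profile):
    """Name, birthday and phone fragments that must not appear in a password."""
    bday = date.fromisoformat(profile["birthdate"])
    digits = re.sub(r"\D", "", profile["phone"])
    tokens = {profile["first"].lower(), profile["last"].lower(),
              bday.strftime("%m%d%Y"), bday.strftime("%d%m%Y"), str(bday.year),
              digits, digits[-4:]}
    return {t for t in tokens if len(t) >= 3}


def check_password(candidate, profile, history):
    """Return the violated requirements; an empty list means the candidate is acceptable."""
    pw = candidate.lower()
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("c) shorter than 8 characters")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in string.punctuation for c in candidate)):
        problems.append("c) missing upper case, lower case, number or special character")
    initials = (profile["first"][0] + profile["last"][0]).lower()
    if pw in COMMON_WORDS or pw == initials or any(t in pw for t in personal_tokens(profile)):
        problems.append("d) common word, name, initials, birthday or phone number")
    if reused(candidate, history):
        problems.append("b) reuses one of the last 12 passwords")
    return problems


def must_change(last_changed_iso, today_iso, disclosure_suspected=False):
    """Requirements a) and e): expired after 90 days, or suspected/known disclosure."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return disclosure_suspected or age >= MAX_AGE_DAYS


if __name__ == "__main__":
    history = [hash_password("Winter2023!")]
    for pw in ("Summer2024!", "Doe1980!xy", "password", "Winter2023!"):
        print(pw, "->", check_password(pw, SAMPLE_PROFILE, history) or "OK")
    print("change due:", must_change("2024-01-01", "2024-04-01"))
```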


Company Name or Logo¹

Policy and Procedure

Title: SECURITY MANA


ii) Determine whether the data is created by the organization or received from a third party. If data is received from a third party, identify that party and the purpose and manner of receipt.

iii) Determine whether the data is maintained within the organization only or transmitted to third parties. If data is transmitted to a third party, identify that party and the purpose and manner of transmission.

iv) Define the criticality of the application and related data as high, medium, or low. Criticality is the degree of impact on the organization if the application and/or related data were unavailable for a period of time.

v) Define the sensitivity of the data as high, medium, or low. Sensitivity is the nature of the data and the harm that could result from a breach of confidentiality or security incident.

vi) For each application identified, identify the various security controls currently in place and locate any written policies and procedures relating to such controls.

e) Identify and document threats to the confidentiality, integrity, and availability (referred to as "threat agents") of ePHI created, received, maintained, or transmitted by Practice. Consider the following:

i) Natural threats, e.g., earthquakes, storm damage

ii) Environmental threats, e.g., fire and smoke damage, power outage, utility problems

iii) Human threats:

a. Accidental acts, e.g., input errors and omissions, faulty application programming or processing procedures, failure to update/upgrade software/security devices, lack of adequate financial and human resources to support necessary security controls

b. Inappropriate activities, e.g., inappropriate conduct, abuse of privileges or rights, workplace violence, waste of corporate assets, harassment

c. Illegal operations and intentional attacks, e.g., eavesdropping, snooping, fraud, theft, vandalism, sabotage, blackmail

d. External attacks, e.g., malicious cracking, scanning, demon dialing, virus introduction

iv) Identify and document vulnerabilities in Practice's information systems. A vulnerability is a flaw or weakness in security policies and procedures, design, implementation, or controls that could be accidentally triggered or intentionally exploited, resulting in unauthorized access to ePHI,


modification of ePHI, denial of service, or repudiation (i.e., the inability to identify the source and hold some person accountable for an action). To accomplish this task, conduct a self-analysis utilizing the standards and implementation specifications to identify vulnerabilities.

f) Determine and document probability and criticality of identified risks.

i) Assign probability level, i.e., likelihood of a security incident involving the identified risk:

a. Very Likely (3) is defined as having a probable chance of occurrence

b. Likely (2) is defined as having a significant chance of occurrence

c. Not Likely (1) is defined as a modest or insignificant chance of occurrence

ii) Assign criticality level:

a. High (3) is defined as having a catastrophic impact on the medical practice including a significant number of medical records which may have been lost or compromised

b. Medium (2) is defined as having a significant impact including a moderate number of medical records within the practice which may have been lost or compromised

c. Low (1) is defined as a modest or insignificant impact including the loss or