Midwest Medical Center Galena, Illinois

Approval Date: ______ Administrator ______

Date: ______ Department Head ______

Developed: December 2004

Revised

Reviewed

Policy: Workstation Use

Subject: Appropriate Use of Workstations within Midwest Medical Center

Objectives: This policy reflects Midwest Medical Center’s commitment to appropriately use and protect its workstations. This policy also reflects Midwest Medical Center’s commitment to prevent unauthorized physical access to workstations that can access EPHI while ensuring that authorized workforce members have appropriate access.

POLICY

1. Midwest Medical Center workstations must be used only for authorized purposes: to support the research, education, clinical, administrative, and other functions of Midwest Medical Center.

2. All workforce members who use Midwest Medical Center workstations must take all reasonable precautions to protect the confidentiality, integrity, and availability of EPHI contained or accessed by the workstations.

3. Workforce members must not use Midwest Medical Center workstations to engage in any activity that is either illegal under local, state, federal, or international law or is in violation of Midwest Medical Center policy.

4. Activities that workforce members must not perform while using Midwest Medical Center workstations include, but are not limited to:

- Violations of the rights to privacy of protected healthcare information of Midwest Medical Center’s patients.
- Violations of the rights of any person or company protected by copyright, trade secret, patent, or other intellectual property or similar laws or regulations. This includes, but is not limited to, the installation or distribution of "pirated" or other inappropriately licensed software products.
- Unauthorized copying of copyrighted material, including but not limited to digitization and distribution of photographs from magazines, books, or other copyrighted sources and copyrighted music.
- Purposeful introduction of malicious software onto a workstation or network (e.g., viruses, worms, Trojan horses).
- Actively engaging in procuring or transmitting material that is in violation of Midwest Medical Center sexual harassment or hostile workplace policies.
- Making fraudulent offers of products, items, or services.
- Purposefully causing security breaches. Security breaches include, but are not limited to, accessing electronic data that the workforce member is not authorized to access or logging into an account that he or she is not authorized to access. Midwest Medical Center associates who perform this activity as part of their defined job are exempt from this prohibition.
- Performing any form of network monitoring that will intercept electronic data not intended for the workforce member. Midwest Medical Center associates who perform this activity as part of their defined job are exempt from this prohibition.
- Circumventing or attempting to avoid the user authentication or security of any Midwest Medical Center workstation or account. Associates who perform this activity as part of their defined job are exempt from this prohibition.

5. Access to all Midwest Medical Center workstations containing EPHI must be controlled with a username and password or an access device such as a token.

6. Access to all Midwest Medical Center workstations with EPHI must be authenticated via a process that includes, at a minimum:

- Unique user IDs that enable users to be identified and tracked.
- Shared IDs may only be used to access Midwest Medical Center workstations not containing EPHI.
- The prompt removal of workstation access privileges for workforce members whose employment or contracted service with Midwest Medical Center has ended.
- Verification that redundant user IDs are not issued.

7. All password-based access control systems on Midwest Medical Center workstations must mask, suppress, or otherwise obscure the passwords so that unauthorized persons are not able to observe them.

8. Midwest Medical Center workforce members must not share passwords with others. If a Midwest Medical Center workforce member believes that someone else is inappropriately using a user-ID or password, they must immediately notify their manager.

9. Where possible, the initial password(s) issued to a new Midwest Medical Center workforce member must be valid only for the new user's first logon to a workstation. At initial logon, the user must be required to choose another password. Where possible, this same process must be used when a workforce member’s workstation password is reset.

10. Midwest Medical Center workstations containing EPHI must be physically located or secured in such a manner as to minimize the risk that unauthorized individuals can gain access to them.

11. The display screens of all Midwest Medical Center workstations containing EPHI must be positioned such that information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception, public, or other related areas. The use of privacy screens should be considered when appropriate.

12. Midwest Medical Center Information Security office approved anti-virus software must be installed on workstations to prevent transmission of malicious software. Such software must be regularly updated.

13. Midwest Medical Center workforce members must activate their workstation locking software or sign off whenever they leave their workstation unattended. Midwest Medical Center workforce members must log off from or lock their workstation(s) when their shifts are complete.

14. Connections from one workstation to another workstation must be logged off after the session is completed. At the end of each shift users should close or log off from all applications that access ePHI prior to leaving.

15. Workstations removed from Midwest Medical Center premises must be protected with security controls equivalent to or more restrictive than those for on-site workstations.

16. Special precautions must be taken with portable workstations such as laptops. The following guidelines must be followed with such systems:

- EPHI must not be stored on a portable workstation unless such information is appropriately protected. Midwest Medical Center security office approved encryption should be used.
- Laptops that access ePHI should be locked if unattended.

Midwest Medical Center portable workstations must be carried as carry-on (hand) baggage when workforce members use public transport. They must be concealed and/or locked when in private transport (e.g., locked in the trunk of an automobile).

Violations of the workstation use policy can lead to written or verbal warnings, or termination of employment from Midwest Medical Center.
