6. dial up modems are not supported. - mchodessa.com · f:\2013\remote users\remote request...


Post on 29-Aug-2019


Page 1: 6. Dial Up modems are not supported. - mchodessa.com · F:\2013\Remote Users\Remote Request Forms\Vendor Remote Access Request for HIM.docx MEDICAL CENTER HOSPITAL REMOTE ACCESS First

F:\2013\Remote Users\Remote Request Forms\Vendor Remote Access Request for HIM.docx

MEDICAL CENTER HOSPITAL REMOTE ACCESS

First three pages are for Vendor records; please do not return with application.

In order to comply with Medical Center Hospital policy 1044 regarding remote access to the hospital computer systems, please fill out, print and sign the form below. Policy 1044 requires all users to submit access requests in writing to the Information Technology Steering Committee. Medical Center Hospital reserves the right to do random reviews and spot checks to ensure compliance with this policy and that proper patient confidentiality is being maintained. Medical Center Hospital is not responsible for maintenance of any hardware or software. A computer security agreement must be signed before access can be obtained. It is your responsibility to have anti-virus software installed and to keep it updated.

Minimum requirements for a remote access connection:

1. A company email address. ISPs like Yahoo, gmail, hotmail etc., are not allowed.

2. Pentium 400 or better with 256MB of RAM or more. (512MB RAM is recommended)

3. Microsoft Internet Explorer 6.0 or better.

4. Windows 2000 or better

5. Broadband internet connection (DSL, Cable, Wireless, or better)

6. Dial Up modems are not supported.

Page 2

STRONG PASSWORD RULES

MCH is serious about protecting patient privacy. Passwords are the entry point to our network, so they must be strong. A weak, stolen, or misused password can give intruders or unauthorized people access to information they have no right to know. Strong password Do’s and Don’ts:

Do make your password 7 or more characters long.

Don’t have a password that contains any part of your name.

Don’t use terms that anyone familiar with you could guess.

Don’t include personal information, names, addresses or phone numbers.

Avoid words that are in the dictionary, as these create weaker passwords. Include mixed case, numbers, and punctuation in the password; these increase the password’s strength. You can make a password stronger without making it longer by breaking up alphabetic characters with numbers and punctuation. Using mixed case within strings of alphabetic characters is also helpful.

Use a passphrase rather than a password. A passphrase is difficult for an attacker to guess: Sii2apd- (stands for: Security is important to access patient data). Including misspelled words in the phrase makes it an even stronger password (e.g. Igo2colege; Iwerk4MCH).

To create a strong password, use 3 of the 4 character classes listed below:

Upper Case

Lower Case

Numbers

Special Characters

Examples of strong passwords:

Original Password    Strong Password
CocoBeach            CoCo_Beach
UpdateRecords        Upd8Rec$
I work for MCH       Iwerk4MCH

Ideas for passwords might come from a phrase such as “A good password is hard to figure out.” This could be translated into a strong password such as “Agpih2f0”. Letters can also be substituted for numbers (and vice versa) by other sets of simple rules. For instance: 1 looks like a lowercase letter L; 2 looks like a Z; 3 looks like a backward E; 4 looks like an A; 5 looks like an S; 6 looks like a G; 7 looks like a T; 8 looks like an R; 9 looks like a backward P; and zero looks like an O. To make all of your passwords at MCH compatible, start your password with a letter.

Page 3

POLICY MEMORANDUM

POLICY SUBJECT: Remote Access of Hospital Computer Systems

POLICY NUMBER: MCH-1044

JCAHO FUNCTION AREA: Leadership

POLICY APPLICABLE TO: All Users of MCH Computer Systems

POLICY EFFECTIVE DATE: January 24, 1995

POLICY REVIEWED: 12/1/97; 11/20/00; 3/4/02; 1/29/07

POLICY REVISED: 12/1/97; 3/23/01; 1/20/05; 4/26/07; 8/18/10; 3/1/11

POLICY STATEMENT:

1. All computer users who need remote access to any Medical Center Hospital (MCH) computer system must submit a Remote Access Request Form. This form must be submitted to the Chief Information Officer for approval. Once approval is given, instructions for setting up the account will be provided to the user. The necessary forms can be obtained from the I.T. Department or from the MCH Intranet.

2. MCH reserves the right to do random reviews and spot checks to ensure compliance with policies and procedures and to ensure proper patient confidentiality is being maintained.

3. Anyone requesting remote access must supply their own computer equipment.

4. MCH will provide instructions for configuring the remote account.

5. Safety and security of the computer and information accessed is solely the responsibility of the user.

6. MCH employees using computer equipment remotely must have completed PC Orientation and training on the applications they will be using.

7. Remote users are bound by the same rules that apply to personal computers used at MCH.

8. Remote users will be required to change their passwords according to the rules governing the application(s) being used.

9. MCH does not condone, allow or accept responsibility for unauthorized, unlicensed or pirated software.

10. MCH is not responsible for maintenance of any hardware or software used in conjunction with remote access.

11. The use of regularly updated anti-virus protection is required.

12. The Remote Access Request Form must be signed before access can be obtained.

AUTHORIZING SIGNATURE(S)

William W. Webster Chief Executive Officer

END OF POLICY

Page 4

ADMINISTRATION

POLICY MEMORANDUM POLICY TITLE: COMPUTER SECURITY

POLICY NUMBER: MCH-1046

TJC FUNCTION AREA: Leadership

POLICY APPLICABLE TO: Employees, medical staff, volunteers, contractors, consultants, temporaries and other users including those affiliated with third parties who access the MCH network

POLICY EFFECTIVE DATE: 3/20/95

POLICY REVIEWED: 12/1/96; 6/1/99; 12/22/99; 12/1/01; 9/15/03; 1/19/05; 1/2006; 3/2008; 03/28/11

POLICY REVISED: 9/22/97; 6/1/99; 12/22/99; 12/1/01; 9/15/03; 1/19/05; 3/14/2007; 03/29/11; 6/15/11

POLICY STATEMENT:

This policy statement establishes guidelines and responsibilities for the protection of information assets. It addresses basic computer security, access control and data integrity. The primary goals are to prevent misuse, alteration, or loss of information assets; to maintain employee accountability for protection of information assets; and to maintain the integrity and confidentiality of sensitive information, including protected health information (PHI), in accordance with the most rigorous protection standards while providing access to the right level of information to the correct person(s).

All information utilized in the course of business is considered an information asset, and as such, everyone accessing MCH’s computer systems is responsible and accountable for its protection. It is further our responsibility to maintain information security and integrity through administration of appropriate controls so as to protect information from unauthorized disclosure, modification, destruction or use.

This policy applies to all computer systems, desktop systems, laptops, handheld devices, infrastructure devices and any other device on which information is stored, accessed or maintained.

1) ACCEPTABLE USE:

a) By using hardware, software and network systems belonging to MCH, the user assumes personal responsibility for their appropriate use and agrees to comply with this policy and other applicable policies as well as city, state, and federal laws and regulations.

2) COMPUTER USERS ARE PROHIBITED FROM:

Page 5

a) Attempting to operate equipment without specific authorization and/or instruction from the Information Technology Department (IT);

b) Demonstrating the operation of computer equipment or software to anyone without specific authorization;

c) Disclosing any portion of MCH’s computerized systems to any unauthorized person;

d) Attempting to obtain system privileges to which a user is not entitled;

e) Bringing outside equipment into MCH and attaching to the MCH network;

f) Using, installing, or copying any illegal, unlicensed or personally owned software onto any MCH computer;

g) Using the computing and networking resources for unsanctioned, personal or private commercial purposes or financial gain;

h) Using sniffer hardware and/or software. Exception: IT personnel are authorized to use sniffer hardware and/or software for diagnostic purposes only.

i) Formatting their own computers.

3) NOTIFICATION OF VIOLATIONS OF POLICY

a) Anyone aware of violations to this policy may report them through the Ethics Hotline (640-3844), the Compliance Line (1-800-805-1642) or by calling extension 1385 and asking for Computer Security Officer, Computer Security Analyst, and/or Assistant Computer Security Officer.

b) Penalties for violating this policy will vary depending on the nature and severity of the violation. Violators may be subject to disciplinary action as described in the employee handbook, including but not limited to reprimand, suspension and/or termination of employment; civil or criminal prosecution under federal and/or state law.

4) PRINCIPLES FOR COMPUTER INFORMATION SECURITY MANAGEMENT

a) Information will be acquired, stored, protected, shared and used in the best interest of MCH and the customers we serve.

b) Information assets, whether hardware, software, middleware or data, must be protected from unauthorized use, interruption, damage or loss.

c) All decisions involving administrative controls, data access tools and database design will consider the necessary balance between ease of access and appropriate information protection.

d) Information will be managed so that it can be shared in a flexible, timely, convenient, cost effective, and secure manner.

e) The Computer Security Office initiates and oversees the implementation of policies and procedures to protect PHI by the Compliance Office.

Page 6

f) The use of a password or security code does not constitute a right to privacy. MCH reserves the right to change a password or security code at any time in order to access a computing device on its network.

g) Use of computer systems at MCH signifies consent to monitoring and monitoring does occur.

h) By virtue of employment, all employees receive access to the network, email and time and attendance once a notice of employment has been received from Human Resources. Access beyond this basic set of applications must be applied for by using the I.T. Education/Security Request. Requests must come from the department director or their designee.

i) By virtue of employment, clinical employees also automatically receive access to the clinical applications HOM, HED, Teletracking and the Physicians Portal once a notice of employment has been received from Human Resources. Access beyond this basic set of applications must be applied for by using the I.T. Education/Security Request. Requests must come from the department director or their designee.

5) GENERAL ACCESS CONSIDERATIONS

a) Security requirements for access to MCH information assets will be based on the following factors:

i) The role of the user within the organization;

ii) Context of the user in relation to the data/information being accessed;

iii) Physical security and environment at the user’s workplace;

iv) Knowledge, training, and security awareness of the user;

v) Existence of effective security access and control software;

vi) Existence of audit resources;

vii) Business risk and the offsetting benefits.

6) AVAILABILITY

a) To facilitate as much up-time as possible, the information infrastructure has built-in redundancy including mirroring and RAID whenever possible. Uninterruptible power supplies are attached to critical systems; backups are performed daily, kept away from the data center and rotated according to IT protocols; and a tested business recovery plan exists.

b) Whenever possible, downtime is planned a week in advance and users notified repeatedly until the downtime occurs.

c) When an application or system fails (goes down without notice), it is the top priority of IT to restore that application or system as quickly as possible with as little impact as possible.

d) An Unscheduled Downtime Report is required when a system failure or unexpected downtime occurs. This report, describing the reason for the downtime, what the problem was, what was affected and what was done to fix the problem, is filed in the Computer Security Office.

Page 7

e) Emergency downtime is considered to be downtime scheduled with less than one day’s advance notice. An Unscheduled Downtime Report is required to be filled out after the downtime. This form is helpful in auditing and trending occurrences.

f) The IT Technology Recovery Plan is the master document for backup and recovery. Available in the IT Department and also stored off-site in a fire-proof vault, this living document has a hierarchy of applications, lists of vendors and software companies as well as the information needed for data recovery.

g) In order to minimize risk, computers that possess the ability to automatically log off users will be set to terminate the current connection after a prescribed period of time. The period of time has to be determined by users of the application after careful consideration of the risk involved, the type of information on the computer and the location of the computer(s). Best practice is thought to be 15 minutes.

7) CLASSIFICATION OF DATA

a) The IT Department at MCH follows the guidelines for classification of data provided by MCH, the Health Information Management Department and The Joint Commission Information Management Team.

8) DISPOSAL OF DATA

a) All paper-based (hard copy) information that contains personally identifiable patient information, personal or employment-related employee information should be disposed of in a manner to ensure the confidentiality and security of that information. The recommended method of secure disposal is shredding. The hospital also provides locked storage bins into which personal or employment-related information can be discarded. The locked bins are removed by a hospital contracted vendor.

b) Electronic media such as tapes, diskettes, tape cartridges or removable memory devices that contain confidential information should be disposed of in a manner that ensures the confidentiality and security of that information. Options for disposal of electronic media include, but are not limited to: diskettes to be discarded must be cut into pieces; microfilm or microfiche must be cut into pieces, shredded or chemically destroyed; and computer tapes and hardware must be overwritten or demagnetized (degaussed) to make it harder for someone to recover data. The hospital also provides locked storage bins into which personal or employment-related information can be discarded. The locked bins are removed by a hospital contracted vendor.

c) Audit records, confidentiality statements and general documentation not covered by state or federal laws are kept for six years then destroyed.

9) USER REGISTRATION:

a) Users of any part of the network which permits sharing of sensitive information with other users will be formally registered and assigned a unique user identifier (user id). This ID provides a means for access control and also serves to verify the user’s authorization to access specific information.

Page 8

b) Exception: The McKesson Information Systems Series software on the AS/400 provides an additional layer of authentication called a security code. A shared ID/password can be used on this system due to the additional layer of security the security code provides. Direct access to patient identifiable information is controlled with the security code, not the password.

10) NON-EMPLOYEE USERS

a) Users of the MCH network who are not employees of MCH must be sponsored by the appropriate data owner. The data owner must assure that a nondisclosure agreement is obtained. A determination must be made as to whether or not a HIPAA business associate agreement and data use agreement are required. Guidance must be provided in the use of the network in accordance with MCH policies and standards.

b) Non-employees who use the network, whether working on MCH premises or remotely, are permitted only the access required to perform their job assignment and only for the duration of their assignment.

c) Non-employees are not permitted to act in roles that give them the authority to control access to MCH information assets.

d) Non-employees are bound by the same rules that apply to employees.

e) Access for temporary employees is at the discretion of the data owner. The data owner must initiate the request, provide justification for the access and provide an ending date for revocation of the access.

11) PASSWORDS AND SECURITY CODES

a) MCH is serious about protecting patient privacy. Passwords are the entry point to our network so they must be strong. A weak, stolen or misused password can give intruders or unauthorized people access to information they have no right to know.

b) Passwords must be a minimum of seven (7) characters in length and must contain three (3) of the four (4) character sets available on the keyboard. Character sets are: upper case letters (e.g., A, B, C, D); lower case letters (e.g., a, b, c, d); numbers (e.g., 0, 1, 2, 3) and special characters (e.g., @, #, $, &).

c) Only the Computer Security Officer, Computer Security Analyst, or Assistant(s) may ask you for your password or security code.

d) Do not give your passwords or security code out to anyone else; do not write down your passwords nor post them where others may see them.

e) A password or security code is obtained only after successful completion of applicable computer training.

f) All computer users at MCH must attend PC Orientation before they may have access to the network or take any other course.

g) Anyone who wants access to any part of the MCH Information Systems must sign a confidentiality statement before being granted access.

Page 9

h) It is the exception to the rule that an employee may be granted rights to use the information network prior to training. If classes are not available or a proven job-related need exists, the employee’s department head/supervisor must request access prior to training. The statement requesting access must include the understanding that the employee will attend the first available class. Rights may be revoked the day after notification of a missed class. Reinstatement will not occur until the appropriate class is attended.

i) Requests for passwords or security codes may be sent by the department head through the hospital’s approved email program using the education/security request.

j) The Security Office issues the password and/or security code and confidentially notifies the employee.

k) The employee is responsible for continued confidentiality. Disclosure of a password or security code is considered a serious matter and may result in disciplinary action.

l) Passwords are to be changed every 180 days unless rules specifically stated in the department’s security plan call for a deviation from this. (Note: Group user passwords on the AS/400 McKesson systems never change because a secondary level of protection, the security code, also exists.)

m) In the event of suspected compromise of confidentiality it is that person’s responsibility to report the compromise. Notification may be made to the Department Manager/Director or to the ethics hotline. The situation is then reported to the Computer Security Office for investigation. The employee will immediately change their password or security code using the appropriate procedure.

n) Any employee who works in a sensitive area and wishes a periodic change of password may do so by notifying the Computer Security Office.

o) Supervisors, Managers, or Directors will not be made aware of their employee’s codes.

p) Passwords or security codes are not to be transmitted electronically (such as in email).

q) Administrative level accounts will not have a blank password and will be changed away from the default password.
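The complexity rule in 11(b) above (at least seven characters, at least three of the four character classes) and the advice on the Strong Password Rules page ("start your password with a letter", "don't have a password that contains any part of your name") can be turned into a mechanical check. The Python below is an added example written for this page; it is not code from the hospital or its policy. The sample passwords are the ones from the page's own table. Treating whitespace and any other character outside the four classes as belonging to no class is an assumption the policy text does not spell out; the name check is likewise an assumed reading (each supplied name part is searched for as a case-insensitive substring).

```python
"""Password check modelled on MCH-1046 section 11(b) and the 'Strong Password
Rules' page. Added example, not the hospital's own code."""

import string

MIN_LENGTH = 7   # 11(b): minimum of seven characters
MIN_CLASSES = 3  # 11(b): three of the four character sets

# The four character sets named in 11(b). Assumption: whitespace and any other
# character not in these sets counts toward no class at all.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def character_classes(password):
    """Return the set of class names present in the password."""
    present = set()
    for ch in password:
        for name, chars in CHARACTER_CLASSES.items():
            if ch in chars:
                present.add(name)
    return present


def check_password(password, name_parts=()):
    """Return a list of rule violations; an empty list means the password
    satisfies the policy. name_parts is an optional tuple of the user's
    first/last names for the 'no part of your name' rule (assumed reading:
    each part is rejected as a case-insensitive substring)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        violations.append(
            f"uses only {len(classes)} of {MIN_CLASSES} required character classes"
        )
    # Strong Password Rules page: start the password with a letter so it is
    # accepted by every MCH application.
    if not password[:1].isalpha():
        violations.append("does not start with a letter")
    lowered = password.lower()
    for part in name_parts:
        if part and part.lower() in lowered:
            violations.append(f"contains part of the user's name ({part!r})")
    return violations


def is_strong(password, name_parts=()):
    """True when check_password reports no violations."""
    return not check_password(password, name_parts)


if __name__ == "__main__":
    # Sample pairs taken from the page's "Examples of strong passwords" table.
    for original, strong in [("CocoBeach", "CoCo_Beach"),
                             ("UpdateRecords", "Upd8Rec$"),
                             ("I work for MCH", "Iwerk4MCH")]:
        print(f"{original!r:18} -> {check_password(original) or 'OK'}")
        print(f"{strong!r:18} -> {check_password(strong) or 'OK'}")
```

Running it shows each "original" column entry failing on the class-count rule (two classes only) while each "strong" column entry passes, which is what the page's table is illustrating. Note that the check only measures composition; it does not detect dictionary words or the keyboard-substitution patterns the page recommends, so it is a floor, not a measure of guess resistance.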

12) PASSWORD OR SECURITY CODE ACCESS ALTERATIONS

a) Approval to make alterations to a password or security code may come only from the appropriate authorizing individuals (data owners). The data owner may designate, in writing, others such as managers, assistants or supervisors who may act in the data owner’s place. Data owners are officially considered to be department heads.

b) The request should be emailed and contain the employee’s name, the department, job classification, the desired program name(s), the appropriate menu(s) (when applicable) and the date access is desired.

c) The computer security officer reserves the right to delay or deny any request deemed questionable until further investigation is conducted.

Page 10

d) If approval is given, the computer security officer will add the requested function to the individual’s security code or access rights. If access is denied by the data owner, the data owner is responsible for notifying the requestor.

e) The computer security officer will note all changes in the department’s security file and notify the requesting data owner when the change has been made.

13) PRINTED SECURITY CODES

a) Individual employees’ printed AS/400 security codes will consist of four characters.

b) The printed security code will consist of two of the employee’s initials and the department code.

c) In case of duplication within a department, the order of the combinations (initials and code) will be altered in the following manner:

i) First initial of first name, first initial of last name, department

ii) Department, first initial of first name, first initial of last name

iii) First initial of first name, first initial of last name, department, and the numeral “2”

iv) First initial of first name, first initial of last name, the department and the numeral “3”

v) Exception: Certain productivity reports key on the department code being the last 2 characters. When duplication exists, the second character of the code will be replaced with a numeral.

d) For remote or VPN users other than employees (such as vendors, contract personnel, etc.), printed security codes will consist of the person’s 2 initials and 2 numbers as described below:

i) 00 – contract personnel

ii) 10 – vendors

iii) 20 – temporaries

iv) 30 – consultants

e) Records of these transactions will be kept in the computer security office for six years. This information may be made available to managers/directors/officials/governmental agencies for investigation purposes.

14) TRANSFERS, TERMINATIONS AND LEAVES OF ABSENCE

a) Transfers: When a user’s information access requirements change, the supervisor of the employee or sponsor of the non-employee is responsible for ensuring that on-going information access authorizations are appropriate based on the user’s new role and context.

b) Voluntary termination: If an employee voluntarily terminates their employment, the involved employee will provide the computer security officer with the Human Resources Termination Checklist to be signed, acknowledging deactivation of their personal security profile. Codes will be deactivated within 24 hours of notification of the employee’s separation.

Page 11

c) Involuntary termination: If an employee is terminated involuntarily, the department manager/director must immediately call the Computer Security Office requesting immediate deactivation of the employee’s security profile. (If the Security Officer is unavailable during an involuntary termination, the department manager should contact IT and another member of the Security Office will be notified for appropriate action.) If the terminated employee is believed to have access to other employees’ passwords or security codes, the department manager/supervisor should specify that security for the entire department be changed. All verbal requests must be followed up in writing on the same day as the request. The Computer Security Officer will deactivate the security profile immediately. The department manager will be notified of the deactivation as soon as possible.

d) Leave of Absence: Department managers/supervisors will notify the Computer Security Officer to deactivate the passwords and security code of employees on leave of absence. On returning from a leave of absence, the employee will follow the procedure for password/security code assignment.

15) REMOTE ACCESS TO DATA

a) The primary function of remote access is to enable individuals to perform hospital related work from a remote location. Remote access is available for authorized users after approval from the Information Technology Steering Committee and appropriate training.

b) Remote access to vendors will only be allowed for predefined support or services and require, in advance, appropriate paperwork having been approved.

c) Employees with a job-related need to access the hospital’s computer network remotely will fill out the appropriate request form and have it signed by their department head or their designee.

d) Communications access must not bypass established security controls.

e) Modems should not be directly attached to a PC if another method can be used. Other methods may include: email, internet, FTP or secure FTP. Methods listed here are examples and may change according to industry advances.

f) Encryption is required when access to production systems is via the internet.

g) Anyone connecting remotely to the MCH network is required to keep their virus protection up to date in order to protect the network.

16) VENDOR ACCESS TO DATA

a) When a vendor, technical support group, contractor or auditor needs access to any part of the MCH information infrastructure, it is important that their access be tracked. Tracking the vendor’s actions will allow IT to control modifications to the system, ensure quality of support and proper use of information. Vendor access must be pre-approved, scheduled in advance and documented so that all functions and operations to be performed are known in advance. This will also help ensure appropriate notification is provided to other users of the system.

Page 12

b) Vendors have their own passwords. Do not provide a vendor a password nor give them your own password. If a vendor says they do not have a password, contact the Computer Security Office immediately. You may be an attempted victim of social engineering.

c) Knowledgeable in-house systems or applications persons must monitor the maintenance work of a vendor. Where possible, all software changes must be fully documented and tested before being made part of the MCH production environment except when emergencies occur.

d) Testing must be done in a test environment except in extreme situations when a test environment does not exist. Access to production data files should be restricted or denied to vendors while doing maintenance when possible.

e) A log of all access by vendors is required when the software allows for it. The log should include, but is not limited to: the reason for access, the time, full name of the person requesting access, actions to be taken, anticipated time of problem resolution and anticipated course of action. Access should not be granted to anyone without a valid support call number. If the person is unknown, access must be denied until their identity can be confirmed.

17) NETWORK

a) All ports must be identified and documented.

b) Before a port will be activated so a device can be connected, the IT Network group must be contacted.

c) All devices must meet the minimum requirements for virus protection and security patches as defined by the IT Department.

d) After all requirements are met to the networking group’s satisfaction, the requested port will be enabled.

e) Anyone removing a device from a switch port is responsible for notifying the network group so that the switch port can be disabled and documented.

f) Requests for IP addresses must be addressed to the Network Administrator or his designee.

g) Prior to adding a computer to the network, a written plan on how operating system security patches will be maintained must be submitted. Also to be included are: a written plan on how virus protection will be maintained; a written disaster recovery plan; and a method for MCH to verify that these requirements are being completed in a timely manner. After these requirements are fulfilled, the Network Administrator will issue an IP address.

18) HARDWARE

a) Hardware devices acquired for, or on behalf of MCH, or developed by MCH employees or contract personnel on behalf of MCH are and shall be deemed company property. All hardware must be used in compliance with applicable licenses, notices, contracts, and agreements.

b) All purchasing of MCH computer hardware devices is centralized with the Information Technology Department to ensure that all equipment conforms to hardware standards and is purchased at the best possible price and used to meet the goals of MCH.

c) Requests for hardware must be submitted to IT via the online Hardware/Security Request, where a determination of requirements can be made.

d) No outside equipment may be plugged into the network without the knowledge and approval of IT.

e) Outside equipment found plugged into the MCH network without the knowledge of IT will be immediately removed.

f) Network personnel document and administer a management plan for handling network data backup files. New plans are created when a new server is deployed.

g) New servers will not be deployed before the first backup of the data on the server and confirmation that a full restoration of data can be made from the first backup.

h) Servers going out of production must have an archive backup performed and a copy retained for a period of time as determined by the data owner or law.

19) SOFTWARE

a) Software acquired for, or on behalf of MCH, or developed by MCH employees or contract personnel on behalf of MCH are and shall be deemed company property. All software must be used in compliance with applicable licenses, notices, contracts, and agreements.

b) Only software that serves a legitimate business requirement and has been evaluated and approved for use by IT will be loaded onto MCH computers.

c) Software will be loaded by IT only. This rule exists to ensure the integrity of the computing environment. Software loaded by an individual could have far-reaching implications for the network that are unknown to the user and could potentially disrupt vital computer services to the detriment of patient care. This also ensures that all copyright laws and licensing requirements are followed.

d) Computer viruses pose a threat to the integrity and availability of computer systems. Viruses are designed to deliberately cause harm by corrupting or destroying files or by damaging or degrading a computer system's performance. Therefore, IT is required to run a virus protection check on all software prior to loading it onto a computer in order to protect the computing environment.

e) Users are not allowed to sell or give MCH owned software to anyone.

f) Evaluation or demonstration software must be approved in advance by IT and removed by IT at the end of the evaluation period.

g) Shareware, freeware, public domain software and user owned personal software is prohibited from use on MCH computers without the explicit approval of IT.


h) Third party Internet Service Provider software is not allowed on any MCH owned computer without explicit approval from the I.T. Steering Committee.

i) IT is responsible for accounting for all original copies of MCH owned software. The System/Application Owners are responsible for maintaining the proof of ownership and appropriate licensure.

j) Software is susceptible to theft; therefore all software will be kept in lockable containers and access given only to those who have a proven business need. All software will be marked in a manner that shows MCH ownership (permanent or temporary). Dates of destruction or return should be clearly marked on all software when that date is known.

k) All removable media (such as diskettes, hard drives, CD-ROMs, etc.) will be protected as if the information stored on it is confidential. Computer hard drives will not be disposed of or turned over to vendors unless they have been properly formatted. Hard drives that cannot be properly formatted will be physically destroyed. Before media can be sent to a vendor, the vendor must have filled out and returned a Vendor Confidentiality Agreement and/or Data Use Agreement to IT. The hospital also provides locked storage bins into which discarded hardware can be put. The locked bins are removed by a hospital-contracted vendor.

l) MCH provides two types of wireless computer access: an external guest wireless Internet link and internal wireless access to the MCH network.

m) The external wireless Internet guest link is provided for use by patients and visitors. When requested, MCH will provide specific set up instructions but will not support the service. The guest link is behind a firewall but provides no virus protection. In order to protect our wireless guest internet link, patients and guests should update their virus protection prior to use of the guest link.

n) The internal wireless link is provided for employees as required to fulfill their work duties.

o) Attempting to connect to the internal MCH network with a wireless device, without prior approval, is expressly forbidden and will be considered an attempt to access confidential information without permission.

p) Persons who attempt to access the internal wireless network and fail will be automatically switched over to the external link.

20) ENCRYPTION:

a) Patient information transmitted outside the hospital over a public infrastructure that is otherwise not secure (i.e., the internet) is required to be encrypted. If you regularly send patient information outside the hospital, contact IT for more information about how encryption works and which method to use to send the data. The approved MCH email encryption program is Thru. WS-FTP (secure FTP) is also available for the transfer of files.

b) Transmittal of protected health information over the internet must be for purposes of treatment, payment or healthcare operations and comply with all MCH, city, state, and federal guidelines regarding release of information.

21) VIRUS:


a) It is the policy of MCH to deploy anti-virus and anti-spyware software on all computers. Virus protection is updated hourly to help prevent infection from new strains of computer viruses and spyware.

b) Only those computers supplied by, and strictly administered by, vendors are exempt from MCH's anti-virus deployment. Vendor-supplied computers are still required to have current anti-virus software loaded onto them prior to installation, and the vendor is responsible for the continued maintenance of those computers.

c) MCH prefers to oversee the task of administering anti-virus software but if a vendor will not allow it, the vendor will be held responsible for the task.

d) Computers without virus and spyware protection will be unplugged from the network until such time as virus software is applied.

e) Removable media are required to be virus scanned before being used on any MCH computer.

f) Due to the high risk of infection, downloads from the Internet by end-users are not allowed.

g) Email attachments with executable files are a major source of virus infection. If you send or receive email with a file attached and the file has one of the listed excluded file extensions, the attachment will be blocked by the antivirus programs. Save all files to a network drive, not the computer's hard drive (C drive). Network drives are virus scanned and the data is backed up nightly. If a file saved to the network becomes corrupt, it can be retrieved from a network backup. Restoring corrupt files saved on the local hard drive may not be possible, and an extensive amount of time will not be devoted to recovery.

h) Even though all traffic on the servers is scanned there is still a possibility that a new or well-hidden virus could find its way onto a workstation and if not handled properly, the virus could infect the network. The IT Department highly encourages everyone to call 1385 if they have questions about the behavior of their computers.

i) Email attachments are the favored vehicle for infection by virus writers. Avoid attachments when possible, and do not open an attachment that appears suspicious or that you were not expecting.

j) Due to the massive increase in attacks on computer networks in general, security patches are applied to operating systems as soon as possible after notification that a flaw exists. Security patch management is everyone’s responsibility. It is coordinated by the Network Section of the IT Department. Individuals are notified by the Network Specialist that a patch needs to be applied. Analysts work with the Network Specialist to get the patches applied as soon as possible to keep the network safe.

k) A computer that is turned off cannot get a virus. When your work day is over, turn your computer off before you go home. If you work in a 24/7 environment, plans must be made to ensure that each computer is turned off at least once a week, once a day is preferable.
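Item g) above describes blocking e-mail attachments by file extension. The following is an added example of how such a filter is written, not code from the MCH policy or its mail gateway. The policy's actual list of excluded extensions is not reproduced on this page, so `BLOCKED_EXTENSIONS` is an assumed, illustrative list, and the sample message is constructed for the demonstration. It goes slightly beyond the text by handling the evasions a practitioner sees in practice: double extensions (`report.pdf.exe`), trailing dots and spaces that Windows discards, case differences, and Unicode bidi-override characters that make `x.exe` display as `x.pdf`.

```python
"""Block executable e-mail attachments by file extension.

Added example, not part of the MCH policy or its mail filter. The policy's
list of excluded extensions is not reproduced on the page, so
BLOCKED_EXTENSIONS below is an assumed, illustrative list.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Assumed list of executable/script extensions. MCH's actual list is not on the page.
BLOCKED_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "msi", "hta", "cpl", "dll", "lnk",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1", "reg",
}

# Unicode bidi overrides used to make 'invoice<RLO>fdp.exe' display as 'invoiceexe.pdf'.
BIDI_OVERRIDES = "\u202a\u202b\u202c\u202d\u202e"


def normalize_filename(name: str) -> str:
    """Undo the usual disguises before looking at the extension: bidi overrides,
    surrounding whitespace, trailing dots and spaces (which Windows silently
    drops when creating the file), and letter case."""
    for ch in BIDI_OVERRIDES:
        name = name.replace(ch, "")
    return name.strip().rstrip(". ").lower()


def is_blocked_filename(name: str) -> bool:
    """True if any extension segment is on the blocked list. Checking every
    segment, not just the last, catches double extensions such as
    'report.pdf.exe' and also flags renamed executables like 'setup.exe.txt'."""
    segments = normalize_filename(name).split(".")
    return any(seg in BLOCKED_EXTENSIONS for seg in segments[1:])


def blocked_attachments(raw_message: bytes) -> List[str]:
    """Parse an RFC 5322 message and return the attachment filenames the
    filter would block, in the order they appear."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename and is_blocked_filename(filename):
            hits.append(filename)
    return hits


def build_sample_message() -> bytes:
    """Constructed test message (not a real e-mail): one benign PDF, a
    double-extension executable and a script file."""
    msg = EmailMessage()
    msg["From"] = "support@vendor.example"
    msg["To"] = "analyst@mch.example"
    msg["Subject"] = "Patch files"
    msg.set_content("Files attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    msg.add_attachment(b"MZ sample", maintype="application",
                       subtype="octet-stream", filename="Update.PDF.exe")
    msg.add_attachment(b"WScript.Echo 1", maintype="application",
                       subtype="javascript", filename="helper.js")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```

The filter deliberately keys on the filename rather than the declared MIME type, because the sender controls both and the filename is what the recipient's operating system uses to decide how to open the file.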

22) EMERGENCY ACCESS:

a) IT provides around the clock computer security access. After hours, weekends, and on holidays, the on-call computer security officer can be reached by calling x1385 or, if there is no answer, through the switchboard. Emergency access to computer systems will be granted at the request of the on-call administrator, the nursing coordinator or the data owner. Access will be tailored to the needs of the situation and will remain in effect as required by the requestor or until the next regular business day, when the appropriate notification and paperwork can occur.

23) TESTING:

a) Testing is required in order to ensure accuracy, integrity, reliability, consistent performance and the ability to detect invalid or altered records.

b) When a test environment exists, all changes are to be tested in the test environment before taking the changes to the live environment.

24) BACKUPS:

a) Software is to be backed up regularly.

b) Media must be labeled before the backup occurs in order to decrease the risk of confusion and possible data loss.

c) Unless a different time frame is selected by the data owner or required by state or federal law, saved data will be kept for 6 years.

d) If a backup requires more than one volume, each label should be clearly marked as being part of a set (e.g., Volume 1 of 2; Volume 2 of 2).

e) Backup cycles and data retention will be determined in conjunction with the data owner of each application and must include an assessment of the data’s sensitivity and criticality.

f) Backups will be done when the least interruption to the user base will occur. When possible, backups should be done off-line in order to decrease the amount of downtime.

g) Desktops, notebooks and handheld computers are not backed up by IT.

h) Data should be stored on the designated network drive to ensure proper backup occurs.

i) Backups are to be stored in a secure area away from the data source.

j) IT is responsible for verification and documentation of successful completion of backups.

k) Restoration from backup tapes must be performed periodically to ensure tape and data integrity are still viable.

l) Retrieval of backup copies of user directories is on a best-effort basis. In most cases, retrieval of data occurs within 24 hours of the request.
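Items 18 g) (a new server is not deployed until a full restore from its first backup has been confirmed) and 24 j) and k) (IT verifies backup completion and periodically restores from tape to prove the media and data are still viable) describe the same control. The following is an added example of a restore test that satisfies it, not MCH's own procedure or tooling; the tar.gz format, the sample files and the temporary directory layout are assumptions made for the demonstration. It records a SHA-256 manifest of the live data at backup time, restores the archive into scratch space, and compares every file, reporting unreadable media, files missing from the archive, extra files, and content mismatches as results rather than exceptions so a scheduled job can log them.

```python
"""Prove a backup is restorable: restore into scratch space and compare hashes.

Added example, not MCH's own procedure or tooling. The tar.gz format, the
sample files and the directory layout are assumptions made for the demo.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Manifest = Dict[str, str]  # relative path -> SHA-256 hex digest


def manifest(root: Path) -> Manifest:
    """Hash every file under root. Taken from the live data at backup time and
    again from the restored copy; the two must agree for the restore to count."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> Manifest:
    """Write source to a tar.gz and return the manifest of what was backed up."""
    with tarfile.open(archive, "w:gz") as tf:
        for p in sorted(source.rglob("*")):
            tf.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return manifest(source)


def verify_restore(archive: Path, expected: Manifest) -> Tuple[bool, List[str]]:
    """Restore into a throwaway directory (never over production data) and
    compare every restored file against the manifest. Returns (ok, problems)."""
    try:
        with tempfile.TemporaryDirectory() as scratch:
            with tarfile.open(archive, "r:gz") as tf:
                try:
                    tf.extractall(scratch, filter="data")  # rejects ../ and absolute members
                except TypeError:                          # Python without extraction filters
                    tf.extractall(scratch)
            restored = manifest(Path(scratch))
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, [f"archive unreadable: {exc!r}"]
    problems = [f"missing after restore: {rel}" for rel in expected if rel not in restored]
    problems += [f"content mismatch: {rel}" for rel in expected
                 if rel in restored and restored[rel] != expected[rel]]
    problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in expected]
    return not problems, problems


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Constructed scenario (sample data, not real records): an intact backup,
    a truncated copy of it (simulated media damage), and a backup that is
    stale because a file was added after it was taken."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patients.csv").write_text("id,name\n1,sample\n")
        (live / "config.ini").write_text("[app]\nversion=1\n")

        good = Path(tmp) / "backup.tar.gz"
        expected = make_backup(live, good)
        results["intact"] = verify_restore(good, expected)

        damaged = Path(tmp) / "damaged.tar.gz"
        damaged.write_bytes(good.read_bytes()[:64])  # cut off mid-stream
        results["truncated"] = verify_restore(damaged, expected)

        (live / "records" / "visits.csv").write_text("id,visit\n1,2013-01-01\n")
        results["stale"] = verify_restore(good, manifest(live))  # backup predates visits.csv
    return results


if __name__ == "__main__":
    for case, (ok, problems) in run_demo().items():
        print(case, "OK" if ok else "FAILED", problems)
```

Keeping the manifest separate from the archive is the point of the exercise: a backup job that reports "completed" only proves the write finished, while the manifest comparison proves the data that comes back is the data that went in.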

AUTHOR'S SIGNATURE
Kay L. Warner, Computer Security Officer

AUTHORIZING SIGNATURE(S)
Gary Barnes, Chief Information Officer
William W. Webster, Chief Executive Officer

END OF POLICY


VENDOR: ______________________________________________
FROM: Gary Barnes, Chief Information Officer

As a vendor under contract at Medical Center Hospital, it is reasonable to believe that you might come in contact with or view patient information. Information from any source and in any form, including paper records, oral communications, audio or electronic recordings, is strictly confidential.

Vendors will not intentionally attempt to gain access to information that is not needed for the scope of their project. Vendors will not attempt to access or connect to systems that are outside the scope of their project. Vendors will not access any MCH system, nor make changes to any MCH system, without prior approval from the appropriate MCH application analyst. Connection to the MCH system will not extend beyond the length of time it takes to complete the pre-approved work.

All materials provided to the vendor by MCH or gathered by the vendor during their work project are to be used strictly for the uses spelled out in the project and are to be returned at the end of the project. No copies may be made outside of the scope of the job by you, your employees, your partners, your business associates, your friends, families, acquaintances or any other person.

MCH reserves the right to monitor, and monitoring does occur. MCH may review, audit, intercept, access and disclose all matters on MCH computers at any time, with or without prior notice, and such access may occur during or after working hours. The use of a password or security code on a computer system does not restrict the right of MCH to access electronic communications.

Violations of this policy may constitute grounds for termination of your contractual relationship or other terms of affiliation with Medical Center Hospital. Unauthorized release of confidential information may also carry personal, civil and/or criminal liabilities and legal penalties.
I have read and agree to comply with the terms of the above statement and MCH Policy 1044 (Remote Access of Hospital Computer Systems.) __________________________________________ ________________________________________ Printed Name Signature __________________________________________ ________________________________________ Title or Company Date ___________________________________________ _________________________________________ Purpose for Access Sponsoring Department within MCH


REMOTE ACCESS REQUEST FORM

Please Print.

Your Organization/Company Name*________________________________________________

Your MCH Department Contact Name*_____________________________________________

Your MCH I.T. Contact Name*___________________________________________________

Name* ___________________________ Business Phone*________________________
Business Address* ______________________________________________________________
City* ________________________________________ State* __________ Zip*__________
Email Address* ___________________________
IP Address for Company ________________ (for vendors accessing servers)

Personal I.D.** __________________________________
**Generally the requester's driver's license number or any other number that we can use to verify the person's identity.

Reason Access is needed (please give detailed reason):
_____________________________________________________________________________
_____________________________________________________________________________

List server(s) vendor needs access to for SecureLink: ____________________________________

System accessing through Citrix (typically audits and billing):

□AS400 □HBI-group ____________________________________________________

□HPF □Practice Partner □Practice Plus □ Portal

(All access requires HIPAA training module completion every 6 months)

http://www.medicalcenterhealthsystem.com/Vendors/Pages/default.aspx

Printed name of Vendor Representative ________________________________ Signature of Vendor Representative* __________________________________ Date _________
Printed name of Department Supervisor ________________________________ Signature of Department Supervisor* __________________________________ Date _________
Printed name of MCH I.T. Contact* ________________________________ Signature of MCH I.T. Contact* _________________________________ Date __________

Please print, sign and return the signed form by fax to: 432-640-2726

After HIM signs HIM will forward to MCH IT.


CONFIDENTIALITY AGREEMENT

AGENCY PERSONNEL

This Confidentiality Agreement (hereinafter referred to as “Agreement”) is entered into by and between (Name of Contractor, hereinafter referred to as “Contractor”), and Medical Center Hospital (hereinafter referred to as “MCH”), collectively referred to as “the Parties.”

Contractor, an employee of ____________________________ (Name of Agency), providing patient care at MCH will have access to and review confidential patient information maintained in electronic and/or paper form by MCH.

Contractor acknowledges that Contractor has reviewed the MCH Data Policy and agrees to abide by MCHs Data Policy as adopted and amended from time to time.

Contractor acknowledges and understands that unauthorized access, use, disclosure or reproduction of any patient information in violation of MCH's Data Policy or in violation of this Agreement will authorize MCH to prohibit Contractor from providing any patient care on MCH's premises. Contractor further understands that certain unauthorized disclosure of patient information is punishable by fines and penalties imposed by Federal and State law(s).

Contractor further understands and agrees not to access, disclose or reproduce any confidential patient information other than as necessary to fulfill Contractor’s obligation to provide patient care.

Contractor further agrees to notify MCH of any violations of any use of or disclosure of confidential patient information not provided for by this Agreement.

Contractor acknowledges and understands that if Contractor is granted specific computer system(s) access based on the nature and scope of Contractor's assignment, Contractor is prohibited from accessing or attempting to access any computer system(s) in a manner that violates MCH's Data Policy or is not consistent with Contractor's specifically assigned user rights.

Contractor agrees to use appropriate safeguards to prevent use or disclosure of confidential patient information other than as provided herein. Nothing herein shall preclude Contractor from making available to a patient his or her confidential patient information when appropriate for continued patient care.

Upon completion of Contractor's assignment with MCH, Contractor agrees to return any confidential patient information in Contractor's possession.

Contractor agrees that in the event any amendments or corrections are made to the patient’s protected health information such amendments or corrections will be incorporated into such records in Contractor’s possession.

Upon request, Contractor agrees to make available Contractor’s internal practices, books, and records relating to use and disclosure of protected health information to the Secretary or an employee of the Department of Health and Human Services.

I HAVE READ AND FULLY UNDERSTAND THIS AGREEMENT. ________________________________ ________________________________ Representative of Medical Center Hospital Contractor’s Signature ________________________________ ________________________________ Date Date


AS400 Access Code

TO: All AS400 Users FROM: I.T. Computer Security

You have the ability to change your own security code on the AS400. In order to change your code, you must have a “personal I.D.” To better maintain security and to make this as easy as possible for you to remember, the Information Systems Steering Committee has chosen your driver’s license number as your personal I.D.

Your personal I.D./driver’s license number will be put into the AS400 and only the AS400 security officer will have access to your driver’s license number. The number is not displayed anywhere on the screen and this number is intended strictly for the computer to verify that you are who you say you are when you start to change your security code.

Please verify that the information below is correct. Please draw one line through the information that is incorrect and print the correct information in. Thank you in advance for your cooperation. If you have questions, please call extension 1385 and ask for computer security.

COMPUTER CONFIDENTIALITY STATEMENT

By accepting a security code for use on the AS/400 computer system, I understand:

1. I have a legal obligation to keep confidential all information that I have access to and will only discuss information with employees who have a need to know the information in order to perform their job. Release of that information will result in disciplinary action taken by the hospital against me, up to and including immediate dismissal.
2. I will not intentionally attempt to gain access to areas that are not needed for the performance of my job.
3. The security code assigned to me is unique to me and it is not transferable.
4. I am solely and fully accountable for any information entered into the computer system under my security code.
5. I will notify my supervisor and/or Information Technology (I.T.) immediately if I suspect that someone has gained unauthorized access to my security code.

My signature below acknowledges that I have read and understood the conditions under which a security code has been assigned to me.

NAME: ______________________________________________________________________

TITLE: ________________________________DRIVERS LIC. #:________________________

SIGNATURE: _______________________________________________ Date: ____________________

Abstract coder initials: ____________ Assigned by: ____________________