
Saint Joseph Healthcare, Inc HIPAA Security Training System


Saint Joseph Healthcare HIPAA Security Training

System Administrator Module

1 of 26

Saint Joseph Healthcare, Inc

HIPAA Security Training

System Administrator Module

May, 2005


I: Introduction:

This training is intended for System Administrators at Saint Joseph Healthcare, Inc. It provides information about the HIPAA Security Policies in place at Saint Joseph Healthcare, Inc. The goal is to help System Administrators ensure that Information Technology resources are protected and used according to the following:

1. In a manner consistent with the Saint Joseph Healthcare, Inc. mission
2. In compliance with state and federal law, and CHI and HIPAA Security standards
3. In a way that safeguards the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI) as required by HIPAA

The content covers System Administrator responsibilities pertaining to the following:

• Use of Technology Resources

• Accountability and Ownership

• Information Authentication

• Physical and Environmental Security

• Access Controls

• E-Mail Use

• Internet Use and Access

• Workstation (PC) Security

• Remote Computer Access

• Malicious Software

• Security Incident Handling

• Security Evaluation and Testing

• Software Licenses and Copyrights


Contents:

• Introduction

• Accountability and Ownership & Use of Resources

• Information Authentication

• Physical and Environmental Security

• Access Controls

• E-Mail Use

• Internet Use and Access

• Workstation (PC) Security

• Remote Computer Access

• Malicious Software

• Anti-Virus Software

• Security Incident Handling

• Security Evaluation and Testing

• Software Licenses and Copyrights

• Post-Test Instructions


II: Accountability/Ownership and Use of Technology Resources (ref HIPAA Security Policy 02 & 03):

System Administrators are accountable for the following:

• Create, issue, deactivate, re-initialize and monitor user IDs, passwords and/or other system usage account and access codes.
• Define user groups and associated access control profiles.
• Ensure approval and assignment of privileged system authority and security sensitive tools only to individuals with a demonstrated and approved need.
• Ensure proper acquisition, installation, testing, protection and use of software.
• Promptly implement all security updates for software, command scripts, etc. provided by operating system vendors, official Computer Emergency Response Teams (CERTs) and other validated third parties, unless performed by IT.
• Distribute passwords and other access codes in a discreet and secure manner using out-of-band communication, for example, face-to-face, out-of-band telephone lines, but not voice messages.

System Administrators are responsible for ensuring the following tasks are done, either by themselves or another staff member:

• Maintain current inventory of hardware, software and all network connections for each platform.
• Monitor system integrity, protection levels and security-related events.
• Monitor audit logs and reporting of auditable events.
• Perform regular backups, recovery tests and other contingency planning activities.
• Run tools or utilities as necessary, to corroborate that data has not been altered or destroyed.
• Implement a procedure to migrate backups to a secure off-site location.
• Implement transaction journaling for all critical core business databases.
• Run an MD5 check verification or equivalent for all updates prior to installation on servers and desktops.

Additionally, System Administrators are responsible for ensuring that either they or another staff member train system users to:

• Use all necessary measures to preserve information confidentiality, integrity and availability.
• Comply with all Saint Joseph Healthcare, Inc. user security policies, standards and procedures.
• Secure all output, for example, printed reports, screen prints, copies, diskettes, etc. to limit information access to only individuals with a need to know.
• Acquire software only through authorized channels.
• Use only authorized software.
• Use IT resources only for the purpose intended by Saint Joseph Healthcare, Inc.


• Back up user files and any desktop software required to perform assigned duties but which does not reside on the network, for example, workstation fixed-disk drives, floppy disks, etc.
• Report security violations.
• Protect passwords.

III: Information Authentication:

System Administrators are responsible for ensuring that measures are in place to:

• Limit user access to only applications and system resources that the user is authorized to access.
• Prohibit unauthorized user write, change, edit, and update access using role based permissions.
• Monitor and maintain current anti-virus signatures for operating systems and applications.
• Employ proper patch management practices.
• Use database journaling to enable recovery of critical business systems if integrity is lost.
• Implement and regularly test appropriate backup and restore processes.
• Implement backup media management, including off-site storage and emergency retrieval procedures.
• Configure IDs and passwords to control user access to applications.
• Remove generic user accounts for applications, except as permitted per HIPAA Security Policies.
• Periodically review and log user account permissions within applications.
• Where possible, rename application service accounts to obscure application identity.

IV: Physical and Environmental Security (ref HIPAA Security Policy #08):

System Administrators should work with hospital management and maintenance to ensure that physical and environmental security controls exist to protect the facilities housing IT resources, including but not limited to network communication closets. Access to IT resources must be controlled through key locks, cipher locks, or computer controlled badge access systems.

A. Visitors: Visitors to IT computer data centers must be escorted at all times by an authorized employee. Examples of visitors who require escorts include former employees, employee family members, equipment repair contractors, equipment and software vendors, package delivery staff, maintenance personnel and police officers.

B. Change Management: Maintenance records/change control procedures must be in place to ensure that repairs and modifications to the physical components that house IT resources, such as hardware, walls, doors and locks, are documented and formal change management procedures followed. Those procedures should have provisions for planning, approving and logging physical configuration changes.

C. Physical Entry Controls to areas housing IT resources: Facilities that house IT resources must be protected by entry controls to ensure only authorized Users have access. Within facilities that house IT resources, all employees must wear visible identification and are required to challenge unescorted or unauthorized visitors. Additional entry controls should also be used in each area that contains or supports IT resources, such as network communication closets and sources of electrical power for IT resources. Requirements for access to IT resources, which apply to employees and all other visitors to computer data centers, are detailed below.

D. List of Authorized Persons: The Saint Joseph HealthCare, Inc. Security Official will serve as an access custodian responsible for determining who should be authorized to physically access IT resources. The access custodian will:
• Maintain a list of persons authorized for access;
• Review and approve access requests based on valid business requirements;
• Review the security entry log of non-routine accesses daily;
• Review access list regularly (at least quarterly) to delete persons who no longer need access;
• Maintain the security entry log for audit purposes.

E. Badge Access: Access to IT computer data centers with an ID badge must be limited to persons whose names are on the authorized access list. Eligibility for badge access to IT computer data centers must be limited to computer operators and other support personnel who are required to enter and exit those areas. All other persons who require access to IT computer data centers must present proper ID and sign in prior to gaining access. Member organization IT staff is responsible for ensuring that individuals sign in and out. A security entry log must be used for this purpose and must include at a minimum, the name of each person, time in, time out and reason for access.

F. “Piggybacking”: Employees must not permit unknown or unauthorized persons to pass through doors that lead to IT computer data centers at the same time an authorized person is entering. The unknown or unauthorized person must be referred to member organization management or the member organization security department.

G. Escorts: Visitors to IT computer data centers must be escorted at all times by an authorized employee. Examples of visitors who require escorts include former employees, employee family members, equipment repair contractors, equipment and software vendors, package delivery staff, maintenance personnel and police officers.

V: Access Controls:

Access to Saint Joseph HealthCare, Inc. IT resources is based on the principles of “least privilege” and “need-to-know”. These principles are best described as follows: Grant the fewest privileges (access, permissions, and rights), based upon the “need-to-know”, to an individual to allow them to do their job without hindrance. Defining least privilege requires identifying Users’ job duties, determining the minimum set of privileges required to perform those duties, and restricting Users to domains with those privileges and nothing more.

For multi-user platforms and applications, System Administrators are responsible for assigning access privileges in accordance with an access matrix that identifies, by job function, the minimum required access level for each job. A request to grant privileges (e.g., additional functions) beyond those specified by the access matrix requires written approval of the department director responsible for the User. Any request for additional privileges must be coordinated with the Saint Joseph HealthCare, Inc. Security Official.

Other System Administrator tasks related to access control:

• Confirm removal of local administrator permissions from non-IT staff or non-administrator accounts.
• Additionally, keep in mind that File and Directory level permissions for users are set according to the level of access they have been assigned in order to do their job.
• Log and review all access failure events to help maintain system security.
• Password protect CHI software installation files.
• Restrict folder permissions of installation files.
• Establish permissions and train Users to access data, applications, and the system directory only on a need to know basis for their job function.
• When possible, configure user accounts to allow users to change their own passwords.
• Shred and/or otherwise securely dispose of documents containing user IDs, passwords, system names, Internet Protocol (IP) addresses, configuration methods or settings, and other confidential information.

A. User Identification, Authentication and Unique User ID and Password:

• Users must have a unique User ID and password when using any Saint Joseph HealthCare, Inc. IT resource (The one exception is use of generic logins as permitted by the Saint Joseph HealthCare, Inc. Security Official for special circumstances)

• Access to files, databases, computer systems and other Saint Joseph HealthCare, Inc. IT resources via shared User IDs is prohibited

• Users are responsible for all activity performed under their User IDs.


• Users are expected to avoid letting others use their User IDs.
• Ideally, users should have a single user ID for all platforms across the organization. While this may not always be feasible, it is a long-term goal.
• Users should not discuss user IDs, passwords, or other security information on the telephone without first verifying the identity of the other person.
• No User should have multiple user IDs on any given platform with the exception of system administration. When multiple user IDs are created for a single user for the purpose of system administration, that user is accountable for all actions performed with all of his or her user IDs.
• Assign each user ID only to the user to whom it was originally issued and prohibit re-use of that ID after a user leaves the organization unless the original user returns to Saint Joseph Healthcare, Inc.
• Where possible, assign a single user ID for all platforms across the organization.
• Do not use any part of a Social Security number in a user ID.
• Only System Administrators are assigned multiple user IDs on any given platform.
• Use of generic user IDs and passwords is prohibited, except where absolutely necessary and then only for login to the network where:
o All applications available on the workstation require a unique user ID and password for access.
o No EPHI is stored on the local workstation or on another workstation that shares storage with the workstation.
o Only controlled Internet access is allowed (meaning that a unique user ID and password is required for access).
o The system logs the user’s access to the applications for auditing.
• User ID access must be changed immediately upon a User’s transfer to a different role in the organization.
• Enforce deletion of all non-System Administrator user IDs after 180 days of inactivity.
• Enforce revocation of System Administrator user IDs after 30 days of inactivity, except under special circumstances.

B. Periodic Password Changes: Configure systems to automatically force all users to change passwords at least once every 180 days.

C. Minimum Password Retention Time Period: When a password has been changed, Users may not change their password again for a minimum of 7 days.

D. Previous Password History: When changing passwords, a User must not construct passwords that are identical to his or her previous eight passwords.

E. Password Syntax Rules:


• Passwords must be at least six characters long, with a minimum of four alpha and two numeric characters.
• Non-printing characters are not permitted because they may cause network or system problems.
• Characters can be repeated no more than two times in succession.
• Users must use strong password conventions; passwords must not be related to their jobs or personal lives, and user IDs or user names must not be used to construct passwords.
• The names of a User’s spouse, children or pets must not be used as a password.
• Personal information that is easily obtainable, including date of birth, license plate number, telephone number, Social Security number, make of automobile or home address must not be used as a password.
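The machine-checkable parts of sections D and E can be enforced at password-change time. The following is an added example, not part of the original training material; the function names and rule codes are hypothetical, the "repeated no more than two times" rule is read as rejecting a run of three or more identical characters, and the password history is assumed to be kept as salted PBKDF2 records rather than as recoverable passwords.

```python
import hashlib
import hmac
import os

# Limits taken from sections D and E of the policy text above.
MIN_LENGTH = 6       # at least six characters
MIN_ALPHA = 4        # at least four alphabetic characters
MIN_NUMERIC = 2      # at least two numeric characters
MAX_RUN = 2          # assumption: "aa" is allowed, "aaa" is not
HISTORY_DEPTH = 8    # previous eight passwords may not be reused


def hash_password(password, salt=None, iterations=100_000):
    """Return a (salt, iterations, digest) record; only this is stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)


def matches_record(password, record):
    """Constant-time comparison of a candidate against one stored record."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def longest_run(password):
    """Length of the longest run of one character repeated back to back."""
    best = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        best = max(best, run)
        previous = ch
    return best


def check_password(password, user_id="", user_name="", history=()):
    """Return the list of rule codes the candidate password violates.

    history is a sequence of hash_password() records, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if sum(ch.isalpha() for ch in password) < MIN_ALPHA:
        problems.append("alpha")
    if sum(ch.isdigit() for ch in password) < MIN_NUMERIC:
        problems.append("numeric")
    if any(not ch.isprintable() for ch in password):
        problems.append("nonprinting")
    if longest_run(password) > MAX_RUN:
        problems.append("repeat")

    # User ID and name parts must not appear inside the password.
    # Tokens shorter than three characters are skipped to avoid noise.
    lowered = password.casefold()
    tokens = [user_id] + user_name.split()
    if any(len(t) >= 3 and t.casefold() in lowered for t in tokens):
        problems.append("identity")

    # Only the most recent eight records count toward the history rule.
    recent = list(history)[-HISTORY_DEPTH:]
    if any(matches_record(password, rec) for rec in recent):
        problems.append("history")
    return problems
```

Rules about spouse, pet or licence-plate information cannot be checked this way and remain a matter of user training.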

F. Limit on Consecutive Unsuccessful Password Attempts:

To prevent password guessing attacks, the number of consecutive attempts that users are able to enter an incorrect password must be limited. After three unsuccessful attempts to enter a password, the user ID must be suspended until the system administrator resets the ID. If dial-up or other external network connections are involved, the user ID must be deactivated. When a system or device does not support suspension of user IDs after three unsuccessful attempts (e.g., Cisco routers), vendors should be notified that this requirement must be added to their authentication mechanism.

G. Password Confidentiality:

• Passwords must be promptly changed by the user or by the System Administrator when it is suspected that the password has been disclosed or compromised in any way.
• Deactivate the ability for software or systems to store passwords for later use.
• Passwords are confidential; users must never give out their passwords.
• Passwords must not be written down.
• Posting passwords on or near work areas is prohibited.
• Users should notify the IT help desk or system administrator when their passwords are forgotten, revoked, suspected of being compromised, or need resetting.

H. Resetting a Password:

System Administrators will disclose passwords only in the following situations:
• New user ID is assigned
• User has forgotten his or her password
• User is otherwise locked out and has to be re-authorized

System administrators must not reveal passwords or reset previously revoked passwords unless a user personally presents suitable identification (e.g., employee identification badge) or provides definitive evidence of identification via voice telephone.

For remote users, require definitive evidence of identification in some other manner such as verification of their identity by providing: Home address, Last four digits of SS#, Middle name, Maiden name, etc.

I. Vendor Default Passwords:

• Change all vendor-supplied passwords before any computer system or software is put into operation at Saint Joseph Healthcare, Inc.

• Implement a manual process or automated system that forces all user IDs and their associated privileges and permissions to be automatically revoked after 90 days of inactivity.

• Allow initial passwords that are issued to new users and passwords reset under the following circumstances to be valid only for the user’s first on-line session:

o User forgot their previous password
o User had their previous password revoked

J. Dormant User IDs: All User IDs must automatically have privileges and permissions revoked after 90 days of inactivity.

K. Initial Password Expiration: The initial password issued to a new user or to a user whose previous password was forgotten or revoked must be valid for the User’s first on-line session. With the first or second successful login, the user must be forced to choose a new password before access is granted.

L. Password Storage: Encrypt all passwords when held in storage or transmitted via external networks. Prohibit passwords in electronic format from being stored in batch files, automatic login scripts, software macros, terminal function keys, computers without access control or computers located in a non-secure area where unauthorized persons might discover passwords.

M. Login Process:

• Configure systems so that if a user enters an incorrect login sequence when logging in, the system will not provide the user any feedback to indicate the source of the problem.

• Configure the system to terminate the session or to allow correct login information to be entered up to the permissible number of login attempts.

• Require each system that permits login to display a warning banner visible to all users that attempt to log in. The banner should contain language similar to the following:


“Access to this system is for Authorized Users Only. With continued access the User represents that they are an Authorized User.”

N. Granting System Access Privileges:

• Users who need access to restricted or confidential information must be screened prior to accessing that information. Screening may include careful checking of references, background and any criminal records.

• The system privileges granted to all users must be re-evaluated by management on an annual basis.

• All activities that may provide or increase access privileges must be coordinated with the Saint Joseph HealthCare, Inc. Security Official.

• Require documentation and approval by a user’s manager before fulfilling a request for a new user ID or to change privileges.

• To help establish accountability, require the user’s director or the appropriate System Administrator to retain the documentation for two years.

• Require all users who are granted access to IT resources to sign the Saint Joseph Healthcare, Inc. Confidentiality Agreement before being given a user ID and password.

• Privileges for temporary employees should be granted for short periods (30 days or less) and reauthorized as needed. If vendors require access to any system, they must be given a single incident password, with the appropriate member organization security coordinator permission, that will terminate after the user logs off the system.

• If there is a set time period for the vendor or contractor to be on-site, and it does not exceed 60 days, authorize access for that time period.

• If vendors require system access, obtain appropriate security coordinator or administrator authorization to provide the vendor with a single incident password that will terminate after they log off the system.

• Do not grant user IDs or privileges to use Saint Joseph Healthcare, Inc. computers or communications systems to anyone who is not a Saint Joseph Healthcare, Inc. employee, without prior written approval from the Security Officer.

• Special high-level system privileges, such as “root” privileges or default user file permissions that allow unrestricted access to computer systems, are reserved for system administration and/or system security. System administrators must perform high-level access. Such special high-level system User IDs must not be used for routine work activity.

• Assign high-level privileged system access only to full-time employees, except for approved special circumstances.

• Do not allow special high-level system user IDs to be used for routine work activity.


• Coordinate all activities that provide or increase access privileges with the Saint Joseph Healthcare, Inc. Security Officer.

O. Revoking System Access Privileges

• When an employee or any user vacates a position with Saint Joseph HealthCare, Inc., his or her immediate manager or supervisor must determine who should become the custodian of the employee’s files. The manager must promptly review the employee’s computer and paper files and determine the appropriate secure method for file disposition. When possible, this should be done prior to the employee’s departure.

• Revoke all privileges for a terminated employee’s user ID immediately upon notification.

• Secure authorization for all changes that affect the access privileges of contractors, consultants, vendors, etc. from the appropriate manager authorized to permit non-Saint Joseph Healthcare, Inc. personnel to access IT resources.

System administrators and department managers must maintain records that match Users to User IDs so that privileges may be revoked in the event of termination or resignation. Unless the system administrator has received a directive to the contrary, files in a user’s directories will be purged or moved to a secure location four weeks after employment ends. The system administrator should implement and maintain a method of periodically reviewing and making corrections to ensure prompt adjustment of access privileges associated with transfers, terminations and changes in contractual agreements with non-Saint Joseph HealthCare, Inc. personnel. This should include, at a minimum, (1) quarterly review of inactive User IDs (if the system or application software does not automatically revoke User IDs after 90 days of inactivity), and (2) a crosscheck between human resource files and access lists to ensure employee names are correctly associated with User IDs.
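The periodic review described above (inactive User IDs plus a crosscheck against human resource files) can be scripted against two exports. This is an added example, not part of the original training material: the record layout, field names, finding codes and all sample data are constructed, and the day thresholds are the 90-, 30- and 180-day figures stated in this module.

```python
from datetime import date

REVOKE_AFTER_DAYS = 90         # dormant user IDs (sections J and O)
ADMIN_REVOKE_AFTER_DAYS = 30   # System Administrator user IDs (section A)
DELETE_AFTER_DAYS = 180        # non-administrator user IDs (section A)


def review_accounts(accounts, hr_roster, today):
    """Return sorted (user_id, finding) pairs for the reviewer to act on."""
    findings = []
    for acct in accounts:
        uid = acct["user_id"]
        person = hr_roster.get(acct["employee_id"])

        # Crosscheck: every user ID must map to a person HR knows about.
        if person is None:
            findings.append((uid, "no-hr-record"))
            continue
        if person["status"] != "active":
            if acct["enabled"]:
                findings.append((uid, "revoke-terminated"))
            continue
        if person["name"].casefold() != acct["name"].casefold():
            findings.append((uid, "name-mismatch"))

        # Inactivity: an ID that never logged in is aged from its creation date.
        last_seen = acct["last_login"] or acct["created"]
        idle_days = (today - last_seen).days
        if acct["is_admin"]:
            if acct["enabled"] and idle_days > ADMIN_REVOKE_AFTER_DAYS:
                findings.append((uid, "revoke-admin-inactive"))
        elif idle_days > DELETE_AFTER_DAYS:
            findings.append((uid, "delete-inactive"))
        elif acct["enabled"] and idle_days > REVOKE_AFTER_DAYS:
            findings.append((uid, "revoke-inactive"))
    return sorted(findings)


# Constructed sample data: an HR export keyed by employee number and an
# account export from one platform.
TODAY = date(2005, 5, 31)

HR_ROSTER = {
    "E100": {"name": "Alice Ames", "status": "active"},
    "E101": {"name": "Bob Burke", "status": "terminated"},
    "E102": {"name": "Carol Cho", "status": "active"},
    "E103": {"name": "Dan Diaz", "status": "active"},
    "E104": {"name": "Eve Ellis", "status": "active"},
}


def _acct(user_id, employee_id, name, last_login, is_admin=False,
          enabled=True, created=date(2004, 10, 1)):
    return {"user_id": user_id, "employee_id": employee_id, "name": name,
            "last_login": last_login, "is_admin": is_admin,
            "enabled": enabled, "created": created}


ACCOUNTS = [
    _acct("aames", "E100", "Alice Ames", date(2005, 5, 20)),
    _acct("bburke", "E101", "Bob Burke", date(2005, 5, 1)),
    _acct("ccho", "E102", "Carol Cho", date(2005, 2, 1)),
    _acct("ddiaz-adm", "E103", "Dan Diaz", date(2005, 4, 15), is_admin=True),
    _acct("eellis", "E104", "Eve Elis", None),          # misspelled, never used
    _acct("tempvendor", "E999", "Vendor Login", date(2005, 5, 30)),
]

if __name__ == "__main__":
    for user_id, finding in review_accounts(ACCOUNTS, HR_ROSTER, TODAY):
        print(f"{user_id:12} {finding}")
```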

P. Involuntary Terminations of Computer Support Workers: System Administrators must implement a process to quickly end access for computer support workers who are involuntarily terminated. These workers include IT staff, System Administrators, and others who are in positions of significant trust and/or have special privileges that affect end users and security of electronic information. This process must include the following actions:
• Physically secure all computers to which they have access.
• Immediately revoke system privileges and all other access.
• Require the employee to return all equipment and information they have received.
• Supervise the employee while they assemble their personal belongings.
• Escort them out of the Saint Joseph Healthcare, Inc. facility.
• When a non-computer support employee resigns on unfavorable terms or is involuntarily terminated, immediately terminate the employee’s system access and associated privileges.

Q. System Maintenance Workforce:

In order to help prevent unnecessary or incidental access to or disclosure of restricted or confidential information, System Administrators must authenticate users who perform technical systems maintenance before granting permission to access the system. Additionally, System Administrators (or designee) must provide adequate supervision to users who perform technical systems maintenance.

R. Emergency Access Procedures:

Access controls should not interfere with critical and timely access to patient information. System administrators who work with multi-user platforms and application systems must establish override procedures for emergency situations (e.g., to give a physician access to a medical history in an emergency.) Examples of how to implement emergency access procedures are as follows:
1. Prepare a sealed envelope with full access information and store securely.
2. Notify management as soon as reasonably possible after activating the emergency access process.
3. Provide doctors and nurses with full access, including a login ID and password. Conduct a full audit after a doctor or nurse uses emergency access capabilities.
4. Implement a process for on-call System Administrators to provide temporary access to an employee in an emergency.

VI: E-Mail Use:

Saint Joseph HealthCare, Inc. provides e-mail for Users to facilitate business communications. It is provided for legitimate business use in the course of assigned duties. Appropriate use of the e-mail system is for Saint Joseph HealthCare, Inc. business-related purposes and to transmit business information. Inappropriate use of the e-mail system is not allowed. This includes, but is not limited to:
• Unauthorized attempts to access another User’s e-mail account
• Transmission of restricted or confidential information to unauthorized persons or organizations
• Transmission or receipt of material that is fraudulent, defamatory, obscene, embarrassing, sexually explicit, harassing, profane, intimidating or otherwise unlawful or inappropriate. Comments that would offend someone on the basis of race, age, sex, sexual orientation, religion, political beliefs, national origin or disability shall not be sent by e-mail or other form of electronic communication (e.g., bulletin board systems, newsgroups, chat groups). This includes viewing or downloading such material from the Internet or other online service. Users who encounter or receive such material should immediately notify their supervisors.

A. Monitoring: Saint Joseph HealthCare, Inc. treats all messages sent, received or stored in the e-mail system as business messages. System administrators and managers may monitor use of the e-mail system or review the contents of stored e-mail records. Monitoring is defined as checking or fine-tuning the system, system activity or event logs to ensure the system is functioning correctly and validate that messages are being delivered properly. Generally, it does not mean looking at text. However, if fraud, harassment or other inappropriate use of the e-mail system is suspected, files (including text) can and will be opened and investigated.

B. Interference: The e-mail system must not be used for purposes that could directly or indirectly cause excessive performance degradation of any computing facility. Use of e-mail must not cause unwarranted or unsolicited interference with other Users’ use of the system. Abuse of the e-mail system includes but is not limited to:
• Sending or forwarding e-mail chain letters;
• Sending “Spam” (unsolicited e-mail); and
• Sending “letter-bombs” (re-sending the same e-mail repeatedly to one or more recipients to interfere with the recipients’ use of e-mail).

C. System-wide Distribution of Messages: Groups and individuals that wish to send e-mail messages to all system Users should contact one of the following three CHI groups for assistance:
• The Information Technology Group
• The Communication Group
• The Senior Management Leadership Team.

Distribution of messages to “all system Users” prior to consulting with one or more of the aforementioned groups is prohibited.

D. Emergency Communications: E-mail should not be [solely] used for emergency communications that require immediate action.

E. Protecting Your E-mail Account: Users are responsible for their e-mail accounts and messages sent from their accounts. To prevent unauthorized use of e-mail accounts, Users must not leave their e-mail open and accessible when their workstations are unattended.


F. Forwarding E-mail: Users should exercise professional judgment or caution when forwarding e-mail to other persons or organizations. When in doubt, request the sender’s permission to forward the message. E-mail that contains proprietary or confidential information may only be forwarded with the permission of the sender and if the recipient is authorized to receive the e-mail. All messages should be forwarded “as is” with no changes unless the User clearly indicates areas in which the original message has been edited (e.g., using brackets or other characters to indicate changes to the text).

G. Copyright Infringement: Use of the e-mail system to copy and/or transmit documents, software or other information protected by copyright is prohibited.

H. Transmission of Restricted or Confidential Information: Restricted or confidential information must not be sent on external networks (e.g., the Internet) via e-mail unless the encryption and authentication/identification methods outlined in the Saint Joseph HealthCare, Inc. No. 11 Internet Use and Access Policy are used.

[Note: Encryption must be sufficient to protect against the cipher being readily broken and the information compromised. The length of the key and quality of the encryption framework and algorithm must be increased as new weaknesses are discovered and processing power increases.]

E-mail communications are not encrypted by default and Saint Joseph HealthCare, Inc. currently does not have a method of encrypting e-mail messages and attachments. (Note: A great deal of e-mail traffic between member organizations traverses the Internet, which is not secure. Due diligence must be used to determine that message destinations are secure. In general, use of the e-mail system for transmission of restricted or confidential information is not permitted.)

Exercise caution when transmitting restricted or confidential information over Saint Joseph HealthCare, Inc.’s internal networks, including the intranet. Users must also take care when addressing e-mail messages to make sure that they are not inadvertently sent to the wrong person. In particular, when using a distribution list, Users must make sure that all addressees are correct recipients of the information.

I. Opening E-mail Attachments: E-mail messages with attachments, such as word processing and spreadsheet documents, are frequent sources of computer viruses. E-mail attachments from unknown or non-trusted sources must not be opened and should be immediately deleted from the system.

J. Assigning Proxy Rights: A proxy right enables a User to act as another User for the purpose of performing a task or gaining access to information. Before giving proxy rights to another User, Users must request approval from their managers.

K. Storing and Deleting E-mail: It is every User’s responsibility to ensure that e-mail messages are stored only on an as-needed basis. E-mail generally should not be considered permanent communication or a storage repository. E-mails that contain restricted or confidential information should not be stored electronically beyond the immediate communication need. If more permanent storage for restricted or confidential information is required, e-mail messages should be printed and stored in private paper files. Users should periodically review their stored e-mail and move all unneeded mail to the “Deleted Items” folder. E-mail sent to the “Deleted Items” folder should not be kept longer than 30 days. E-mail client software should be set to automatically remove the contents of the “Deleted Items” folder upon exit.

L. Approval of E-mail Access: E-mail access will be provided after business need justification has been presented to and approved by a User’s manager, director or vice president and Saint Joseph HealthCare, Inc. IT management. The approval process can be initiated by submitting a “Request for E-mail/Internet Access” form to the Saint Joseph HealthCare, Inc. IT help desk (see Appendix A). By completing this form, Users acknowledge that they have read, understand and will adhere to the requirements of this e-mail policy and that authorized individuals may monitor e-mail records.

VII: Internet Access and Use: Saint Joseph HealthCare, Inc. provides Internet access to help meet the needs of management, staff, and physicians. There are issues related to the Internet regarding security, liability, resource consumption and personnel, making it critical to control our interaction with this environment. Responsible use of the Internet is a basic condition of employment.

A. Internet Connectivity: All Saint Joseph HealthCare, Inc. IT resources must be isolated from the Internet by firewall technologies. The Saint Joseph HealthCare, Inc. Internet connection, via the firewall supported by Saint Joseph HealthCare, Inc. IT support, is the only approved method for accessing the Internet.

B. Monitoring: Saint Joseph HealthCare, Inc. has software and systems in place that can monitor and record all Internet use. For each User, these security measures can record each Web site visited; each chat group, newsgroup and e-mail message; and each file transfer into and out of the network. Saint Joseph HealthCare, Inc. reserves the right to record these actions at any time. Users should have no expectation of privacy while utilizing Saint Joseph HealthCare, Inc.’s Internet access. Certain Web sites may be restricted to ensure productive use of work time and because of the inappropriate nature of some Web sites.

C. Firewall Logs: Firewall logs must be reviewed daily or more frequently if necessary, to identify any misuse of services and to detect any intrusion attempts from unauthorized sources.

D. Appropriate Use: Internet use is intended for authorized business purposes.

E. Restricted or Confidential Information: The Internet may be used to transmit restricted or confidential information (e.g., individually identifiable patient information) as long as:

• An acceptable method of encryption is used to protect confidentiality and integrity of the information; and

• Authentication procedures are used to assure that the sender and recipient of the information are known to each other and are authorized to receive and decrypt such information.

F. Encryption, Authentication and Identification Approaches: The method used to transmit restricted or confidential information via the Internet must conform to one of the following forms of encryption and authentication or identification. (Note: Encryption must be sufficient to protect against the cipher being readily broken and the information compromised. The length of the key and quality of the encryption framework and algorithm must be increased as new weaknesses are discovered and processing power increases. For example, DES encryption will eventually be phased out with AES encryption becoming the new FIPS standard).

User authentication or identification must be combined with encryption and data transmission processes to be certain that confidential information is delivered only to authorized parties. There are a number of effective means for authentication or identification that are sufficiently trustworthy, including in-band and out-of-band methods. Passwords may be sent via the Internet only when encrypted.

G. Acceptable Encryption Approaches: Encryption protection equivalent to that provided by Triple 56-bit DES for symmetric encryption, 1024 bit algorithms for asymmetric encryption, and 160 bits for Elliptical Curve encryption is minimally acceptable.

• Software-Based Encryption includes:

o Secure Sockets Layer (SSL) – at a minimum SSL Version 3.0, standard commercial implementations of PKI or some variation thereof implemented in the Secure Sockets Layer;

o S-MIME – Standard commercial implementations of encryption in the e-mail layer;

o In-stream – Encryption implementations in the transport layer, such as pre-agreed passwords; or

o Offline – Encryption/decryption of files at User sites before entering the data communications process. These encrypted files would then be attached to or enveloped (tunneled) within an unencrypted header and/or transmission.

• Acceptable In-band Authentication Approaches:

o Formal Certificate Authority-based use of digital certificates

o Locally managed digital certificates, providing the certificates cover all parties to the communication

o Self-authentication as an internal control of symmetric “private” keys

o Tokens or Smart Cards. Inband tokens allow overall network control of token db for all parties;

o Biometric Devices

o Automatic password and encryption key generation processes (e.g., Diffie-Hellman) between systems that can use such methods.

• Acceptable Out-of-Band Identification Approaches:

o Exchange of passwords and identities by voice telephone;

o Exchange of passwords and identities by U.S. certified mail;

o Exchange of passwords and identities by bonded messenger;

o Exchange of passwords and identities by direct personal contact between Users; or

o Tokens or Smart Cards. Out-of-band tokens involve local control of the token databases with the local authenticated server vouching for specific local Users.

H. Business Communications Issues: Policies that apply to other business communications apply to the Internet. For example, the following are not allowed using Saint Joseph HealthCare, Inc.’s Internet connection:

• Producing libelous statements that cause injury to a person or organization’s reputation by ridiculing or defaming them

• Writing obscene/abusive/offensive messages

• Breaking the law; Under no circumstances is the Internet to be used for illegal activity

• Pursuing personal financial gain or soliciting others for activities unrelated to Saint Joseph HealthCare, Inc. business or in connection with political campaigns or lobbying

• Conducting harassment, i.e. repeated, willful, malicious action against another individual.

• Sending e-mail to large numbers of Users who have not requested the information.

• Disclosing or transmitting restricted or confidential information for any purpose unless properly encrypted and authorized by Saint Joseph HealthCare, Inc. This information includes any patient, billing, financial, personnel or system-related information (e.g., User IDs, passwords, system/network information, etc.).

• All information transmitted via the Internet must follow the Saint Joseph HealthCare, Inc. Privacy Policies that are in effect for hard copy information.

I. Copyright Infringement: Presenting information on the Internet is akin to publishing; therefore, words, graphics, audio, video or any other created work cannot be used without the permission of the author/creator. Even if permission is granted, the copyright on the original work may not cover electronic distribution. Use of the Internet to copy and/or transmit documents, software or other information protected by copyright law is prohibited. Software that is downloaded from the Internet must meet all specified software purchasing and licensing requirements. If a business need is established for downloading specific software, the copyright status must be determined in advance. In addition, the software must be checked for viruses before it is used or stored on an internal network or any personal computer with the potential to impact Saint Joseph HealthCare, Inc. computing resources. Saint Joseph HealthCare, Inc. IT personnel must be involved in downloading software.

J. Offensive Web Sites: Browsing or downloading information from offensive Web sites (e.g., pornography) is prohibited. Saint Joseph HealthCare, Inc. reserves the right to monitor Internet use and restrict access to potentially offensive material.

K. Approval for Internet Access: Internet access will be provided after a business need justification has been presented to and approved by a User’s manager, director or vice president. The approval process is initiated by submitting a “Request for E-mail/Internet Access” (See Appendix A) to the Saint Joseph HealthCare, Inc. IT help desk. Saint Joseph HealthCare, Inc. reserves the right to deny access if connectivity cannot be secured through the firewall.

L. Other Internet Usage Restrictions: All Users who utilize the Internet must have approved virus-scanning software installed and running on their workstations. Under no circumstances should a User try to obtain or configure an Internet service (e.g., America OnLine, CompuServe, etc.) that has not been approved by Saint Joseph HealthCare, Inc. Internet access, including e-mail use, is for registered and approved Users. It should not be shared or made accessible to others.

M. Large File Transfers: To the extent possible, Users should schedule communication-intensive activities, such as large file transfers or mass e-mailings, during off-peak times (i.e., after 5 p.m. and before 8 a.m. Monday through Friday, or during weekends). Because audio, video, and picture files require significant storage space and are extremely bandwidth intensive, these files may not be downloaded unless they are business related. For intensive processes (e.g., extremely large file transfers, streaming video or audio) Saint Joseph HealthCare, Inc. support staff must be consulted prior to initiating the process.

VIII: Workstation (PC) Security: Most computer workstations can access restricted or confidential information with proper credentials. Many computer screens are visible to people who should not see restricted or confidential information. To maximize the security of health and business information and to minimize the possibility of unauthorized access to information, System Administrators and managers must make sure that access to desktop workstations is controlled and monitored to secure access, availability and visibility.

A. Password Protection:

• Passwords must not be written down. Posting passwords on or near a work area is prohibited. Users will watch to make sure that no one observes them entering their passwords.

• Sharing passwords is not allowed. Users will not login to computer systems using someone else’s password or permit anyone else to login with their passwords; nor will Users enter information under anyone else’s User ID. Users are expected to notify IT management immediately if they believe their password has become known by others.

• Where passwords are visible when entered, position computer monitors or conceal the monitor display by use of a screen or shield to ensure that the password is viewable only by the user.

B. Restricted or Confidential Information: Users may not access restricted or confidential patient information or other business information that they do not need-to-know to perform their jobs. Nor may they disclose restricted or confidential patient information or other business information unless they are properly authorized to do so.

C. Screensavers: Workstations that access individually identifiable health information must be set to activate a screensaver within 5 minutes of idle activity. For workstations that do not access individually identifiable health information, a screen saver must activate within 15 minutes of no input. The session can be reestablished only if the User provides the proper password. Saint Joseph HealthCare, Inc. IT management or the Saint Joseph HealthCare, Inc. Security Official must approve exceptions to this policy when necessary.

D. Surge Protectors: All workstations that are plugged into electrical power outlets must use surge suppressors.

E. Hardware and Software Modifications and Installation: No one shall install, modify or reconfigure the hardware or software of any computer or network system without authorization from Saint Joseph HealthCare, Inc. IT management. Installation or modification of any computer resource must adhere to Saint Joseph HealthCare, Inc. policies. System administrators and Security Officials will conduct spot audits of workstations and will remove applications, information or other system changes that have been placed there inappropriately.

F. Moving Computer Equipment: Do not move computer equipment (e.g. workstations, file servers, printers, routers, etc.) without the prior approval of Saint Joseph HealthCare, Inc. IT management. Computer equipment can only be moved by IT personnel or their designee(s).

G. Workstation Location: Monitors that display restricted or confidential patient information or other business information must be positioned so that unauthorized persons cannot readily look over the shoulder of the person using the workstation. In general, workstations should be positioned or shielded so that screens are not visible to the general public or unauthorized staff.

H. Unattended Workstations: If a workstation contains or can access restricted or confidential information, Users must not leave the workstation unattended without first logging out. Users must invoke password-protected screensavers or sign off/power off workstations when not in use, when they leave the work area and at the end of the day. Saint Joseph HealthCare, Inc. IT management or the Saint Joseph HealthCare, Inc. Security Official must approve exceptions to this policy.

I. Modems Attached to Workstations: Workstation modems are not permitted to be utilized unless approved by Saint Joseph HealthCare, Inc. IT Department.

J. System Administrators should do the following:

• Conduct periodic spot audits of workstations to remove unauthorized applications and information or other inappropriate system changes.

• Periodically inventory workstations and installed software for workstations connected to the Saint Joseph Healthcare, Inc. network and review for authorized configurations and software.

• Establish local procedures for removing unauthorized hardware and software and for reconfiguring workstations that do not comply with CHI IT security standards.

• Maintain current software updates and patches.

• Train Users that removable storage devices such as floppy disk drives, Compact Disc (CD) writeable drives and Universal Serial Bus (USB) mass storage devices may be installed and used only for business purposes.

IX: Remote Computer Access: System Administrators will work with the Saint Joseph Healthcare, Inc. IT Department to ensure that third party vendors are provided with inbound access privileges only when there is a legitimate need and IT management has approved such access. Such privileges are enabled only for the time period required to accomplish an approved task. Additionally, System Administrators will:

• Provide vendor passwords on an individual, episodic basis

• Require any future third party access to be re-authenticated and a new password provided after each session is completed.

• Train IT staff to configure remote access accounts to not use generic or community login credentials unless specifically required by service agreement and approved by Saint Joseph Healthcare, Inc. management.

• Report all dial-up modems installed prior to the issuance of Saint Joseph Healthcare, Inc. related policies and procedures to IT management.

• Secure all existing modems to conform to Saint Joseph Healthcare, Inc. related IT security policies and procedures.

• Configure modems to have the configuration settings password protected.

• Periodically audit telephone service to Saint Joseph Healthcare, Inc. to identify and locate all telephone lines capable of supporting modem connections.

• De-activate or uninstall modems not currently approved by Saint Joseph Healthcare, Inc. management.

• Take appropriate actions to prevent the introduction of viruses, worms and other malicious software to the network when providing remote access to Saint Joseph Healthcare, Inc. IT resources.

• Train users to not transfer or upload information and files from a remote computer to Saint Joseph Healthcare, Inc. IT resources without first ensuring that a virus scan of the information and files has been completed.

• Train users that they must have updated anti-virus software running on their workstation whenever initiating a remote access session.

• Permit e-mail to be sent and received via remote access. However, scan incoming e-mail messages for viruses, Trojan horses, worms, etc.

• Maintain a file of signed request and authorization forms for all users authorized to gain remote access to Saint Joseph Healthcare, Inc. IT resources and the reason remote access is required.

Keep this file confidential and frequently updated to reflect most recent changes in conjunction with the Saint Joseph Healthcare, Inc. IT department.

• Grant Internet access via remote connection on an as-needed basis.

• Authorize and train managers and/or the Saint Joseph Healthcare, Inc. IT department to determine user requirements for remote connection.

• Implement a Virtual Private Network (VPN) connection to transmit and receive sensitive data outside of CHI.

X: Malicious Software: System Administrators should take steps to ensure that users are trained:

• To identify and quarantine malicious software as quickly as possible to limit damage to computer systems and information.

• To avoid attempting the removal of malicious software from their computer. Viruses and worms have become very complex and need to be removed correctly and in their entirety.

• To immediately take the following steps if they believe a computer has a virus:

o Disconnect from the network cable or wireless connection

o Discontinue using the computer

o Call the Saint Joseph Healthcare, Inc. IT help desk to report the infection and request assistance

• To report suspected computer virus or malicious software activity on their computer immediately to IT management.

Further, users may be subject to disciplinary action if an investigation reveals that they were aware their computer was infected with malicious software and did not report it.

XI: Anti-Virus Software: System Administrators work collaboratively with the IT Department to ensure that (when possible):

• All file servers, application servers and workstations connected to the network run anti-virus software approved by Saint Joseph HealthCare, Inc.

• Anti-virus software is configured to require little or no User intervention.

• Anti-virus software is continuously enabled and running as originally installed on all file servers, workstations and laptop computers.

• Users do not disable, attempt to disable or modify anti-virus software. Users caught disabling or attempting to disable anti-virus software will be subject to disciplinary action up to and including termination.

• Anti-virus software installed on servers and workstations is configured to perform real-time virus scans. Files and executable programs must be scanned or blocked before they are opened, copied or renamed.

• Laptop computers have anti-virus software loaded on the hard drive and automatically perform a scan during the boot process.

• Anti-virus software is run on a User’s home workstation if the User is allowed to work at home and the home workstation is connected to the Saint Joseph HealthCare, Inc. computer network.

• Anti-virus software is configured to automatically scan external or removable media (e.g. floppy disk) before accessing files residing on the external or removable media.

• Anti-virus software scans for the latest virus signatures; updated versions of the software must be installed within 30 days after they become available. Auto-update subscription mechanisms should be implemented when available from the software vendor.

• Anti-virus software scans for the latest virus signatures; virus definition files must be updated/installed as soon as they are available. Auto-update subscription mechanisms should be implemented when available from the software vendor.

XII: Security Incident Handling: System Administrators should train employees and other computer users to report alleged or actual security incidents promptly to their supervisor. If a supervisor is not available, employees should contact the System Administrator, the IT Help Desk or the Saint Joseph Healthcare, Inc. Security Officer. In addition, System Administrators should ensure that procedures are in place to define the response to alleged or actual security incidents. Users must not attempt to prove the existence of security incidents or problems unless they have been specifically charged with that responsibility by Saint Joseph HealthCare, Inc. IT management.

Reporting security violations, problems, incidents and vulnerabilities to any party outside Saint Joseph HealthCare, Inc. without the prior written approval of Saint Joseph HealthCare, Inc. management is strictly prohibited.

A. Responding to Security Incidents: When evidence shows that a security violation may have occurred, the Saint Joseph HealthCare, Inc. Security Official (or designee) completes a thorough investigation. The investigation must provide sufficient information for management to take steps to ensure that:

• Such incidents cannot take place again;

• Effective security measures have been reestablished;

• Relevant evidence has been obtained for prosecution or disciplinary action; and

• The security incident and outcome have been documented.

B. Interference With Reporting of Security Incidents: Attempts to interfere with, prevent, obstruct, or dissuade an employee from reporting a suspected security incident or violation are strictly prohibited. Any form of retaliation against an individual reporting or investigating a suspected security incident or violation is also prohibited and cause for disciplinary action. However, if the reporting employee is responsible for the violation, then there may be disciplinary action taken against him/her for the violation, even though they reported it.

XIII: Security Evaluation and Testing: System Administrator(s), in collaboration with the Saint Joseph Healthcare, Inc. Security Officer must ensure that security testing is done to determine that security measures for computer systems used by the organization are in place and working properly. Security testing must be done in a coordinated manner to avoid being mistaken for an actual security incident. The process of security evaluation and testing should include, but not be limited to:

A. Functional Testing – “Black Box testing” - A testing technique whereby the internal workings of the item being tested are not known by the tester. The tester only knows the inputs and what the expected outcomes should be and not how the system arrives at those outputs.

B. Vulnerability Assessments – Are performed to proactively identify the vulnerabilities of computing systems and the security posture of the network to determine if and where systems can be exploited and/or threatened.

C. Implement vulnerability testing software that seeks out security flaws based on a database of known flaws, tests systems for the occurrence of these flaws, and generates a report of the findings that can be used to address potential security issues.

D. Ensure that vulnerability assessments include review of both technical and non-technical security aspects (policies and procedures, physical security safeguards, etc.) relevant to security measures that have been or will be implemented.

E. Perform vulnerability assessments on all new or upgraded systems being planned for implementation into production environments.

F. Perform vulnerability assessments following significant configuration additions and changes.

G. Deliver the vulnerability assessment report to IT management for review and remediation of any identified vulnerabilities.

H. Intrusion detection testing – Put safeguards into place that monitor for attempts to intrude on system security.

I. Train Users to avoid installing or using hacking software or virus creation lab type software.

XIV: Software Licenses and Copyrights: System Administrators and the Security Officer, or their designees, review compliance with software licenses and copyright policies at least once a year or more frequently if needed. All software used within Saint Joseph HealthCare, Inc. must be legally licensed and used for business. Saint Joseph HealthCare, Inc. supports adherence to software vendor licensing agreements. Unless Users receive information to the contrary, they should assume that all software on Saint Joseph HealthCare, Inc. computer systems is protected by copyright. System Administrators have a role in ensuring that users comply with the following standards regarding proper acquisition and use of copyrighted software and commercial software licenses.

A. Acquisition of Authorized Software: Requests to purchase new software licenses or additional copies of existing licensed software must be approved by the appropriate department director and routed to Saint Joseph HealthCare, Inc.’s IT management office for purchase.

B. Copying, Transferring or Disclosing Software: Copying or transferring software purchased or provided by Saint Joseph HealthCare, Inc. to any storage media (e.g., floppy disk, magnetic tape, etc.) or another computer is prohibited, unless such action is specifically permissible under the software license agreement.

C. Making Additional Copies of Software: Copyrighted software owned by Saint Joseph HealthCare, Inc. must not be copied unless copying is consistent with relevant license agreements and either:

• Saint Joseph HealthCare, Inc. management has approved the copying; or

• Copies are being made for contingency planning purposes.

D. Compliance Monitoring: Department directors are responsible for ensuring that employees adhere to software copyrights. System Administrators and the Security Official are responsible for reviewing compliance with software licenses and copyright policies at least once a year or more frequently if needed.

Security Training Post-Test Instructions:

This completes the security training for System Administrators.

Please go to http://www.quia.com/pages/hipaasecuritytrainin.html and select the ‘hipaa security post-test for system administrators’ link to complete the post-test.

