Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 10 - Workstation Use


Title: Workstation Use Policy: SEC-10.01
Category: HIPAA Compliance
Authority: 45 CFR § 164.310(b)
Standard: Workstation Use
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

Identify acceptable use of university-owned computing equipment and the proper method of logging on to and off of the system.

Policy

OSU will implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.  §164.310(b)

All employees of the university who are granted access to a workstation need to understand how to use that workstation in a way that maximizes the security of its data.  The purpose of this policy is to define acceptable use of university-owned computers and to set guidelines for protecting data while using them.

Procedure

The Appropriate Computer Use policy states what is considered acceptable use of university-owned computer equipment.  Users should be familiar with that policy.

Documentation for applications is specific to the function being performed and will be provided by the departments.

Every user must log off the applications on their workstation and shut down their computer at the end of their workday.  Employees needing assistance should contact their supervisor or the IT helpdesk.

On all computers joined to Active Directory, a password-protected screensaver activates after 25 minutes of inactivity, so an unattended workstation locks automatically.
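The 25-minute password-protected screensaver described above is normally enforced by Group Policy, but a policy that is not actually applied on a workstation protects nothing. The following PowerShell audit is an added example, not part of the OSU-CHS policy or of OSU's tooling: it reads the user-scope values that the Control Panel > Personalization GPO settings write and checks that the screensaver is on, requires a password, and fires within the policy's 25-minute limit. It also accepts the machine-wide "Interactive logon: Machine inactivity limit" setting as an alternative control. The 1500-second ceiling is taken from the policy text; the expectation that the values arrive via GPO is an assumption.

```powershell
# Added audit check, not OSU-CHS code. Verifies the GPO-enforced screen lock
# on the current workstation. Assumption: the lock is delivered by Group Policy
# (user-scope Desktop values) or by the machine inactivity limit security option.
$UserPolicyKey  = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$MachinePolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$MaxTimeoutSeconds = 25 * 60   # policy text: lock after 25 minutes of inactivity

function Test-ScreenLockPolicy {
    param(
        [string]$UserKey    = $UserPolicyKey,
        [string]$MachineKey = $MachinePolicyKey,
        [int]$MaxSeconds    = $MaxTimeoutSeconds
    )
    $findings = @()

    # Path 1: screensaver settings pushed by GPO (User Configuration).
    $p = Get-ItemProperty -Path $UserKey -ErrorAction SilentlyContinue
    $screensaverOk = $false
    if ($p) {
        $timeout = 0
        $parsed = [int]::TryParse([string]$p.ScreenSaveTimeOut, [ref]$timeout)
        if ($p.ScreenSaveActive -ne '1')    { $findings += 'ScreenSaveActive is not 1: screensaver not forced on' }
        if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'ScreenSaverIsSecure is not 1: resume does not require a password' }
        if (-not $parsed -or $timeout -le 0) {
            $findings += 'ScreenSaveTimeOut missing or invalid'
        } elseif ($timeout -gt $MaxSeconds) {
            $findings += "ScreenSaveTimeOut is $timeout s, exceeds policy maximum of $MaxSeconds s"
        }
        $screensaverOk = ($p.ScreenSaveActive -eq '1' -and $p.ScreenSaverIsSecure -eq '1' -and
                          $parsed -and $timeout -gt 0 -and $timeout -le $MaxSeconds)
    } else {
        $findings += "No policy-enforced screensaver values at $UserKey (GPO not applied to this user?)"
    }

    # Path 2: "Interactive logon: Machine inactivity limit" locks the session
    # regardless of screensaver settings; accepted as an equivalent control.
    $m = Get-ItemProperty -Path $MachineKey -ErrorAction SilentlyContinue
    $inactivity = 0
    $inactivityOk = $false
    if ($m -and $m.PSObject.Properties['InactivityTimeoutSecs']) {
        $inactivity = [int]$m.InactivityTimeoutSecs
        $inactivityOk = ($inactivity -gt 0 -and $inactivity -le $MaxSeconds)
        if (-not $inactivityOk) { $findings += "InactivityTimeoutSecs is $inactivity s (0 = disabled), not within 1..$MaxSeconds" }
    } else {
        $findings += 'InactivityTimeoutSecs not set: machine inactivity limit disabled'
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        User       = $env:USERNAME
        Compliant  = ($screensaverOk -or $inactivityOk)
        Findings   = $findings
    }
}

$result = Test-ScreenLockPolicy
if ($result.Compliant) { "Screen lock on $($result.Computer): COMPLIANT" } else { $result.Findings }
```

Run it in the context of the logged-on user (HKCU is per user), for example as a logon script or through a remoting session with the user's token; running it as a different administrator account would report that user's policy state, not the end user's. Either control passing is treated as compliant because both lock the session within the same window; a deployment that relies on neither shows up as a list of findings rather than a silent pass.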

Doors leading into offices containing desktops or laptops should always be locked when the office is vacated.  If a desktop or laptop is in a public area and cannot be secured by a locked door, other security mechanisms such as security locking cables or cages must be in place.

The Physical Access Controls policy also addresses physical workstation locations.  The Media Controls: Receipt and Removal of Hardware, Software and Media policy addresses the importance of users protecting their data backups.

On workstations with multiple users, each user must log off when someone else needs to use the workstation or when it is no longer in use.  Any use of a workstation under someone else's login credentials is a violation of this policy and of IT's Appropriate Computer Use Policy, Section 1.03, and will result in sanctions against the users involved.

The only exception is IT staff or other designated staff working under someone else's login for appropriate IT-related functions such as auditing, troubleshooting or virus removal.  Even then, they must have the written or verbal approval of the logged-on user, and they should avoid doing so whenever possible.

Reference

Appropriate Computer Use Policy
Physical Access Controls
Media Controls:  Receipt and Removal of Hardware, Software and Media



Title: Workstation Security Policy: SEC-10.02
Category: HIPAA Compliance
Authority: 45 CFR § 164.310(c)
Standard: Workstation Security
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013
Purpose

To ensure that all workstations that have access to ePHI are restricted to authorized users.

Policy

OSU will implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users.  §164.310(c)

Procedure

The ability to log on to a workstation is limited to those with an active Okey account.  Local accounts, which bypass domain authentication, are not to be used on machines where ePHI is located.

All users of software that contains ePHI are to have their own individual accounts.  Shared logins (multiple users logging in under one name) are not permitted under any circumstances.
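A workstation can be domain-joined and still accept a local logon through an enabled local account, which sidesteps both the domain account requirement and the individual-account rule above. The following PowerShell check is an added example, not part of the OSU-CHS policy or of OSU's tooling: it confirms the machine is domain-joined and lists every enabled local account, separating the built-in ones (identified by their well-known RIDs) from additional accounts that have no business existing on an ePHI workstation. The interpretation that any enabled non-built-in local account violates SEC-10.02 is taken from the policy text; the cmdlets are standard Windows 10 / Server 2016 or later.

```powershell
# Added audit check, not OSU-CHS code. Reports local logon exposure on a
# workstation that should only accept domain (Okey) logons.
function Get-LocalLogonExposure {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Well-known RIDs of built-in local accounts:
    # 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount
    $builtInRids = 500, 501, 503, 504

    $rows = foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
        $rid = [int](($u.SID.Value -split '-')[-1])
        $isBuiltIn = $rid -in $builtInRids
        if ($isBuiltIn) {
            $finding = 'Built-in local account enabled; disable it unless IT documents a need'
        } else {
            $finding = 'Additional local account enabled: bypasses domain logon (SEC-10.02)'
        }
        [pscustomobject]@{
            Name      = $u.Name
            Rid       = $rid
            BuiltIn   = $isBuiltIn
            LastLogon = $u.LastLogon
            Finding   = $finding
        }
    }

    [pscustomobject]@{
        Computer     = $cs.Name
        DomainJoined = $cs.PartOfDomain
        Domain       = $cs.Domain
        EnabledLocal = @($rows)
        Compliant    = ($cs.PartOfDomain -and @($rows | Where-Object { -not $_.BuiltIn }).Count -eq 0)
    }
}

$r = Get-LocalLogonExposure
if (-not $r.DomainJoined) { "WARNING: $($r.Computer) is not domain-joined; only local logons are possible" }
$r.EnabledLocal | Format-Table Name, Rid, BuiltIn, LastLogon, Finding -AutoSize
"Local logon exposure on $($r.Computer): " + $(if ($r.Compliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' })
```

Run it with local administrator rights so that Get-LocalUser can read every account. An enabled built-in Administrator is reported but does not by itself fail the check, since some IT break-glass procedures keep it; a non-empty list of additional enabled local accounts, or a machine that is not domain-joined, does fail it. Review the LastLogon column as well: a local account that has actually been used recently on an ePHI workstation is an incident to follow up, not just a configuration finding.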

The location of all workstations will be recorded and logged by IT or by the HIPAA Compliance Office.  This record is to be kept as up to date as possible and will be reviewed no less than annually.

Any loss or theft of a workstation should be reported immediately to the HIPAA Compliance Office and IT.

All workstations that contain ePHI or have the ability to view ePHI are to have the operating system locked or shut down when unattended or not in use.

All workstations that have the ability to view ePHI, where there is a reasonable expectation that patients or other unauthorized viewers could see the screen, are to have a privacy screen on the monitor to help prevent unauthorized viewing or misuse of PHI.

Reference

Workstation Use
Physical Access Controls

