Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 4 - Security Awareness and Training


Title: Security Reminder
Policy: SEC-04.01
Category: HIPAA Compliance
Authority / HIPAA Section: 45 CFR § 164.308(a)(5)(ii)(A)
Standard: Security Awareness & Training
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure that each employee is kept informed of best practices and security procedures for handling PHI.

Policy

Implement a security awareness and training program for all members of its workforce (including management).  §164.308(a)(5)(ii)(A)

Each employee is to know how to safely and securely handle EPHI. All OSU employees are expected to read and follow the guidelines provided.

Procedure

OSU will provide a security awareness webpage for employees. IT will be responsible for sending out emails whenever new information or security threats become available. The HIPAA Compliance Office or designee will send an email to employees at least each quarter with tips and/or reminders referencing the webpage.

This information is in addition to the material provided in HIPAA training. IT and/or the Change Control Committee will provide the HIPAA Compliance Office with information for the HIPAA training sessions. This will include, but not be limited to, the following:

  • Password management and selection
  • Security incident reporting
  • Virus protection and its importance
  • New Virus Alerts
  • SUS Updates (Microsoft patches)

The OSU-designated HIPAA official will periodically provide security awareness reminders to all staff. These reminders may include, but are not limited to, verbal discussions at department or building meetings; print materials; video; internet streaming; or formal training seminars. OSU will maintain a log of all security reminders and the recipients of the reminders.



Title: Protection from Malicious Software
Policy: SEC-04.02
Category: HIPAA Compliance
Authority / HIPAA Section: 45 CFR § 164.308(a)(5)(ii)(B)
Standard: Security Awareness & Training
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure that workstations and servers operate within the security measures adopted by the university.

Policy

Responsibility for the efficient use of computing resources is shared by every employee. The purpose of this policy is to outline the measures that will be taken to ensure that all network devices operate with the configuration and standards necessary to maintain the integrity of data and the privacy of privileged information. Each campus must have procedures in place for guarding against, detecting, and reporting malicious software. §164.308(a)(5)(ii)(B)

Procedure

Each PC used in a HIPAA-regulated environment will have spyware/malware detection software installed. All patches/updates to the application and operating system will be pushed automatically to the devices by IT. Antivirus software is installed and updated automatically.

Malware

  1. OSU shall include, in security training or via reminders, information regarding malicious software and the prevention of attacks or inappropriate access by such software.
  2. Staff shall be informed of OSU's appropriate use guidelines.
  3. OSU staff shall be limited in their use of software, or access to internet sites or functions, that increase the risk of malicious software.
  4. OSU will monitor PCs to determine that appropriate safeguards are in place to prevent such software, including standards for operating systems, firewalls, antivirus software and operating system updates.
  5. Records of updates and changes in these recommendations shall be maintained by the security officer as part of the IT inventory database.


Antivirus

OSU is committed to taking the necessary steps to prevent computer viruses. Employees must adhere to the policies and procedures listed below:

  • Employees must scan files attached to email messages, files downloaded from the Internet, and files on diskettes using the antivirus program supplied by OSU.
  • The System Administrator or Security Official must conduct a virus scan of the OSU computer network servers and workstations at least once a week. Employees should be instructed to log off, but not shut down, their workstations once a week so the antivirus program can run in the evening.
  • When OSU purchases new computer software, the System Administrator or Security Official will test the application for viruses.
  • The System Administrator or Security Official must make sure that diskettes used to store computer software programs are “write-protected”, that is, protected against information being saved to the disk. This prevents viruses from being copied onto diskettes containing important information.
  • If OSU obtains a recycled computer that comes pre-loaded with software, or if the hard drive is pre-formatted, the System Administrator, Security Official, or information technology consultant will scan the hard drive for viruses and other vulnerabilities.
  • All software should be acquired from reputable dealers.


Title: Log-in Monitoring
Policy: SEC-04.03
Category: HIPAA Compliance
Authority / HIPAA Section: 45 CFR § 164.308(a)(5)(ii)(C)
Standard: Security Awareness & Training Implementation
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure appropriate measures are implemented to verify access to PHI systems and to report discrepancies to appropriate personnel.

Policy

OSU will provide procedures for monitoring log-in attempts and reporting discrepancies. §164.308(a)(5)(ii)(C)

Procedure

An audit trail within OSU servers containing ePHI will track the user ID, date, and time of each logon. IT will maintain the audit logs, which will be retained for six (6) years.

These audit logs will be reviewed periodically to identify any non-compliance, and as needed to track down possible issues.

Examples of logs:

  • Active Directory log contains: login/logoff event, computer name, user name, date and time.
  • DHCP log contains: MAC address, IP address, date, time.
  • ACS – Wireless log contains: MAC address, IP address, host name, user name, date and time.

Various healthcare-related software systems will also record login/logoff events, user name, dates and times, including events specific to the software.



Title: Password Management
Policy: SEC-04.04
Category: HIPAA Compliance
Authority / HIPAA Section: 45 CFR § 164.308(a)(5)(ii)(D)
Standard: Security Awareness & Training Implementation
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure that each user is required to use a secure password.

Policy

Security is a responsibility shared by every employee. All OSU employees are required to follow the OSU password guidelines defined below and to keep their passwords secured at all times. Passwords are not to be shared with anyone at any time. Procedures for monitoring log-in attempts and reporting discrepancies are listed below: §164.308(a)(5)(ii)(D)

Procedure

  • Passwords are not to be displayed in, or hidden anywhere around, your workspace.
  • No passwords are to be spoken, written, e-mailed, hinted at, shared, or in any way made known to anyone other than the user authorized to use that password. Supervisors may only obtain access through Provost approval.
  • No passwords are to be shared in order to “cover” for someone out of the office.
  • Passwords are not to be your name, address, date of birth, username, nickname, or any term that could easily be guessed by someone who is familiar with you. Passwords must meet the following specifications:
    • Contain at least 1 uppercase letter
    • Contain at least 1 lowercase letter
    • Contain at least 1 number
    • Be 8 – 32 characters long
    • Not contain dictionary words
    • May contain special characters
    • Not contain spaces
    • Not be one of the last 4 passwords used
  • Each employee, whether new or temporary, is assigned a unique temporary password.
  • User accounts are promptly disabled upon termination or resignation. See the Termination Procedures policy for further details.
  • Sharing or borrowing another user's login credentials is subject to OSU-approved sanctions.
  • Okey passwords expire every 120 days; users are expected to change their password at the appropriate time intervals.
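The password specifications above, as an added Python example that is not part of this policy page or of OSU's own systems: a checker that applies each listed rule to a candidate password, keeps the last-4 history as fingerprints rather than plaintext, and flags the 120-day expiry. The word list, the personal terms and the fingerprint function are constructed stand-ins for whatever the real identity system holds.

```python
from datetime import date
import hashlib
import re

# Constructed stand-in for a dictionary word list; a real list would be far larger.
# Only words of four or more letters are used so the substring check stays meaningful.
DICTIONARY_WORDS = ("password", "welcome", "oklahoma", "summer", "cowboy")
PASSWORD_LIFETIME_DAYS = 120   # "Okey passwords expire every 120 days"
HISTORY_DEPTH = 4              # "Not be one of the last 4 passwords used"


def fingerprint(password):
    """Demo-only stand-in for the stored verifier: a real identity system keeps slow,
    salted password hashes and compares against those, never against plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, previous_fingerprints, personal_terms,
                   dictionary=DICTIONARY_WORDS):
    """Return the list of policy rules the candidate violates (empty = acceptable).
    previous_fingerprints: fingerprints of earlier passwords, oldest first.
    personal_terms: the user's name, username, nickname, address, date of birth, etc."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("needs at least 1 uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("needs at least 1 lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least 1 number")
    if " " in password:          # special characters are allowed, spaces are not
        problems.append("must not contain spaces")
    lowered = password.lower()
    for word in dictionary:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    for term in personal_terms:
        if term and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    if fingerprint(password) in previous_fingerprints[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed_iso, today_iso):
    """True once the password has reached the 120-day lifetime (dates as YYYY-MM-DD)."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)).days
    return age >= PASSWORD_LIFETIME_DAYS
```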
Reference

Termination Procedures
IT Password Policy



Title: Training
Policy: SEC-04.05
Category: HIPAA Compliance
Authority / HIPAA Section: 45 CFR § 164.308(1)(ii)(B)
Standard: Security Awareness & Training Implementation
Responsibility: Health Care Components
Effective Date: 04/20/2005
Approved by: OSU Legal Counsel
Revised: 7/1/2013

Purpose

To ensure all employees and students who may have access to PHI receive the appropriate training.

Policy

All employees, students and volunteers, paid and unpaid, will receive HIPAA training regarding OSU policy and procedures with respect to protected health information.

Procedure

Procedure - Employees

  1. ALL new employees will receive HIPAA training either while filling out paperwork on their first day of employment or at orientation at Human Resources. At that time, they will sign a Confidentiality Agreement, which will remain in the employee file in Human Resources along with the Certificate of Completion for HIPAA Training.
  2. Employees will complete, at minimum, yearly training, or training as needed and/or as determined by the HIPAA Compliance Office and/or the HIPAA Steering Committee.

Procedure - Volunteers

Volunteers will receive training during orientation provided by one of the following (to be determined by the Privacy Officer):

    • Specific department
    • Human Resources or
    • HIPAA Compliance Office

Procedure - Students - CHS

All new students will be trained during Orientation in the Fall. The HIPAA Compliance Office will coordinate training with CHS staff regarding schedule and placement on the orientation agenda or via online methods.

Procedure – Students – Extern Rotation

Students will attend an orientation session with the Manager of Health Services Education and the HIPAA Compliance Officer, or conduct online training. This orientation will include:

  • Review of the Patient Care Mission
  • Review of the Clinical Expectations/ Responsibilities:  compliance contract to be signed
  • Review of the dress code/ professionalism standards
  • Review of Nursing Professionalism standards: signature required
  • Review of the OSU Confidentiality Agreement/ HIPAA review: signature required

The student will receive copies of the above. Originals will be kept in the Nursing Manager’s office. Copies of the Confidentiality Agreement will be stored in the student’s file.

Procedure – Student Shadows

OSU often has student visitors who are pursuing a career in the medical field (pre-med, nursing, medical records, etc.). Visiting students are required to complete online HIPAA training. This applies to all student visitors who will be observing in clinics, regardless of the length of the visit.

It is the responsibility of the employee coordinating the visit to notify the Human Resources Department and the HIPAA Compliance Office in advance so the training may be made available to the student.

The department the student is visiting will require the student to complete the training and to sign a Confidentiality Agreement, which will be kept in the HIPAA Compliance Office.

