Overview

Workstations are only to be used for authorized purposes.

Purpose

To provide guidelines on the use of Medical Center workstations and personal computers that access Electronic Protected Health Information (EPHI).

Scope

This procedure applies to all Medical Center employees and customers who access Medical Center resources from HIT-managed computers or remotely via personal computers.

Description

Limited personal use is acceptable when it does not impede business functions or consume excessive institutional resources. Workforce members must not use workstations to engage in any activity that is illegal under local, state, federal, or international law or is in violation of policy. See Medical Center Policy 202: Internet and Intranet Access/Usage. Access to workstations with Electronic Protected Health Information (EPHI) must be controlled and authenticated. To minimize risk, standard workstations are configured so that users have limited access to the operating system files and no ability to install new software. Temporary elevated rights can be granted by contacting the HIT Help Desk if additional software is required. In certain rare situations, permanent elevated rights can be granted if a valid business need is demonstrated. Requests for permanent elevated rights are submitted by completing the Elevated Rights Customer Agreement.

Only authorized software is permitted to be installed on workstations. Workstations containing EPHI must be located in physically secure areas, and their display screens must be positioned so as to prevent unauthorized viewing of EPHI. Workforce members should log off of applications and secure the workstation when finished (see Automatic Logoff).

Workstations removed from premises must be protected with security controls equivalent to those for on-site workstations. Special precautions must be taken with portable workstations such as laptops and PDAs. The following guidelines must be followed with such systems:

EPHI must not be stored on desktops, laptops or any other portable device unless written approval has been obtained from the Vice President or Dean of the department, as stated in University of Virginia Policy IRM-015: Electronic Storage of Highly Sensitive Data, and the information stored is appropriately protected using encryption. See Encryption Guidelines. In addition to encryption, the following safeguards must be deployed:

  • Locking software for unattended laptops must activate after 10 minutes.
  • Laptops and all other portable devices must be carried as carry-on (hand) baggage when workforce members use public transportation. They must be concealed and locked when in private transportation.

At-Home Users/Workstations Containing EPHI

There are two types of home user machine configurations:

a.  A desktop or laptop that is funded by the employee's department and has an HIT approved image.

b.  The user's personal device.

There are two types of at-home users:

  1. Occasional User. Such users may use either configuration (a) or (b), but they must use VPN for secure connectivity. See Virtual Private Network (VPN).
  2. Full-time At Home. Such users must use configuration (a) listed above, i.e., a machine provided by the department with an HIT-approved image, and must use VPN for secure connectivity. See Virtual Private Network (VPN). They must also use a high-speed connection so that HIT can manage the device.

Other guidelines for at-home use/support:

  • All maintenance and enhancements of issued equipment for configurations will be performed by HIT once the equipment is delivered to Stacey Hall. The employee should contact the HIT Help Desk for assistance but should not expect rapid turnaround unless HIT has the capability to provide spares.
  • No attempt shall be made by the user to correct any equipment malfunction, or to contact anyone outside of the Medical Center to repair a computer problem or alter the configuration of a Medical Center-owned desktop, laptop or device.
  • All hardcopies displaying EPHI will be shredded as soon as the document is no longer needed. See Medical Center Policy 0266: Records Management/Document Retention and Destruction.
  • Users are bound by institutional policies regarding access to patient information. Users will not copy retrieved data to the local hard drive or other local storage media. See University of Virginia Policy IRM-003: Data Protection of University Information and Health System Policy IT-002: Use of Electronic Information and Systems. Users staying connected through DSL or cable modems must install a desktop firewall. Remote access will be subject to periodic random auditing.
  • Inappropriate access or failure to follow requirements may result in suspension or permanent discontinuation of remote access privileges.
  • Termination of employment will result in the immediate loss of remote access privileges, and the user will return equipment issued by the Medical Center within 5 business days.
  • Anti-virus software must be installed on desktops and laptops (Medical Center-owned and personal) and kept up to date.

Document Supporting Resources