1425 Acceptable Use of Electronic Resources
UMass Memorial Medical Center Policy
Developed By: HIPAA Advisory Group & Privacy and Security Committee
Effective Date: 6/4/2012
Approved by: Jennifer Daley, MD, Chief Operating Officer
Applicability: This policy applies to all hardware equipment, systems, applications and software that are owned, leased or maintained by UMass Memorial.
Rescission: Supersedes policy dated: 10/13/2009
Keywords: acceptable use, electronic resources, PHI, PI, e-mail, internet, data use, wireless devices, prohibited use
The purpose of this policy is to define the boundaries for the “acceptable use” of UMass Memorial Medical Center's (UMass Memorial) electronic resources, including software, hardware devices and network systems. This policy is intended to promote employee productivity and safety while recognizing that technology alone cannot protect against internal and external threats to UMass Memorial resources and assets. Other intentions of this policy include:
- Protect workforce members from discrimination and harassment.
- Prevent copyright infringement, software piracy, and other misuse of UMass Memorial electronic assets.
- Protect UMass Memorial against computer crimes, viruses, hackers, pranks, Denial of Service ("DoS") attacks, cyber terrorism, and other civil and criminal wrongdoings.
- Protect UMass Memorial confidential information.
- Maintain compliance with all applicable state and federal laws and regulations, including, but not limited to, the Health Insurance Portability and Accountability Act ("HIPAA"), the HITECH Act and the Massachusetts Data Security Regulations.
- Restrict use of UMass Memorial electronic resources to acceptable UMass Memorial uses as defined in this policy.
UMass Memorial has established policies, procedures, standards and guidelines to ensure that use of PHI, PI, and business-sensitive information is limited to what is allowed under the organization's policies and procedures and under applicable state and federal privacy standards, regulations and laws.
Be aware that computer activity creates audit trails. Deleted, edited and overwritten computer files are often not truly erased and may be recovered using computer forensic techniques.
This Acceptable Use Policy (AUP) covers, but is not limited to, the following resources:
- E-mail
- Voice mail
- Internet
- Telecommunications devices
- Mobile computing devices/wireless
- Text/Instant messaging
- Servers
- Desktops/Workstations
- Software
- Computer network
- Data storage devices
II. Definitions:
Confidential information - data/information (whether in oral, written, electronic or any other form) related to the business of UMass Memorial (including finance and administration, human resources, legal, clinical, patient and research data) that is not freely disclosed; private information that is entrusted to another with the confidence that unauthorized disclosure will not occur.
Data storage device - a device for recording (storing) information (data). A storage device may hold information, process information, or both (e.g. portable hard drives, flash drives, CD/DVDs, PDAs, smartphones, etc.).
Intellectual property - property rights created through intellectual and/or discovery efforts of a creator that are generally protectable under patent, trademark, copyright, trade secret, trade dress (e.g. the appearance or image of a product) or other law.
Malicious intent - includes but is not limited to any voluntary act that violates UMass Memorial policies and/or local/state/federal laws and regulations as well as hacking, cracking, bugging, virus creation/propagation, tampering with government or private data without authorization, non-secure transmission of sensitive data across the Internet or other non-secure network.
Mobile computing device - a handheld or portable device that combines computing, telephone/fax, e-mail and networking features (e.g. PDAs, laptops, cell phones, smartphones, Blackberries).
Personal Information (PI) - an individual's first name and last name, or first initial and last name, in combination with any one or more of the following data elements:
- Social Security number;
- Driver's license number or state-issued identification card number; or
- Financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account. "Personal Information" does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.
Protected Health Information (PHI) -all individually identifiable health information created, transmitted, received or maintained by UMass Memorial. This includes any information, including demographics, which identifies or could reasonably identify an individual, their health/condition, treatment or provision/payment for their health care.
Telecommunications device - a device used for the electronic transfer of information from one location to another. Telecommunications or telecom refers to a mix of voice and data, both analog and digital (e.g. cell phones, pagers).
Text messaging (texting) - the exchange of brief written text messages between fixed-line or mobile phones and fixed or portable devices over a network.
Workforce members - all employees, contractors, volunteers, trainees (including medical students, interns, residents, allied health professional and business students), members of the medical staff including employed and private physicians, temporary employees, and other persons employed, credentialed or under the control of UMass Memorial whether or not they are paid by UMass Memorial.
III. General Procedure:
A. General Provisions
1. All workforce members shall be aware that data they create on UMass Memorial systems is the property of UMass Memorial.
2. Only UMass Memorial approved computing assets may be used to store, process and/or transmit data used to support the clinical, administrative, research, educational and other business functions of UMass Memorial.
3. Only UMass Memorial approved computing assets may be connected to UMass Memorial systems or networks. This includes, but is not limited to, computers, network devices, portable media (such as flash drives), telecommunications devices, and wireless access points. Individual passwords must be kept secret, never shared with anyone for any reason and never written down.
4. Computer programs will not be installed on any UMass Memorial computing resource without I.S. approval, and installation will be performed only by approved individuals.
5. UMass Memorial owned assets are only for use by those workforce members who are specifically authorized.
6. UMass Memorial electronic resources will be used in compliance with all applicable organizational policies, standards, guidelines, state and federal regulations and laws.
7. Workforce members should take all necessary steps to prevent unauthorized access to and disclosure of protected health information (PHI), personal information (PI), business-sensitive information, proprietary and intellectual property, and research data.
8. UMass Memorial may choose to monitor or review any or all of its IS resources at any time. These resources include, but are not limited to:
- E-mail sent and received,
- Internet usage,
- Computer files, documents and faxes created, stored, deleted or distributed,
- Voice mail and messages,
- Anything stored on network resources and mobile computing and storage devices,
- UMass Memorial PHI, PI, and/or confidential information stored on approved, privately owned property (e.g. PDAs, laptops, cell phones, flash drives, etc.)
9. Any use of UMass Memorial IS resources that is not in strict compliance with this AUP can result in disciplinary action, up to and including immediate termination and/or legal action. (Policy 1421 - Breach of Confidential Information)
10. Workforce members must report any suspected and/or known violation of this AUP to the Privacy and Information Security Office.
11. Any workforce member using UMass Memorial IS resources does so subject to UMass Memorial's right to monitor such use and is advised that if monitoring reveals possible evidence of criminal activity, UMass Memorial may provide this information to law enforcement officials.
12. Workforce members have no expectation of privacy in anything they create, store, send or receive on UMass Memorial IS resources.
13. Workforce members are to honor and respect all applicable intellectual property including, but not limited to:
a. Software
b. Discoveries
c. Web content materials
d. Licenses
e. Digital certificates
14. Workforce members should take all necessary precautions to prevent external threats from entering the system. This includes scanning all files and other authorized material copied or downloaded from the Internet, from non-UMass Memorial computers, or from other electronic media for viruses and malware.
15. It is the responsibility of UMass Memorial workforce members with remote access privileges to UMass Memorial's network to use their remote access connection in accordance with all applicable policies and procedures and maintain confidential information in the same manner as when using an on-site connection to UMass Memorial.
16. Management reserves the right to revoke any user's access privileges at any time for violations of this policy, any other HIPAA Security policy, or conduct that disrupts the normal operation of UMass Memorial's information systems. Any conduct that adversely affects the ability of others to use UMass Memorial's systems and networks will not be permitted.
B. Workstation Use (I.S. 05.08 Workstation Use and Security)
1. Prior to use, workforce members are obligated to secure permission from IS to download and/or install any software to their local machine.
2. Non-UMass Memorial owned hardware should not be connected to the UMass Memorial network without the submission of a request and approval by IS.
3. Access to all UMass Memorial workstations containing or having access to UMass Memorial PHI, PI, and/or confidential information will be controlled with a username and password or an access device such as a token.
4. Workforce members will use the workstation locking capability (CTRL-ALT-DEL, then Lock) whenever leaving their workstation unattended.
5. Remote control connections from one workstation to another, such as those used by Information Services for remote troubleshooting, will be disconnected when the session is complete.
6. Workforce members will log off from their workstation(s) when their shifts are complete.
7. UMass Memorial workstations containing or having access to UMass Memorial PHI, PI, and/or confidential information will be physically located in areas that minimize the risk of unauthorized access. The level of physical protection provided for UMass Memorial workstations containing confidential information should be commensurate with the identified risks.
All workforce members who use UMass Memorial workstations will take reasonable measures to protect the confidentiality, integrity, and availability of confidential information accessed by the workstations. Such measures include but are not limited to:
- Workforce members will not attempt to gain electronic or physical access to workstations they are not authorized to use.
- Information Services is responsible for updating anti-virus software and virus definitions and ensuring that critical operating system updates are installed in a timely manner.
- Devices connected remotely to the UMass Memorial network via virtual private networking (VPN) or other means must adhere to anti-virus standards and intrusion protection as outlined in the Information Services SSLVPN Customer Agreement.
- Workstations/mobile devices removed from UMass Memorial premises must be protected with security controls equivalent to those for onsite workstations. The following guidelines must be adhered to with such systems:
a. Confidential information must not be stored on a mobile device unless such information is appropriately protected by the use of a power-on password, encryption software, or other similar controls.
b. Locking controls, such as a screen saver password, should be set to automatically activate on unattended portable workstations.
c. Mobile devices must be securely maintained while in the possession of workforce members.
C. E-mail and Communications Activities (I.S. 05.25 E-mail Use, Standards and Guidelines)
1. One of the most important aspects of e-mail and other electronic material is that they constitute UMass Memorial records.
2. E-mail transmissions, both on the intranet and the Internet, may be subject to disclosure through legal proceedings or otherwise required by law.
3. Always use secured messaging when sending e-mail containing confidential information outside the UMass Memorial trusted network. Double-check all "to" and "cc" fields prior to sending any e-mail.
4. Protected health information may be transmitted via e-mail within the UMMMC intranet with minimal risk of external access. Providers can communicate with other providers within the UMMMC trusted network for the purpose of treatment.
5. Some messages sent, received or stored on the UMass Memorial e-mail system may constitute privileged communications between UMass Memorial and its in-house or external attorneys. If you receive an e-mail labeled “Privileged Attorney-Client Communication” (or similar language), you should seek the attorney's permission before disseminating it further, as the privilege may be destroyed if the transmission is sent to a third party.
6. The UMass Memorial-provided e-mail service is the only authorized method for reading and sending e-mail from a UMass Memorial owned or I.S. approved personal mobile device. All other methods of e-mail synchronization are prohibited.
7. Use of personal or UMass Memorial mobile devices will be in accordance with UMass Memorial policies.
8. Workforce members should not use personal e-mail accounts for transacting UMass Memorial business.
9. Failure to adhere to these policies could result in the permanent removal of ALL data, without notice, residing on the mobile device.
D. Internet Use
1. The Internet is to be used in support of UMass Memorial related patient care, business, and research activities.
2. All UMass Memorial policies addressing information systems security and confidentiality apply to use of the Internet.
3. UMass Memorial workforce members who are granted access to Internet services are required to use common sense and exercise good judgment regarding their use of Internet services.
4. Internet activities are subject to review and audit and are not private or confidential.
5. All copyright laws and regulations are in effect in the online environment.
6. Users who violate copyright and/or license terms are personally liable for their actions.
7. Internet filtering blocks access to any site in the following categories:
- Adult/Sexually Explicit
- Illegal Drugs
- Intolerance & Hate
- Spam URLs
- Intimate Apparel/Swimwear
- Personals & Dating
- Advertisements & Pop-ups
- Criminal Activity
- Tasteless & Offensive
E. Wireless and Mobile Computing Devices
1. Any workforce member requesting wireless connectivity and/or a mobile computing or storage device should call the IS Support Center at (508) 334-8800 with this request.
2. If ePHI is stored on the device, data must be encrypted whenever possible and access should be password protected.
3. If ePHI is transmitted wirelessly, then the workforce member must ensure proper user and device authentication before transmission and encrypt data during transmission.
4. All mobile computing device users are responsible for the proper protection and storing of their SecurID hardware token (if used).
5. Mobile computing device users are not allowed to share their access credentials with any other person or to provide anyone else access via their credentials.
6. All users will adhere to the proper procedure for accessing UMass Memorial's network, including the use of access tokens where indicated and strong passwords that are to be changed periodically.
7. Failure to adhere to these policies could result in the permanent removal of ALL data, without notice, residing on the mobile device.
8. Sending UMass Memorial confidential information to UMass Memorial display pagers is allowed, but message senders must limit confidential content to the minimum information necessary.
F. Unacceptable or Prohibited Use
The following types of activities are specifically prohibited. This is not meant to be a comprehensive list but simply a representative list of prohibited activities.
1. Creation or transmission of any offensive, obscene or indecent images, data or other material designed or likely to offend and/or annoy.
2. Use of UMass Memorial electronic assets for malicious intent, procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws, disruptive to the operation of UMass Memorial business, is disparaging to others, advocates or opposes political, religious or cultural agendas or that is used for personal gain (as in the use of chain letters requesting donations).
3. Storage or indexing of confidential UMass Memorial information (e.g. desktop search engines) on an external site without the knowledge and approval of IS and the benefit of a fully executed contract with the third party.
4. Sending confidential information outside the UMass Memorial network without encryption.
5. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by UMass Memorial, digitization and/or distribution of photographs from magazines, books, or other copyrighted sources and copyrighted music.
6. Introduction of malicious programs onto UMass Memorial systems or networks (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.).
7. Making fraudulent offers of products, items or services originating from any UMass Memorial account.
8. Effecting security breaches or disruptions of any system or network, including but not limited to disruption for malicious purposes. Security breaches include, but are not limited to, accessing data of which the workforce member is not an intended recipient, or logging into a server or account that the workforce member is not expressly authorized to access, unless these duties are within the scope of regular duties.
9. Use of security assessment software, such as port scanners or network vulnerability scanners, is expressly prohibited unless conducted by Information Security staff or other personnel authorized by UMass Memorial Security Management.
10. Executing any form of network monitoring which will intercept data not intended for the workforce member's host is prohibited unless this activity is a part of the workforce member's normal job/duty.
11. Circumventing user authentication or security of any host, network or account.
12. Providing information about, or lists of, UMass Memorial employees to unauthorized parties outside UMass Memorial unless authorized by hospital or department administration.
13. Using UMass Memorial e-mail accounts, including e-mail usernames and passwords, for any purposes other than those for UMass Memorial business. The following uses (and those of similar nature) are not permitted if they are not business related:
a. chat rooms/blogs/forums
b. instant messaging
c. peer-to-peer file transfers (such as music downloads or other non-business applications)
14. Workforce members are not to save, forward or send e-mail chain letters, hoaxes, or pranks.
15. Viewing another user's e-mail without permission; sending, creating or receiving e-mail or other information or material under another user's username; or tampering with, revealing, or changing another user's password.
16. Any activity that is disruptive to the operation of UMass Memorial business or offensive to others.
17. Confidential information should not be transmitted or forwarded to outside companies or individuals not authorized to receive such information, or to UMass Memorial employees who have no business or clinical reason for such information.
18. Using an e-mail account assigned to another user to monitor, send and/or receive messages.
19. Auto-forwarding of UMass Memorial e-mail to an outside e-mail account, because of the potential negative impact on servers and the risk of confidential information being sent insecurely over the Internet.
20. Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising materials (e-mail spam).
21. Any form of harassment via e-mail, fax, telephone or paging whether through content, frequency or size of messages.
22. Unauthorized use, or forging of e-mail header information.
23. Enrolling any e-mail address other than the user's own in a system that automatically sends e-mail content to the enrollee.
24. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
25. Posting non-business-related messages to Usenet or Listserv servers.
26. Workforce members are not to send messages that state or imply that their views represent the views of UMass Memorial without prior written consent of their department head.
27. Any activity which violates the rights of privacy of protected health information, personal information or other protected information of UMass Memorial's patients and workforce members.
28. Installing computer hardware or software on UMass Memorial assets, including personal software and downloads without the approval of Information Services.
29. Text messages to smartphones and pagers are not encrypted and therefore:
a. Limit the amount of information included to the minimum necessary
b. Verify the intended receiver prior to sending message
c. Delete messages from smartphones as soon as they are no longer needed
IV. Clinical/Departmental Procedure: N/A
V. Supplemental Materials: N/A
Policy 3000 Information Security Master Policy
Policy 1421 Breach of Confidential Information
Policy 4039 Discipline
Policy 4049 Sexual Harassment
Corporate Compliance: Code of Ethics and Business Conduct
Provider Communication Guidelines E-mail
Patient Communication Guidelines E-mail
Patient Communication Guidelines E-mail Acknowledgment