Sample Small Medical Office Computer Security Policy
This policy covers a variety of topics, including general staff responsibilities, authorization, communication, authentication, system integrity, confidentiality, mobile security, and disaster recovery.
Written by an IT security expert, who also happens to be an internist in private practice.
- All employees must read, understand and sign an acknowledgment of this Policy upon employment.
- As an employee, your computer system use may be monitored at any time.
- The Administrator will educate employees at least quarterly on maintaining the Confidentiality, Integrity, and Availability of computer data and systems.
- Any intrusion or suspected breach of security should be privately and immediately reported to the Administrator.
- No employee, vendor, or IT personnel may install software or “inappropriate files” on a computer or local network device in this office without prior, written permission from the network Administrator. The Administrator for this practice is: ______________________
- “Inappropriate files” include non-business-related MP3s, GIF files, games, executables, document files, and any other employee-installed software not approved by the Administrator. Not only do such files consume valuable storage space and bandwidth, but they can also introduce damaging viruses into the network.
- All emails from patients will be printed and placed in the chart. Employees are not permitted to email patients in response. Instead, employees should promptly contact the patient by telephone.
- Employees are not permitted to send, receive or view personal email while at work.
- Instant messaging, chat, and Peer-to-Peer (P2P) file sharing programs are prohibited.
- All desktop computers in this office will run the most recent version of Windows XP Pro unless otherwise authorized by the Administrator.
- Each machine will have an “Administrator” account that is set up and accessed only by the Administrator. For security reasons, employees may not use the Administrator account.
- Employees must use a restricted Windows logon account as defined by the Administrator.
- Each account must be set to switch automatically to the screen saver after 20 minutes of inactivity.
- Screen savers must be password protected.
- Only the default Windows screen savers are allowed.
- The Administrator will define and enforce the use of strong passwords and periodic password changes.
- Employees may be responsible for updating service packs, antivirus updates, firewall updates, and vendor patches whenever they are reminded. Reminders typically come via pop-up message on the screen, by verbal reminder, or by an email memo.
- Web browsing is not permitted unless required for patient care. The Internet Explorer security zone must be set to Highest at all times.
- Each machine will run antivirus software set to update and scan at least biweekly.
- Each machine will run a spyware and/or adware checker set to update at least biweekly.
- Each machine will have an enabled, updated personal firewall.
- Each machine will have auto-updating enabled for Windows patches.
- The Administrator will perform a full security policy audit of each networked machine in the office at least quarterly.
- Patient data may not be stored, removed, or transmitted from the office on any media without prior written permission from the Administrator.
- Transcriptionists will only email transcription in a secure format. The required format is Microsoft Word documents that have been zipped and encrypted with WinZip (www.winzip.com) using the 256-bit AES strong encryption setting.
- Employees must leave the built-in hard drives of scanners, copiers, and fax machines disabled.
- Personal Digital Assistants and mobile computing devices (PDAs, Smartphones, Laptops/Notebooks, etc.) are not permitted in the office without prior written approval from the Administrator. External drives of any kind or size are forbidden unless approved in advance by the Administrator.
- All wireless and/or mobile devices will run security software equivalent to desktop computers in the office (including antivirus, firewall, and encryption).
- Wireless Access Points and wireless routers are not permitted in the office without prior written approval from the Administrator.
- Employees who are responsible for the patient database must back up the database once per week on a machine separate from the server.
- Each computer will have a recovery disk and all required software available next to its location at all times. Employees may not remove this software.
- One of the duties of the medical office manager will be to store a backup CD-ROM of the database in the office safe every month.
- Every quarter, both the Administrator and the office manager will store an encrypted backup copy of the database off site (at least 5 miles away).
- Every 6 months, the office will participate in a data disaster recovery drill. This will involve restoring the database from scratch after a simulated complete system crash.
©2006 Cyrus Peikari, M.D.