DHO Computer Usage and Information Security Policy
Purpose
The purpose of this policy is to establish management direction, procedures, and requirements to ensure the appropriate protection of Department of Human Oncology (DHO) information handled by computer networks.
Scope
This policy applies to all employees, contractors, consultants, temporaries, and other workers at DHO, including those affiliated with third parties who access DHO computer networks. The policy also applies to all computer and data communication systems owned and/or administered by DHO.
Violations
DHO employees who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination.
General Policy
All information traveling over DHO computer networks that has not been specifically identified as the property of other parties will be treated as though it is a DHO asset. It is the policy of DHO to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information.
To accomplish this goal, the following steps have been put in place.
Appropriate Use
This policy defines the “acceptable use” of DHO electronic resources, including software, hardware devices and network systems. These systems are purchased and provided by the department and are for creating, researching and processing department-related materials. By using DHO property you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable department policies, as well as UW-Madison, city, state, and federal laws and regulations. UW guidelines can be found at: http://www.doit.wisc.edu/security/policies/appropriate_use.asp
DHO Computer Support is responsible for supporting applications related to DHO use only. Any employee-installed piece of software may be subject to removal if it is determined that said software is causing conflicts with legitimate approved software. This may include a fresh standard install of the operating system and applications.
DHO encourages exploration of the Internet, but if this exploration is for personal purposes, it must be done on personal, not DHO time. Likewise, news feeds, discussion groups, and other activities which cannot definitively be linked to an individual's job duties must be performed on personal, not DHO time. All users of the Internet should be aware that University firewalls and servers create a detailed audit log reflecting every request for service, both in-bound and out-bound.
HIPAA Compliance
DHO is committed to compliance with the Health Insurance Portability and Accountability Act (HIPAA). Aspects of this act establish requirements for technical security safeguards that will be used to process and transmit electronic Protected Health Information (PHI) across DHO computer systems. By using DHO computer systems you assume personal responsibility for their appropriate use and agree to comply with this act as defined by the HIPAA training you receive through the University of Wisconsin. UW guidelines and training can be found at http://www.wisc.edu/hipaa/.
Further Medical School HIPAA compliance policies can also be downloaded from this location (Please note that these documents are not yet finalized):
Network ID
All users are to be uniquely authenticated and identified when accessing a computer terminal. No group logins are to be provided. People with short-term access needs (1 day, 1 week, 1 month) should be granted access based on the duration of the need and the sensitivity of the information required.
Passwords
Employees must choose passwords that are at least eight (8) characters, and contain at least one character from three of the following four character sets:
1. Upper case alphabetic (A-Z)
2. Lower case alphabetic (a-z)
3. Numeric characters (0-9)
4. Special characters (!,@,#,$, etc.)
Passwords must not be written down in an obvious place. Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user and computer support staff. The authorized user is responsible for actions performed under their password.
To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password will be limited to five (5) unsuccessful attempts. After five unsuccessful attempts the user ID will be temporarily disabled for thirty (30) minutes.
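The password-composition rule (eight characters, three of four character classes) and the five-attempt, thirty-minute lockout described above, implemented as an added example; this is not code from the policy or from any DHO system. It assumes that "special character" means any non-alphanumeric character and that the lockout clock starts at the fifth consecutive failure.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MIN_LENGTH = 8          # "at least eight (8) characters"
REQUIRED_CLASSES = 3    # "three of the following four character sets"
MAX_FAILURES = 5        # consecutive failures before the ID is disabled
LOCKOUT = timedelta(minutes=30)

# The four character sets named in the policy. Assumption: "special"
# is anything outside the other three sets (so a space also counts).
CHARACTER_CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def password_meets_policy(password: str) -> bool:
    """True if the password satisfies the length and 3-of-4 class rule."""
    if len(password) < MIN_LENGTH:
        return False
    present = sum(1 for pat in CHARACTER_CLASSES.values() if pat.search(password))
    return present >= REQUIRED_CLASSES


@dataclass
class AccountLockout:
    """Tracks consecutive failures for one user ID and enforces the lockout."""
    failures: int = 0
    locked_until: Optional[datetime] = None

    def record_attempt(self, success: bool, now: datetime) -> str:
        # While disabled, even a correct password is rejected.
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        # Lockout period has expired: clear it and start counting afresh.
        if self.locked_until is not None:
            self.locked_until = None
            self.failures = 0
        if success:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT
            return "locked"
        return "failed"
```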
Ownership and Use
All computers, all associated peripherals and all software are considered property of the DHO. Computers purchased by DHO are meant solely for use by the physician or support staff they were purchased for and may not be given or loaned to another user (e.g. a lab or a colleague). This includes use of DHO machines by family members.
Hardware Requirements
A minimum hardware level must be maintained to ensure compatibility and support. Current supported configurations will be posted and updated biannually on our website at http://www.humonc.wisc.edu/.
Purchasing and Installing Hardware and Software
Purchasing of all software and all hardware will be centralized with the Computer Support Team to ensure conformity with department standards. DHO cannot guarantee support for any items not purchased by this method. The computer staff will assist you in purchasing and installing software and hardware that meets your needs.
Only DHO computer support staff members are authorized to install software. DHO does not permit or condone the illegal copying of software. It is not permissible to install unlicensed software on any department network or computer. If unauthorized software is found on a departmental computer, it will result in a re-imaging of the computer back to the current department standard. Installation or use of unauthorized software is grounds for removal from the network and associated support.
An updated list of supported applications is kept by DHO Computer Support and is available on the DHO website (http://www.humonc.wisc.edu/).
Home Computers
Home computers and machines are not provided support by the DHO Computer Support Team. Home computers may not be used on the DHO network without prior written approval from DHO Computer Support.
Computer Viruses, Spyware, Worms, and Trojan Horses
To assure continued uninterrupted service for both computers and networks, all employees must keep approved virus-screening software enabled on their computers. Employees are responsible for immediately notifying DHO Computer Support whenever they believe that a system has been infected.
Spyware is data collection software that masquerades as useful software. Spyware reports back usage information about the programs, machine configuration and sites a worker visits. Some examples of spyware are Comet Cursor, Bonzi Buddy, Spinner, and WeatherBug. Other systems may not be spyware per se but have features enabled by default which act like spyware; these features should be disabled. Examples of such systems include RealPlayer and Windows Media Player. Installation of spyware on DHO computer systems is prohibited.
Worms are much like viruses, but do not attach themselves to other programs. Trojan horses are unauthorized programs hidden within authorized programs. To prevent problems with viruses, worms, spyware and Trojan horses, software downloaded from the Internet, electronic bulletin boards, shareware, public domain software, and other software from untrusted sources should not be used until it has been scanned by anti-virus software and approved by IS.
Privacy
Unless contractual agreements dictate otherwise, messages sent over DHO computer and communications systems are the property of DHO. To properly protect and manage this property, DHO Computer Support reserves the right to examine all data stored in or transmitted by these systems. Since DHO computer and communication systems must be used for a combination of academic, research, and medical purposes, employees should have no expectation of privacy associated with the information they store in or send through these systems. Exceptions to this privacy statement are superseded only by state and federal regulations.
It is strongly suggested that employees automatically employ the following verbiage on all outgoing emails. This can be done via “signature” files.
“This communication is intended only for the use of the addressee and may contain information that is privileged and confidential. If you are not the intended recipient, you are hereby notified that the unauthorized dissemination of the communication is strictly prohibited. If you are not the intended recipient or the person responsible for delivering the electronic mail to the intended recipient, be advised that you have received this electronic mail in error; please immediately notify the sender by return mail.”
Computer communications must be consistent with conventional standards of ethical and proper conduct, behavior and manners and are not to be used to create, forward or display any offensive or disruptive messages, including photographs, graphics and audio materials.
Licensing
Computer Support is responsible for assuring the DHO is in compliance with all software-licensing requirements for all of the software in use on its systems. If IS determines that a piece of software is improperly licensed, IS will uninstall the software in order to achieve license compliance. In order to assist with license compliance all software and computer hardware purchases must have the approval of the Computer Support department, prior to the order being placed. Please send software and licenses to the Computer Support department for safekeeping.
File Storage
Every network user is provided with a secure, personal storage space on the network, which is backed up regularly to tape. Only departmental data is to be stored. No applications (executables) are to be installed in the area. Appropriate supported applications can be installed on your local hard drive by the computer support staff. MP3s, movies and other similar data are not allowed. Servers will be regularly purged of these files.
Departure from the Department
When you leave the department, NO ACCESS to your data or departmental data will be provided. If you need to copy some information, please contact the DHO Help Desk before your departure.
Other Security Measures
In order to protect against viruses, worms, Trojan horses, and spyware, as well as make workstation support more uniform, user rights have been assigned to the workstations which prohibit installing files into the system directory.
After five (5) minutes of inactivity on a computer workstation, a password-protected screen saver will be activated.
Employees must NOT establish electronic bulletin boards, local area networks, modem connections to existing local area networks, or other multi-user systems for communicating information without the specific approval of DHO Computer Support. Likewise, new types of real-time connections between two or more in-house computer systems must not be established unless such approval has first been obtained. This policy helps to ensure that all DHO systems have the controls needed to protect other network-connected systems. Security requirements for a network-connected system are not just a function of the connected system; they are also a function of all other DHO connected systems.
To prevent unauthorized disclosure, employees in possession of portable computers containing sensitive information should not leave them unattended and should not check them as baggage when traveling.
Exceptions
It is recognized that under rare circumstances, certain employees will need to employ systems that are not compliant with these policies. DHO Computer Support must approve all such instances in writing and in advance.
Guidelines
Guidelines for this policy are located at http://www.humonc.wisc.edu.