JUST THE FACTS: Protecting Computers & Electronic Information
Be sure to visit the UF HSC SPICE Program website for excellent educational resources.
Administrative Safeguards: The Rules
- All computer access accounts must be individually assigned to current employees. Generic access accounts are not allowed.
- For multi-user computer workstations, know which individuals are authorized to use the computer and for what purposes.
- Each user must have a unique password to access the workstation and the stored electronic information.
- The workstation's screen must be set for an auto-timed screen-saver that is password protected.
- Limit each logon session to a single site, and lock the account after a specified number of incorrect logon attempts.
- Do not store PHI or other confidential information, including emails, on the workstation's hard drive; relocate such information to the server. Maximum workstation retention of any data should be 5 days.
- Conduct daily data backup procedures; frequently test the backup procedures.
- Formulate and implement a specific information disaster recovery plan. Determine how you will work if the workstation is stolen, the machine crashes, or software is corrupted.
Physical Safeguards: The Barriers
- Use privacy screens or computer hoods to protect displayed data from unauthorized viewing.
- Avoid saving PHI or sensitive data on floppy or other removable disk drives.
- Add key locks for workstation power switches.
- Employ tie-down cables, or cable-lock computers to desktops.
- Exchange glass panel access doors, particularly those near public traffic areas, with solid interior doors.
- Lock the computer room whenever you are absent, even for a few minutes.
- Power off workstations that are not in use.
- Use a key control system, in which keys are changed with each staff change, especially personnel terminations. If keys are lost or misplaced, re-key doors.
- Store backup copies of computer data files in a secure location.
- Escort and monitor visitors in areas that contain computer hardware and connection devices and equipment.
Technical Safeguards: The Security Measures
- Purchase operating systems and application software that require user authentication.
- Use operating systems that restrict each user to their own files; do not permit global file access.
- Establish a procedure to regularly review and install operating system or application software patches. Update programs from vendor websites to employ the most current versions.
- Store sensitive, confidential, or proprietary information on a server that incorporates additional access protections.
- Use a screen saver that is password protected; recommended automatic activation interval: 3-5 minutes.
- Create passwords of at least eight characters that mix letters and numbers, upper and lower case, and punctuation symbols; change passwords every 60-90 days. Where practicable, set BIOS boot passwords to protect the hardware.
- Employ an approved file encryption program to protect highly confidential information, like HIV or psychiatry records.
- Configure operating systems to display all file extensions. Never execute a file if you do not understand the command or are unfamiliar with the file's source.
- Routinely update virus protection software.
- Turn off built-in network services that you do not intend to use.
- Do not permit anonymous access to your workstation; allow remote access only by an authenticated user with a VPN account.
- Do not share files on a multi-user workstation unless the files are accessible only to authorized users.
- Control peer-to-peer sharing of workstation resources such as disk drives, directories, or folders.
- Use a standardized naming convention for files and directories, usually including a file name, file type, date and initials.
- Regularly investigate suspicious or unfamiliar files on workstation drives; eliminate unknown files.
- Delete unsanctioned software, including "instant messaging", often a source for "network sniffer" or virus programs.
- For questions, contact your IT service provider or the Privacy Office.
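Two of the technical safeguards above, the password composition and rotation rule and the lockout after repeated incorrect logons, can be checked mechanically. The following is an added example, not code from the fact sheet or from UF HSC; the password rules and the 90-day maximum age come from the sheet, while the lockout threshold of 5 attempts is an assumption, since the sheet only says "a specified number".

```python
"""Added example (not part of the original fact sheet): enforcing the sheet's
password policy and failed-logon lockout rule in code.
Password policy from the sheet: at least 8 characters, letters and digits,
upper and lower case, punctuation, changed every 60-90 days.
Lockout: refuse an account after a set number of incorrect logons."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

MIN_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90      # sheet: change passwords every 60-90 days
LOCKOUT_THRESHOLD = 5           # assumption: sheet only says "a specified number"


def password_policy_violations(password: str) -> list[str]:
    """Return the rules the password fails (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case character")
    if not any(c.islower() for c in password):
        problems.append("no lower-case character")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation symbol")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True when the password is older than the policy's maximum age."""
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


@dataclass
class AccountLockout:
    """Tracks consecutive failed logons per user and locks the account once
    the threshold is reached; a successful logon resets the counter."""
    threshold: int = LOCKOUT_THRESHOLD
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def is_locked(self, user: str) -> bool:
        return user in self.locked

    def record_attempt(self, user: str, success: bool) -> bool:
        """Record one logon attempt; return True only if the logon is accepted."""
        if user in self.locked:
            return False        # a locked account is refused even with the right password
        if success:
            self.failures.pop(user, None)
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return False


if __name__ == "__main__":
    # Constructed sample values for a quick demonstration.
    print(password_policy_violations("Summer2003"))      # missing punctuation
    print(password_policy_violations("Clinic-Ward7!"))   # compliant
    print(password_expired(date(2003, 1, 1), date(2003, 4, 15)))
    lock = AccountLockout()
    for _ in range(LOCKOUT_THRESHOLD):
        lock.record_attempt("jdoe", success=False)
    print(lock.is_locked("jdoe"))
```

The lockout tracker is deliberately in-memory and per-process; on a real workstation the operating system's own account lockout setting does this job, and the point of the snippet is to make the sheet's two rules precise enough to test.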
IF A CONFIDENTIALITY BREACH IS SUSPECTED, NOTIFY THE PRIVACY OFFICE IMMEDIATELY AT 866-876-4472 OR E-MAIL