12.3 WORKSTATION USE


Standard: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information.

The HIPAA Security Rule defines a workstation as an electronic computing device, any other device that performs similar functions, and the electronic media stored in its immediate environment. This is much broader than the common definition of a workstation as an end user's computer. The standard applies to a server, a laptop or desktop computer, a pocket PC, a PDA, a smart IP-enabled device, and any electronic medical equipment that collects and stores ePHI. Unattended equipment that could process or store ePHI, such as document management systems, image scanners, and network-based electronic equipment, is also included.

The Workstation Use policy should first define which functions are proper for a given workstation or class of workstations. Functions include general network access, the company intranet, e-mail/Internet access, mapped network drives, data feeds for other applications, and a complete list of the business applications a workstation needs to run. A covered entity should assess the need to classify workstations into different types by function, specify what software and applications should run on those stations and what configuration standards are followed, and, in particular, explicitly list every application that can access ePHI.

All information processing facilities of a covered entity are provided for business purposes, and management should formally authorize their use. Any use of these facilities for non-business or unauthorized purposes, without management's approval, should be regarded as improper use. If such activity is identified through monitoring or other means, it should be brought to the attention of the individual's manager and dealt with appropriately. It is therefore essential that all users be aware of the precise scope of their permitted access. This can be achieved, for example, by giving users written authorization, a copy of which is signed by the user and securely retained by the covered entity. Employees of a covered entity and third-party users should be advised that no access is permitted except as authorized. When logging on to a workstation, a warning message should be displayed on the screen stating that the system being entered is private and that unauthorized access is not permitted. The user must acknowledge and react appropriately to the message on the screen in order to continue with the log-on process.

The manner in which those functions are to be performed refers to an acceptable use policy and detailed instructions on how the authorized functions are used. Guidelines should be developed to cover the technical aspects of workstation use: for example, encrypting the hard drives or files of laptops or desktops that contain ePHI when physical controls cannot be implemented; installing and updating virus and other malicious-code detection and eradication software; and enabling personal firewalls when the device is connected to the corporate network, remotely, wirelessly, or over an Internet connection. Each covered entity should ensure that all software on company equipment is authorized and licensed, and that every device that can access its ePHI is identified and properly secured. A covered entity should also consider safeguarding unattended equipment with proper physical and logical security controls.

Each covered entity must assess the need to restrict the use of employees' personal devices (home PCs, laptops, PDAs and cell phones) for accessing the company's ePHI. If employees have Internet, e-mail or instant messaging access, detailed instructions on proper use should be provided. Guidelines should be created on introducing foreign software onto a workstation, downloading executable files, uploading documents and creating attachments, and what should be blocked by the e-mail and Internet content filtering facility. If ePHI must be transmitted over the Internet in any way, the covered entity should assess the risks and consider using encryption.

The physical attributes or surroundings of a given workstation or class of workstations refer to the physical accessibility of the equipment. A covered entity should evaluate where all workstations that can access its ePHI are located: for example, which workstations are in the company's secured areas, which devices are physically accessible in public areas, which workstations are in employees' home offices, which have remote access to the company's protected network, which are used during business travel in hotels or airports, and which use a wireless LAN. Consideration should be given to how workstations are used properly and securely in each of these situations, so that the same level of security is applied everywhere and the weakest link is eliminated.

Workstations should be positioned away from public view, or their screens shielded, so that casual observers cannot read the contents of a monitor. Users should be instructed to always log off a workstation or activate a password-protected screen saver when leaving it unattended. Because a user may be away for an extended period or a different user may need the workstation, it may be appropriate to implement automatic logoff (required under the technical safeguards) set to a relatively short period of time. Users should also remain aware of their surroundings whenever ePHI is used or disclosed in the course of operations.
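As an added example, not from the book, the read-only PowerShell script below checks a Windows workstation against the controls the preceding paragraphs describe: a logon warning banner, a password-protected screen saver with a short timeout, drive encryption, an enabled host firewall, and current malware protection. The 15-minute idle threshold and the 3-day signature age are assumed values; a covered entity's policy would set its own.

```powershell
# Added example: audit one Windows workstation for the HIPAA Workstation Use
# controls discussed above. Read-only; prints findings, changes nothing.
$MaxIdleSeconds = 900      # assumption: "relatively short" lock timeout = 15 minutes
$MaxSignatureAgeDays = 3   # assumption: acceptable age of malware signatures
$findings = @()

# 1. Logon warning banner shown before the user can sign in
$sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ([string]::IsNullOrWhiteSpace($sys.LegalNoticeCaption) -or
    [string]::IsNullOrWhiteSpace($sys.LegalNoticeText)) {
    $findings += 'No logon warning banner (LegalNoticeCaption/LegalNoticeText unset)'
}

# 2. Password-protected screen saver with a short timeout (current user's settings)
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1')    { $findings += 'Screen saver is disabled' }
if ($desk.ScreenSaverIsSecure -ne '1') { $findings += 'Screen saver does not require a password' }
if (-not $desk.ScreenSaveTimeOut -or [int]$desk.ScreenSaveTimeOut -gt $MaxIdleSeconds) {
    $findings += "Screen saver timeout missing or longer than $MaxIdleSeconds seconds"
}

# 3. Full-disk encryption of the system drive (BitLocker cmdlets need an elevated session)
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ($bl.ProtectionStatus -ne 'On') { $findings += "BitLocker protection is off on $env:SystemDrive" }
} catch { $findings += 'Could not query BitLocker (run elevated, or BitLocker not installed)' }

# 4. Host firewall enabled on every network profile
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += "Firewall disabled for the $($_.Name) profile"
}

# 5. Malware protection running and current (Microsoft Defender; other products need their own query)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Real-time malware protection is disabled' }
    if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch { $findings += 'Microsoft Defender status unavailable' }

if ($findings.Count -eq 0) { 'Workstation meets all checked controls' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

The screen saver check reads the current user's own settings; where these values are enforced by Group Policy they live under HKCU:\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop instead, so a domain-managed audit should read that key as well.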

In many institutions, guarding workstations is of secondary importance to the goal of providing health care, and procedures that substantially impede data entry and data retrieval will not be practical. Training users in their security responsibilities as well as the functional aspects of their work is therefore vital. Workstation users are essentially the owners or custodians of the equipment the covered entity has assigned to them; they hold the ultimate responsibility for safeguarding it and for ensuring that only authorized actions are taken by authorized personnel. Users can rely on screen savers, screen shielding, monitor placement, and the physical office layout to properly protect the workstation.

To implement this requirement, a covered entity can follow these steps:

  1. Develop a formal workstation use policy:

    1. Defining the covered entity's security risks, safeguarding objectives and requirements for workstation use;

    2. Defining an acceptable use policy for the common office and business applications that access ePHI; and

    3. Defining users' roles and responsibilities for proper workstation use, and progressive sanctions for violations.

  2. Develop a formal workstation use procedure:

    1. Identifying all proper functions and uses of workstations, or of each class of devices;

    2. Identifying all physical threats, vulnerabilities and risks the workstations are exposed to, including unauthorized disclosure, tampering and theft;

    3. Defining all methods used to safeguard data, including access control, physical security and location security;

    4. Establishing detailed instructions for proper use of the functions provided by the workstation;

    5. Identifying software and tools to monitor, evaluate and enforce proper workstation use;

    6. Monitoring workstation sites for good user practices, including logoff and password usage; and

    7. Establishing automatic logoff to minimize opportunities for unauthorized use of a workstation.

  3. Implement the policy and procedure:

    1. Providing security training for workstation support personnel;

    2. Providing security awareness education and detailed training for the workforce regarding proper workstation use; and

    3. Educating users about their responsibilities for workstation security.




HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181