UMMC Policy and Procedure Manual A-IP-OIS-SEC-PO-00001
Subject: Acceptable Use Policy
Old Title: Acceptable Use Policy
Revised Date: 11/11/2019 Effective Date: 4/1/2017
Prepared By:
Kim Sterdivant
Approved By:
Steve Waite

Reviewed By:
Richie Stonecypher

Purpose

The purpose of this policy is to ensure compliance with the HIPAA Security Rule (45 CFR Part 160 and  Subparts A and C of Part 164) by establishing standards, expectations, and requirements for University of Mississippi Medical Center (UMMC) in regards to safeguarding the confidentiality, integrity, and availability of UMMC's information assets, including HIPAA electronic protected health information (ePHI) and other confidential data.

Scope

This policy applies to all employees, students, contractors, and any other individuals with login credentials (Users) to UMMC information assets and related resources. This policy is available to all Users, including all individuals responsible for implementing its procedure. 

Policy

A. User Responsibilities and Acceptable Use

1. UMMC provides information technology assets as resources to the UMMC workforce. It is the user's responsibility to properly use and protect those resources.

2. Use of information technology assets owned and/or operated by UMMC imposes certain responsibilities and obligations. UMMC considers use of IT resources to be a privilege that is granted on the condition that each user respects the integrity of IT resources and the rights of other users.

3. Users shall comply with all UMMC policies, state and federal laws, regulations, and contractual obligations when accessing UMMC information technology assets.

4. Workforce members’ actions may be monitored and workforce members consent to such monitoring.

5. Users are responsible for protecting all UMMC information technology assets to which they are granted access.

6. User access to UMMC information assets shall be restricted based on need-to-know and in accordance with the minimum necessary principle.

7. Users shall be made aware of their responsibilities for maintaining effective access controls and shall be required to follow UMMC policies.

8. Users are responsible for the protection of UMMC information resources by the use of effective access controls (e.g., passwords) and safeguards for those access controls.  

9. Users are responsible for the security of their passwords and all data which they are authorized to access.

10. Users who are authorized to access confidential data are responsible for properly storing and securing it from unauthorized access as well as for securing and protecting passwords and other forms of access control.

11. The use of cut, copy, paste, move, print, and print screen commands and/or storage of sensitive data is prohibited when accessed remotely without a defined business need.

12. Users are allowed to use UMMC information technology assets:

  • To which they have been granted authorized access
  • For UMMC business, academic and research purposes only

13. Each user bears the responsibility for knowing and complying with applicable laws, policies, and rules; for appropriately securing their computers and other electronic devices from misuse or theft by others; and for avoiding any use that interferes with others’ legitimate access to and use of UMMC information technology assets.

B. Internet Access from UMMC Locations

1. Connection to the Internet or use of a website is a privilege and not a right. Any abuse of that privilege can result in legal and/or administrative action.

2. Internet access is granted to workforce members and visitors with the expectation that users will act responsibly and use good judgment.

3. Internet access may be monitored at any time by UMMC. Any website or online activity may be blocked if it is determined to be harmful, potentially harmful, or disruptive to the organization or other workforce members.

4. Access to the Internet shall only be permitted though the UMMC corporate firewall.

5. A separate network shall be established to provide Internet access to visitors. The UMMC corporate network must not be accessible from the visitors' network.

6. Individually assigned passwords and accounts must not be shared.

7. Personal and UMMC (business) passwords must be different.

8. Passwords require at least eight (8) characters which are:

  • Not easy to remember
  • Not based on anything easily guessable or obtained using personally related information (e.g., names, telephone numbers, addresses, dates of birth, etc.)
  • Not vulnerable to dictionary attack (e.g., composed of words normally included in dictionaries)
  • Free of consecutive identical characters
  • A combination of alphabetic (uppercase and lowercase), numerical, and special characters 

C. User Responsibilities for Unattended Information Technology Assets

1. Users shall ensure that unattended equipment has appropriate protection.

2. Users should terminate sessions by logging off of computer devices (as opposed to only powering off the monitor or workstation).

3. Users shall safeguard unattended information system output devices (e.g., printers) to prevent unauthorized individuals from obtaining the output.

D. Code of Conduct

Users of UMMC Information Technology Assets agree to NOT:

1. Post, use, or transmit content to which they do not have the right to post or use under intellectual property, confidentiality, privacy, or other applicable laws.

2. Post, use, or transmit unsolicited or unauthorized content, including:

  • Advertising or promotional materials
  • “Junk mail”
  • “Spam”
  • “Chain letters”
  • “Pyramid schemes”
  • Political campaign promotional material
  • Any other form of unsolicited or unwelcome solicitation or advertising
  • Material of any kind that infringes upon copyright laws, including the unauthorized downloading, copying, displaying, and/or distributing of copyrighted material. All such works should be considered protected by copyright law unless specifically stated otherwise. Any use of UMMC information technology assets (e.g., networks, email systems, websites, etc.) to access, display, send, transfer, modify, store or distribute copyrighted material (e.g., video/movies, music/audio, images, documents, software, text, etc.) is strictly prohibited.

3. Post, use, or transmit content that contains software viruses, computer code, files, or programs designed to interrupt, destroy, limit the functionality, or otherwise interfere with any computer software, hardware, telecommunications equipment, or other UMMC information assets.

4. Post or transmit content that is harmful, offensive, obscene, abusive, invasive of privacy, defamatory, hateful or otherwise discriminatory, false, misleading, illegal, in breach of obligations to any person, or contrary to any applicable laws and regulations.

5. Intimidate or harass one another.

6. Allow unauthorized use or attempt to use another user’s individual account, service, or personal information.

7. Modify workstations without IT approval or remove, circumvent, disable, damage or otherwise interfere with any security-related features.

8. Install or use unauthorized or malicious software, or obtain unauthorized data and software from external networks.

9. Transmit (e.g., instant message, email, text, etc.) confidential data over open, unprotected, wireless networks unless approved security controls such as strong encryption are in place.

10. Automatically forward confidential data, including Protected Health Information (PHI), to an external email address.

11. Use UMMC demographic data such as business email address for personal use (e.g., register for software, complete a web form).

12. Attempt to gain unauthorized access to UMMC information technology assets, other users' accounts, computing devices, or networks connected to UMMC information technology resources through hacking, password mining or any other means, or interfere or attempt to interfere with the proper working of UMMC information assets or any activities conducted through those information assets.

13. Impersonate another person or entity, or falsely state or otherwise misrepresent affiliation with a person or entity without authorization.

14. Connect personally owned devices to the UMMC network prior to putting appropriate safeguards in place.

15. Conduct any activities with the intention of creating and/or distributing malicious programs using the UMMC network (e.g., viruses, worms, Trojan Horses, etc.).

16. Fail to exercise appropriate caution when opening emails, attachments, or accessing external websites.

Policy Compliance

Enforcement  

The designated Information Security Officer (ISO) has general responsibility for the implementation and enforcement of this policy.  

Future Revisions  

UMMC periodically reviews and updates its policies and procedures as needed in response to environmental or operational changes affecting the security of ePHI. UMMC reserves the right to add, delete, or revise any provision of this policy or any other Information Security policy at any time without prior notice as long as such changes are compliant with the HIPAA Security Rule. All UMMC security policies are subject to a review process that includes, but is not limited to, designated representatives from the Office of Information Security, the Legal Department, the Office of Integrity and Compliance, and the Department of Information Systems.  

Sanctions  

Any user violating this or any security policies or applicable local, state, or federal laws while using UMMC’s computing environment is subject disciplinary actions deemed appropriate, up to and including termination. In cases in which PHI is involved, the ISO will collaborate with the Office of Integrity & Compliance to recommend appropriate sanctions.  

Exceptions  

The process to request exceptions to Information Security policies is available. Requests are documented and then evaluated based on the potential risks to business, as well as, the HIPAA Security Rule. The ISO can approve exceptions necessary to meet business or patient care needs. Alternatively, the ISO may request compensating controls and processes to ensure UMMC adherence to the HIPAA Security Rule. All approved policy exceptions will be reviewed annually for appropriateness by the ISO and may be revoked at any time.