Information Technology Standard - Clinic Workstation Configuration


PURPOSE

This standard establishes a consistent set of minimum security measures required for computer workstations used within Pacific University. It also sets requirements for vendor-provided and personally owned workstations when they are connected to Pacific University’s systems and networks.

 

Overview

The elements of this standard include requirements for installation and configuration, access control, physical security, document storage, logging and monitoring, and change management. Pacific University security standards are based upon industry standards, HIPAA, National Institute of Standards and Technology (NIST) security guidelines, and existing Pacific University policies on Information Security.

 

Scope

This standard applies to all clinical workstations connected to the Pacific University network. All clinical workstations deployed run Windows and will be configured to the policy requirements below.

 

DEFINITIONS

  • ePHI: Electronic Protected Health Information.
  • Least privilege: The concept that requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.
  • Desktop computer: A computer made for use on a desk in an office or home, and is distinguished from portable computers such as laptops or tablets. Desktop computers generally do not leave the Pacific University premises.
  • Workstation: Desktop, laptop, or other computer used by an employee or contractor to complete their daily tasks. Laptops by design are mobile and may leave the premises.
  • Screen Saver: The term used generically to describe a locking of the screen, regardless of what is displayed when the screen is locked.
  • Employee personally-owned machines: Laptops purchased using personal, grant or other funds that are not deployed, configured or managed by UIS Desktop or laptop standards.
  • Student personally-owned machines: Computers owned by students that are required to meet anti-virus standards, but are not audited by UIS. These systems should never have locally stored ePHI or PII.

 

POLICY/ELEMENTS OF THE STANDARD

The following elements apply to operating systems defined in scope for this standard, noted above. Configurations and settings described below will be designed and implemented so that computer users cannot change or otherwise circumvent the control.

 

Installation and Configuration

Change default accounts: All systems should have default account passwords changed, or default accounts should be disabled and replaced by another account with similar privileges. Accounts which cannot be changed are exempt from this requirement. Systems which require default accounts or shared accounts will be noted as exceptions.

 

Standard Images: The desktop support team will define standard workstation types and corresponding configurations.

Standard images should be created for each workstation type owned and supported by Pacific:  

  • A list of supported operating systems will be maintained. Only the operating system or application software version that is currently supported by the vendor will be installed, where feasible.
  • The applications associated with each standard image will be documented. Requests to install non-standard software must be reviewed and approved by University Information Services for license compliance prior to installation.
  • Vendor-supported systems and biomedical computer-assisted instruments may not have a Pacific University image installed.

 

Disable unnecessary services: By default, most operating systems run more services than necessary. These unnecessary services should be identified, and disabled or set to manual start-up, before any new system is used for its end purpose.

 

Security patch updates: All Pacific University-maintained systems must have current security patches loaded in a timely manner.

  • Where possible, patch management software must be configured to receive critical patch updates and security alerts for key software platforms such as operating systems, databases, servers, printer firmware, etc.
  • If a critical patch is not to be implemented, justification shall be documented and periodically reviewed for re-validation of exemption.
  • Workstations and servers running Microsoft Windows operating systems should be patched on a monthly basis according to the well-documented Microsoft monthly patch schedule.
  • Those systems that cannot receive updates or patches due to manufacturer restrictions (e.g. to retain FDA certification), should be firewalled from the production network using a dedicated firewall or network access control list.

 

Anti-malware: All systems which can run the commercial anti-virus suite used at Pacific University will do so.

  • The anti-virus installation and definition files must be kept running and up-to-date.
  • Those systems that cannot run anti-virus software due to manufacturer restrictions (e.g. to retain FDA certification), must be firewalled from the production network using a dedicated firewall or network access control list.
    • Network-based antivirus will be used where possible for these systems.

 

Local administrator privileges: In order to install and configure systems and applications local administrator privileges may be required. Such privileges will only be granted to specific individuals whose duties require they have such privileges.

  • Vendor support accounts may be granted local admin privileges if needed, but will expire at the end of each day. Activation of the vendor support account requires approval by a designated Systems Manager responsible for the application that the vendor is supporting. This approval will be documented in the Pacific University Service Management System and include the unique name of the person using the account.

 

Access Warning Banner: All Pacific University workstations must display an approved, system use notification message before granting system access informing potential users of the following:

  • The user is accessing a Pacific University information system;
  • The system usage may be monitored, recorded, and subject to audit;
  • Unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
  • The use of the system indicates consent to monitoring and recording.
  • The system contains confidential information which needs to be protected.

 

This notification must remain on the screen until the user takes explicit actions to log onto the information system.

 

Internet Access: Internet Access will be filtered using Internet filtering software:

  • Unauthorized file sharing / on-line storage sites will not be permitted. 
  • Internet filtering software should include anti-malware capability and others deemed necessary by the University HIPAA committee.

 

Wireless Access: All workstations configured for wireless networking must connect to the network only using the approved WPA2 Wi-Fi network.

 

Screensavers: Screensavers will be configured on all workstations. Users are required to re-authenticate when accessing a computer with the screensaver running. Users are not allowed to change screensaver settings. The following default screensaver settings will be implemented:

  • Inactivity Timeout (wait setting) set to 15 minutes. All exceptions must be reviewed and documented by the Information Security department;
  • Authentication required on resume.
  • Workstations located in secure or access-restricted locations can have inactivity timeout set to 60 minutes. 
  • Computer users are responsible to use proper judgment and manually lock the computer display if it will be unattended for an extended period of time and potentially viewable by unauthorized persons.

 

Access Control

User accounts: All workstation users will be assigned a unique network account name which will be used to log on to the Pacific University primary Windows Domain. The network account shall have an associated password which adheres to the Pacific University password policy. All activity occurring with the use of each account shall be considered to have been conducted by the assigned account owner.

  • IT support staff will be granted administrator privileges on the systems hosting an application which they support.

 

Direct use of generic administrator accounts: System administrators shall only access the system by using their own network accounts rather than logging in directly as “root” or “Administrator”. A “generic” administrative account is allowed only for the purpose of administering workstations that cannot log on to the domain; the generic account name must be documented and periodically reviewed by the IT Department. The account’s password shall be changed according to the Managing User Access Standard.

  • For Windows based systems, the use of unique accounts having Domain Administrator privileges is required. A user should not conduct normal activities while using an account with Domain Administrator privileges. The user must either log out and back in using their uniquely assigned Domain Administrator account, or use the “Run As” command to invoke a command using their higher privileged account.
  • For Unix based systems, use of the “sudo” command to run commands under the context of the root user is a required best practice.

 

Administrative interfaces/consoles: All administrative interfaces or consoles shall require the use of unique accounts and passwords. No unauthenticated administrative logins are allowed.

 

Service accounts: Applications or services running on an operating system shall not run as “root” or “Administrator” but instead will run using an account specific for its purpose. This account will only have local administrative access, unless a specific technical requirement necessitates having an Active Directory account for access to a specific file share, etc. These accounts shall not be directly used by an end user except when being first configured, unless a mechanism or procedure to tie usage of the account to a specific individual is in place. The password for these service accounts will not be provided to IT staff or vendors, and will require working with a member of the host OS system administration team to be given temporary use. 

 

Role based security: When feasible, accounts shall be granted access to data resources based on the principle of least privilege and the role of the account owner within Pacific University. Requests for access permissions to data resources must be approved by the manager of the data resource.

 

Remote Access:

  • Remote access to full desktop resources on user workstations will be permitted under the following conditions:
    • Purpose for the access will be reviewed by IS team and must be approved by the employee’s manager prior to being permitted.
    • The downloading or copying of confidential information – and particularly ePHI – to personally-owned workstations is not permitted.
    • Viewing ePHI through the use of an appropriate and approved application (such as an electronic health record system) by authorized members of the workforce on a personally-owned computer is permissible, provided the data is not copied and does not reside on the personally owned computer.
  • When non-Pacific University owned workstations are connected to Pacific University’s network using an approved remote access method, Pacific University may conduct a posture assessment on the client workstation to ensure compliance with workstation configuration standards. Non-compliant workstations may be quarantined or denied access until such time as the workstation becomes compliant.

 

Physical Security

Secure computing environment: For workstations which capture, process, or store patient or Pacific University confidential data, physical security controls which restrict access to the system must be present.

 

Document Storage

  • Data saved to workstations will not be backed up by the Pacific University IS department. Therefore, to ensure files are backed up, users must save files to their Pacific University personal network share or to a department network share. 
  • Documents containing ePHI must never be saved to a personally-owned workstation or device.
  • The use of Internet online storage sites (such as dropbox.com or Google Docs) for saving Pacific University information – especially confidential protected health information – is prohibited.
  • Mobile users should attach to the Pacific University network whenever possible. If the Pacific University network is not available, data can be saved to thumb drives. If thumb drives are used, confidential data, including ePHI, must only be saved to a Pacific University-issued encrypted thumb drive.
  • Saving / copying ePHI to an unencrypted thumb drive is absolutely prohibited.

 

Logging and Monitoring

  • Enable security logging: Workstations must be configured to turn on logging of security-related events (logon, failed logon, unauthorized data access attempt, etc.). These security log files shall be retained for a minimum of 180 days.
  • Monitoring: Where technically feasible, log events will be regularly monitored for unusual or suspicious entries. Identified anomalies will be summarized and periodically reviewed by appropriate supervisory personnel. 
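As an added compliance check that is not part of this standard, the following PowerShell script reads the Windows policy locations that enforce the screensaver, access warning banner and security logging requirements above and reports each as pass or fail. It assumes it is run with administrator rights on a domain-joined Windows workstation; the registry paths and the `auditpol` report format are standard Windows locations, not values taken from this document.

```powershell
# Added example (not Pacific University's own tooling): audit a Windows workstation
# against the screensaver, logon banner and logon-auditing settings in this standard.
# Assumption: run elevated, in the context of the logged-on user whose policy applies.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # missing key or value means the control is not enforced
}

$results = @()

# Screensaver: Group Policy writes these under the user hive so users cannot change them.
# The standard allows 3600 s (60 min) only for secure or access-restricted locations.
$maxTimeout = 900
$ss = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$timeout = [int](Get-RegValue $ss 'ScreenSaveTimeOut')
$results += [pscustomobject]@{
    Control = "Screensaver inactivity timeout <= $maxTimeout s"
    Pass    = ($timeout -gt 0 -and $timeout -le $maxTimeout)
    Value   = $timeout
}
$secure = Get-RegValue $ss 'ScreenSaverIsSecure'
$results += [pscustomobject]@{
    Control = 'Authentication required on resume'
    Pass    = ($secure -eq '1')
    Value   = $secure
}

# Access warning banner: the legal notice Windows displays before the logon prompt.
$sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$caption = Get-RegValue $sys 'legalnoticecaption'
$text    = Get-RegValue $sys 'legalnoticetext'
$results += [pscustomobject]@{
    Control = 'Pre-logon system use notification configured'
    Pass    = (-not [string]::IsNullOrWhiteSpace($caption) -and -not [string]::IsNullOrWhiteSpace($text))
    Value   = $caption
}

# Security logging: successful and failed logons must both be audited.
$audit   = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
$results += [pscustomobject]@{
    Control = 'Logon auditing enabled for success and failure'
    Pass    = ($setting -eq 'Success and Failure')
    Value   = $setting
}

$results | Format-Table -AutoSize
```

Log retention is not visible in these keys; the 180-day requirement is normally met by forwarding the Security log to a central collector rather than by the local log size alone.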

 

Change Management

  • Changes to production systems: All changes to production systems should be approved by appropriate management prior to implementation and will be implemented during a scheduled downtime period.
  • System retirement: All physical devices capable of storing data (computers, copy machines, servers, multi-function printers, etc.) which are being retired from use shall be provided to University Information Services staff who have been trained by the Information Security Department for destruction of storage media. When physical destruction is not appropriate or achievable, data sanitization will be performed to this standard.

 

Vendor Provided Workstations

  • When possible, Pacific University’s standard anti-virus software must be installed on vendor provided workstations. If anti-virus software cannot be installed and maintained to current levels, then vendor provided workstations must be firewalled from the production network segment using either a dedicated firewall or network access control lists.
  • UIS should participate in vendor system evaluation so that security concerns are addressed and the system, once acquired, can be secured and inventoried.

 

Personally Owned Systems

  • When technically feasible, personally-owned systems (owned by students, staff or faculty) will only be permitted to connect to the Pacific University network if they have current antivirus software with up-to-date virus definitions, current system updates, and the desktop firewall enabled.
  • Personally owned computers may be used to remotely interface with Pacific University systems and applications using only approved Remote Access methods.

 

ENFORCEMENT

This standard will be enforced pursuant to Pacific University Policy. Systems will be subject to periodic testing and assessment for compliance with the aforementioned policies and this standard. This assessment may be performed by Pacific University Management, Internal Audit, Information Security, or an appropriate designee. Non-compliance will result in creation of a project and/or tasks to remediate the non-compliant aspect or completion of the exception request process.

 

Exception

Variances from security standards can be requested. Requests for a variance from any of the requirements of this standard will be submitted in writing to the Information Security Officer prior to implementation of new technology or systems.

 

 

Approved: 3/4/2014 HIPAA Committee

Reviewed: 11/9/2021 Healthcare Clinics Operations and Compliance Committee

Revised: 11/9/2021 Healthcare Clinics Operations and Compliance Committee

 

Details

Article ID: 137881
Created: Wed 2/2/22 6:48 PM
Modified: Sat 1/18/25 11:00 AM