110-19 Use of SHCS Computing Devices, Accounts, and Software

Category: Administration
Sub-Category: IT & Communications
Subject: Use of SHCS Computing Devices, Accounts, and Software
Policy Number: 110-19
Effective Date: November, 2014
Next Review Date: November, 2016
Responsible Manager(s): Information Systems Manager
Purpose: 

To define acceptable use and access policies for computing devices, accounts, and software supplied by Student Health and Counseling Services (SHCS) and/or UC Davis for the purpose of ensuring security and confidentiality of SHCS protected health information (PHI) while providing systems management capabilities. Computing devices are classified as either Staff Use Computing Devices or Public Use Computing Devices. Controlling access to each device class increases security, helps prevent loss of devices and reduces accidental disclosure of PHI. 

Policy: 
  1. All software installed or run on SHCS computing devices must be approved by the Information Systems Group (ISG) before installation or operation.
  2. ISG will designate computing devices as either a Public Use Computing Device or a Staff Use Computing Device.
  3. Public Use Computing Devices
    1. This class of computing devices includes:
      1. Computers placed in waiting areas (Kiosks)
      2. iPads designated for intake forms.
      3. Other devices as designated by ISG that are restricted to patient use only.
    2. Use of Kiosks is limited to Web browsing. PDF files can be read on Kiosks, but there are no downloading or paper printing capabilities. Kiosks can be used to print documents (e.g. vaccination records) to a file, which clinical staff can then access.
    3. A posted notice regarding the Kiosks will state access and use limitations and will ask patients to be considerate of others who are waiting to use them.
    4. Public Use Computing Devices shall not be used for accessing staff email, nor will they be configured to access SHCS file shares or data.
    5. Public Use Computing Devices shall not be used for staff use, with the following exceptions:
      1. Biofeedback systems.
      2. Providing assistance for patients/clients.
    6. Applications/Apps shall only be installed by ISG.
    7. Staff must report lost or stolen equipment immediately to ISG, their supervisor, and the Risk Manager.
  4. Staff Use Computing Devices
    1. Staff Use Computing Devices are not to be accessed or utilized by patients, clients, or non-SHCS employees, even if supervised.
      1. At the discretion of the ISG Manager, exceptions may be made for, e.g., students taking surveys via OpenSurvey or other software that prevents access to the Operating System or other programs and files while in use.
    2. Staff Use Computing Devices are only to be accessed by the currently logged in user, except in the case of a shared account (see section F, below).
    3. Cloud services such as Dropbox and Box.com that sync files to local user accounts are prohibited from use by SHCS employees, and such applications shall not be installed on SHCS-supplied devices.
    4. Public Use Computing Devices are not to be connected to Staff Use Computing Devices. An example of this would be connecting a tablet (e.g. iPad designated for intake forms) to a staff computer to "sync" or charge the device.
    5. Personal use of Staff Use Computing Devices is allowed for incidental personal purposes provided that such use does not:
      1. Directly or indirectly interfere with SHCS or University operations
      2. Interfere with the user's employment or other obligations to the University
      3. Burden the University with noticeable incremental costs
      4. Violate the law or University policy
    6. Portable Staff Use Computing Devices (laptops, iPads, iPhones, etc.) will have mandatory location tracking software and an associated account installed on them. Removal or disabling of this account or software is prohibited.
    7. Staff must report lost or stolen equipment immediately to ISG, their supervisor, and the Risk Manager.
    8. Video Conferencing using software that is not HIPAA Certified (such as Skype) is only allowed for non-clinical purposes such as interviews or training sessions.
  5. Data Stored on SHCS Computing Devices
    1. Most data stored on SHCS computing devices is backed up. However, music and photos located in user directories may not be backed up. If users have music or photos that are necessary for their job, they must contact ISG to arrange for storage of the files in a different location on the SHCS file share.
  6. User Accounts and Passwords
    1. SHCS staff are not allowed to give out their passwords to anybody else, especially "IT" staff.
    2. Staff are not allowed to log in using credentials other than their own, or shared credentials where applicable.
    3. Storing passwords and/or login IDs in written form (e.g. Post-Its, notepads) is not allowed.
    4. Storing passwords in email messages or other non-encrypted applications is not allowed.
    5. SHCS passwords must be unique to SHCS; do not use the same password for your SHCS account as any other personal or campus accounts.
    6. ISG may update the password requirements at any time. When password requirements change, staff will be notified.
    7. SHCS Password requirements:
      1. The password must be a minimum of 8 characters in length.
      2. The password must contain at least one character from each of the following four character types: UPPERCASE letters, lowercase letters, numbers, and special characters (`~!@#$%^&*()_+-=[]\{}|;':",./<>?).
      3. The password must not contain your name.
      4. The password must not be too similar to any of your last 3 passwords.
      5. The password must not be primarily composed of common passwords found on the internet (e.g. "password" and "letmein" are bad).
      6. The password should be unique (e.g. "80kittens<mycatFELIX" is better than "Password123!").
      7. The password should be easy to remember by using mnemonics or by making it a combination of multiple words (e.g. "batteryHORSE#8stapler" is better than "847b5u3498Dfn1!argDG3R").
      8. SHCS staff must never respond to emails asking for a password.
    8. SHCS Password Expiration:
      1. Passwords of 14 characters or fewer will expire after 90 days.
      2. Passwords of 15 characters or more will expire after 180 days.
  7. Shared accounts
    1. Shared accounts are accounts that use a single login ID for multiple users (e.g. the 'exam' user).
    2. ISG will designate which systems will utilize a shared account if the systems meet ISG security standards.
    3. Supervisors will provide their staff with the username and password for the shared account if access is permitted.
    4. Shared accounts will follow the standard User Accounts and Passwords policy, but may be approved for extended password expiration if necessary.
    5. Applications running under a shared account will be protected by individual user login accounts.
    6. Only staff who have been given the credentials for the shared account by their supervisor are allowed to use the shared account.
  8. External system accounts
    1. Passwords for accounts on external systems should be changed upon initial login when possible.
    2. Passwords for external accounts should meet as many of the SHCS password requirements as possible.
  9. Employee Termination
    1. Upon termination of employment with SHCS, all SHCS-supplied computing devices must be turned in to ISG by the end of the last day of employment.
    2. Employees who wish to save personal data off of their SHCS Computing Device must meet with ISG to arrange PHI scanning and transfer of such data to an external device (e.g. flash drive or hard drive). Employees are prohibited from copying data (including email) off of the SHCS Computing Device themselves prior to turning in computing devices.
    3. SHCS is not responsible for assisting users in importing or configuring personal data onto personally owned computing devices.
    4. Employee email accounts will not be forwarded to personal email addresses after termination.
    5. At the discretion of the employee's supervisor, email accounts (including all existing email messages) may be turned over to the supervisor or other designated employee after the termination date.
    6. All SHCS account access, including email, will be suspended upon termination of employment.
Definitions: 
  1. Computing devices are systems that interact with the internet or SHCS networks, including, but not limited to:
    1. Desktop Computers
    2. Laptop Computers
    3. Servers
    4. Tablets
    5. Smartphones
    6. Printers/Scanners
    7. Storage devices (e.g. USB Thumb drive)
  2. Staff Use Computing Devices are devices provided by SHCS which have access to any of the following:
    1. SHCS email
    2. SHCS Clinical Data Systems
    3. Protected Health Information
    4. Student information (e.g. Banner information) stored locally
    5. Access to SHCS file servers or data
  3. Public Use Computing Devices include:
    1. iPads designated for clients/patients utilizing Health-e-Messaging
    2. Kiosks designated for clients/patients utilizing Health-e-Messaging
    3. Self-Checkin Stations for clients/patients utilizing Checkin or Survey functions
  4. Credentials are any of the following which allow a user access to a system:
    1. Usernames
    2. Passwords
    3. Shared secrets
    4. PIN codes
    5. Hardware Tokens
    6. Software Tokens
  5. Clinical Data Systems refers to any of the following:
    1. Electronic Health Record System (Point-N-Click OpenSuite such as OpenChart, OpenSchedule, etc.)
    2. Propharm pharmacy system
    3. Harvest Laboratory Information System
    4. 4D CAPS Clinical Archive
    5. Other SHCS systems which contain protected health information.
  6. Protected Health Information (PHI)
    1. Individually identifiable health information, including demographic information collected from an individual, that is created or received by a health care provider and relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and that identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Procedure: 
  1. Staff who wish to provide computing services to clients or patients must use approved Public Use Computing Devices that do not have access to the SHCS EHR or any PHI.
    1. Specific exceptions are allowed for patient access within Exam rooms, as defined above in section C.1.
  2. Staff should always lock their Staff Use Computing Device when they are away from it, or log out of systems which do not have a lock capability.
Originated: October, 2004
Supersedes: July, 2011