Sample Small Medical Office Computer Security Policy
This policy covers a variety of topics, including general staff responsibilities, authorization, communication, authentication, system integrity, confidentiality, mobile security, and disaster recovery.
Written by an IT security expert, who also happens to be an internist in private practice.
General
- All employees must read, understand and sign an acknowledgment of this Policy upon employment.
- As an employee, your computer system use may be monitored at any time.
- The Administrator will educate employees at least quarterly on maintaining the Confidentiality, Integrity, and Availability of computer data and systems.
- Any intrusion or suspected breach of security should be privately and immediately reported to the Administrator.
Authorization
- No employee, vendor, or IT personnel may install software or “inappropriate files” on a computer or local network device in this office without prior, written permission from the network Administrator. The Administrator for this practice is: ______________________
- “Inappropriate files” include non-business-related MP3s, GIF files, games, executables, document files, and any other employee-installed software not approved by the Administrator. Not only do such files consume valuable storage space and bandwidth, but they can also introduce damaging viruses into the network.
Communication
- All emails from patients will be printed and placed in the chart. Employees are not permitted to email patients in response. Instead, employees should promptly contact the patient by telephone.
- Employees are not permitted to send, receive or view personal email while at work.
- Instant messaging, chat, and Peer-to-Peer (P2P) file sharing programs are prohibited.
Authentication
- All desktop computers in this office will run the most recent version of Windows XP Pro unless otherwise authorized by the Administrator.
- Each machine will have an “Administrator” account that is set up and accessed only by the Administrator. For security reasons, employees may not use the Administrator account.
- Employees must use a restricted Windows logon account as defined by the Administrator.
- Each account must be set to auto-logoff to screen saver after 20 minutes.
- Screen savers must be password protected.
- Only the default Windows screen savers are allowed.
- The Administrator will define and enforce the use of strong passwords and periodic password changes.
System Integrity
- Employees may be responsible for updating service packs, antivirus updates, firewall updates, and vendor patches whenever they are reminded. Reminders typically come via pop-up message on the screen, by verbal reminder, or by an email memo.
- Web browsing is not permitted unless required for patient care. The Internet Explorer security zone must be set to Highest at all times.
- Each machine will run antivirus software set to update and scan at least biweekly.
- Each machine will run a spyware and/or adware checker set to update at least biweekly.
- Each machine will have an enabled, updated personal firewall.
- Each machine will have auto-updating enabled for Windows patches.
- The Administrator will perform a full security policy audit of each networked machine in the office at least quarterly.
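An added example, not part of the original policy, of how the Administrator's quarterly audit could check the workstation settings required in the Authentication and System Integrity sections from PowerShell. It reads the standard Windows registry locations for these settings and assumes PowerShell is installed on the machine; the thresholds (20-minute timeout, High zone, firewall on, automatic updates on) are taken from the policy text.

```powershell
# Added example (not from the original policy): read-only audit of the workstation
# settings required by the Authentication and System Integrity sections.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-OfficePolicy {
    $findings = @()

    # Authentication: password-protected default screen saver, locking after 20 minutes (1200 s)
    $desk = 'HKCU:\Control Panel\Desktop'
    $timeout = [int](Get-RegValue $desk 'ScreenSaveTimeOut')
    if ((Get-RegValue $desk 'ScreenSaveActive') -ne '1') { $findings += 'Screen saver is disabled' }
    if ($timeout -le 0 -or $timeout -gt 1200) {
        $findings += "Screen saver timeout is $timeout s; policy requires 1200 s (20 minutes) or less"
    }
    if ((Get-RegValue $desk 'ScreenSaverIsSecure') -ne '1') { $findings += 'Screen saver is not password protected' }
    # Only a path check: default Windows screen savers live in %SystemRoot%\system32 (or are named without a path)
    $scr = Get-RegValue $desk 'SCRNSAVE.EXE'
    $scrDir = if ($scr) { Split-Path $scr -Parent } else { '' }
    if ($scrDir -and $scrDir -ne "$env:SystemRoot\system32") { $findings += "Non-default screen saver: $scr" }

    # System Integrity: Internet Explorer "Internet" zone (zone 3) set to High (CurrentLevel 0x12000)
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    if ((Get-RegValue $zone 'CurrentLevel') -ne 0x12000) { $findings += 'Internet Explorer Internet zone is not set to High' }

    # System Integrity: Windows Firewall enabled on the standard (non-domain) profile
    $fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    if ((Get-RegValue $fw 'EnableFirewall') -ne 1) { $findings += 'Windows Firewall is disabled on the standard profile' }

    # System Integrity: Automatic Updates set to download and install (AUOptions 4)
    $au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    if ((Get-RegValue $au 'AUOptions') -ne 4) { $findings += 'Automatic Updates is not set to download and install' }

    return ,$findings
}

$result = Test-OfficePolicy
if ($result.Count -eq 0) { 'All checked settings comply with the policy' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it in the employee's restricted account so the HKCU values reflect that user's screen saver configuration; the HKLM checks need only read access.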
Confidentiality
- Patient data may not be stored, removed or transmitted from the office by any media, without prior written permission from the Administrator.
- Transcriptionists will only email transcription in a secure format. The required format is Microsoft Word documents that have been zipped and encrypted with WinZip (www.winzip.com) using the 256-bit AES strong encryption setting.
- Employees must leave the built-in hard drives of scanners, copiers, and fax machines disabled.
Mobile Security
- Personal Data Assistants and mobile computing devices (PDAs, Smartphones, Laptop/Notebooks, etc.) are not permitted in the office without prior written approval from the Administrator. External drives of any kind or size are forbidden, unless approved in advance by the Administrator.
- All wireless and/or mobile devices will run security software equivalent to desktop computers in the office (including antivirus, firewall, and encryption).
- Wireless Access Points and wireless routers are not permitted in the office without prior written approval from the Administrator.
Disaster Recovery
- Employees who are responsible for the patient database must back up the database once per week on a machine separate from the server.
- Each computer will have a recovery disk and all required software available next to its location at all times. Employees may not remove this software.
- The office manager will also store a backup CD-ROM of the database in the office safe every month.
- Every quarter, both the Administrator and office manager will store an encrypted, backup copy of the database off site (at least 5 miles away).
- Every 6 months, the office will participate in a data disaster recovery drill. This will involve restoring the database from scratch after a simulated, complete system crash.
©2006 Cyrus Peikari, M.D.