Sample Computer Security Policy
Written by Cyrus Peikari, MD   

Sample Small Medical Office Computer Security Policy

This policy covers a variety of topics, including general staff responsibilities, authorization, communication, authentication, system integrity, confidentiality, mobile security, and disaster recovery.

Written by an IT security expert who is also an internist in private practice.



General Staff Responsibilities

    • All employees must read, understand, and sign an acknowledgment of this Policy upon employment.
    • As an employee, your computer system use may be monitored at any time.
    • The Administrator will educate employees at least quarterly on maintaining the confidentiality, integrity, and availability of computer data and systems.
    • Any intrusion or suspected breach of security should be privately and immediately reported to the Administrator.


Authorization

    • No employee, vendor, or IT personnel may install software or “inappropriate files” on a computer or local network device in this office without prior, written permission from the network Administrator. The Administrator for this practice is: ______________________
    • “Inappropriate files” include non-business-related MP3s, GIF files, games, executables, document files, and any other employee-installed software not approved by the Administrator. Not only do such files consume valuable storage space and bandwidth, but they can also introduce damaging viruses into the network.


Communication

    • All emails from patients will be printed and placed in the chart. Employees are not permitted to email patients in response. Instead, employees should promptly contact the patient by telephone.
    • Employees are not permitted to send, receive, or view personal email while at work.
    • Instant messaging, chat, and Peer-to-Peer (P2P) file sharing programs are prohibited.


Authentication

    • All desktop computers in this office will run the most recent version of Windows XP Pro unless otherwise authorized by the Administrator.
    • Each machine will have an “Administrator” account that is set up and accessed only by the Administrator. For security reasons, employees may not use the Administrator account.
    • Employees must use a restricted Windows logon account as defined by the Administrator.
    • Each account must be set to activate the screen saver automatically after 20 minutes of inactivity.
    • Screen savers must be password protected.
    • Only the default Windows screen savers are allowed.
    • The Administrator will define and enforce the use of strong passwords and periodic password changes.
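The PowerShell script below is an added example, not part of the original policy, that checks the authentication settings above on the machine it runs on (PowerShell 2.0 or later). It reads the standard Windows screen-saver values under HKCU\Control Panel\Desktop and tests whether the current logon holds administrative rights. The 20-minute limit (1200 seconds) is the policy's own figure; the assumption that a default Windows screen saver resides in the Windows system directory is mine.

```powershell
# Added example (not the policy author's code): audit the Authentication
# section of the office policy against the current machine and logon.
$desktop  = 'HKCU:\Control Panel\Desktop'
$findings = @()

# Read one screen-saver value; returns $null when the value is absent.
function Get-DesktopValue($name) {
    $item = Get-ItemProperty -Path $desktop -Name $name -ErrorAction SilentlyContinue
    if ($item) { return $item.$name } else { return $null }
}

# Screen saver must be enabled, password protected, and engage within 20 minutes.
if ((Get-DesktopValue 'ScreenSaveActive') -ne '1') {
    $findings += 'Screen saver is not enabled'
}
$timeout = [int](Get-DesktopValue 'ScreenSaveTimeOut')   # stored as a string of seconds
if (-not $timeout -or $timeout -gt 1200) {
    $findings += "Screen saver timeout is $timeout s; policy requires 1200 s or less"
}
if ((Get-DesktopValue 'ScreenSaverIsSecure') -ne '1') {
    $findings += 'Screen saver is not password protected'
}

# Only default Windows screen savers: assumption here is that a default .scr
# lives in the system directory (a bare file name is resolved there by Windows).
$scr       = Get-DesktopValue 'SCRNSAVE.EXE'
$scrDir    = if ($scr) { [IO.Path]::GetDirectoryName($scr) } else { $null }
$systemDir = [Environment]::SystemDirectory
if ($scrDir -and -not $scrDir.Equals($systemDir, [StringComparison]::OrdinalIgnoreCase)) {
    $findings += "Non-default screen saver configured: $scr"
}

# Employees must work under a restricted account, never the Administrator account.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += "Current logon $($identity.Name) has administrative rights"
}

# Report: one PASS line, or one FAIL line per deviation from the policy.
if ($findings.Count -eq 0) { 'PASS: authentication settings match policy' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Run it under each employee's logon rather than the Administrator account, since the HKCU values and the group check both describe the logged-on user; a FAIL line is a deviation for the Administrator to correct during the quarterly audit.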

System Integrity

    • Employees may be responsible for applying service packs, antivirus updates, firewall updates, and vendor patches whenever they are reminded to do so. Reminders typically arrive as a pop-up message on the screen, a verbal reminder, or an email memo.
    • Web browsing is not permitted unless required for patient care. The Internet Explorer security zone must be set to Highest at all times.
    • Each machine will run antivirus software set to update and scan at least biweekly.
    • Each machine will run a spyware and/or adware checker set to update at least biweekly.
    • Each machine will have an enabled, updated personal firewall.
    • Each machine will have auto-updating enabled for Windows patches.
    • The Administrator will perform a full security policy audit of each networked machine in the office at least quarterly.


Confidentiality

    • Patient data may not be stored, removed, or transmitted from the office by any media without prior written permission from the Administrator.
    • Transcriptionists may email transcriptions only in a secure format. The required format is Microsoft Word documents that have been zipped and encrypted with WinZip using the 256-bit AES strong encryption setting.
    • Employees must leave the built-in hard drives of scanners, copiers, and fax machines disabled.

Mobile Security

    • Personal Data Assistants and mobile computing devices (PDAs, Smartphones, Laptop/Notebooks, etc.) are not permitted in the office without prior written approval from the Administrator. External drives of any kind or size are forbidden, unless approved in advance by the Administrator.
    • All wireless and/or mobile devices will run security software equivalent to desktop computers in the office (including antivirus, firewall, and encryption).
    • Wireless Access Points and wireless routers are not permitted in the office without prior written approval from the Administrator.

Disaster Recovery 

    • Employees who are responsible for the patient database must back up the database once per week on a machine separate from the server.
    • Each computer will have a recovery disk and all required software available next to its location at all times. Employees may not remove this software.
    • The medical office manager will also store a backup CD-ROM of the database in the office safe every month.
    • Every quarter, both the Administrator and office manager will store an encrypted, backup copy of the database off site (at least 5 miles away).
    • Every 6 months, the office will participate in a data disaster recovery drill. This will involve restoring the database from scratch after a simulated, complete system crash.

©2006 Cyrus Peikari, M.D.
