Workstation Security (For HIPAA) Policy

1.0 Purpose

The purpose of this policy is to establish security standards and provide guidance for ~~workstation~~the ~~security~~use ~~for~~of ~~<Company Name>~~all workstations inaccessing ~~order~~organizational resources. The objectives are to ensure the ~~security~~confidentiality, integrity, and availability of information onprocessed or accessed by workstations, including sensitive data such as Protected Health Information (PHI). This policy also aims to ensure compliance with relevant regulatory requirements, such as the workstation ~~and~~security ~~information~~standards ~~the~~mandated ~~workstation may have access to.~~ ~~Additionally, the policy provides guidance to ensure the requirements of~~by the HIPAA Security Rule ~~“Workstation Security” Standard~~ (164.310(c)), ~~are~~where ~~met.~~applicable.

2.0 Scope

This policy applies to all ~~<Company Name>~~ employees, contractors, workforce members, ~~vendors~~vendors, and agents ~~with~~of athe ~~<Company~~organization ~~Name>-~~utilizing any workstation (whether organization-owned or ~~personal-workstation~~personally-owned) ~~connected~~that connects to the ~~<Company~~organization's ~~Name>~~network ~~network.~~or is used to access, process, or store organizational information.

3.0 Policy Statements

~~Appropriate~~All ~~measures~~individuals subject to this policy must ~~be taken when using workstations~~adhere to ~~ensure~~ the ~~confidentiality,~~following ~~integrity~~workstation security requirements:

3.1 General Security Awareness and ~~availability of sensitive information, including protected health information (PHI) and that access to sensitive information is restricted to authorized users.~~ Responsibility

Users

~~3.1~~must ~~Workforce members using workstations shall~~always consider the sensitivity of the ~~information, including protected health~~ information ~~(PHI)~~being ~~that~~accessed ~~may~~or displayed on their workstation, particularly PHI or other confidential data, and take active steps to prevent unauthorized viewing or access.
* Workstations are provided for authorized organizational business purposes only. Personal use should be ~~accessed~~minimal and comply with the Acceptable Use Policy.

3.2 Access Control and Physical Security

* Workstations must be physically positioned and secured to minimize the ~~possibility~~risk of unauthorized ~~access.~~

access

~~3.2~~or ~~<Company~~viewing ~~Name>~~of ~~will~~sensitive ~~implement~~information. Consider the use of privacy screen filters or other physical ~~and~~barriers ~~technical~~where ~~safeguards~~appropriate.
* ~~for all workstations that access electronic protected health information to restrict access to authorized users.~~

~~3.3 Appropriate measures include:~~

~~Restricting physical~~Physical access to workstations must be restricted to ~~only~~ authorized ~~personnel.~~

personnel

~~Securing~~only.
* ~~workstations~~Workstations must be secured (e.g., screen ~~lock~~locked or ~~logout)~~logged ~~prior~~out) towhenever ~~leaving~~the ~~area~~user toleaves ~~prevent~~the ~~unauthorized~~immediate ~~access.~~

vicinity,

~~Enabling~~even afor brief periods.
* A password-protected screen saver with a short inactivity timeout period ~~to ensure that workstations that were left unsecured will~~must be ~~protected.~~enabled. ~~The password~~Passwords must comply with ~~<Company~~the ~~Name>~~organization's Password Policy.
*

Laptops

~~Complying with all applicable password policies and procedures. See <Company Name> Password Policy.~~

~~Ensuring workstations are used for authorized business purposes only.~~

~~Never installing unauthorized software on workstations.~~

~~Storing all sensitive information, including protected health information (PHI) on network servers~~

~~Keeping food and drink away from workstations in order to avoid accidental spills.~~

~~Securing laptops that contain~~containing sensitive information bymust be physically secured when unattended, using methods such as cable locks or ~~locking~~storing ~~laptops up~~them in locked drawers or cabinets.

~~Complying~~3.3 Technical Safeguards and Configuration

* All workstations must comply with the organization's Baseline Workstation Configuration Standard.
* Only organization-approved software may be installed on workstations. Installation of unauthorized software is strictly prohibited.
* Sensitive information, including PHI, should primarily be stored on designated, secure network servers, not local workstation drives, unless explicitly permitted and adequately protected (e.g., through encryption).
* Workstations must comply with the Portable Workstation Encryption ~~Policy~~Policy, ensuring sensitive data stored locally is encrypted.
* Workstations must utilize appropriate power protection, such as a surge protector or an uninterruptible power supply (UPS/battery backup).
* If wireless network access is used, it must adhere to the security requirements outlined in the Wireless Communication Policy.

~~Complying~~3.4 ~~with~~User ~~the Baseline Workstation Configuration Standard~~Practices

~~Installing~~* ~~privacy~~Keep ~~screen~~food ~~filters~~and orliquids ~~using~~away ~~other~~from ~~physical barriers~~workstations to ~~alleviate~~prevent ~~exposing~~accidental ~~data.~~damage.
*

Before

~~Ensuring~~leaving ~~workstations~~for ~~are~~extended ~~left~~periods on(e.g., ~~but~~end ~~logged~~of ~~off~~day), inusers ~~order~~should ~~to facilitate after-hours updates.~~

~~Exit~~exit running applications and close open documents where practical, and ensure the workstation is left powered on but logged off to facilitate necessary after-hours maintenance and updates by IT personnel.

~~Ensuring~~4.0 ~~that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).~~Compliance

If4.1 ~~wireless~~Compliance ~~network access is used, ensure access is secure by following the Wireless Communication policy~~Measurement

The

designated

~~Compliance~~IT ~~Measurement~~

authority

~~The~~(e.g., Precision Computer ~~team~~team) will verify compliance towith this policy through various ~~methods,~~methods. ~~including~~These may include, but are not limited to, periodic physical inspections (walk-~~thrus,~~thrus), ~~video~~review ~~monitoring,~~of ~~business~~system ~~tool~~logs ~~reports,~~and configuration settings, security audits (internal and ~~external audits,~~external), and ~~feedback~~analysis of reports from security tools. Feedback will be provided to the policy ~~owner.~~owner and relevant management.

4.2 Exceptions

Any exception to ~~the~~this policy ~~must~~requires beformal, ~~approved~~documented byjustification and advance approval from the designated IT authority (e.g., Precision Computer ~~team in advance.~~ team).

An4.3 ~~employee~~Enforcement

~~found~~

Failure by any individual subject to ~~have violated~~ this policy to adhere to its requirements may beresult ~~subject to~~in disciplinary action, up to and including termination of ~~employment.~~employment or contract, consistent with organizational procedures. Access privileges may also be modified or revoked.

Users should familiarize themselves with the following related organizational documents:

* Acceptable Use Policy
* Password Policy
*

Portable Workstation Encryption Policy

Wireless Communication ~~policy~~

Policy
*

Baseline Workstation Configuration Standard
* Data Classification Policy (Implied reference via "sensitive information")

~~HIPPA 164.210~~

~~http://www.hipaasurvivalguide.com/hipaa-regulations/164-310.php~~

~~About HIPPA~~

~~http://abouthipaa.com/about-hipaa/hipaa-hitech-resources/hipaa-security-final-rule/164-308a1i-administrative-safeguards-standard-security-management-process-5-3-2-2/~~

~~None.~~