Physician

SUBJECT: Network Systems Administrator Security
DEPARTMENT:
ORIGINAL EFFECTIVE DATE:
DATE(S) REVISED:
APPROVED BY:
DATE:
NUMBER:
PAGE: 1 of 4

Oregon Medical Association Use Agreement – Please Read

This policy and procedure is part of Oregon Medical Association's HIPAA Security Rule resources, Copyright June 2008. This policy and procedure should be viewed as a tool to aid in establishing systems and procedures that will enhance medical privacy and information security. It is meant to be adapted to the nature of the individual practice. It does not constitute, and should not be viewed as, legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem.

OMA has produced this policy and procedure in electronic format as a membership benefit for your convenience. The cost of preparing this policy and procedure is borne by the Oregon Medical Association. If you provide it to others without charge you are violating copyright law and you are "stealing".

Network Systems Administrator Security Policy & Procedure Overview

The HIPAA Security Rule addresses the need for appropriate access control, authentication and audits. This policy and procedure crosses multiple requirements because it addresses the higher-level security requirements that attach to network management, specifically the assignment of administrator-level privileges to a workforce member. A workforce member with "domain level" administrator authority in essence has access to all servers, applications, data, etc., and has ultimate "technical" authority to make changes. Such access should be strictly controlled and regularly audited, given the breadth of activity an individual with this level of access can control or modify.

This policy and procedure may not be appropriate for smaller practices with one individual responsible for all IT-related management. If a physician does have a network that controls or connects more than one device (including wireless and remote devices), this level of policy and procedure is needed to meet HIPAA "due diligence" requirements as well as appropriate security practice.
PURPOSE:

The purpose of this policy is to define the security requirements related to administration of Physician computer networks. The purpose is to establish a uniform process for assigning administrator access, appropriate use of such privileges, tracking of administrator activity and regular audit of network administrator activity. This policy governs server-level security.

POLICY:

Physician computer networks represent mission-critical assets to the Physician and, as such, require a higher level of security related to the management of Physician's networks. This includes minimizing high-level (administrator) access to network resources, implementing access controls for administrator accounts that are stricter than those applied to other accounts, and conducting periodic audits of network administrator accounts.

PROCEDURE:

  1. Local administrator-level access to Physician networks will be based on need to know, as determined by the CIO, director of IT, security officer or designee, in order to meet Physician's business needs, state and federal regulations and accreditation requirements. Such access will be limited to the minimum number of workforce members deemed appropriate to manage Physician network resources.
  2. All workforce members granted domain administrator privileges will be assigned two logons. The first logon will provide limited (non-privileged) system access and will be used for all system activity except in instances when domain-level privileges are required. The second logon will carry domain privileges and will be used only when administrative maintenance requiring those privileges is performed.
  3. Domain-level security will be granted only to [designated workforce members – generally network managers/administrators] and only to the minimum number of workforce members feasible.
  4. All domain or local administrator logons assigned will be unique and specific to the individual administrator. Generic logons will not be allowed for the purpose of logging into a server.
  5. All activity associated with server administrator privileges will be logged and reviewed at least bi-weekly. Special attention will be paid to domain level activity.
  6. Log activity and access will be reviewed on at least a monthly basis and following any significant incident affecting network availability, integrity or confidentiality. Such audits will be conducted by the security officer or designee.
  7. Local server administrative activity will be logged and audited on a random basis quarterly or in the event of a server failure.
  8. All requests for administrator access (local or domain) require approval by Physician, the CIO or the director of IT.
  9. Unless specifically approved and justified, third-party vendors will not be assigned local administrator privileges. If the situation warrants such access, it will be closely monitored and allowed for the minimum time necessary, and an audit of activity logs will be performed within one day following the access. Third-party vendors are prohibited from domain-level access.
  10. Workforce members granted administrator level access to Physician servers are required to take due care in performance of duties to avoid impacting integrity, availability or confidentiality of networks and network resources.
  11. Inappropriate use of network administrator privileges will result in sanctions up to and including termination. Depending on the severity, sanctions may also include appropriate legal action.
  12. All administrator access will be revoked (removed) upon termination or transfer to a position not requiring such access. The manager or designee shall initiate revocation by notifying the security officer or designee prior to termination or transfer.
  13. The security officer or designee will notify the CIO or director of IT of the need to revoke administrator-level access, giving the day and, where appropriate (such as in the event of involuntary termination), the time at which the termination or transfer will occur.
  14. On the day of termination or transfer administrator level access shall be revoked.
  15. Administrator access will be revoked immediately prior to termination in the event of involuntary termination.
  16. Users assigned administrator privileges are subject to all other policies and procedures governing Physician computer system use and data access.
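The log reviews called for in items 4, 5 and 9 are easiest to perform consistently when the checks are written down as rules. The following script is an added example, not part of the OMA policy and not an OMA tool: it applies those rules to privileged-logon records. Everything in it is constructed for illustration, including the approved administrator logons (the "-da" naming convention is an assumption), the vendor access window, and the one-line record format, which stands in for Windows Security event 4672 ("Special privileges assigned to new logon"); a real review would read the event log export instead of the embedded sample.

```python
"""Review privileged-logon records against the administrator access procedure.

Added example; the account names, hosts, vendor window and record format are
all constructed for illustration and are not from the OMA policy.
"""
import re
from datetime import datetime

# Approved domain-administrator logons mapped to the same person's standard
# logon (items 2 and 4). Constructed; the "-da" suffix is an assumed convention.
APPROVED_ADMIN_LOGONS = {
    "jdoe-da": "jdoe",
    "asmith-da": "asmith",
}

# Third-party vendor logons and the window during which local administrator
# access was approved (item 9). Constructed.
VENDOR_WINDOWS = {
    "vendor-ehr": (datetime(2024, 5, 1, 9, 0), datetime(2024, 5, 1, 12, 0)),
}

# Shared or generic logons that item 4 forbids for server access.
GENERIC_LOGONS = {"administrator", "admin", "root", "sa"}

# Constructed records standing in for Windows Security event 4672. Real events
# are XML/EVTX; this one-line form keeps the example self-contained.
SAMPLE_LOG = """\
2024-05-01 08:02:11 EID=4672 Account=jdoe-da Host=DC01 Scope=domain
2024-05-01 08:40:37 EID=4672 Account=jdoe Host=FS01 Scope=local
2024-05-01 10:15:00 EID=4672 Account=vendor-ehr Host=APP01 Scope=local
2024-05-01 14:30:52 EID=4672 Account=vendor-ehr Host=APP01 Scope=local
2024-05-01 15:01:09 EID=4672 Account=vendor-ehr Host=DC01 Scope=domain
2024-05-01 16:20:45 EID=4672 Account=Administrator Host=FS02 Scope=local
2024-05-01 17:05:12 EID=4672 Account=tmp-contractor Host=FS02 Scope=local
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) EID=(?P<eid>\d+) "
    r"Account=(?P<account>\S+) Host=(?P<host>\S+) Scope=(?P<scope>domain|local)$"
)


def parse_privileged_logons(text):
    """Return (timestamp, account, host, scope) for each 4672 record in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["eid"] != "4672":
            continue  # malformed line or an event type this review ignores
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["account"], m["host"], m["scope"]))
    return events


def review(events):
    """Return (account, host, finding) for every record that breaches the procedure."""
    findings = []
    standard_logons = set(APPROVED_ADMIN_LOGONS.values())
    for when, account, host, scope in events:
        if account.lower() in GENERIC_LOGONS:
            findings.append((account, host,
                             "generic logon used with administrator privileges (item 4)"))
        elif account in standard_logons:
            # The non-privileged logon should never receive special privileges.
            findings.append((account, host,
                             "standard logon holds administrator privileges; "
                             "the paired administrator logon must be used (item 2)"))
        elif account in VENDOR_WINDOWS:
            if scope == "domain":
                findings.append((account, host,
                                 "vendor logon used at domain level (item 9)"))
            else:
                start, end = VENDOR_WINDOWS[account]
                if not start <= when <= end:
                    findings.append((account, host,
                                     "vendor access outside approved window (item 9)"))
        elif account not in APPROVED_ADMIN_LOGONS:
            findings.append((account, host,
                             "privileged logon by unapproved account (items 1, 3, 8)"))
    return findings


if __name__ == "__main__":
    for account, host, finding in review(parse_privileged_logons(SAMPLE_LOG)):
        print(f"{account}@{host}: {finding}")
```

Run against the embedded sample, the approved domain administrator's own logon produces no finding, while the standard logon carrying privileges, the vendor's out-of-window and domain-level logons, the built-in Administrator account and the unknown contractor account each produce one. In practice the approved logon list should be generated from the access approvals recorded under item 8 rather than maintained by hand in the script.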

APPLIES TO:

Physician

Security Officer

CIO or Director of IT

Network administrators

Third party vendors

REFERENCES:

HIPAA Security Rule, 45 CFR 164.308(a)(3), 164.308(a)(4), 164.312(a)(1), 164.312(b)

June 2008 © Oregon Medical Association. All Rights Reserved.