Safe computing
We are currently working on a new site to comprehensively address various issues of computer safety, privacy, and proper handling of Patient Health Information (PHI). Please check back for more information.
WARNING: Occasionally you may receive an email message that requests you to send personal information or click on a link. Please be advised that neither HIT nor any legitimate source would ask you to send personal information such as user ID, password, bank account numbers or Social Security numbers in an email. Also, please do not click on links contained in an email unless you are certain they are legitimate. If you are unsure of an email’s legitimacy please delete it immediately.
Security Policies
How to Protect Yourself
By following the Acceptable Use Policies, you greatly reduce the risk of all the aforementioned dangers.
If you suspect that you have a virus, or that your computer has been compromised in some other manner, please do not try to address it yourself. Contact HIT for assistance.
Proper Storage of Data
1.) Do not store any institutional data on the hard drive of your assigned workstation. Instead, store this data on your P drive or a HIT approved server, both of which are assigned a greater level of security. Institutional data is defined as data that is used in the course of business which may or may not contain any sensitive data. This is further defined at http://lct.msu.edu/guidelines-policies in the "Guidelines for Internal and External Reporting of Data System Security Breaches 25 Feb. 09 [PDF]".
2.) All electronic Protected Health Information (PHI) must be accessed and stored only through Centricity/EMR, IDX or a HIT approved server.
3.) Sensitive data, such as Social Security Numbers, must be stored on your P drive as per MSU policy http://www.hr.msu.edu/HRsite/Documents/Uwide/Policies/ssnPrivacy.htm.
4.) If research data is not stored on any HIT or BRIC server, then it must be encrypted to be stored elsewhere.
5.) Report all suspicious behavior to HIT's Help Desk at 355-6531.
Security FAQ
- I forgot my password. Can you tell me what it is?
We cannot give out passwords to anyone. We can reset your password if you provide us with your MSU Z-PID. Otherwise, you will need to stop into our office or have your departmental supervisor call us.
- What makes a good password?
We suggest a minimum of 8 characters, mixed case, with at least one number or symbol.
- Is it ok to write down my password if I keep it hidden?
We recommend that you do NOT write down passwords. However, if you do write a password down, please keep it in a locked drawer that has limited access. If you have multiple passwords to keep track of, you might want to consider software such as Password Safe (free).
- Do I have to change my password?
HIT requires a periodic change of password every 365 days with four historical passwords maintained. This means you have to use a new password five times before you can begin to reuse old passwords.
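A checker for the password rules stated in the two answers above (at least 8 characters, mixed case, a number or symbol, and no reuse of recently used passwords), as an added Python example that is not part of the HIT page; the salted PBKDF2 storage scheme and the sample passwords are assumptions made for the illustration:

```python
import hashlib
import os
import string

MIN_LENGTH = 8
# Current password plus the four historical ones the page says are kept, so an old
# password becomes reusable only on the fifth change (assumed interpretation).
HISTORY_DEPTH = 5
ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def complexity_errors(candidate):
    """Return the list of rules the candidate violates (empty list if it passes)."""
    errors = []
    if len(candidate) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        errors.append("not mixed case")
    if not any(c.isdigit() or c in string.punctuation for c in candidate):
        errors.append("no number or symbol")
    return errors


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256; only (salt, digest) pairs are kept, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def reused(candidate, history):
    """True if the candidate matches any of the last HISTORY_DEPTH stored hashes."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS) == digest:
            return True
    return False


def change_password(candidate, history):
    """Apply the full policy; on success append the new hash and return (True, [])."""
    errors = complexity_errors(candidate)
    if reused(candidate, history):
        errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if errors:
        return False, errors
    history.append(hash_password(candidate))
    return True, []
```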
- Is it OK to let a new employee temporarily use my password until you can activate their account?
NO. It is never OK to allow another employee use of your password or access to your account. You may be held responsible for any wrongdoing in that situation.
- When can I get copies of my old employee's files?
A formal request must be made in order to retrieve the business-related files of a former employee. We require at least 72 hours of notice to complete this request. All non-business related former-employee files to be retrieved must have the written approval of the Vice-Provost of Libraries, Computing and Technology.
- One of my employees is gone on maternity leave. Can you give me her password to get files she was working on?
NO. We cannot give passwords or access to any user accounts. We can however, provide access to the files if proper notice is given. Access to passwords and user accounts will only be granted with specific written permission from the user.
- Is my email secure?
There are many layers to security and email. If you transmit an email message to another user outside the HIT system (Gmail, Hotmail, msil.msu.edu, etc) then your email message is not secure and is susceptible to theft. Never transmit sensitive or patient information in an email.
- I understand that your servers are all behind a firewall, but what is being done to secure our workstations?
Currently HIT is in the process of making sure that every workstation receives virus protection, Windows Firewall, and operating system security patches. If you feel that more security is needed, please call or open a support ticket online and we will assist you.
- Can I download software to use on my computer?
All legally licensed software can be loaded. However, we have a limited amount of software that we support.
- Do I have to log off my computer every time I step away from my computer for a few minutes?
You are not required to log off of your workstation every time you step away, but we do require using a screen saver password or the Ctrl+Alt+Del feature to lock your workstation when it's not in use. In addition, your workstation will automatically lock when you do not use it for 45 minutes.
- We use a lot of student help in my area. Can we share a generic user account?
No. We require an individual logon account for all network resources. Some exceptions will be made for existing EMR setups.
- Can I save work data on my local computer?
Yes. But you are doing so at your own risk. HIT cannot guarantee the safety of data stored in this manner. If the data is patient-related, you are also bound to HIPAA storage regulations.
- Is there any restriction for loading or synching data on my laptop or PDA?
HIT cannot be held responsible for the manner in which you choose to store your data. If the data is patient related you are bound to HIPAA data storage regulations.
- If I know someone is sharing passwords, downloading software, or otherwise breaking the rules, is there a confidential way I can report it?
Please report all suspected situations to your supervisor.
- Is all data on the MSU HT campus network encrypted?
No. Currently the only data that is encrypted is the data that flows across the wireless network.
- I use my computer at home to access information on the HealthTeam network. Do I need any special security software on my PC?
If you are reviewing or transmitting patient data then you are subject to the HIPAA data security law, which states "All patient data being transmitted must be encrypted".
- Can I bring my home computer or laptop in and hook it up to use at work?
Yes, but you will be able to access only the Internet and any local drives. All shared drives will be inaccessible and we will not provide support for it.
- How long do you keep old network accounts and email accounts active after a person leaves HealthTeam?
Once we are informed of an employee's termination, the network account is disabled immediately; email accounts are disabled after 30 days. If business data is needed from the account, a departmental supervisor can submit a request to have it transferred to another location.
- Do you track who accesses my department's shared drives?
We keep records of every user with access to a shared resource. However, we do not track access of individual files.
- Can you or my supervisor see my emails?
No.
Definition of Terms
- Virus: A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:
Firstly, it must execute itself. It will often place its own code in the path of execution of another program. Secondly, it must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.
Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these relatively benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.
- Worm: Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. PrettyPark.Worm is a particularly prevalent example.
- Phishing Email Attacks: Fraudulent e-mail or website claiming to be legitimate, seeking identifiable information. Phishing is an attempt to steal your personal data.
- Spyware: Spyware is any program that gathers information about a person or organization without their knowledge. Also called a "spybot" or "tracking software", spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get in a computer as a virus or as the result of installing a new program. Spyware is often installed without the user's consent, as an automatic download, or as the result of clicking some option in a deceptive pop-up window.
- Trojan: Trojans are impostors: files that claim to be something desirable, but in fact are malicious. A very important distinction from true viruses is that they do not replicate themselves as viruses do. Trojans contain malicious code that, when triggered, causes loss or even theft of data. In order for a Trojan Horse to spread, you must in effect invite these programs onto your computers, for example by opening an email attachment.
- Hoax: Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. These hoaxes commonly contain false warnings and scary phrases such as:
"If you receive an email titled [email virus hoax name], do not open it! Delete it immediately! It contains the [hoax name] virus. It will delete everything on your hard drive and [extreme and improbable danger specified here]. This virus was announced today by [reputable organization name here]. Forward this warning to everyone you know!"