Computers / Email / Technology
- Authorized By: George Moore, Co-Interim District Director of Health
- Initial Effective Date: 3/22/2019 (LMS)
- Replaces: Computer Use Policy, dated 3/22/2019
- Reviewed:
- Revised: 8/16/2021, Moved to Google Sites 8/12/2021, 10/1/2022 (GM+SD), 1/29/2024, 3/1/2024, 5/1/2024 (PJM)
- Contact: Deputy Director of Health
Purpose
To assure adherence to health department regulations regarding computer, internet and e-mail use and secure hardware and sensitive data, the following procedures are established.
Policy
This policy defines what staff can and cannot do with the information systems, including computers, internet and email.
All Staff Roles and Responsibilities for Security/Access/Daily Use
Users must read this policy and the Commonwealth Office for Technology (COT) Policy CIO-060.
Users are responsible for proper use and access to the equipment and for helping safeguard the integrity of the network. NKY Health can monitor server, hard drive, internet and e-mail use at any time.
Security breaches or information system compromises are to be reported immediately to supervisors. Supervisors are to report these instances to the Information Systems Analyst and the HIPAA Security Officer.
All staff will have a computer made available to them (some will have their own and others will have access to shared computers). Computer/internet/email use is restricted to appropriate work-related uses required by your job responsibilities.
Do not allow others to view or have access to confidential or personal health information (PHI), except for authorized work-related purposes. Do not take confidential or PHI data off-site without prior authorization from your supervisor and be sure to adequately secure data/equipment if you must have this data off-site.
Lock or re-start your computer if you will be stepping away from your computer for an extended period of time. To lock your computer: Press the Ctrl, Alt, and Delete keys at the same time, and then select “Lock this Computer”. This is especially important if your computer is in an area where visitors or patients might be able to access it.
Unless directed otherwise by the Information Systems Analyst, please do the following at the end of each work day:
Monday through Thursday: Re-start your computer, which allows updates to be completely loaded, and protects your computer from being used by an unauthorized user and a good time to complete this task is as you leave your workstation for the day or to go to lunch; just start the restart process and leave, as it is not necessary to wait for it to finish (no need to log back in).
Friday: Shut down your computer (unless needed to be left on for remote access).
No programs/executables are to be loaded onto any NKY Health computer or computer run on the NKY Health data network without authorization from the employee’s supervisor, after consultation with the head of Information Systems. No games are to be loaded on any NKY Health computer. Please contact Information Systems if removal is needed.
Do not open e-mails/attachments from unknown sources/senders as this is a common way for malware to spread. There is always the possibility of viruses. When in doubt, contact the Information Systems Analyst to investigate.
No unauthorized or unlicensed programs are to be installed on NKY Health computers or computers connected to the NKY Health network. If your computer is in violation of this, you will be notified of the issue and Information Systems Staff will remove the programs and notify your supervisor.
The head of Information Systems is responsible for the removal of any NKY Health computer that will no longer be in service. Any computer that will be disposed of, traded-in or donated is to have no data remaining on the hard drive or in any other drives/storage devices. Information Systems Staff will “scrub” (erase all data from the hard drive) prior to transfer of the computer(s).
Supervisors are to notify the head of Information Systems of an employee’s last day of employment. This ensures that network/internet/e-mail access can be cancelled appropriately. Contact the head of Information Systems if access needs to be denied for any other reason.
Blocked Internet Sites - If, for work-related purposes, you need access to a blocked internet site, please do the following: Forward your request, which needs to document the legitimate business reason, to your Division Director who then needs to approve the request by forwarding your request to the District Director of Health. If the District Director of Health approves, he/she will forward the approved request to the head of Information Systems asking that the site be unblocked.
Refer to 6.14 of NKY Health's Guide to Personnel Policies.
Passwords
Purpose
The purpose is to minimize the risk of inappropriate access to or disclosure of NKY Health information.
Password violations are the number one security problem on networks today. This policy is designed to ensure that all Public Health and individual data stored on the network are protected through reasonable and appropriate use of password security. This policy is part of compliance requirements of the Health Insurance Portability and Accountability Act (HIPAA), a federal statute intended to assure the privacy and confidentiality of patient identifiable information
Policy
The Department for Public Health (DPH) and all local health departments (LHDs) shall have a computer security program that includes the periodic changing of computer access passwords.
Users who violate this policy will be held responsible for a breach of security, will be subject to disciplinary action, and will be accountable for any impact a violation may have on the integrity of data or performance of the network.
Anyone using NKY Health's technology shall become familiar with and comply with the Commonwealth Office of Technology (COT) Enterprise Policies.
Initial Password Assignment
An initial password is chosen for the user at the time they receive their account. For access, a user is expected to change the password during the first login. This action provides secure access to the NKY Health Domain.
Selecting Passwords
Required considerations when selecting a password - reference CIO-072 with the Commonwealth Office of Technology (COT) Enterprise Policies.
Passwords should not contain:
Repeated letters or numbers or sequences of letters or numbers.
A word contained in any English or foreign language dictionaries.
A common phrase.
Names of persons, places, or things.
The User ID.
Repeating letters with numbers that are indicative of the month; i.e., vmPtm$01 in January, vmPtm$02 in February.
Passwords must:
Be eight (8) or more characters.
Contain uppercase letter(s).
Contain lowercase letter(s).
Contain a number.
Contain a special character.
Tips for Good and Bad Passwords
Below are recommendations to follow when selecting passwords.
Non-obvious passwords are more assured if they:
Are 8 characters or more.
Consist of a mixture of upper-and lower-case letters.
Contain at least one digit (0-9) and one special character.
Suggestions for selecting GOOD passwords:
Passwords should be easy to remember so they don’t need to be written down.
The user should be able to type their password quickly, so no one looking over their shoulder can steal it.
Put together an acronym.
Make a sentence: UrOK4me
Use a phrase or song acronym: 2B0ntbT!tQ (to be or not to be, that is the question)
Examples of BAD Passwords:
Any proper name (like Smith or John).
A place or proper noun (like Duluth).
Any word in the English or Foreign dictionary.
A street name, telephone number, license number.
A birthday or anniversary date.
Passwords with the same letter (like aaaa).
Simple patterns of letters from the keyboard (like QWERTY).
Any of the above spelled backward.
Any of the above followed by a single digit.
Easily associated with the user or their interests.
Keeping Passwords Secure
Passwords must be:
Kept confidential.
Changed at least every 90 days unless otherwise approved
Changed whenever there is a chance that the password or the system could be compromised.
Encrypted when held in storage or when transmitted across the network when the path is connected to an external network.
Passwords must not be:
Reused.
Shared with other users.
Kept on paper unless it is securely stored.
Included in a macro, script or function key to automate the log-in.
Stored in any file, program, command list, procedure, macro, or script where it is susceptible to disclosure or use by anyone other than the owner.
Vendor default passwords (default passwords must be changed immediately upon use);
Visible on a screen, hardcopy, or any other output device.
Hard coded into software developed (unless permission is obtained by the agency security office).
Stored in dial up communications programs or internet browsers at any time.
Recorded in system logs unless the password is encrypted in the log.
Examples of activities, which will jeopardize a user’s privilege to access the computer resources, include:
Writing down their password and posting it in the work area.
Sharing their password (in person, by email or by phone) with other individuals whether known or unknown.
Keying in their password for others to use.
Sending their password over the Internet or through E-mail.
Including their password in a macro or function key to automate the log-in;
Store their password in any file, program, command list, procedure, macro, or script where it is susceptible to disclosure or use by anyone other than the owner;
Vendor default passwords (default passwords must be changed immediately upon use);
Hard code password into software developed (unless permission is obtained by the agency security office);
Store their password in dial up communications programs or internet browsers at any time;
Record their password in system logs unless the password is encrypted in the log.
Although discouraged, if the user writes down their password, follow these precautions:
Do not identify it as a password.
Do not attach it to ANY part of the computer or work area.
Make the written version different from the original.
Do not include the computer or account name.
Attempt to store in a secured location.
Changing Passwords
Self-initiated change of password:
Log onto the computer.
Press Ctrl-Alt-Del.
Select Change Password. A dialog box labeled “Change Password” will appear.
In the box labeled Old Password, type in your old password.
Type a new, valid password in the box labeled New Password.
Retype the new password in the Confirm New Password box and click OK. A message will indicate successful completion.
To respond to an automated prompt for change of password:
The automated system will alert the user when it is time to change his/her password, prior to the expiration date. The notice will appear when the user first logs on to the computer system.
It will ask the user if they want to change their password.
If the user says no, the prompt will disappear and the logon will continue.
If the user says yes, they will be prompted to type in a new password and will then be asked to type it in a second time, and then click on OK. At that point, the new password is in place.
If the user says no, the same prompt will appear again each day when the user logs on until the user changes it or until expiration date.
Passwords are required to be changed every 90 days as a routine practice. The computer system will alert you prior to expiration.
Compromised Password Procedure
Should a password be compromised, the owner should change his/her password immediately to avoid future unauthorized access.
Immediately after making such a change, the individual must contact the head of Information Systems to report the suspected compromise.
Commonwealth Office of Technology (COT) – Applicable Policies
Electronic Records Retention
The following guidelines apply to email retention:
The integrity, reliability, and authenticity of email messages must be protected through compliance with all security and data management requirements established in the Enterprise Architecture and Standards.
Per the acceptable use policy referenced below, agencies must instruct employees and take steps to ensure that non-business related email messages are regularly deleted from email stores (inboxes and personal folders). Transitory messages, which are defined as messages that are for informational and reference purposes only and do not set policy, establish guidelines or procedures, certify a transaction, or become a receipt, must also be routinely disposed of.
Retention periods for email messages vary according to the functions they are associated with. It is the responsibility of the agency to codify retention practices through development of records schedules in cooperation with the Kentucky Department for Libraries and Archives. Retention requirements cannot be met through routine agency backups, and agency staff must be made fully aware of this and the appropriate schedules that must be created and adhered to.
EAS Appendix G, Guidelines for Managing E-Mail in Kentucky State Government, promulgated by the Department for Libraries and Archives, provides agencies with further guidance on the implementation of this standard.
The following are retention requirements:
Level 1 Data – Non-business or non-essential business emails should be deleted immediately.
Level 2 Data – Every day operational emails should not be kept over two years.
Level 3 Data – Policy directive emails, official program communications from Local, State or Federal governments, should be kept permanently, by the NKY Health sender of the email or first NKY Health receiver (when the email in reference is incoming from outside agencies.)
Storage
NKY Health servers are backed up daily with a rotation of weekly tapes/systems being sent off-site for further protection. Retrieving a mistakenly deleted or missing file from the server is predicated on employees storing their work on the server (H/S/T/Other drives). There is no guarantee that a file can be restored. It is not recommended to store work on your machine’s hard drive since these are not backed up by any regular method. Please contact the head of Information Systems for assistance in retrieving a file.
Each user will be given access to their own space on the NKY Health server. This, as with all computer actions/processes/devices, is for work related purposes only. Please regularly delete files that are no longer needed.
Each division has its own drive on the S-drive (i.e. S:\Clinical) and some sites have their own server. Additionally, the S-drive is a place where files needed by the entire NKY Health staff can be retrieved and saved. Please use these drives responsibly. Do not save files to the S-drive when only your division needs access to it. Use the appropriate storage location. Do not save your individual files on the S-drive. Use your H or division drive. Remember to regularly delete files that are no longer needed. Files identified as not belonging on the S-drive will be deleted without warning.
Data and files that are to be shared with other employees should be stored on the appropriate shared network drive. Network drives are backed up nightly for security and recovery reasons. Work related data that is not shared with other employees (for example travel forms) should be stored on the employee’s H: drive which is also backed up nightly. Any data that is stored on the C: drive or on removable media can not be backed up by the IT Department, and is also subject to theft and discovery in the event the device itself is stolen.
Sensitive and/or confidential data, such as personal client data, HIPAA-protected data and personal employee data, are not to be taken off NKY Health property or official work off-sites (electronic or otherwise). Employees should not have this data at their home or in their vehicles, be it hardcopy, external storage media, laptop/desktop or on their smartphones.
Data that is temporarily stored on the C: drive or removable media to be taken offsite for a presentation, or to be worked on by the employee while offsite is permitted, however, this should never include sensitive and/or confidential data, such as personal client data, HIPAA-protected data and personal employee data as referenced above.
Portable devices such as laptops and smartphones, if you choose to use these for NKY Health purposes or have access to NKY Health data or e-mail messages, need to be closely watched. While the monetary loss is not insignificant, having data stolen and/or made public could have catastrophic results for the Department. All such devices should be protected by a secure password and have time-out/sleep settings to be set at one-minute or less (or the lowest setting closest to one-minute) to prevent the data from being accessed in the event of loss or theft, whether the device itself is the property of NKY Health or the employee. Additionally, wi-fi connections to these devices should be secured, password–protected wireless routers whenever possible. Adherence to above guidelines for sensitive and/or confidential data or HIPAA-protected data is still required.
Any removable media (DVDs, CDs, USB drives) that contain or have contained any work related information or data should be kept under close personal supervision to ensure that the data can not be copied or deleted by any unauthorized user. Adherence to above guidelines for sensitive and/or confidential data or HIPAA-protected data is still required.
Additional Procedures for Staff with VPN Access
VPN, which stands for Virtual Private Network, technology allows authorized computer users to work from remote sites with access to the same computer and network resources they would have if they were at their workstation in the office.
Once the VPN “tunnel” has been established, all network traffic into and out of the PC is encrypted, and directed via the Internet into our internal network. For security reasons, it is recommended that, whenever possible, you use either a wired Internet connection or a secured wireless connection. This adds a second layer of encryption that would have to be cracked in the event that an unscrupulous person were able to intercept your transmission, an event that happens all too often at public Internet hotspots. An additional layer of security is also added with two factor authentication where employees use a hard token for their second form of authentication.
The following guidelines apply:
Remote users should know when it is appropriate to use the VPN, and when it is not appropriate. When a remote user needs access to resources (data, files, etc.) that are located within the NKY Health network and are not publicly accessible, the VPN is the only way to access those resources.
Always choose a hard-wired internet connection first, then a secured wireless connection as a second choice. Public internet/wi-fi “hotspots” are typically not secured and should only be used as a last resort and then only for brief periods of time (even if it means downloading the file you need locally).
When accessing the VPN from your home wi-fi, please secure your wireless at the highest level that is practical. At a minimum your wi-fi router should be password protected.
If the remote user is using files stored locally on the computer, is using the Internet, or checking email, it is not necessary to use the VPN. Using the VPN when it is not needed has two negative effects;
In the event the remote computer is breached by a hacker, if the VPN is active, the hacker would have the same access rights inside the NKY Health internal network as the remote user; the hacker would have access to private files and confidential information. ,
When the VPN is active all network traffic is routed through the VPN, over the Internet, through the NKY Health firewall, and into the internal NKY Health network. If the remote user is using the Internet or checking email, that network traffic is then routed back through the NKY Health firewall to the Internet. This can cause a delay in response time for the user, and can cause congestion in the NKY Health firewall, which could have a negative impact on users at their workstations.
Google Drive/Sites
Purpose
To encourage the use and advantages afforded by access to Google DriveDocs and Google Sites and to assure efficient use of NKY Health server space and improve performance/use.
Policy
Google DriveDocs, and Google Sites and the shareall server folder are for official NKY Health business only.
This policy outlines when staff should/could use the Google DriveDocs, and Google Sites and shareall features.
Guidelines for Using Google DriveDocs
Use Google DriveDocs (and Google Sites) for documents that need to be accessed by multiple staff (or others in an official capacity with NKY Health) and do not need to retain the special formatting embedded in other programs such as Word, Excel, Publisher, etc.
Although similar to saving/working on documents on shareall, Google DriveDocs allows multiple users to access and work on documents from a wider range of locations.
The Google Drive can be used for HIPAA-protected, confidential or sensitive information (for clients/staff/other) if a Business Associate Agreement has been made with Google. However, this information should never be included in a Google Doc or on a Google Site.
Please delete documents when no longer needed.
Google DriveDocs will be routinely checked for documents that are outdated or no longer being used. Document owners will be contacted prior to any action being taken.
Guidelines for Using Google Sites
Google Sites allow NKY Health staff to set up their own websites for their program needs.
Personnel Polices, Operational Policies and forms can be found on their respective Google sites.
Please delete sites when no longer needed.
Google Sites will be routinely checked for sites that are outdated or no longer being used. Site owners will be contacted prior to any action being taken.
Google Sites must follow the template for consistent branding and written styles.
Staff should keep a back up of data maintained on Google Sites.
To access community health service reports, please go to the specific Community Health Service Report site(s) for your program and follow the link(s).
Shareall and S Drive
Purpose
To provide guidelines on the use and maintenance of the Shareall and S-Drives, so that collaborating on files and storage of commonly used files is as effective and efficient as possible.
Policy
These guidelines are to be followed so that the Shareall and S-Drive do not become cluttered or too cumbersome to find files.
S-Drive Guidelines for Use and Maintenance
The S-Drive should only contain Divisional or Unit folders (i.e., Administration & Accounting, DDH, Population Health, Clinical, etc.) and the Shareall folder.
Files that are to be collaborated on or needed by only a particular Division should be kept in the respective Divisional folder residing on the S-Drive.
The IS Analyst (or his/her back-up) is the only person who can add folders to the S-Drive. Contact the IS Analyst for permission to add a new Divisional/Unit folder.
Shareall Folder Guidelines for Use and Maintenance
The Shareall folder is for:
Folders/files that require collaboration by multiple Divisions/Units, and
Common files that need to be accessed by multiple Divisions/Units (i.e. printer scripts, etc.).
All files must be put in a folder within Shareall (no orphan files).
Division-specific folders/files (i.e. a file that only Clinical staff would need) are to reside in their respective Divisional folder on the S-Drive.
Staff should not keep their individual work files on the Shareall (i.e. Travel Forms for their reimbursement). These should be kept on their H-Drives.
The folder structure will only be edited by the following staff:
1st Tier Folders will only be created/edited by Division Directors and Unit Heads (i.e. HR Administrator creates Applications folder).
2nd Tier Folders will only be created/edited by Division Directors, Unit Heads and Managers (i.e. Accounting manager creates an Accounting Specialist Resumes folder under the Applications folder)
3rd – 4th Tier Folders can be created by any program staff who have a valid need to create the folder.
A Purged folder will reside on the Shareall when files need to be removed from the Shareall drive. Place all files/folders no longer needed in the Purged folder.
When possible, file names should be logical, specific and easily recognizable and contain date and version so that files can be identified without opening.
File names should be under 40 characters long, including date and version.
Collaborated files should be named with the most recent date and/or version of the draft. Previous versions should be put in the Purged folder if no longer needed.
Final collaborated documents (that need to be accessed by multiple divisions) should reside in the appropriate folder so long as they are still relevant. Drafts no longer needed should be moved to the Purged folder.
Each year between mid-December to mid-January, there will be a District wide clean up of the Shareall drive. During this time, staff should review folders/files they created to make sure they are still needed on the Shareall drive. If not, they should be moved to the Purged folder.
After the clean up, the IS Analyst will move the contents of the Purged folder to a separate hard-drive/server. Annually, on or around July 15, these contents will be permanently deleted. During this time, contact the IS Analyst if you need access to a file previously moved to the Purged folder.
Division Directors and Managers are to assure staff understand the guidelines upon hire, and that the annual cleanup is performed by their staff.
How to Send an Encrypted Email
Revision Log
10/1/2022
Updated policy header.
Updated link to Commonwealth Office for Technology (COT) Policy CIO-060.
Changed IT Manager to Information Systems staff.
1/4/2024
Changed contact information to Deputy Director.
1/29/2024
Added how to send an encrypted email
3/1/2024
Updated language throughout.
5/1/2024
Passwords Google Site incorporated as a section in this policy.
Google Docs/Sites incorporated as a section in this policy and Google Docs changed to Google Drive.
Shareall and S Drive incorporated as a section in this policy.