Workstation Acceptable Use and Security Management (1.04)


Administrative (Non-Clinical) Policy
This administrative policy applies to the operations and staff of the University of Wisconsin Hospitals and
Clinics Authority (UWHCA) as integrated effective July 1, 2015, including the legacy operations and
staff of University of Wisconsin Hospital and Clinics (UWHC) and University of Wisconsin Medical
Foundation (UWMF).
Policy Title: Workstation Acceptable Use and Security Management
Policy Number: 1.04
Effective Date: March 1, 2017
Chapter: Administration
Version: Revision

I. PURPOSE

This policy defines appropriate workforce behavior regarding use of computer workstations and related
technology resources on the UW Health computer network. It also describes the procedures for securing
workstations, a critical component of protecting the UW Health computer network from internal misuse
and external intrusion.

II. SCOPE

This policy covers UW Health user workstations. This policy does not cover mobile computing devices
that run a mobile operating system (e.g. smartphones and tablet computers). For information on these
devices please refer to UW Health Administrative Policy 1.46-Mobile Device Access to Corporate Data
Systems.

III. DEFINITIONS

A. User Workstation - a desktop computer, laptop computer, or other electronic device that performs
similar functions and runs a desktop operating system. It includes all the electronic media the
workstation contains or has access to. While not specifically included in the workstation
definition, the procedures and safeguards outlined in this policy also apply to peripheral
electronic devices connected to workstations, such as printers, scanners, external hard drives,
cameras, and videophones.
B. UW Health Workstation - Any user workstation owned or supported by UW Health.
C. Personally Owned Workstation - Any workstation owned by a user or another entity, whether
located only at the user's residence or purchased for work purposes.

IV. POLICY ELEMENTS

A. Workstations and related equipment must be used in a manner consistent with:
1. The protection of patient privacy
2. The business needs of UW Health and its affiliates, and
3. Courtesy to other workstation users
B. Appropriate workstation security procedures must be observed to:
1. Assure the security of PHI and other confidential information

2. Maintain workstations in good working order, and
3. Protect computing systems from external intrusion or malicious software.
Any use that conflicts with these goals is explicitly prohibited.
C. Workstation Configuration Standards
1. UW Health Information Services (UWH IS) is responsible for determining configuration
requirements for workstations that are connected to the UW Health computer network.
This requirement applies to both wired and wireless network connections. Configuration
requirements will include, at minimum:
a. Hardware standards
b. Operating system standard
c. Permissible software
d. Protection from malicious software, such as viruses
2. Workstations that do not meet configuration requirements may not be connected to the
UW Health computer network unless evaluated and approved by UWH IS.
3. Users may not attempt to circumvent or disable any security protections of a workstation.

V. PROCEDURE

A. Procedures for All UW Health Workstations
1. Physical Safeguards:
a. Workstations located in public areas must be physically positioned to minimize
the risk of incidental access to PHI. Where physical positioning options are
limited, privacy screens should be used to limit the area of visual display.
b. UWH IS will apply automatic screen savers to workstations and inactivity
timeouts to applications to further mitigate the risk of incidental exposure to PHI.
The standard UW Health inactivity timeout setting is 15 minutes. Timeout
settings may be shorter in cases where it is not possible to provide adequate
physical safeguards.
c. Prior to leaving a workstation unattended, users must log off all applications and
the network, or use a workstation lock function. Users must assure no PHI
remains visible or available to others before leaving a workstation unattended.
2. Technical Safeguards:
a. UWH IS will determine the technical security protections required on
workstations to minimize risks from external intrusion or accidental misuse.
b. UWH IS staff are the only staff authorized to download or install applications
from the web or media to a workstation, unless explicitly authorized by UWH IS.
c. Users may not install or use personally acquired hardware devices on a
workstation, including modems or wireless routers.
d. Workstation users should promptly report any problems affecting the
functionality or security of a workstation, including unknown programs that
appear on a workstation, to the UWH IS Help Desk (608-265-7777).
3. Workstation Reuse or Disposal:
a. When a workstation reaches the end of its lifecycle or is no longer needed, the
workstation must be returned to UWH IS. UWH IS is responsible for assuring
any PHI or other confidential material stored on the device is destroyed prior to
disposal or reuse.
4. Storage of PHI:
a. PHI and other confidential data should be stored on network server storage space
in personal (e.g. home or H: drive) or departmental shared (e.g. U: drive)
directories. Confidential data should not be stored on a local workstation hard
drive (e.g. C: drive), because this storage location is less secure. In addition, data
stored locally will not be backed up by UWH IS.
b. Users should carefully evaluate whether it is necessary to store PHI or other
confidential data in shared directories, and take care to do so only when
operationally necessary.
c. Users may not save or store, even temporarily, PHI or other sensitive business
data on personally owned workstations.
B. Additional Procedures for UW Health Portable Workstations - Portable workstations include
laptops, notebook computers, or other devices that run a desktop operating system that can be
easily transported.
1. Physical Safeguards:
a. When not in use, portable workstations should be physically secured inside a
locked office or locked cabinet.
b. When transported, portable devices should be safeguarded from theft or loss with
the same care provided to a personal credit card.
c. Any portable device used to store or access PHI or other confidential data should
not also be used for personal purposes that could expose the PHI to unauthorized
access, such as use by family members.
2. Technical Safeguards:
a. All UW Health workstations provided for staff to work from non-UW Health
locations, including laptops or other computers issued to staff for use at home,
will be encrypted by UWH IS.
b. Users should follow instructions provided by UWH IS to assure a portable device
regularly receives security update downloads. Devices that are not regularly
updated may become unusable until the updates are installed.
c. Authorized users of portable devices that are enabled to use home network
connections, as well as UW Health network connections, must ensure the
security of their home network and computing environment. Users who fail to
secure their home network may acquire infections on the portable device, and
transmit that infection to the UW Health network.
d. For additional information regarding remote access security, see UW Health
Administrative Policy 1.01-Remote Access to Electronic Information Systems.
C. Connecting a Workstation to the UW Health Network
1. UWH IS, or other individuals granted explicit rights by UWH IS, may connect
workstations and other devices to the UW Health computer network. Unauthorized
personnel may not attempt to establish a connection to the UW Health computer network.
This requirement applies to both wired and wireless network connections. This
requirement does not apply to separately secured segments of the network that were
created for non-UW Health populations, such as the public wireless network or UW
Health affiliate virtual local area networks.
2. Personally owned user workstations, or user workstations owned by any entity other than
UW Health, may not be physically connected to the UW Health computer network.
(Authorized users can access UW Health resources via a Citrix virtualized connection on
these devices using free patient Wi-Fi.)

VI. RELATED POLICIES

Administrative Policy 1.01-Remote Access to Electronic Information Systems
Administrative Policy 1.06-Electronic Media Handling, Destruction, and Disposal
UW Health Administrative Policy 1.46-Mobile Device Access to Corporate Data Systems


VII. COORDINATION

Sr. Management Sponsor: SVP, Chief Information Officer
Author: Sr. Security Consultant

Approval Committee: UW Health Administrative Policy and Procedure Committee

SIGNED BY

Elizabeth Bolt
UW Health Chief Administrative Officer


Revision Detail:

Previous revision: 122013
Next revision: 032020