Union Health Standard for General Workstation Security and Use

Category

Standard

Physical

• Thin Client and Zero-Client workstations – clinical access to applications and the Union Health Enterprise Medical Records (EMR) system. (Operating Systems are locked down and non-accessible via centrally managed policy.)
• Desktop computers – general use systems, centrally managed by SCCM and/or Intune.
• Laptop computers – portable general use systems, centrally managed by SCCM and/or Intune.
• Portables Devices - Tablets, phones, and other portables devices should not be left unattended in public or unsecured locations. When not inuse, they should be secured  in a locked container or secure/locked area.
• All UNION HEALTH-managed workstations must be used for Union Health business.
• All UNION HEALTH-managed workstations may only be used by Union Health employees and for business purposes only.
• Be conscious of your work environment and who may be able to see a screen or printed documents, or hear calls with Restricted or Highly Restricted Data. Use privacy screens on monitors where sensitive information is visible to unauthorized viewing.

Operating System

• The UNION HEALTH-managed operating system must be used and maintained as such.
• Only required additional services will be approved and enabled.
• No workstation should be configured to run as a server of any kind.
• Administrative rights will be used only for approved Union Health business.

Applications

• Only authorized, supported, and properly licensed software can be installed.
• Any application updates and patches should be applied at frequency of release. When possible, applications should be configured to update automatically.
• File sharing software must not be installed.
• Recreational software, such as games, video downloaders, and non-work related software should never be installed on a system used for Union Health business.

Authentication

• Enterprise Active Directory must be used for authentication unless approved.
• All systems must have a password-protected with automated screenlock as configured in the UNION HEALTH system baseline, unless otherwise exempted.
• Auto-login devices must have time-outs configured in applications based on 10 minutes of inactivity.
• Badge-authenticated devices (Imprivata) must have time outs configured based on 10 minutes of inactivity.
• Authentication to workstations must be made using least-privilege accounts, using the minimum account necessary to perform job functions.

Malware Protection

• All systems must use endpoint protection software that is kept up to date as configured in the UNION HEALTH system baseline.

Network Protection

• Any home wireless networks must be configured with modern, strong security protocols (such as WPA2).
• Public networks must be used with a VPN (Secure Pulse or Global Protect).
• Ensure the default passwords for private wireless routers have been changed to a strong password.
• A router firewall should be configured to block unnecessary inbound ports.
• The workstation should be disconnected from the Union Health’s network when daily remote work is complete.

Encryption

• All laptops must utilize hard disk encryption such as McAfee Disk Encryption as configured in the UNION HEALTH system baseline.
• Removable media must not be used to store Restricted or Highly Restricted data, unless as approved on an encrypted USB storage device.
• Transmission of ePHI must utilize encrypted protocols such as HTTPS, SFTP, and encrypted email.

Data Storage

• Only supported, authorize devices and network drives may be used to store Union Health Data.  (See
• Only supported, authorized cloud storage services may be used to store UNION HEALTH data.

Data Destruction

• Any printed copies of restricted or highly-restricted data must be shredded before disposal.
• When no longer needed, hard drives and removable media must be securely sanitized or destroyed by UNION HEALTH OIT staff. 

Training

• Annual security training is required.
• Review and acknowledgment of UNION HEALTH Standards is required.
• Periodic email security training is recommended as sent by Information Systems.