radinfo.dhts.duke.edu

HIPAA

Secure System Usage Memo

Please contact the DHTS Help Desk at (919) 684-2243 for any questions on the content of this pamphlet.

Stand-Alone Media Handling and Disposal

Stand-alone media is any media that is not integrated into equipment. Examples include:
  • Floppy disks
  • CDs
  • Tapes
  • Memory sticks
  • Zip drives
Stand-alone media containing sensitive information must be handled securely. If you need to dispose of any stand-alone media, contact your supervisor or manager about the disposal techniques for your area.

Data Backups/Storing Sensitive Data such as Protected Health Information

Data Backups are performed on all DHTS servers. Workstations are not backed up, so you should not store any data on the hard drive of the workstations. Always save your work to a network drive (e.g. h:dempoid, U:).

Encryption

No form of data from any computer system will be sent outside of Duke’s protected network without encryption (i.e. "scrambling" the data so it cannot be read by others). The approved form of encryption for documents is the encryption mechanism in WinZip. If you have questions about or need training on this encryption package, contact the DHTS Help Desk for more information.

Home PC’s Accessing Duke Protected Health Information

Workstations at non-DHE locations accessing Duke Protected Health Information or other sensitive information are subject to special considerations and restrictions. Please contact your ISSA if this applies to you.

Security Incidents

Examples of a security incident include:
  • Misuse of Duke Health Enterprise proprietary information or patient information
  • Misuse of information pertaining to DHE community members or staff members
  • Unauthorized use of DHE systems in ways that compromise system availability, performance, or integrity
  • You suspect someone knows your password, the last login date and time shown on the login screen is not correct, or your password has been locked.
  • You find unexpected sensitive information on a workstation
All security problems/incidents will be reported to your ISSA via the DHTS Help Desk.

Workstation Use

It is your responsibility to:
  • Arrange computer monitors so that, as much as possible, they are facing only you, while you are working on them.
  • Verify that all software installed on the workstation has a valid license. This should be obtained through proper entity/departmental procedures.
  • Observe the login screen when you log in to confirm that the last login date and time shown are reasonable. If they are not, report this immediately as a possible security incident.
  • Not make unauthorized copies of licensed or copyrighted software.
  • Not attach a modem to a workstation for dial-in access. Workstation remote access will be established using appropriate remote control software and an approved secure communication channel (e.g. VPN). Modems are to be used for dial-out access only.
  • Retrieve printed sensitive information immediately upon printing, when the printer is shared with others.
  • Not leave a workstation unattended in a logged state, where it can be accessed by anyone else. Exit all programs containing sensitive information and either log off or lock the workstation (e.g. by using a password protected screensaver) prior to leaving the workstation unattended. You should also save all data to a network drive before leaving your workstation.
  • Consult with your ISSA before making any changes to the workstation configuration (software or hardware).
  • Ensure that any mobile workstation (e.g. laptop, handheld) is returned to a physically secure environment when not in use.
  • Report any failures to follow the instructions contained in this memo by an end user to the ISM or ISD for the area in which that user works.
  • Report any theft/destruction of workstation equipment immediately to your Department Manager as well as your ISSA.
  • Report any problems or possible security incidents to your ISSA.

Workstation Use

It is the department manager’s responsibility to:
  • Evaluate placement of equipment to avoid unnecessary exposure of sensitive information in shared or public areas.
  • Locate equipment behind locked doors where feasible.
  • Utilize computer locks where computer theft is a high risk.
  • Assure that employees have been educated on the proper use of accounts/passwords and appropriate workstation use.
  • Monitor workstation sites regularly for good user practice, including adherence to the user responsibilities listed above.
  • Have a process for confirming that portable equipment containing sensitive information is accounted for on a regular basis, either daily or during each shift (based on normal department usage and hours of operation).
  • Notify the ISSA when any user leaves the Department or Duke so that their system IDs can be deleted and any associated files can be deleted or transferred.
  • Seek assistance from the ISM in the department in making choices related to physical security. They should see their manager to identify the ISM.

Passwords

Passwords are an important aspect of computer security. Compromise of a password can compromise sensitive data as well as the enterprise-wide network itself. All DHE employees (full time, part time, and temporary) and non-employees (vendors, consultants, contractors, etc.) who obtain permission to access and/or utilize Duke computing resources must use passwords and are responsible for taking the appropriate steps, as identified below, to select and secure their password(s):
  • An individual account is issued to an individual and is not to be shared with any other individual or group.
  • A shared password is considered to be a compromised password and must be changed immediately.
  • Technical support staff do not need your password to troubleshoot your system. If you are approached by IS staff claiming to need your password, contact the appropriate ISM or ISD immediately.
  • Take adequate measures to prevent unauthorized personnel from obtaining your password, including guarding against "shoulder surfers".
  • If you have been given access to several systems you may use the same password for each system.
  • If you think your password has been compromised, contact your ISSA immediately.
  • You will need to identify yourself using your challenge phrase when contacting the DHTS Help Desk.
Only strong passwords, defined as follows, are permitted:
  • Minimum length is 6 characters
  • Contains at least 2 letters and 1 non-letter
  • Must be changed at least every 180 days or when it is believed or known to have been compromised, whichever comes first
  • Must not be re-used in less than three years
Do Not:
  • Share your passwords with anyone, including administrative assistants, managers, and/or IS staff
  • Reveal a password over the telephone to anyone
  • Reveal a password in an email message
  • Say a password in front of others
  • Reveal a password on questionnaires or security forms
  • Use a Help Desk/Initial system password more than once before changing it
  • Write down a work related password
  • Store an unencrypted password on any computer system (including a PDA)
  • Use the same ID and password for DHE work related accounts as for non-work related accounts.
If you need assistance resetting your password contact your ISSA or the DHTS Help Desk. Computer system security is everyone’s responsibility. Please use the information provided in this pamphlet as a guideline while working on computer systems at the Duke Health Enterprise (DHE).
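The strong-password rules above (minimum length, letter/non-letter mix, 180-day change, no reuse within three years), turned into a small checker a help desk or account system could run before accepting a new password. This is an added example, not part of the memo or of any DHTS system; the salted SHA-256 history fingerprint, the 365-day year and the sample user record are assumptions.

```python
import hashlib
from datetime import date, timedelta

# Constants lifted from the memo's strong-password definition.
MIN_LENGTH = 6
MIN_LETTERS = 2
MIN_NON_LETTERS = 1
MAX_AGE_DAYS = 180
REUSE_WINDOW_DAYS = 3 * 365  # "three years"; 365-day years is an assumption

def check_strength(password: str) -> list[str]:
    """Return the strength rules the password breaks (empty list = strong)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    letters = sum(ch.isalpha() for ch in password)
    if letters < MIN_LETTERS:
        problems.append(f"fewer than {MIN_LETTERS} letters")
    if len(password) - letters < MIN_NON_LETTERS:
        problems.append("no non-letter character")
    return problems

def change_due(last_changed: date, today: date) -> bool:
    """True once the password has been in use for 180 days or more."""
    return (today - last_changed).days >= MAX_AGE_DAYS

def fingerprint(password: str, salt: str) -> str:
    """Salted hash kept in the history instead of the password itself (the memo
    forbids storing unencrypted passwords). Demo only; use bcrypt/argon2 in production."""
    return hashlib.sha256((salt + password).encode()).hexdigest()

def reused_too_soon(password: str, salt: str,
                    history: list[tuple[str, date]], today: date) -> bool:
    """History holds (fingerprint, date_retired) pairs; reuse is barred for
    three years after the password was retired."""
    cutoff = today - timedelta(days=REUSE_WINDOW_DAYS)
    fp = fingerprint(password, salt)
    return any(h == fp and retired > cutoff for h, retired in history)

def evaluate_change(new_password: str, salt: str,
                    history: list[tuple[str, date]], today: date) -> list[str]:
    """Every reason the proposed password must be rejected (empty = accept)."""
    problems = check_strength(new_password)
    if reused_too_soon(new_password, salt, history, today):
        problems.append("re-used less than three years after retirement")
    return problems

# Constructed sample history for one user: "Duke2003!" was retired on 2004-01-15.
SALT = "user-jdoe"
HISTORY = [(fingerprint("Duke2003!", SALT), date(2004, 1, 15))]
```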

 
Glossary of Terms:
ISSA - Information Security System Administrator
ISM - Information Security Manager
ISD - Information Security Director
Direct all questions to your ISSA.
If you do not know who your ISSA is, please contact the DHTS Help Desk at (919) 684-2243.

