*Not in any particular order; some items are technical in nature.
 
 
1. Trained all users on HIPAA policies
2. Enabled automatic password-protected screen savers after 15 minutes of inactivity on all computers.
3. Revised and/or created user forms for new users, rights changes and user account deletions.
4. Sent an e-mail to everyone asking any user who accesses or stores ePHI on a PDA to register it with IT, and reminded them to enable a password on the device so the ePHI is protected if the PDA is lost or stolen.
5. Reviewed the current backup strategy. Decided to run backups on the weekend and to test data restores from every monthly tape to verify that data/ePHI can be successfully restored. Backup to Disk is scheduled to be implemented in Fall 06. After data is written to disk, it will be immediately written to tape for off-site storage. Backup to Disk will ensure data is kept in three places: the original location on the server, the backup disk, and tape.
6. Enabled Spybot Search and Destroy on all computers and scheduled a weekly scan to remove spyware from each computer.
7. Symantec Antivirus is enabled on all computers to prevent virus infection. Pattern files are downloaded every day. Virus scans run every day, after the daily pattern download.
8. Automatic Updates are enabled and scheduled to download critical Windows updates each Saturday. Patchlink is used to deploy patches every night. Patchlink is capable of delivering non-Microsoft patches.
9. Enabled a security disclaimer before login on all computers.
10. Established business associate agreements with vendors.
11. Remote access to e-mail and to data stored on departmental servers was encrypted and secured.
12. Sent an e-mail to all users to remind them of the Campus E-mail HIPAA policies.
13. Enforced strong passwords on LAN accounts and other departmental systems when possible.
14. Departmental servers are physically secured, connected to UPSs, and reside in controlled environments when possible. Critical security patches are applied to all servers in a timely fashion. All critical servers are covered by a Gold warranty with a 4-hour response time for hardware failures.
15. All critical servers containing sensitive data/ePHI are protected by the organizational firewall and locked with NOS screen savers when the console is not in use.
16. Document server and LAN configurations. ***continually updated
17. Maintain a hardware/software inventory of all workstations and servers.
18. Eliminated shared accounts when possible. Verified that the remaining shared accounts do not provide access to sensitive information or ePHI.
19. Created a weekly checklist to review various security logs.
20. Sent out an e-mail to all users asking them to review the security of PHI on departmental servers and to report any subsidiary applications. Also distributed "HIPAA - It's Good Medicine" and a link to our Departmental HIPAA page.
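As an added example that is not part of the original checklist, the following PowerShell audit checks two of the workstation settings listed above (item 2, the password-protected 15-minute screen saver, and item 8, Automatic Updates scheduled for Saturday) on the local machine and reports whether each is in place. The registry locations are the standard Windows ones; the function names, the 15-minute and Saturday thresholds, and the pass/fail reporting are assumptions made for this example.

```powershell
# Added audit example (not from the original checklist). Reads the local registry
# and reports compliance for items 2 and 8. Function names are hypothetical.

function Test-ScreenSaverLock {
    param([int]$MaxTimeoutSeconds = 900)   # 15 minutes, per item 2
    # Per-user screen saver values are REG_SZ strings; casting a missing value yields 0.
    $desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $active  = [int]($desktop.ScreenSaveActive)
    $secure  = [int]($desktop.ScreenSaverIsSecure)   # 1 = password required on resume
    $timeout = [int]($desktop.ScreenSaveTimeOut)     # seconds of inactivity
    [pscustomobject]@{
        Control   = 'Screen saver lock (item 2)'
        Compliant = ($active -eq 1 -and $secure -eq 1 -and
                     $timeout -gt 0 -and $timeout -le $MaxTimeoutSeconds)
        Detail    = "Active=$active Secure=$secure TimeoutSeconds=$timeout"
    }
}

function Test-AutoUpdateSchedule {
    param([int]$RequiredDay = 7)   # ScheduledInstallDay: 0 = every day, 1 = Sunday ... 7 = Saturday
    # Group Policy values take precedence over the local Automatic Updates settings,
    # so the policy key is consulted first.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    )
    $au = $paths |
          ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
          Where-Object { $null -ne $_.AUOptions } |
          Select-Object -First 1
    $options = [int]$au.AUOptions            # 4 = download and install on a schedule
    $day     = [int]$au.ScheduledInstallDay
    [pscustomobject]@{
        Control   = 'Automatic Updates schedule (item 8)'
        # A daily schedule (0) still covers Saturday, so it is accepted as well.
        Compliant = ($options -eq 4 -and ($day -eq $RequiredDay -or $day -eq 0))
        Detail    = "AUOptions=$options ScheduledInstallDay=$day"
    }
}

# Run both checks, show the results, and exit non-zero if anything failed so the
# script can feed the weekly review checklist (item 19) or an inventory tool.
$results = @(Test-ScreenSaverLock; Test-AutoUpdateSchedule)
$results | Format-Table -AutoSize
if ($results.Compliant -contains $false) { exit 1 }
```

Run it as the logged-on user so the HKCU screen saver values are the ones that actually apply to that account; the Automatic Updates keys are machine-wide and readable without elevation.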