Effective: 10-07-21
Supersedes: HR 436
Purpose: To provide a security framework that will ensure the protection of Brewster and EasCare Ambulance Service Information from unauthorized access, loss or damage. This policy will establish minimum criteria for access, controls, use and security of Brewster and EasCare Ambulance Service computer, networks and Information Systems.
Policy: Brewster and EasCare Ambulance Service data and information stored on its Information Systems is considered confidential. Access to Company Information Systems involves both trust and responsibility. Users must ensure that private or sensitive information is not disclosed to unauthorized individuals or organizations that do not have a legitimate reason for access to the information. The purpose of this policy is to provide a security framework that will ensure the protection of Company information.
Procedure:
Passwords
The company has an obligation to effectively protect the intellectual property and personal and financial information entrusted to it by employees, patients and partners. Using passwords that are difficult to guess is a key step toward effectively fulfilling that obligation.
Any password used to access information stored or maintained by the company must not contain the user's account name or parts of the user's full name that exceed two consecutive characters, be at least eight (8) characters long and contain characters from three of the following four categories:
· English uppercase characters (A through Z)
· English lowercase characters (a through z)
· Base 10 digits (0 through 9)
· Non-alphabetic characters (for example:!,$, #, %)
Passwords expire after 180 days and must be reset. When a password expires or a change is required, users should create a new password that is not identical to the last three passwords previously employed. Complexity requirements are enforced when passwords are changed or created. After 5 invalid logon attempts user account will be locked with account lockout duration of 15 minutes.
Passwords stored electronically may not be stored in readable form where unauthorized persons may discover them. Passwords may not be written down and left in a place where unauthorized persons might discover them. Passwords may never be shared or revealed to anyone other than the authorized user. If a password is suspected of being disclosed or known to have been disclosed to anyone other than the authorized user, it should be changed immediately.
Logon and Logoff Process
All users must be positively identified prior to being able to use any company computer or communications system resources. Positive identification for internal company networks involves a user ID and password, both of which are unique to an individual user, or an extended user authentication system.
Modems, wireless access points, routers, switches or other devices attached to network-connected workstations located in company offices are forbidden unless they have been approved by the Information Technology department.
Any time a user leaves their terminal unattended they must lock their session or log off entirely. If there has been no activity on a computer terminal, workstation, or personal computer for a certain period of time, the system should automatically blank the screen and suspend the session. Re-establishment of the session must take place only after the user has provided a valid password. The recommended period of time is 30 minutes. An exception to this policy will be made in those cases where the suspended session interferes with the ability of an instructor to complete their classroom instructional activities.
User Provisioning / De-Provisioning
The Information Technology group is notified of all new hires, and whenever an employee leaves the company. Depending on role and job function, new employees will be given appropriate access to various computer functions. For those assigned to billing or dispatch, this generally includes minimum network share access, and default level access to the Computer Aided Dispatch (CAD) system. An account is also created in Active Directory with a one-time password which will require a reset upon initial log in. Team-members assigned to the Field will have an account created in the electronic patient care reporting (EPCR) system. All employees are also added to the time and attendance system through which they may receive email notifications and other messages.
When an employee is leaving the company, their Active Directory (if one exists) will be disabled, as well as their access to the ePCR system. Their Office365 password will be changed and logged out of any sessions, and any emails sent to their former account will be forwarded to their supervisor for response.
Bring Your Own Device “BYOD”
To ensure the security of the Brewster Ambulance Service network, the only “BYOD” device allowed are smart phones for email access only, and that is run through Office365 to permit remote log out and account removal. Brewster Ambulance Service is not responsible for loss or damage of personal applications or data resulting from the use of a personal phone connected to the company network. Upon termination of employment, or at any time on request, all company data on personal devices must be removed from the device.
Encryption
Email – using the standard Office365 encryption for traditional email communications, in addition to mail rules in place to prevent the sending of any PHI either in the email body or in an attachment. We also offer secure email services through Office365 via AppRiver/Zix for any communications that contain any PHI data.
Zoll Systems – Data is encrypted at rest and in transit. AES 256 for data at rest, and TLS 1.2 and HTTPS for data in transit.
ShadowProtect – Images are encrypted with their 256 AES Encryption.
Any externally facing web services are passed through a NGNIX Proxy server running through a SSL, our RemoteApp published applications are also through SSL.