at my own office I enabled the option to turn of a password protection
on the screen when someone walked away for more than an hour. Merely
turning off the screen isn't good enough protection when working with
client information.. I mean…duh… you are still logged in with
access to that network. Some folks really liked it and really wanted
it, some people …well let's just say I had to use the peer pressure
from the ones that liked it…..it was funny because there was a recent
thread on a Hipaa listserve about some of the flexibility you must
build into a techology/people issue.
You must protect Patient Identity
Information.. and thusly you must set up the system so that when
someone walks away from that system, it locks the access. Hipaa final
security rule (164.312(2)(iii)) requires automatic logoff…. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity … and
while it's a standard…it's an addressable standard and thus you can
set the value for what is appropriate. Some places you need less time
to ensure that patient data is kept secure from prying eyes in public
places, some places you need more time. Make a compromise as to what
works in your environment.
Personally I think this is something that all of us that have sensitive information need to implement. All I did on my network is
enable it on group policy and made sure that it would be password
protected. I didn't even list a manditory screensaver at all.
P.S. Looking for HIPAA resources?
I'll post more tonight..but the listserve I was referring to in the
above post is the WEDI one at http://subscribe.wedi.org – specifically the security workgroup list [E-Bitz – SBS MVP the Official Blog of the SBS “Diva”]