Sample BYOD Policy. Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

Transcription

1 Sample BYOD Policy Copyright 2015, PWW Media, Inc. All Rights Reserved. Duplication, Reproduction or Distribution by Any Means Prohibited.

2 SAMPLE BRING YOUR OWN DEVICE POLICY TERMS OF USE This Sample Bring Your Own Device (BYOD) Policy is provided solely as a sample policy for your agency to consider and it is not intended as legal advice. You should consult with your agency s own legal counsel to properly tailor this Sample Policy for use in your organization. The Policy must also be customized to reflect your state s laws and any other applicable laws. Using the Sample Policy does not ensure that your organization is in compliance with all applicable laws; only your attorney can make an informed determination regarding your compliance with applicable laws after careful review of your BYOD policy. Attendees are urged to have the enclosed materials reviewed by their legal counsel to ensure compliance with state laws and that they are within the recommendations of the organization s legal counsel. These materials are for educational purposes only and to provide a general overview of issues discussed in the conference. The information contained in the attached materials is subject to change at any time by new laws or regulations, repeals or modifications of existing laws and regulations, court and agency decisions, and in numerous other ways. While our materials are based on official sources of information, you must consult with your legal counsel to ensure compliance with state and federal laws. Of course, we cannot be responsible to update these materials for you, nor are we responsible for any decisions you make based in whole or in part upon the attached materials. While we believe the information presented in these materials to be accurate, errors are possible. Consult your legal counsel for advice on dealing with any specific legal issues you may have. These materials are the copyright of Page, Wolfberg & Wirth, LLC. No part of this material may be duplicated, reproduced or distributed by any means. By utilizing these materials, you agree to these terms and conditions. Sample BYOD Policy Page 1 of 8

3 ABC AMBULANCE SERVICE BRING YOUR OWN DEVICE POLICY PURPOSE To ensure the confidentiality, integrity, and availability of all confidential information and protected health information (PHI) that ABC Ambulance creates, receives, maintains, or transmits and to protect against any reasonably anticipated threats to such information, including security threats and improper, unauthorized or illegal uses or disclosures of such information. POLICY Authorized staff members may, but are not required, to use authorized personal portable devices for business-related purposes. Staff members may use a personal portable device to create, receive, maintain or transmit PHI or confidential information only as authorized by this policy and only when done for a legitimate, authorized business-related purpose. All other uses or disclosures of such information using personal portable devices are strictly prohibited without the express permission of ABC Ambulance. ABC Ambulance will take appropriate disciplinary action against any staff member who violates this policy. This policy will not be applied or construed in any way that might limit or improperly interfere with any applicable legal rights of ABC Ambulance staff members, including, but not limited to, any rights under Federal or state labor laws. PROCEDURE A. Definitions Under This Policy Breach means any acquisition, access, use, or disclosure of PHI or confidential information in a manner that violates this policy, any other ABC Ambulance policy or any law. Breach also means the loss, theft or unauthorized acquisition, access or use of a personal portable device. Business-Related Purpose means an authorized activity that legitimately and directly or indirectly supports the business of ABC Ambulance and may involve the use or disclosure of PHI or confidential information. Sample BYOD Policy Page 2 of 8

4 Confidential Information means any information created, received or used by ABC Ambulance in the conduct of its business that ABC Ambulance has a legitimate legal and/or business-related interest in keeping private, such as, but not limited to: information about confidential business processes, product information, deployment strategies, information about operational systems, marketing plans, customer data, contracts, computer systems, revenues, billing systems, internal reports, confidential business policies and plans, internal business-related confidential communications, patient data, insurance information, intellectual property, employee data and trade secrets. Personal Portable Device means any portable electronic device or storage media not owned, provided by, or paid for by ABC Ambulance that is used to create, receive, store or transmit PHI or confidential information of ABC Ambulance. Examples of such devices include, but are not limited to staff member s personal: laptops, tablets, cameras, cell phones, digital recording devices, SD cards and USB flash drives. Protected Health Information or PHI means any information, whether oral or recorded in any form or medium, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or the past, present, or future payment for the provision of healthcare to an individual that either identifies the individual, or about which there is a reasonable basis to believe the information can be used to identify the individual. Security Incident means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PHI or other confidential information or interference with system operations in an information system. Examples of security incidents include viruses, hacking attempts, successful hacking incidents, spam, corrupted software, etc. B. Authorization to Use Devices/Revocation 1. Authorized Staff Members. Only staff members expressly authorized by management may use a personal portable device for a business-related purpose. 2. Authorized Personal Portable Devices. Only personal portable devices approved by management are permitted to be used for a business-related purpose. 3. Management Discretion. Staff members may make a request to management to use a personal portable device for business-related purposes. Management has sole and complete discretion in deciding which staff members will be authorized to use personal portable devices and what devices may be used for a business-related purpose. Sample BYOD Policy Page 3 of 8

5 4. Revocation. Management reserves the right to revoke the authority of a staff member to use any personal portable device for a business-related purpose at any time for any reason. 5. Procedures Upon Revocation/Separation. If management revokes a staff member s authority to use personal portable devices or to use any particular device, or if the staff member is terminated or otherwise separated from affiliation with ABC Ambulance: a. The staff member shall immediately discontinue the use of the personal portable device(s) for a business-related purpose and he or she may no longer use the device(s) to create, receive, store or transmit PHI or confidential information of ABC Ambulance. b. If the device was at any time used to store PHI or confidential information, of ABC Ambulance, the staff member shall provide the device to ABC Ambulance for all PHI and other confidential information to be wiped clean. C. Security Standards for Personal Portable Devices 1. Record of Devices. Authorized staff members must register any personal portable devices authorized for a business-related purpose with a person designated by management to be responsible for maintaining that registry. Authorized staff members must immediately notify this individual if they plan to discontinue the use of a registered personal portable device for business-related purposes. 2. Verification of Security Features. Authorized staff members shall allow ABC Ambulance to review their personal portable device(s) prior to their initial use of the device(s) for a business-related purpose so that the ABC Ambulance can ensure that the device(s) meets the security standards required by this policy. 3. Authorized Applications and Programs. No applications ( apps ) or programs that enable access to PHI or confidential information of ABC ambulance may be installed on a personal portable device unless approved by management. 4. Password or Other User Authentication. Personal portable devices must be protected by a password or other unique user authentication measure, such as a personal identification number (PIN) or biometric measure. a. All passwords must have at least eight characters comprised of a least one uppercase letter, one lowercase letter, one number and one special symbol such as: &. Sample BYOD Policy Page 4 of 8

6 b. Any PIN shall be a nonsequential number that is not obviously personal to the staff member, such as birth year, last four digits of telephone number, last four digits of Social Security number, etc. If a personal portable device has the capability to enable a more complex PIN (e.g., longer than a 4-digit PIN), a more complex PIN should be used. c. If a personal portable devices has the capability to enable a biometric authentication measure (e.g., a fingerprint), staff members shall use the biometric measure. 5. Encryption. Personal portable devices must be equipped to store and transmit PHI and confidential information in an encrypted format. ABC Ambulance will verify that appropriate encryption software, which enables the encryption of PHI and other confidential information at rest and while being transmitted (such as through ), is installed on the personal portable device. 6. Remote Wiping/Disabling. Personal portable devices must have installed and enabled remote wiping/disabling features so that data can be remotely erased or the device can be remotely locked if the device is lost, stolen or otherwise unaccounted for. 7. Firewall and Antivirus. Personal portable devices should be protected with up-todate firewall and antivirus software. ABC Ambulance will determine what firewall protections and antivirus software are appropriate. 8. Log-Off and Lock-Out. Personal portable devices must be configured to lock out and require a password or PIN to resume activity after a period of inactivity. ABC Ambulance will determine the appropriate period of inactivity for log-off features for devices. If a personal portable device has a security feature that permits the erasing of data after a certain number of repeated unsuccessful password/pin attempts, this feature should be enabled. 9. Updated Programs and Software. Updates to installed programs, software and applications on personal portable devices must be installed as soon as possible. Whenever possible, the user shall enable automatic updates on devices. D. General Rules Regarding Use of Personal Portable Devices 1. Legitimate Business-Related Purpose. Staff members authorized to use personal portable devices for a business-related purpose must confine their use of the Sample BYOD Policy Page 5 of 8

7 devices to the business-related purpose for which they are authorized to use the personal portable device. 2. Tracking or Serial Number. A unique name or number for identifying and tracking use of a personal portable device for a business-related purpose will be assigned to each person authorized to use a personal portable device for a business-related purpose. 3. Physical Security. Staff members authorized to use a personal portable device for a business-related purpose must secure the device at all times (e.g., keeping it on your person, storing it in a locked area, etc.) to prevent unauthorized access. Staff members should also manually lock out the device when it is not in use (e.g., by pressing Ctrl+Alt+Delete or depressing the standby button). 4. Local Storage of PHI and Confidential Information. Staff members should, whenever possible, refrain from storing PHI or confidential information locally on a personal portable device. Local storage of such information is only permitted when authorized by ABC Ambulance. PHI and confidential information should, whenever possible, be stored on storage media (e.g., servers) of ABC Ambulance. 5. Reporting Breaches and Security Incidents. Staff members authorized to use a personal portable device for a business-related purpose shall immediately report an actual or suspected breach or security incident to management and provide full details of the event known to them. For example, if a staff member learns that his or her personal portable device is lost, stolen or has been accessed by an unauthorized third party, the staff member should notify management right away and let management know what happened. Staff members shall, at the direction of management, remotely wipe and/or disable a personal portable device to protect PHI and confidential information of ABC Ambulance. 6. Secure Storage and Transmission. Staff members must store and transmit all PHI and confidential information using approved encryption methods and approved secure channels. For example, staff members should use encrypted programs, encrypted texting applications, encrypted USB drives and other secure methods to transmit and store PHI. 7. Remote Access to PHI. Staff members may only access PHI or confidential information through a secure, encrypted channel, such as a secure Wi-Fi network, VPN channel, or secure browser connection ( HTTPS ). Most public networks in airports and other locations are unsecure and should not be used to access or transmit PHI or confidential information unless the staff member is using a VPN channel or secure browser connection. Sample BYOD Policy Page 6 of 8

8 8. Compliance. All activity using a personal portable device for a business-related purpose must comport with all of ABC Ambulance s policies and procedures, HIPAA or other applicable federal and state laws. E. Specifically Prohibited Activity on Personal Portable Devices The following activities are strictly prohibited at all times using personal portable devices: 1. Creating, receiving, maintaining, or transmitting any PHI or confidential information of ABC Ambulance without authorization from ABC Ambulance, in violation of any ABC Ambulance policy or in violation of the law. 2. Online posting, sharing or otherwise disseminating PHI or confidential information of ABC Ambulance without authorization from ABC Ambulance. 3. Capturing any images or videos on a personal portable device that could potentially identify a patient without the express permission of ABC Ambulance. 4. Storing or transmitting any PHI or confidential information of ABC Ambulance in a manner the staff member knows or should know is unsecure. For example, storing PHI on an unencrypted USB drive is an unsecure method of storing patient data. 5. Permitting any unauthorized individual to access PHI or confidential information on or through the use of a personal portable device. 6. Opening s or attachments on personal portable devices from unknown or untrusted sources. F. Ownership and Control of Confidential Information and PHI 1. All PHI and confidential information of ABC Ambulance that is created, received, maintained or transmitted using a personal portable device is at all times the property of ABC Ambulance and may be considered to be part of the official records of ABC Ambulance. 2. ABC Ambulance cannot guarantee the confidentiality of PHI or confidential information of ABC Ambulance stored on any personal portable device, except that ABC Ambulance will take all steps necessary to secure PHI and confidential information in accordance with all applicable laws. PHI and confidential information stored on personal portable devices may be subject to disclosure to law enforcement or other third parties at the sole discretion of ABC Ambulance. Sample BYOD Policy Page 7 of 8

9 3. ABC Ambulance may monitor activity on our information systems and our network(s) at any time for the business-related purpose of ensuring that PHI and confidential information is not being improperly used or disclosed. This includes the ability to monitor internet activity and , as permitted by law. G. Discipline 1. Where permitted by law to do so, ABC Ambulance will investigate and take appropriate disciplinary action against staff members whenever ABC Ambulance learns about a possible or actual violation of our this policy or the law. 2. Violation of this policy or the law may result in disciplinary action up to and including termination of employment or association with ABC Ambulance. Sample BYOD Policy Page 8 of 8