
Is this YOUR policy? Would you like it back?

Submitted by ColdWetDog
ColdWetDog (752185) writes "Recently IS at my small hospital created an "Acceptable Use Policy" for our institution. Being the sort of anal compulsive guy that I am, I actually read it. That prompted me to attempt to figure out where it came from which led me to the SANS site. This purports to be "the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system — the Internet Storm Center" Be that as it may, I thought at least the Computer Use Policy had some real dumb features. I'm most concerned about the section on information ownership:

Hospital’s network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the organization’s systems remains the property of... Hospital.

Not sure how that is going to work out overall, seems a bit overarching — like what, precisely, is 'data'? But the thing that really has me annoyed because it clobbers my work flow is the fun statement:

All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off when the host will be unattended.

My point being that a generic, hardcoded time to lock the workstation is a dumb idea, especially when many of the computers are located within a controlled environment. Logging in a couple of dozen times per day is not how I would define a productive use of my time. Has anyone else found an 'authoritative' pontification of these ideas, especially in regards to healthcare systems in the US? (Hopefully the rest of the world isn't as batshit insane as we are)."


  • by egcagrac0 (1410377) on Wednesday June 26, 2013 @02:29PM (#44116101)

    Logging in a couple of dozen times per day is not how I would define a productive use of my time. Has anyone else found an 'authoritative' pontification of these ideas, especially in regards to healthcare systems in the US?

    Talk to your organization's legal department about what steps you need to be taking to comply with HIPAA (and other privacy policies) and if this is one of them.

    Geeks shouldn't make these decisions; that's for management to do (with the advice of legal). Get the directive in writing from management, file it away and comply.

  • Use Terminal Services w/ thin clients for stuff like the nursing carts. Any valid user in that department can connect to their persistent session within seconds, and the carts get better battery life than full workstations would. Use tokens / RFID if you need speed over the couple of seconds typing a password takes (yes, it's annoying to do, but it also is required for most PHI policies). Mandatory disconnect or at least Lock screen after a short period, but since the session persists on the TS it's trivial
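An added example, not from the thread or the SANS policy: a PowerShell check that reports whether the current Windows workstation actually meets the quoted requirement (password-protected screensaver activating at 10 minutes or less). It reads the standard per-user screensaver registry values and their Group Policy overrides; the 600-second threshold is the policy's own figure, and the output object shape is an assumption.

```powershell
# Audit one Windows workstation against the quoted policy line:
# password-protected screensaver, automatic activation at 10 minutes or less.
# Added example; the threshold comes from the policy text, the rest is assumed.
$MaxIdleSeconds = 600

# Per-user setting and the Group Policy location that overrides it.
$userPath   = 'HKCU:\Control Panel\Desktop'
$policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent
}

function Get-EffectiveValue {
    param([string]$Name)
    $v = Get-RegValue -Path $policyPath -Name $Name
    if ($null -ne $v) { return $v }   # a GPO-managed value wins over the user's own
    Get-RegValue -Path $userPath -Name $Name
}

# All three are REG_SZ strings on Windows: "1" means enabled, timeout is in seconds.
$active  = Get-EffectiveValue 'ScreenSaveActive'
$secure  = Get-EffectiveValue 'ScreenSaverIsSecure'
$timeout = Get-EffectiveValue 'ScreenSaveTimeOut'

$findings = @()
if ($active -ne '1') { $findings += 'screensaver not enabled' }
if ($secure -ne '1') { $findings += 'screensaver does not require a password on resume' }
if (-not $timeout -or [int]$timeout -gt $MaxIdleSeconds) {
    $findings += "timeout is '$timeout' s, policy requires <= $MaxIdleSeconds s"
}

# One row per host/user; feed it to Export-Csv when run across a fleet.
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    User      = $env:USERNAME
    Compliant = ($findings.Count -eq 0)
    Findings  = ($findings -join '; ')
}
```

Run it in the interactive user's session (the values live under HKCU), for example via a logon script, so the report reflects the profile a clinician actually uses.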
