SANS Institute 2019 – All Rights Reserved
Consensus Policy Resource Community

Bring Your Own Device (BYOD) Security Policy

Free Use Disclaimer: This policy was created by or for the SANS Institute for the internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required.

Last Update Status: Updated September 2022

1. Overview

The use of personal electronic devices is a part of modern culture. These devices include smart phones, laptop computers, tablets, and storage devices such as USB thumb drives and compact discs. The use of electronic health records (EHR) is now the standard of care in medical encounter documentation. Federal law mandates health records protections using the Health Insurance Portability and Accountability Act (HIPAA). The goal is to protect Personally Identifiable Information (PII) from being disclosed to people and organizations that do not have permission to access the PII. Cybersecurity is essential for protection of PII both while on and off the network.

2. Purpose

The main goal of any IT security policy is to protect the confidentiality, integrity, and availability (CIA) of data. The purpose of this update is to provide basic computer and personal device security information to employees of the medical clinic regarding accessing, handling, transferring, and storing sensitive medical information and PII. The goal is to protect data and instruments that connect to the internet.

3. Scope

This update applies to all personnel in the medical clinic, including health care providers (medical doctors, physician assistants, nurse practitioners, social workers, psychologists), nursing staff (registered nurses, licensed practical nurses, medical assistants) and office staff (front office, back office, referral staff, technologists, visiting staff).

This update addresses hardware (phones, laptop computers, desktop computers, storage devices), use of applications online and offline, and software. This update will address use of personal devices, attachment to office networks, use of office networks, and use/attachment of storage devices to the office network.

All personnel working in the medical office will need to complete training before accessing and using the medical office networks. All personnel will require permission before using personal devices connected to the office networks. This update will provide points of contact for addressing problems, concerns and guidance in regard to the use of personal devices and the office networks.

4. Policy

The following practices are implemented by the medical clinic to provide cybersecurity. They can help to prevent compromise of PII and to protect the user.

1. Physical security
   a. All employees are mandated to use situational awareness while operating network systems. This means being aware of your environment when handling or accessing PII. When not present at your desk, you should make sure that you are logged off the system.
   b. Personal devices may not be connected to the network in any form unless permission has been granted by the IT department or network tech. This includes storage devices in any form.
2. Devices
   a. Personal devices are not to be connected in any way to the clinic networks without prior permission. No storage devices may be used to connect to network systems without prior permission.
3. Applications/Software
   a. Employees are not to download any software or applications from the Internet while using clinic network systems.
4. Social Networks
   a. Employees are not to use clinic networks to access social network websites.

Use of personal devices with clinic network systems

1. Personal devices may be used by employees under certain restrictions.
   a. Employee devices must have up-to-date anti-virus and anti-malware software approved by the IT department.
   b. The user must consult with the IT department to configure proper firewall and security access for their personal device.
   c. The user must consult with the IT department to configure proper access control for their level of accessibility.
   d. The user must consult with the IT department to ensure that their access to the network is properly encrypted. This is especially important for providers that work from home or remote locations.

5. Policy Compliance

The InfoSec team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, intrusion detection tools, business tool reports, internal and external audits, and feedback to the policy owner.

An employee that is found not to be complying with the security policy will be notified. The employee's permissions to the network will be suspended or restricted. The employee will be required to complete remedial computer security training. If the security violation is found to be of an intentional malicious variety, the employee will be subject to disciplinary actions, to include termination.

6. Related Standards, Policies, and Processes

Basic Security for the Small Healthcare Practice Checklists v1.0_Cleared.doc (healthit.gov)
NIST SP 800-124 Rev. 2, Guidelines for Managing the Security of Mobile Devices in the Enterprise

7. Definitions and Terms

CD       compact disc
CD-ROM   compact disc read-only memory
DVD      digital video disk
EHR      electronic health record
HIPAA    Health Insurance Portability and Accountability Act
IM       instant message
LAN      local area network
NIST     National Institute of Standards and Technology
PC       personal computer
PDA      Personal Digital Assistant
PII      Personally Identifiable Information
PHI      protected health information
USB      Universal Serial Bus

8. Revision History

Date of change   Responsible         Summary of change
August 2019      SANS policy team    Updated and converted to new format