Personal computing best practices & HIPAA security requirements - medical campus
The goal of developing best practice implementations for personal computing devices is to increase the security of the University network and to assure the confidentiality, integrity and availability of information. The table below lists the ITS recommended best practices.
NOTE: Medical Campus HIPAA Security *requires* that the personal computing best practice recommendations below are implemented on any computing device that is used to create, access, transmit or receive electronic protected health information (ePHI).
Individuals are solely responsible for the non-technical practices, but your IT support provider can assist you with the technical requirements.
Non-technical requirements
- Read and comply with Yale University’s IT and HIPAA policies
- Know your IT support providers and their role in information security
- Report HIPAA security incidents
- Recognize when your computer may be compromised
- Implement Yale password security recommendations
- Ensure computing devices are physically secured
  - Locking screensaver:
    - Windows XP
    - Winexit.scr: Windows XP Exit screen saver tool (useful in a cluster or multi-user Windows XP computing environment)
    - Windows 2000
    - Mac OS X
  - S.T.O.P. Program (Security Tracking of Office Property)
- Avoid activities that may compromise security
Technical requirements
Find your operating system in the table below; a dot marks each recommendation that applies to it. Some recommendations have been automated or are centrally maintained, some are specific to the operating system, and some require active participation of the end user.
As part of HIPAA security compliance you should use an ITS recommended or accepted operating system (OS). Please see ITS Operating System information. If you are using an OS that is not listed as recommended or accepted, please contact Information Security to discuss security safeguards that may need to be implemented to mitigate risk.
| Recommendation | Windows XP | Windows 2000 | Mac OS X | Palm OS | Pocket PC | Smartphone |
|---|---|---|---|---|---|---|
| Configure host in the AD (Group Policy for Windows) | • | • | • | | | |
| Limit interactive log on | • | • | • | | | |
| Configure and use email securely | | | | | | |
| SSL | • | • | • | | | |
| SpamAssassin | • | • | • | • | • | • |
| Signature file | • | • | • | • | • | • |
| Use up-to-date malware software | | | | | | |
| Symantec AntiVirus & Antispyware | • | • | • | | | |
| Protect against macro viruses | • | • | | | | |
| Use secure file transfer and configure file sharing securely | | | | | | |
| SSH/sFTP software | • | • | • | | | |
| File transfer facility | • | • | • | | | |
| Restrict open shares | • | • | • | | | |
| Use centralized file services | • | • | • | | | |
| Keep your operating system and application software up to date | | | | | | |
| Operating system software | • | • | • | | | |
| Application software: Office | • | • | • | | | |
| Application software: MS SQL | • | • | | | | |
| Back up your data files | | | | | | |
| ITS backup service | • | • | • | | | |
| Destroy data on computers and storage media | • | • | • | • | • | • |
| HIPAA and all other regulatory privacy and security requirements apply to ALL locations, including your home | | | | | | |
| Personal firewall protection | • | • | • | | | |
| Individual software firewalls | • | | | | | |
| VPN information | • | • | • | • | • | • |
| Implement additional security requirements for portable or handheld, and wireless devices | | | | | | |
| Wireless security | • | • | • | • | • | • |
| Encryption | • | • | • | • | • | • |
Current operating systems (e.g., Windows XP and Vista, and Mac OS X 10.4) provide more robust security features than earlier releases. We realize that applications which only run on an earlier OS do not always make this possible, but we recommend that you move to a current and supported OS as soon as possible.
If you are using a supported version of the Windows operating system and your computer has been joined to Active Directory (AD), some of the above workstation best practices will be applied automatically through AD policies in the MED container. Contact your support provider if you need assistance in configuring your computer. There will be a separate container in the AD for special devices which must be exempt from the workstation best practices.
If you have PHI on your computer or use it to access a remote system with PHI we recommend upgrading to a currently supported version of the operating system to implement the appropriate security and privacy features.
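The following read-only audit script is an added example and is not part of the Yale ITS page or its tooling. It checks four of the table's Windows workstation items that can be verified locally (AD membership, a locking screensaver, open file shares, and the personal firewall) using WMI and the registry so it also runs on older PowerShell versions. The 15-minute screensaver timeout threshold is an assumption for illustration; the page does not specify one. Nothing is changed on the host.

```powershell
# Added example (not from the Yale ITS page): read-only audit of several
# workstation best practices from the table above. Each check prints
# PASS/FAIL together with the observed value so the result can be reviewed.

function Write-Check {
    param([string]$Name, [bool]$Ok, [string]$Detail)
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Output ("{0,-5} {1} ({2})" -f $status, $Name, $Detail)
}

# 1. Configure host in the AD: the machine must be domain-joined before
#    Group Policy from the MED container can apply to it.
$cs = Get-WmiObject -Class Win32_ComputerSystem
Write-Check 'Domain-joined' $cs.PartOfDomain ("domain/workgroup: " + $cs.Domain)

# 2. Locking screensaver: active, password-protected, and a timeout no longer
#    than 15 minutes (assumed threshold). ScreenSaveTimeOut is in seconds and
#    is read from HKCU, i.e. for the user running the script.
$desk    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$active  = $desk.ScreenSaveActive -eq '1'
$secure  = $desk.ScreenSaverIsSecure -eq '1'
$timeout = [int]($desk.ScreenSaveTimeOut)
$ssOk    = $active -and $secure -and ($timeout -gt 0) -and ($timeout -le 900)
Write-Check 'Locking screensaver' $ssOk ("active=$active secure=$secure timeout=${timeout}s")

# 3. Restrict open shares: list user-created disk shares. Win32_Share Type 0 is
#    a plain disk share; administrative shares (C$, ADMIN$) carry the admin
#    flag in Type and IPC$ is Type 3, so neither is counted here.
$shares     = @(Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })
$shareNames = if ($shares.Count -gt 0) { ($shares | ForEach-Object { $_.Name }) -join ', ' } else { 'none' }
Write-Check 'No open file shares' ($shares.Count -eq 0) ("disk shares: " + $shareNames)

# 4. Personal firewall protection: Windows Firewall ON for all three profiles.
#    'netsh advfirewall' exists on Vista and later; on Windows XP the
#    equivalent is 'netsh firewall show state'.
$fw     = netsh advfirewall show allprofiles state 2>$null
$onRows = @($fw | Select-String 'State\s+ON').Count
Write-Check 'Firewall on (all profiles)' ($onRows -eq 3) ("profiles reporting ON: $onRows")
```

Run it from an ordinary (non-elevated) PowerShell prompt on the workstation; a FAIL line points at the table item that still needs attention, and the per-OS links referenced above describe how to remediate it.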