NYC HEALTH+ HOSPITALS - Employee Self...

NYC HEALTH + HOSPITALS Information Security & Risk Management: Information Technology Resources Acceptable Use Policy Effective Date: March 15, 2016 Review Frequency: Annually Revised: N/A Document Reference: NYC Health+ Hospitals_EITS_ISRM_Policy_002.1


Page 1: NYC HEALTH+ HOSPITALS - Employee Self Serviceess.nychhc.org/uploads/IT_Resources_Acceptable_Use_Policy.pdf · Use of NYC Health + Hospitals email system to send chain letters, ...

NYC HEALTH+ HOSPITALS

Information Security & Risk Management: Information Technology Resources Acceptable Use Policy

Effective Date: March 15, 2016

Review Frequency: Annually

Revised: N/A

Document Reference: NYC Health+ Hospitals_EITS_ISRM_Policy_002.1


1. Goal

NYC Health + Hospitals provides workforce members with access to numerous information technology (IT) resources. Acceptable organizational use of IT resources and effective security requires the participation and support of all workforce members. Unacceptable use of IT resources exposes NYC Health + Hospitals, its workforce members and its patients to potential risks. The objective of this policy is to identify the NYC Health + Hospitals acceptable use standards that shall be implemented in conjunction with the acceptable use standards outlined in the NYC Health + Hospitals Privacy and Security Operating Procedures.

2. Scope

This policy applies to all NYC Health + Hospitals users and to the use of any IT resources. All users are required to read and understand this policy, to conduct their activities in accordance with its terms, and to sign the acknowledgement page (pg. 8).

3. Policy Authority

The NYC Health + Hospitals Chief Information Officer (CCIO) has the authority to oversee, direct and coordinate the establishment and implementation of IT policies, standards, and guidelines for NYC Health + Hospitals.

4. Definitions

IT Resource: Refers to the devices, computing equipment, the infrastructure, and the information systems that comprise the NYC Health + Hospitals network and all the electronic information and communication contained within the network. IT resources include, but are not limited to, personal computers (PCs), mobile IT devices (laptops, smart phones, etc.), storage devices (external hard drives, USBs, etc.), scanners, printers, digital copiers, servers, information systems, etc.

Workforce Member: Refers to employees, volunteers, trainees, and other persons whose conduct, in the performance of work for NYC Health + Hospitals, is under the direct control of NYC Health + Hospitals, whether or not they are paid by NYC Health + Hospitals.

User: Workforce member that has been authorized and has been granted access to IT resources.

Remote Access: Refers to the ability to access IT resources from a remote (off-site) location via the use of NYC Health + Hospitals enterprise remote access solution.


POLICY STATEMENT

5. User Privacy Expectations

1. Workforce members shall not have any privacy expectations regarding the information they use, access, create, store, transmit or receive while using IT resources for incidental personal use.

2. NYC Health + Hospitals may record or review user access and usage of its IT resources as required.

3. NYC Health+ Hospitals reserves the right to comply with legal requests that may include, but may not be limited to, disclosing user electronic mail content, internet access or browsing activity, and electronic files without user knowledge or consent.

6. User Responsibilities

1. Users are required to protect IT resources from unauthorized access, disclosure, alteration, or destruction at all times.

2. Workforce members shall immediately report suspected or confirmed information security incidents, which include, but are not limited to, theft, vandalism or loss of IT resources, compromised access accounts, or policy violations to management and to the Corporate Information Security & Risk Management Department: [email protected].

3. Workforce members who have been authorized by NYC Health + Hospitals to manage the access needs of users under their leadership shall ensure that access is consistent with workforce member's current role and service status (active, on leave, terminated, etc.) at all times.

4. In accepting access to IT resources the user in turn agrees to adhere to all NYC Health + Hospitals policies related to the use of IT resources.

7. Policy Statements Applicable to Use of All IT Resources

1. Workforce members shall only access IT resources upon being authorized by Human Resources or Management.

2. Unauthorized access to, usage, storage, disclosure, distribution, alteration or destruction of IT resources may constitute a civil or a criminal offense, and is a violation of NYC Health + Hospitals Policy.

3. NYC Health + Hospitals information that is used, accessed, created, stored, transmitted or received via the use of the IT resources is the property of NYC Health + Hospitals.

4. IT resources may never be used to perform any action or activity that violates Federal, State or Local Laws, including copyright laws and licensing agreements, or NYC Health + Hospitals policies.

5. IT resources must not be deliberately used in a manner that poses an information security risk.

6. In the event of a security related concern or suspected policy violation NYC Health+ Hospitals reserves the right to suspend a workforce member's access without notice.

7. Access to IT resources will be amended or terminated as required to ensure access is consistent with a workforce member's current job function or service status.


8. Workforce members must use their own uniquely assigned login credentials and may never share their login information with anyone.

9. When login technology requires the use of a password or an access code, the password or access code must comply with the NYC Health + Hospitals Password and Access Code Standard.

10. Occasional and incidental personal use of IT resources is permitted, provided such use does not attribute the user's personal activity to NYC Health + Hospitals, and does not conflict with the provisions of this policy.

11. Management reserves the right to determine whether personal incidental use is excessive or is interfering with the user's job responsibilities. Questions concerning permitted incidental personal use shall be directed to Management's attention.

12. Users who choose to store or transmit personal information while using IT resources do so at their own risk. NYC Health + Hospitals is not responsible for the loss of non-NYC Health + Hospitals information or IT resources.

8. Policy Statements Applicable to Information Technology Devices

1. All devices that are utilized to access, use, create, store, transmit or receive IT resources must be equipped with security configurations that comply with the NYC Health + Hospitals security configuration standard.

2. Altering the security configuration settings of IT resources is strictly prohibited.

3. Removal of IT resources (excluding authorized portable or mobile devices, such as laptops, smart phones, etc.) from NYC Health + Hospitals facilities requires Management approval.

4. Disposal or reallocation of IT resources by anyone other than EITS Team Members is strictly prohibited.

5. Upon termination of employment or affiliation with NYC Health + Hospitals, all IT resources issued to a user must be returned to Management or Human Resources.

9. Policy Statements Applicable to the Use of NYC Health + Hospitals Email System

1. Access to NYC Health + Hospitals email system is granted to workforce members for the purpose of conducting the official business of NYC Health + Hospitals.

2. Use of NYC Health + Hospitals email system to send chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages is prohibited.

3. Personal email accounts must not be used to conduct business on behalf of NYC Health + Hospitals.

4. Any email address NYC Health + Hospitals issues to workforce members shall only be used for work related matters. Exceptions must be authorized by NYC Health + Hospitals.


5. Workforce members shall not send, store, or upload NYC Health + Hospitals proprietary, confidential, sensitive, or identifying patient information to non-NYC Health+ Hospitals email accounts or domains without obtaining prior consent from NYC Health + Hospitals.

6. When a business need requires workforce members to send a message containing NYC Health + Hospitals proprietary, confidential, sensitive, or identifying patient information to authorized email accounts or domains, the email must be encrypted via the use of a NYC Health + Hospitals approved encryption standard.

10. Policy Statements Applicable to the Use of NYC Health + Hospitals Internet Access

1. Use of NYC Health+ Hospitals Internet access must be consistent with the goals of NYC Health + Hospitals business activities, or to facilitate information access or transfer of information as related to the job function of a workforce member.

2. NYC Health + Hospitals reserves the right to allow or disallow access to any site(s) that may harm or be inconsistent with the policies, practices, and goals of NYC Health + Hospitals.

11. Policy Statements Applicable to Software

1. Downloading unauthorized software onto IT resources is prohibited.

2. Only software approved or managed by NYC Health + Hospitals Enterprise Information Technology Services (EITS) Department may be installed on IT resources.

3. Unauthorized duplication of NYC Health + Hospitals software is strictly prohibited and is subject to civil and criminal penalties.

12. Policy Statements Applicable to Social Media

1. Disclosure of NYC Health + Hospitals proprietary, confidential, sensitive, or identifying patient information is strictly prohibited.

2. Workforce members must comply with the NYC Health + Hospitals 20-61: Social Media Use Operating Procedure at all times.

13. Compliance

Penalties for violating this policy may result in:

• Termination of IT resources access privileges.
• Disciplinary action up to and including termination.
• Criminal or civil penalties.

14. Related NYC Health + Hospitals Operating Procedures and Information Security Policies

Operating Procedures: http://sites.NYC Health + Hospita ls.org/Operations/CSS/OP/

• 20-58: Information Systems Application Access Policy & Procedure
• 20-60: Limited Personal Use of HCC Office and Technology Resources
• 20-61: Social Media Use
• 250-01: Security Management Process


• 250-05: HIPAA Security Policy-Workstation Use
• 250-06: HIPAA Security Policy-Information Access Management
• 250-08: HIPAA Security Policy-Workforce Security
• 250-18: HIPAA Security Policy-Person & Entity Authentication
• 250-19: HIPAA Security Policy-Transmission Security
• 250-20: HIPAA Security Policy-Remote Use & Access To Electronic Protected Health Information

Information Security Policies: http://intranet.nychhc.org/lnformationTechnologyServices/CorpiTRefMaterials.html

• NYC Health + Hospitals Authority to Establish EITS Information Security Policies
• NYC Health + Hospitals Password and Access Code Standard
• NYC Health + Hospitals Access Control Policy

Workforce members are expected to read, understand and abide by referenced NYC Health + Hospitals Operating Procedures, Information Security Policies, and Information Security Standards upon gaining access to the NYC Health + Hospitals Intranet.

15. External Security Standards & References:

• NIST.SP.800.53: Security and Privacy Controls
• NIST.SP.800.53: Managing IS Security Risk
• COBIT5_AP007: Manage Human Resources
• New York State Policy NYS-P14-001: Acceptable Use of Information Technology Resources Policy
• The City of New York City Wide Information Security Policy - User Responsibilities Policy


16. Review & Authorization:

Authored By: Information Security & Risk Management Department, EITS

Reviewed By: The Information Security Policy Steering Committee on 10/27/15. The Committee is comprised of:

o Corporate Compliance Senior Vice President or appointed delegate(s)
o Human Resources Senior Vice President or appointed delegate(s)
o Office of Legal Affairs Senior Vice President or appointed delegate(s)
o Enterprise IT Services Senior Vice President or delegate(s)
o Enterprise IT Services, Information Security & Risk Management

EITS Service Line Leads: 07/08/15
Network Chief Information Officers: 07/08/15

Approved By: Vikrant Arora, Information Security Policy Steering Committee Chair, AVP & Corporate Chief Information Security & Risk Officer, EITS

Signature

Authorized By: Sal Guid , rim Corporate Chief Information Officer, EITS

Signature

17. Revision History

Date


Information Technology Resources Acceptable Use Policy Workforce Member Acknowledgement Page

I hereby certify that I have read and fully understand the contents of the NYC Health + Hospitals Information Technology Resources Acceptable Use Policy. In addition, I understand that this policy applies to all IT resource access, current and future, that is issued to me by NYC Health + Hospitals. Finally, I understand that violation of any of the policy statements set forth in this policy may result in disciplinary action up to and including termination. My signature below certifies my understanding and acknowledgement of the NYC Health + Hospitals Information Technology Resource Acceptable Use Policy.

Workforce Member (Print Name): ----------------------

Signature Date
