Information Technology and Systems Use

Policy: 

Information/computer technology is a vital factor in the performance of the day-to-day services and business at Mains'l Services, Inc.  Maintaining the integrity and security of the information, and protecting the hardware and software systems, assures the continuity and stability of the technology and the information.

Acceptable Use

The intention for publishing an Acceptable Use policy is not to impose restrictions that are contrary to Mains’l’s established culture of openness, trust and integrity.  Mains’l is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.  

The purpose of information technology systems at Mains’l is to process information related to business.  Intranet/extranet/internet-related technology systems include, but are not limited to, computer equipment, software, operating systems, storage media, and network accounts providing electronic mail, WWW browsing, and file transfer protocol (FTP).  Also included in the information technology systems are personal communication devices and voicemail.

Much of the information in the Mains’l computer system is confidential.  All employees using computers authorized by Mains’l will adhere to all HIPAA data privacy requirements.  In addition, whenever Mains’l Services requires the services of third parties ("business associates") to conduct its operations, all business associates (BA) will complete and sign standard HIPAA BA agreements, as required by HIPAA.

Occasionally, employees serve on boards, committees or other community forums outside of Mains’l.  Because these services relate to Mains’l business, staff may use the agency computer system to support their involvement. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of intranet/extranet/internet systems.  In the absence of such policies, employees should consult with their supervisor or manager.

All information developed on an agency system or introduced to an agency system is the property of Mains’l, not the employee, regardless of where it was created.  Similarly, all information developed by a Mains’l employee on computers outside of Mains’l, if in conjunction with their employment with Mains’l, is agency property.  Copies of all such files will be provided to the agency, which has exclusive rights to retain, maintain and modify these files.

All users are responsible for managing a regular process of deleting outdated files that are no longer of value to the organization.

All computer hardware, software, and peripherals are owned by Mains’l.  Information Technology personnel are responsible for the purchase and installation of the computer software and hardware, and for maintaining the equipment.  Mains’l complies with all software copyrights and adheres to the terms of all software licenses to which the organization is a party.

Mains’l employees should use caution and care with the computer equipment.  Employees are expected to be professional in their use and transmission of information and correspondence and abide by licensing and copyright provisions of the software.  Any illegal activity is strictly prohibited.

Specific issues that are managed and addressed in the Computer Use Procedure are:

  • Hardware and Software User Authorization and Installation
  • Training, Use, and Care of Hardware and Software
  • Network and Data Security
     
Procedure: 

Hardware and Software Authorized Users and Installation

End User Hardware

Computers are provided to those employees requiring such technology to perform day-to-day services and business at Mains’l Services and its subsidiaries.

Desktops are routinely provided to office personnel and 24-hour program site locations.  Laptops are provided to those employees whose position requires mobility. Employees who are authorized to use laptop computers are required to sign a “Portable Equipment Agreement” before equipment is authorized for use (see “Portable Equipment Agreement”).  Use of personal computers is permitted with limited access to agency information via terminal services and website only; personal computers are not supported by IT personnel.

All computer hardware and peripherals, whether desktop or laptops, are owned by Mains'l and are set up and installed by information technology (IT) department personnel.  

Employees authorized to use computer equipment owned by Mains’l include those given possession of the computer (senior leadership team members, directors, senior managers, managers, office personnel, etc.).  Other employees who may operate the technology include support coordinators and direct support professionals; however, the accountability for the computer remains with those employees who have been given possession.  Any users of computer equipment owned by Mains’l are expected to comply with this Information Technology Use Policy and Procedure.

People who receive services from Mains’l may use computers which are owned by the agency, at the discretion of the manager and their supervisor.  The manager is responsible for any and all computer use at their site.

Server Hardware

Mains’l Services currently uses Cloud technology to deliver database services, applications, e-mail, file storage, and public services.  See IT Plan for specifications.

Software

Mains’l complies with software copyrights and adheres to the terms of all software licenses to which the organization is a party.  Employees may not copy or duplicate any software for use in other Mains’l locations, or for their personal use, as it may subject Mains’l and/or the employee to civil and criminal penalties. In addition, only software approved by the IT department may be used on Mains’l computers. Software is installed exclusively by IT department personnel. Standard software installed includes Microsoft Office Suite:  Microsoft Word, Excel, and Outlook.  Other programs installed may include Access, Provider Pro, Publisher, internet access software, or other approved software.  If unauthorized programs are used on Mains’l computers, discipline, restitution, and/or employment separation may result.

Assistive technology needs are addressed on an individual basis.  Employees will discuss needs with their supervisor, who will notify IT personnel of any necessary adaptations.

Training, Use, and Care of Hardware and Software

Training

All authorized computer users will receive initial orientation/training from IT department personnel.  Employees will be directed to receive training on this policy and procedure within two weeks of receiving equipment.  Employees are expected to have general knowledge of computer technology.  Employees are also expected to independently obtain additional training classes appropriate to their level of competency/job description requirements.  Classes may be provided by IT department personnel on an individual or group basis; outside coursework may be obtained independently by authorization of the employee’s supervisor.

Care of Equipment

All users are expected to treat agency computers as fragile and valuable property.  Users are expected to:

  • Protect computers they use from theft, undue shock, or similar physical damage.  
  • Take extreme care with food and beverages, which cannot be permitted to spill onto or near computers or system components.
  • Contact IT department immediately if malfunction of equipment is suspected. 
  • Notify IT department if desktop computer equipment needs to be removed for any reason.
  • Not store laptops and other peripheral equipment in very hot or cold environments, such as a car trunk, for extended periods of time.

If equipment is damaged during the user’s possession, and it is the determination of the IT department that damage was caused by user misuse or neglect, the user is responsible to fully reimburse Mains’l for repairs.  The human resources and finance departments are responsible to ensure payment is received.

If equipment is lost or stolen outside of a Mains’l-owned facility/leased property, the employee is responsible for the replacement costs.  The human resources and finance departments are responsible to ensure payment is received.  The user will receive temporary equipment until the replacement can be procured.

Network and Data Security

Information is considered an important asset of Mains’l and restrictions are imposed for controlled data access.  Mains’l considers it important to allow access to information to authorized users only, with information being accessed only by those who need it.                            

1. Access to the Network – Office and Remote Access

Access to the Mains’l network permits the user to access their e-mail, automation applications, office (word processing, spreadsheet and presentation graphics), and any specialized applications which have been configured for their use, whether they are in the office or off-site.   Pre-determined security access rights to information (user groups) have been created based on position responsibilities.  Each user has a confidential password.  Passwords are not to be shared with anyone for any reason.  Those employees assigned a Mains’l computer have the authority to allow other users access to their computer.  However, a generic account is provided for their access; this Technology and Systems Use Procedure will be reviewed by the manager before computer access is given, and a signature record is completed and placed in their personnel file by the manager.
        
Password Security Policy

All Mains’l employees who access our network file system are required to change their password for security purposes, as dictated by domain services.  Employees are required to update their password every 90 days.    

The current password requirements are:

  • At least six (6) characters long
  • Include a combination of letters and numbers
  • May not be reused for a period of two (2) years

Employees will not write down passwords.  Employees will not share passwords with others.  If access to information is required, and access is available only through another employee’s account, permission needs to be obtained by the employee’s supervisor.  Supervisor will contact the IT department for direction and assistance in obtaining necessary information.   Password will then be reset by IT department personnel.  If passwords or security is breached, or believed to be breached (stolen equipment, hackers/viruses may have compromised security, etc.), employee will notify the IT department immediately for protection resolution.

2. Access to the Network – Wireless

Wireless access to the Mains’l network is protected by the Wi-Fi Protected Access II (WPA2) security protocol.  Employees/authorized users are provided access to the network according to their personal access limits. Guest users are provided wireless access to the internet only.  

3. Permissions within the Network

Upon gaining access to the network, the user’s access and ability to view, add or modify information is governed by permissions.  These permissions allow access to information which is appropriate to his or her job responsibilities and/or on a need to know basis.  Access rights are configured by the IT department.

4. Virtual Private Network

Communication between Minnesota and satellite offices exists through firewalls configured to communicate through the internet by using secure Virtual Private Network connections (VPNs).  All VPN connections are configured by IT department personnel.

5. Firewalls

Mains’l Services uses WatchGuard firewalls as the agency’s defensive barrier to unapproved ports.  IT department personnel are the only employees authorized to configure port access.

Mains’l adapts to HIPAA data privacy requirements (see Notice of Privacy Practices for Employees, and Notice of Privacy Practices for Consumers).  Data is stored in appropriately apportioned folders within the Mains’l network. Data for people receiving services is not stored on external disks, with the exception of media for backup purposes.  All computers owned by Mains’l are configured to auto-lock after being idle/not in use for ten (10) minutes.

All information is permanently removed by an IT department professional before any computer equipment is removed from agency use/inventory, including laptops, desktops, fax machines, smartphones, copier/scanner/multifunction units, etc.

HIPAA Business Associate Agreements
When Mains’l requires the services of third parties ("business associates") to conduct its operations, all business associates (BA) will complete and sign standard HIPAA BA agreements, as required by HIPAA.  Agreements for any information technology services will be obtained by IT department personnel, and will be filed by the director of human services.

Please refer any questions concerning the necessity for a BA agreement in a particular situation to the director of human resources, who acts as the privacy officer. 

Back Up

Data is secured with a daily backup, performed by IT department personnel or an appointed designee.  Full backups are run on a daily basis; backup tapes are maintained offsite by IT department personnel.  Monthly backups are stored offsite in a secure location.  All documents created by employees are saved and stored on the Mains’l server/intranet; documents are not to be stored on individual drives, as they are not backed up.

Document Imaging

Mains’l uses Fortis document imaging software to store and archive electronic documents and information.  Electronic filing provides for faster search and retrieval of documents, reduces lost or misfiled documents, and reduces the amount of physical space needed to store hard copy documents. Stored information is maintained in accordance with state and federal government guidelines.  The federal government guidelines supersede all state requirements.

Audit controls are built within the Fortis system, with the ability to track, with date and time, those persons who have viewed or modified documents, as stated by HIPAA. Access to view, print, and modify documents is determined by user groups.  User groups are authorized by the senior leadership team, are set up by the IT department, and are administered by the support services specialist.

Electronic Filing/Scanning Process:

1. Management personnel, including managers, directors, and senior leadership team members, receive training within three months of employment.
2. Employees authorized to electronically file documents will routinely manage the records from their department and scan as required.  Each person will scan their department documents when the document(s) are no longer active documents.
3. Employees scan documents directly into the document imaging software at the main office.  After scanning is complete, employees preview the pages to ensure all documents are scanned appropriately and are legible.
4. Employees add indexing requirements for each document type as required by each department’s guidelines, along with any additional information in the notes field on the indexing menu.
5. Documents have to be admissible in court, and will remain in effect as the agency’s retention schedule dictates.

Anti Virus

The agency’s computer systems contain information significant to Mains’l.  Computer viruses endanger this information.  The agency has established the procedures and policies in this document to help reduce this risk.   In addition, all networked computers have software that helps the agency reduce the risk of viruses, automatically detects and deletes viruses, and is monitored by the IT department.   

Internet

Mains’l provides internet access at the office and program site locations.  If employees wish to work at home or away from the 24-hour site locations, internet access costs are incurred by the employee.

The use of the internet to gain access to external and internal resources should be carefully managed.  Access is based on appropriate business need.  Users may only download (copy) word processing documents, electronic spreadsheets, and text files.  Users may never download program files without authorization from the IT department.  This includes free software such as screensavers, wallpapers, toolbars, free antivirus, and performance enhancing software.  All internet configurations are set up and maintained by IT department personnel.

E-Mail

All those authorized for computer use are assigned an e-mail address by IT department personnel.  All e-mail messages are the property of Mains’l and should be used for business related purposes only.  E-mail addresses become part of a global address list.  Other users will assume they can send e-mail to all persons in the global address list; therefore, each e-mail user should check their e-mail regularly and respond to e-mails within 24 hours.

Employees have access to their e-mail accounts without accessing the file system via the www.mainsl.com web site.

Viruses infiltrate the network through e-mail attachments from e-mail addresses with which you typically are not familiar.  Employees receiving e-mails and/or attachments they believe are suspicious should forward the message (without opening the attachment) to IT department personnel.

Employees will use caution when transmitting internal e-mail.  E-mail messages will not contain offensive material. It is prohibited to transmit any inflammatory material; material with abusive language; sexually, culturally, or racially offensive or insulting material; or obscene, vulgar, or profane material.  If unacceptable use of e-mail is confirmed on Mains’l computers, discipline, restitution, and/or termination may result.

All users are responsible for managing a regular process of deleting outdated e-mail correspondence that is no longer of value to the organization.

E-Mail Encryption

Mains’l Services uses ZixCorp services for all outbound external e-mail transmissions, which automatically encrypt private information within text documents.  For those documents containing private information within non-text documents (PDF files), typing the word SECURE (in capital letters) in the Subject line will encrypt the e-mail transmission as well. Private information includes, but is not limited to, Personal Health Information (PHI), including dates of birth, addresses, social security numbers, etc.

Voicemail

Voicemail boxes within the Mains’l telephone system are issued to personnel who require a method for others to leave messages when they are not available.  Voicemail boxes should be protected by a PIN which cannot be the same as the last four digits of the telephone number of the voicemail box.  Employees will routinely delete saved voicemail messages that are no longer relevant.  Once voicemail messages are deleted, they are not retrievable.

Personal Communication Devices

Mains’l is committed to providing excellent service to both employees and customers.  In order to provide 24-hour communication, personal communication devices (PCDs) are issued to managers, directors, senior leadership team members, and other personnel as identified (nurses, maintenance, navigators, etc.).  PCDs are either cellular phones or smart phones, which enable users to access the internet, including e-mail.  Employees will meet with IT department personnel to receive a PCD during the first two weeks of employment.

PCDs are issued for Mains’l business.  Employees are responsible for exercising good judgment regarding the reasonableness of personal use. 

All employees who are issued PCDs will protect their device, using passwords, patterns, and/or biometrics, depending on the individual device.

PCD invoices payable by Mains’l are monitored by IT department personnel and authorized for payment by the executive assistant.  

Mains’l’s current MN and CA cellular plan includes unlimited voice and text messages, and 360 GB of data. Overage costs include downloads (i.e., ring tones), international calls, and application subscriptions.  All cell phone overages/charges over $5.00, for non-business purposes, will be paid by the employee.  The Systems Administrator will notify the employee of any necessary payment.  The employee will complete an Employee Payroll Telephone Deduction form and submit it to the payroll department.

Mains’l’s current cell phone contract renews every two (2) years.  At this time, employees are eligible for upgrades. All employees will receive a device of their choosing up to $100.00 in value.  If employees choose to upgrade past the standard replacement device, employees will be required to pay the difference.  Additionally, employees are reimbursed for a phone case (up to $20.00) and a screen protector (up to $10.00).

Any expenses incurred by employees using their personal cellular phone or PCD are required to be authorized, in advance, and approved by the employee’s management supervisor. All Expense Reimbursement Procedures will be followed.

Utilizing PCDs while driving can be a safety hazard.  Texting, surfing the internet, or answering e-mail is illegal, even at a stop light.  Drivers should use PCDs while parked or out of the vehicle.  If employees need to use PCDs while driving, Mains’l recommends the use of hands-free enabling devices.

Care of Communication Devices

If communication devices are damaged or lost during the user’s possession, the user may be required to reimburse Mains’l for replacement. If the phone/line is eligible for replacement, employees will receive a standard replacement; if the phone/line is not eligible for an update at time of incident, employee is responsible for the replacement cost. A Portable Equipment Agreement will be signed by employee before receiving a PCD.

When an employee having possession of a PCD terminates employment from Mains’l, the communication device will be returned to the employee’s supervisor.  If the employee purchased their own device, the phone number and company data are removed and the device is returned to the employee.

Bluetooth

Hands-free enabling devices, such as Bluetooth, may be issued to authorized personnel.  Caution shall be taken to avoid being recorded when connecting Bluetooth adapters; Bluetooth 2.0 Class devices have a range of 330 feet.

Enforcement

Any employee found to have violated this policy and procedure may be subject to disciplinary action, up to and including termination of employment.

Disaster Recovery Plan

Mains’l has a Disaster Recovery Plan that is updated annually, at a minimum.  The Disaster Recovery Plan is built on the foundation that preparation and precautions are created and implemented to prevent disasters to the greatest extent possible.
 

Reference: 

Portable Equipment Agreement
Cell Phone Agreement
Authorization for Payroll Deduction for Telephone Expense
Authorization for Payroll Deduction
Disaster Recovery Plan
Notice of Privacy Practices for Consumers