End users and screensavers

On August 10, 2005, in Security, by

Recently at my own office I enabled the option to turn on password protection on the screen when someone walked away for more than an hour. Merely turning off the screen isn’t good enough protection when working with client information. I mean… duh… you are still logged in with access to that network. Some folks really liked it and really wanted it, some people… well, let’s just say I had to use the peer pressure from the ones that liked it. It was funny because there was a recent thread on a HIPAA listserve about some of the flexibility you must build into a technology/people issue.

You must protect Patient Identity Information, and thus you must set up the system so that when someone walks away from that system, it locks the access. The HIPAA final security rule (164.312(2)(iii)) requires automatic logoff: “Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.” And while it’s a standard, it’s an “addressable standard” and thus you can set the value for what is appropriate. Some places you need less time to ensure that patient data is kept secure from prying eyes in public places, some places you need more time. Make a compromise as to what works in your environment.

Personally I think this is something that all of us that have sensitive information need to implement. All I did on my network was enable it in Group Policy and make sure that it would be password protected. I didn’t even list a mandatory screensaver at all.

P.S. Looking for HIPAA resources? I’ll post more tonight, but the listserve I was referring to in the above post is the WEDI one at http://subscribe.wedi.org, specifically the security workgroup list.
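The setup described in the post (screen saver enabled and password protected through Group Policy, one-hour timeout, no forced screen saver) can be checked per user with a script like the following. This is an added example, not the author's own configuration or code; it assumes the registry value names used by the Windows screen saver policy settings, and the function names and the 3600-second limit are chosen here for illustration.

```powershell
# Added example: audit the current user's screen saver lock settings.
# Assumption: 3600 seconds (the one hour used in the post) is the longest acceptable idle time.
$MaxIdleSeconds = 3600
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'  # written by Group Policy
$UserKey   = 'HKCU:\Control Panel\Desktop'                                      # the user's own choice

function Get-ScreenSaverSetting {
    param([string]$Name)
    # Policy wins over the user's Control Panel value, so check it first.
    foreach ($key in $PolicyKey, $UserKey) {
        $regKey = Get-Item -Path $key -ErrorAction SilentlyContinue
        if ($regKey) {
            $value = $regKey.GetValue($Name)
            if ($null -ne $value) {
                return [pscustomobject]@{ Name = $Name; Value = [string]$value; FromPolicy = ($key -eq $PolicyKey) }
            }
        }
    }
    [pscustomobject]@{ Name = $Name; Value = $null; FromPolicy = $false }
}

function Test-ScreenLockPolicy {
    $active  = Get-ScreenSaverSetting 'ScreenSaveActive'
    $secure  = Get-ScreenSaverSetting 'ScreenSaverIsSecure'
    $timeout = Get-ScreenSaverSetting 'ScreenSaveTimeOut'
    $program = Get-ScreenSaverSetting 'SCRNSAVE.EXE'
    $findings = @()

    if ($active.Value -ne '1') { $findings += 'Screen saver is not enabled.' }
    if ($secure.Value -ne '1') { $findings += 'Screen saver does not require a password on resume.' }

    $seconds = 0
    if ((-not [int]::TryParse($timeout.Value, [ref]$seconds)) -or ($seconds -le 0)) {
        $findings += 'No idle timeout is set.'
    } elseif ($seconds -gt $MaxIdleSeconds) {
        $findings += "Idle timeout is $seconds s, longer than $MaxIdleSeconds s."
    }
    # With no screen saver program selected anywhere, the timeout never fires and nothing locks.
    if ([string]::IsNullOrWhiteSpace($program.Value)) { $findings += 'No screen saver program is selected.' }

    # Values that do not come from policy can be changed back by the user.
    foreach ($s in $active, $secure, $timeout) {
        if ($null -ne $s.Value -and -not $s.FromPolicy) { $findings += "$($s.Name) is a user preference, not enforced by policy." }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); ForcedScreenSaver = $program.FromPolicy; Findings = $findings }
}

Test-ScreenLockPolicy | Format-List
```

`ForcedScreenSaver` reports whether a specific screen saver is mandated by policy; with the configuration in the post it is `False`, and the lock then depends on each user having some screen saver selected.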


2 Responses to End users and screensavers

  1. Robert says:

    Not sure if anyone else has experienced this, but I’ve noticed that when using Remote Desktop and the client machine goes into screen saver mode, sometimes when it comes out of screen saver mode, it shows a "ghost" image from prior Remote Desktop usage that could potentially be "embarrassing" if it is the wrong stuff. It’s hard to reproduce, but I see it frequently enough.

  2. Nicole Calinoiu says:

    You might want to watch out for that non-mandatory screensaver. There are some screensavers that echo (with "special effects" or not) the desktop contents (not that I can happen to find an example at the moment, of course <g>), so you might want to at least use written policy to "suggest" that such beasties not be used.