INFORMATION SECURITY RULES OF THE ROAD

GENERAL STATEMENT

The Cook County Health and Hospitals System (CCHHS) does not publish these rules to impose restrictions that are contrary to our established culture of openness, trust, and integrity. CCHHS is committed to protecting the public, our employees, our partners, and CCHHS itself from illegal or damaging actions by individuals, whether taken knowingly or unknowingly. The 21st century environment of connected technologies offers many opportunities for malicious or careless people from all over the world to anonymously attack, damage, and corrupt vital information and to disrupt our ability to communicate effectively and accomplish the mission of this hospital. Effective security is a shared responsibility and a team effort involving the participation and support of every employee who deals with information and/or information systems. It is the responsibility of every employee to know, understand, and adhere to security policies, procedures, standards, and rules, and to conduct their activities accordingly. These rules provide guidance and protection to CCHHS employees and safeguard the information resources our patients have entrusted to us.

THE INFORMATION SECURITY OFFICER STATEMENT

Based on ISO/IEC 17799:2000, the International Organization for Standardization's code of practice for information security management, these standards and rules were created to be clear, concise, and easy to understand. It is also important that standards and rules do more than add another layer of regulations that we all must follow. They must be educational and speak to what matters most: the public good and our employees. Thank you in advance for your support as we do our best to create a secure environment and fulfill our mission.

  1. ACCEPTABLE USE OF INFORMATION RESOURCES

    These rules are in place to protect the public, our employees, and CCHHS. Inappropriate use of our information resources exposes CCHHS to risks, including malware infection, compromise of network systems and services, and legal liability. CCHHS resources are made available to employees to conduct official business; they are not to be used to conduct personal business, business related to outside employment, or activities for personal benefit. Employees are advised that there is no expectation of privacy when using any CCHHS information resource. To ensure safety and security:

    • Users must not share their user account(s), passwords, security tokens (e.g., smartcards), or similar information or devices used for identification and authentication.
    • Users must not attempt to access any data or programs contained on CCHHS systems for which they do not have authorization or explicit consent.
    • If an employee is sent, is delivered, or inadvertently accesses inappropriate or prohibited material, or material containing confidential information that the employee has no "need-to-know" access to or authority to receive, the employee must immediately secure the material from view and notify his or her supervisor.
    • Users must not make unauthorized copies of copyrighted software.
    • Users must not install or use nonstandard software, shareware, or freeware software, including games.
    • Users must not attempt to circumvent approved antivirus software or make any changes to the approved configuration of antivirus software.
    • Users must not download, install, or run security programs or utilities that reveal or exploit weaknesses in the security of a system.
    • Users must report any weaknesses in CCHHS computer security, any incidents of possible misuse, or violation of this agreement to the information security officer at 708-633-2042.

  2. INTERNET USE

    In addition to being an excellent resource for information, and a revolutionary way to communicate with the world, the Internet is a rapidly changing and volatile place that can accurately be referred to as "The Wild West." The following rules are intended to provide guidance and protection while still making available this useful business tool to CCHHS employees. The following rules apply when using the Internet:

    • All software used to access the Internet must be part of the CCHHS standard software suite. This software must have all vendor-provided security patches applied.
    • Software for browsing the Internet is provided to authorized users for business and research use only, except where otherwise noted in the incidental use section.
    • Users must not download or install any software from the Internet without authorization of the Information Systems department.
    • Non-business-related purchases or sales made over the Internet are prohibited.
    • All user activity on the Internet is subject to logging and review.

  3. EMAIL USE

    E-mail has become the standard method of communication. Unless it is encrypted, e-mail is inherently insecure: messages can easily be intercepted, read, or altered in transit. Additionally, e-mail is the most common delivery path for the viruses and worms that infect systems and destroy valuable information. E-mail is subject to the following rules:

    The following activities are prohibited as they conflict with CCHHS Code of Ethics:

    • Sending e-mail that is intimidating or harassing.
    • Using e-mail for purposes of political lobbying or campaigning.
    • Violating copyright laws by inappropriately distributing protected works.
    • Posing as anyone other than oneself when sending or receiving e-mail.

    The following activities are prohibited because they impede the functioning of network communications and the efficient operations of our email system:

    • Sending or forwarding chain letters.
    • Sending unsolicited messages to large groups except as required to conduct hospital business.
    • Sending excessively large messages.
    • Sending or forwarding e-mail that is likely to contain computer viruses.

    The following rules also apply to all e-mail use:

    • E-mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of CCHHS unless authorized to do so.
    • Individuals must not send, forward, or receive confidential or sensitive CCHHS information through non-CCHHS e-mail accounts. Examples of non-CCHHS e-mail accounts include, but are not limited to, consumer-oriented products like Hotmail, Yahoo Mail, AOL Mail, and e-mail services provided by other Internet Service Providers (ISPs). Users of these products should not use them on CCHHS networks and should not expect support for them.
    • Individuals must not send, forward, receive, or store confidential or sensitive CCHHS information using mobile devices that have not been accredited by CCHHS. Examples of mobile devices include, but are not limited to, personal digital assistants (PDAs), two-way pagers, and cellular telephones.
    • E-mail messages and the Internet sites accessed from an employee's system are not private; they are the property of CCHHS. CCHHS may print and review e-mail messages and Internet sites accessed from an employee's system.
    • Do not open suspicious e-mails or their attachments. Report them to the Information Systems department.

  4. INCIDENTAL USE OF INFORMATION RESOURCES

    As a convenience to the CCHHS user community, incidental use of information resources is permitted. Only brief and occasional use is considered incidental. The following rules on incidental use apply:

    • Incidental personal use of email, Internet access, fax machines, printers, copiers, and so on, is restricted to CCHHS approved users; it does not extend to family members or other acquaintances.
    • Incidental use must not result in direct costs to CCHHS.
    • Incidental use must not interfere with the normal performance of an employee's work duties.
    • Incidental use of CCHHS information resources must not involve solicitation in any form, must not be associated with any outside business or employment activity, and must not potentially embarrass or offend CCHHS.
    • Storage of personal email messages, voice messages, files, and documents within CCHHS information resources must be nominal.
    • All messages, files, and documents - including personal messages, files, and documents - located on CCHHS information resources are owned by CCHHS, may be subject to open records requests, and may be accessed in accordance with this statement.

  5. PASSWORDS

    All of the work being done at CCHHS to secure confidential information will be ineffective if the most important element of information security, the daily users of our information resources, share the passwords that grant access to critical, confidential, or sensitive information. Think of a password as a "shared secret" known only to you and the CCHHS information resource that verifies it. The following rules apply to password use:

    • All passwords, including initial passwords, must be constructed and implemented according to CCHHS accepted and approved standards.
    • User account passwords must not be divulged to anyone at any time or for any reason.
    • If passwords are forgotten or disclosed or if the security of a password is in doubt, the password must be changed immediately by contacting the Help Desk at 773-864-HELP.
    • Administrators must not circumvent password standards for the sake of ease of use.
    • Whenever possible, users must not bypass password entry by means of auto-logon, applications that remember credentials, embedded scripts, or passwords hardcoded in client software.
    • Computing devices must not be left unattended without enabling a password protected screensaver, locking the workstation, or completely logging off of the device.
    • If passwords are found or discovered on documents of any kind, the following steps must be taken:
      • Take possession of the passwords and protect them.
      • Report the discovery to the Help Desk.
      • Transfer the passwords to an authorized person as directed by the Help Desk.

  6. PORTABLE COMPUTING

    Laptop computers, PDAs, and other portable computing devices are a great convenience and are becoming more and more a part of doing business. They also come with many risks, including ease of theft, operation in unsecured environments, and easily intercepted wireless communications. To protect our valuable information, users of portable computing devices must follow these rules of use:

    • Only CCHHS approved portable computing devices may be used to access CCHHS information resources.
    • Portable computing devices must be password-protected.
    • CCHHS data should not be stored on portable computing devices. If there is no alternative to local storage, all sensitive CCHHS data on the device must be encrypted using approved encryption techniques.
    • CCHHS data must not be transmitted over wireless networks to or from a portable computing device unless approved wireless transmission protocols and approved encryption techniques are used.
    • All computer systems accessing CCHHS resources from an external location must conform to CCHHS standards for configuration and connectivity.
    • Unattended portable computing devices must be physically secured. This means they must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet with a cable lock.
    • Personal devices not owned by the hospital (PDAs, laptops) must not be connected to the CCHHS network or to CCHHS computers.
    • Use of portable storage devices (thumb drives, flash drives) must be authorized by the Information Security Officer.

  7. STANDARD DEFINITIONS

    Ownership of Information

    All documents generated as a result of CCHHS business activity, wherever they are stored on or off CCHHS premises, and all electronic files created, sent, received, or stored on information resources owned, leased, administered, or otherwise under the custody and control of CCHHS, are the property of CCHHS.

    Privacy

    Electronic files created, sent, received, or stored on information resources owned, leased, administered, or otherwise under the custody and control of CCHHS are not to be considered private.

    Information Resources

    Any and all computer printouts, online display devices, magnetic storage media, and all computer-related activities involving any device capable of receiving e-mail, browsing Web sites, or otherwise receiving, storing, managing, or transmitting electronic data, including, but not limited to, mainframes, servers, personal computers, notebook computers, handheld computers, personal digital assistants (PDAs), pagers, distributed processing systems, telecommunication resources including cell phones and voicemail systems, network environments, telephones, fax machines, printers, and service bureaus. Additionally, it includes the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
