Acceptable Use Guidelines

  1. Burrell College of Osteopathic Medicine has established a three-tier Data Classification Standard to identify the security requirements for how data should be handled. The three tiers are Sensitive, Restricted, and Public.
  2. Sensitive Electronic Information, or SEI, refers to data that Burrell College of Osteopathic Medicine must protect by law, or that Burrell College of Osteopathic Medicine protects to reduce institutional risk. Some important examples of SEI include:
    1. Protected Health Information, or PHI. Refer to the Uses and Disclosures of Protected Health Information Policy and the HIPAA FAQs for more information on identifying and managing PHI.
    2. Social Security Numbers, or SSNs.
    3. Credit/debit card numbers and other financial account information.
    4. Student information, as defined by the Federal Educational Rights and Privacy Act (FERPA).
    5. Other Personally Identifiable Information, or PII, as may be defined by New Mexico Statute.
  1. Strong passwords must be used to secure access to critical systems and data. A single compromised password can lead to a significant data breach. Burrell College of Osteopathic Medicine relies upon you to protect your passwords at all times.
  2. Everyone using the College’s IT resources must create and use passwords that comply with the College’s Password Standard.
  3. Your Burrell College of Osteopathic Medicine passwords are never to be shared with another individual, including Help Desk staff and administrative assistants.
  4. Never use your Burrell College of Osteopathic Medicine password on a non-Burrell College of Osteopathic Medicine system (e.g. for personal email, banking, or social media sites).
  5. Avoid writing your passwords on paper (e.g. sticky / post-it notes).
  1. Phishing refers to the act of a malicious individual attempting to gain access to sensitive information, such as usernames and passwords, by impersonating a trustworthy party. Burrell College of Osteopathic Medicine users are frequently targeted by phishing emails and phone calls. It is critical for everyone to be on the lookout for suspicious communications.
  2. Think before you click on links and attachments in emails. Inspect email addresses for non-College addresses, inspect web site URLs for contents that point to unfamiliar sites, and be suspicious of any that ask for your Burrell College of Osteopathic Medicine username or password. Email attachments and downloaded files, particularly Office documents (Word, Excel, PDF, etc.), archive files (e.g. .zip, .rar), and executable files (e.g. .bin, .exe, .run) should be accessed with extreme caution.
  3. Never open an email attachment if you do not trust the source, or if you were not expecting the file. Contact the Help Desk to report any suspicious behavior.
  4. Never provide your password to anyone. If you receive a request to supply your password via email or phone, it should be considered fraudulent and reported to the Help Desk at (575) 674-2390.
  1. Never uninstall or alter the configuration or operation of any systems management agent or anti-virus software that is installed on your Burrell College of Osteopathic Medicine workstation or laptop.
  2. Discontinue use of any system that shows signs of being infected by a computer virus (also referred to as malware). See the “Recognizing and Reporting Security Incidents” section below for more information.
  3. Arrange computer monitors so that, as much as possible, they are facing only the individual using them. If available to you, consider the use of screen filters to limit visibility to those directly in front of the screen. You are responsible for ensuring that unauthorized individuals are not able to view your screen.
  4. Log off or lock your workstation or laptop if leaving the system unattended. Screen locks should be configured to automatically lock the screen after a maximum of 15 minutes and to require that your password be entered to unlock the screen. Laptops can be locked by pressing the Windows Key + ‘L’ Key.
  5. Ensure that laptops are stored in secure locations when unattended. If possible, never leave them in a car, and if you must, place them in a locked hidden location, like a trunk.
  6. Provisions for installing hardware or software on workstations and laptops:
    1. For all workstations and laptops, extreme caution should be used when installing any new hardware or software. Contact the IT Help Desk before making any hardware or software changes to your system.
  1. When connecting your mobile device to Burrell College of Osteopathic Medicine’s email system, a basic set of security controls will be enforced on your device. These include the following:
    1. Requiring the use of a passcode to lock the device when it is idle for more than three minutes. Numeric passcodes are the minimum requirement; alphanumeric passcodes are recommended. A password history is maintained to prevent the successive re-use of passcodes.
    2. Automatically wiping the device after ten successive failed attempts to use a passcode to unlock the device.
    3. Encryption is enabled on the device and for any external storage cards (e.g. SD Cards) on Android devices.
  1. You are responsible for applying software updates to your device and any installed applications as soon as practical after being made available by the vendor.
  2. Do not “jail break” or “root” your device. Doing so disables basic security controls on the device, and increases the chance of a malware infection.
  3. Only install apps from legitimate sources, such as the Apple App Store or Google Play.
  4. If your device has been lost or stolen, please note that Burrell College of Osteopathic Medicine reserves the right to remotely wipe the device to prevent the loss of PHI.
  1. With the exception of explicitly approved uses, such as receiving Burrell College of Osteopathic Medicine email on a personal smartphone or tablet, do not store the College’s SEI on non-College owned systems or devices, such as personal computers at home.
  2. PHI and other SEI that has been approved for storage on mobile devices or removable media (e.g. portable hard drives, memory sticks, flash drives, CD/DVDs, etc.) must be encrypted in accordance with the Burrell College of Osteopathic Medicine IT Standards.
  3. Use of file sharing or cloud-based services for data containing SEI (e.g. Dropbox, SkyDrive, Google Drive, etc.) is not allowed without prior approval from the Burrell College of Osteopathic Medicine CIO. Your Burrell College of Osteopathic Medicine OneDrive or SharePoint may be considered, but is not allowed without prior approval from the Burrell College of Osteopathic Medicine CIO.
  4. Clinical data may not be shared with vendors or other third parties who perform services on behalf of Burrell College of Osteopathic Medicine unless there is a signed agreement governing data security and usage. This may only be signed by the CIO.
  5. Research data collected from Burrell College of Osteopathic Medicine clinical activities under an IRB-approved protocol must be stored on Burrell College of Osteopathic Medicine managed servers, not any other third party servers, unless (a) it has been fully de-identified or anonymized, (b) outlined in an informed consent, or (c) a Data Transfer Agreement has been put in place to allow the third party to receive that data.
  6. When sending clinical data, research data, or other SEI outside of the Burrell College of Osteopathic Medicine network, SSL-encrypted protocols such as HTTPS, SFTP, or SCP must always be used.
  7. User devices, including workstations, laptops, and other mobile devices, are generally not backed up. Any data stored on a user device may be permanently lost in case of a system failure or the loss of the device. Instead, store data on Burrell College of Osteopathic Medicine servers through network shared drives.
  8. Dispose of all old storage media, including but not limited to hard drives and backup tapes, by returning them to the IT Help Desk.
  9. External data recovery services (e.g. to recover data from failed hard drives) may not be used unless approved by the CIO.
  10. If you have any questions about how to securely store, manage, or transfer data, please contact the IT Help Desk for assistance.
  1. Email containing SEI that is sent outside of Burrell College of Osteopathic Medicine must be sent using the Secure Email feature in the Burrell College of Osteopathic Medicine E-mail system. This may be done using the “Sensitive Electronic Information” button in Outlook. For more information on using Secure Email, contact the IT Help Desk.
  2. Only use a Burrell College of Osteopathic Medicine approved email system for College communications. Currently approved email systems include the College Exchange server and Burrell College of Osteopathic Medicine’s Microsoft Office 365 email solution. Personal email accounts through services such as Gmail, Yahoo, and Hotmail, or external sites that aggregate email accounts, may not be used to conduct College business.
  3. Burrell College of Osteopathic Medicine email containing PHI or SEI may not be forwarded to a non-College email account.
  4. The Burrell College of Osteopathic Medicine Electronic Communications Policy provides further requirements for securing electronic communications, including faxing and text paging.
  5. PHI must never be posted on social media sites such as Facebook, Twitter, online forums, and other sites unless they have been specifically approved for PHI.
  6. Extreme caution must be used with photography and videography inside of clinical facilities to prevent inadvertent disclosures of PHI. Please refer to the Burrell College of Osteopathic Medicine Video Release Form.
  1. Retrieve printed sensitive information immediately upon printing. When disposing of hardcopy, use bins that have been marked for the disposal of confidential documents. Please ask your Supervisor where these bins are located. If those are not available, use a crosscut shredder.
  2. Report unauthorized or unknown people that appear in non-public areas to a manager or facilities security officer.
  3. In areas that require badge access, do not allow others to follow you through a door without badging in.
  1. A security incident is an event that may result in the confidentiality, integrity, or availability of Burrell College of Osteopathic Medicine information systems or data being compromised. Indications of a security incident may include the following:
    1. The intentional or unintentional misuse of (a) patient information, (b) information pertaining to Burrell College of Osteopathic Medicine faculty or students, (c) Burrell College of Osteopathic Medicine computer systems, or (d) other information that is classified as sensitive or restricted.
    2. Theft or loss of a computer or mobile device (e.g. smartphone or tablet) that is either owned by Burrell College of Osteopathic Medicine or that possibly stored or had access to Burrell College of Osteopathic Medicine patient information or other sensitive data.
    3. Observing odd behavior or other signs that a computer may have been infected with malware or otherwise compromised by an intruder.
    4. Clicking on a link or opening an attachment in a suspicious email.
    5. Finding evidence that a Burrell College of Osteopathic Medicine system, application, or data set may have been modified or accessed without authorization.
    6. Storing patient information or other sensitive data in an insecure manner on a workstation, computer media (e.g. flash drive or CD/DVD), or unauthorized web site (e.g. file sharing sites such as DropBox).
    7. Leaving printed output containing patient information or other sensitive data in a location where unauthorized individuals may view it.
    8. Suspecting that someone knows your password, noticing that the last date and time noted on the login screen is not correct, or finding that your account has been locked out.
    9. Faxing, mailing, or emailing patient information or other sensitive data to an incorrect phone number or address.
  1. If you believe that you have observed an information security incident, please take the following steps:
    1. Report the incident immediately to the IT Help Desk by calling (575) 674-2390.
    2. If the incident involves your computer: Discontinue using it until the IT Help Desk has evaluated the situation.
    3. If the incident involves the loss or theft of a computer or mobile device, contact the IT Help Desk, who will assist you in filing a police report.