NIMH IT Policy

Internet access is provided primarily to support the clinical services, teaching and business activities of NIMH and its workforce to meet its institutional objectives.

NIMH takes seriously its responsibility for ensuring the confidentiality, integrity and availability of information and information systems provided over the Internet and used for its intended purposes.

The wide range of information and other material available over the Internet raises concerns about the security and appropriateness of access to certain web content and the implications for NIMH and its staff as inappropriate use of the Internet can cause problems ranging from minor distractions up to and including legal claims being made against staff and/or NIMH if a national or international law is violated.

Should do

a. Be aware of who you are allowed to share information with and how it is shared.
b. Report any information security incidents/breaches, including malicious websites and phishing emails, to the manager, Hospital Information and Digital Health (HIDH) Department, NIMH.
c. Behave in a responsible manner when using NIMH's Internet systems.

Should not do

a. Ignore, turn off or bypass any information security controls put in place or recommended by NIMH.
b. Download or install software from the Internet without informing, and obtaining prior approval from, the HIDH Department.
c. Automatically expect privacy when using NIMH's Internet systems for personal matters.
d. Use any kind of VPN without prior approval from the manager, Hospital Information and Digital Health (HIDH) Department, NIMH.

NIMH will lawfully monitor and report Internet use and investigate suspected policy breaches or unlawful behaviour, ensuring that:

a. Internet access is justified and cost effective.
b. There is established and documented good practice in place for the distribution of information through the Internet.
c. The confidentiality and security of NIMH information is not compromised.
d. Where limited and reasonable, personal use of the Internet is permitted, as long as such access complies with NIMH policy.

Definition

a. The Internet is a general term that covers access to numerous computers and computer systems worldwide that are accessed electronically. Such systems include the World Wide Web (WWW), email, File Transfer Protocol (FTP), newsgroups, Gopher, etc.
b. NIMHnet (the NIMH Local Area Network)
c. NIMH intranet (NIMHweb) is NIMH's internal intranet system used to access information.
d. Junk-mail or spam messages: unsolicited commercial web mail, jokes, chain letters or advertisements.

Roles and Responsibilities

Committees

Information Technology Governance (ITG) Committee

● The ITG Committee is responsible for ensuring that this policy is implemented, including any supporting guidance and training deemed necessary to support its implementation.
● The committee will ensure that the standards and requirements for information and acceptable internet use are understood across NIMH, whilst also ensuring that appropriate and effective mechanisms are in place for the identification, reporting and mitigation of risks relating to internet use, to ensure the highest level of safety and security for all staff and the IS systems of NIMH.
● The ITG Committee reports to the Directors Administration.

Individual Officers

Health Informatics Officer (HIO)
Medical Officer – Health Informatics

● The Health Informatics Officer is responsible for ensuring that comprehensive audit tools are in place which enforce the policy and monitor Internet usage.
● The HIO will authorize audits investigating any serious incidents requiring investigation.
● The HIO is responsible for periodically monitoring Internet use to ensure compliance with this policy and to assist HR in any disciplinary investigations regarding Internet use.

All staff

● All staff must adhere to this policy.

Policy and/or Procedural Requirements

1. Where the policy refers to "staff" or "user", this means all members of staff employed by NIMH, any person carrying out work activities on NIMH occupied premises who is not directly employed by NIMH (e.g. students, work placements or volunteers), or any person providing a service to NIMH under contract.

2. Internet access is provided primarily for clinical/patient care services, research, teaching and training, and the business of NIMH, to develop the skills and knowledge of its workforce to the benefit of its intended objectives. NIMH considers the Internet an important means of communication and recognizes the importance of proper Internet content and speedy replies in conveying a professional image and delivering good customer service.

3. Acceptable Internet Usage

3.1 Use of the Internet by staff is permitted and encouraged where such use is suitable for intended purposes and supports the goals and objectives of NIMH. The Internet is to be used in a manner that is consistent with NIMH's standards of service, training and business conduct and as part of the normal execution of an employee's job responsibility, i.e. to communicate with other NIMH affiliated/related organizations, to research relevant topics and obtain useful health-care-related information.

3.2 Whilst reasonable personal use of the Internet is permitted, staff should be aware that NIMH monitors the use of the network and NIMH reserves the right to withdraw personal use of NIMH network resources.

3.3 Reasonable personal use is defined as use that is not in work time, is not excessive and does not interfere with the users' ability to complete their work. Also, any personal use should be such that it does not interfere with the performance of the IT systems or staff duties and is not for personal financial gain. If staff are in any doubt about what constitutes acceptable and appropriate use, they should seek the advice and guidance of the HIDH Manager.

3.4 Staff should not assume privacy in their use of NIMH systems, even when accessing the systems in their personal time, i.e. out of working hours; however, NIMH will recognize staff's privacy and will not intentionally access information considered to be, or marked, "personal" or "private", but reserves the right to do so if there are:

3.4.1 Credible grounds to suspect that they may reveal evidence of any unlawful activity, including instances where there may be a breach of NIMH policy constituting gross misconduct.

3.4.2 Where there is reason to suspect a file that contains harmful material such as a computer worm or virus etc.

3.4.3 Where the law requires it, or any other reason as outlined in section 4 (Unacceptable Internet Usage)

4. Unacceptable Internet Usage

4.1 While the NIMH's Content Filtering software will block. (If staff accidentally access material/sites unblocked by the system that they feel may be considered offensive or otherwise unacceptable to access, they should note the time and website address, exit from the site and then inform the MIM Services Helpdesk.)

4.2 The activities below constitute unacceptable use of NIMH's Internet.

4.2.1 Downloading or keeping any offensive, obscene or indecent images, data or other material.

4.2.2 Any data capable of being transformed into obscene or indecent images or material. (This includes obscene language, pornography, hostile material relating to gender, sex, race, sexual orientation, religious, political convictions, disability or information that would cause or promote incitement of hatred, violence or any other intimidatory material that is designed or could be used to cause offence, annoyance, inconvenience, needless anxiety or which would contravene any NIMH policy, in particular equal opportunities or harassment, or break any law.)

4.2.3 Staff must not display any kind of sexually explicit image or document on any NIMH system (other than for properly authorized or lawful research). In addition, sexually explicit material may not be archived, stored, distributed, edited or recorded using NUH network or computing resources.

4.2.4 Staff must not create, download or transmit (other than for properly authorized and lawful research) any defamatory, sexist, racist, offensive or otherwise unlawful images, data or other material.

4.2.5 Staff must not, under any circumstances, use interactive chat applications (e.g. MSN, Viber, WhatsApp etc.); this includes all web-based interfaces for Instant Messaging applications and social network applications (e.g. Facebook, Twitter etc.) other than in the areas authorized by NIMH.

4.2.6 Staff must not, under any circumstances, use audio/video streaming software applications (e.g. YouTube) other than in the areas and VLANs authorized by NIMH.

4.2.7 NIMH staff must not, under any circumstances, use torrent applications (P to P) for downloading. If staff require any bulky downloads, they can contact the HIDH Manager to get it done.

4.2.8 Staff must not use NIMH's Internet and computing facilities to violate the laws and regulations of Sri Lanka or any other nation in any material way. Use of any NIMH resources for such illegal activity is grounds for disciplinary action and NIMH may be required to report such activity as well as cooperate with legitimate law enforcement agencies.

4.2.9 Staff must not use NIMH's Internet and computing facilities to knowingly conduct downloads or uploads which may have adverse implications for NIMH, including the:

4.2.9.1 Download or distribution of pirated software or copyright data, documents, images, videos etc.; any software must be properly licensed and/or registered and must only be used within the terms of its license.

4.2.9.2 Use of NIMH's Internet facilities to download entertainment software or games, or to play games against opponents over the Internet.

4.2.9.3 Upload of any software licensed to the NIMH or data owned or licensed by NIMH without proper authorization.

4.2.9.4 Propagation of any virus, worm, Trojan horse, trap-door or other malicious program code for the purpose of corrupting or destroying other users' data or hardware.

4.2.9.5 Creation or transmission of "junk-mail" or "spam" messages.

4.2.9.6 Download/streaming of video or audio material for entertainment (non-work-related) purposes.

5. Staff must not use NIMH's Internet facilities to disable, defeat or overload any computer system or network, or to circumvent any system intended to protect the privacy or security of any NIMH IT security facilities as well as any activity that would risk bringing NIMH into disrepute or place NIMH in a position of liability.

6. Staff must not reveal confidential NIMH information or data (i.e. personal, patient, research, teaching, sensitive or business critical) and any other material covered by existing NIMH policies and procedures on the Internet.

7. Staff must not share user IDs or passwords obtained for access to Internet sites. Staff are reminded that they are solely responsible for any Internet activity conducted under their individual username and password and must not, under any circumstances, let another person know or use their password to gain access to any part of NIMH's systems. If you wish to access Internet facilities and find that a previous user has left their session open/logged in, do not use this session; you must log out and begin your own session.

8. Staff must not use the Internet to conduct private or freelance business for the purpose of commercial gain including passing trade secrets to a competitor or supplier. All of the above includes internet access from VPN or via remote access to NIMH's network.

9. Only those staff who are authorized to give media statements may write or present views on the Internet on behalf of NIMH. Non-ICT Services staff that have been granted 'admin rights' should seek appropriate advice from ICT Services technical colleagues before downloading and installing any software from the internet.

10. Any abnormal behavior experienced should be reported to MIM immediately.

11. All internet activities (VPN, download, torrent, online streaming and social media) are monitored from 27th December 2018 onward, and identified device MAC addresses will be permanently removed from the NIMH network.