Information Security Policy

HIPAA and HITECH requirements for AccrueCMS employees

All AccrueCMS employees are required to review each section of our company security and best practices policies and procedures. We are committed to client data security and protection, and have addressed this concern by implementing and maintaining stringent safeguards to protect the security and privacy of our customers, vendors and joint venture partners in accordance with both HIPAA and HITECH requirements described below.

  • Non-company-provided equipment is expressly prohibited on AccrueCMS’s networks and/or connecting to our networks remotely.
  • Personal storage devices represent a serious threat to data security and are expressly prohibited on CMS’s network. USB “flash” and storage devices are especially susceptible to security issues. Before plugging anything into your computer, please check with IT first. This is very important.
  • Installation of non-company-supplied programs, software and applications is prohibited.
  • The AccrueCMS offices do not allow wireless connectivity to their network or systems. Our office only utilizes “wired” connectivity, and does not include a wireless router anywhere within its network. This is for security purposes to help firewall our systems.

Do not change any of the settings on your PC without approval from someone in the IT department. While it’s okay to personalize your Desktop environment, please do not change any settings that could affect the operation of your computer. This includes changes to system passwords, anti-virus settings, malware settings, computer startup scripts, etc.

Some PC functions are configured to optimize and safeguard our network and should not be changed. We also manage some PC settings via global policies as determined through best security practices.

If you have any questions or need assistance, please let us know and we will be happy to help.

  • Websites that include any potentially harmful content and/or activities that are considered illegal under local, state, federal or international law should never be accessed under any circumstances.
  • Downloads and/or uploads are never allowed unless authorized and monitored by someone in IT.
  • Never “allow” any website to install any file or application. Our network monitoring software will let us know which applications and add-ons have been allowed, and we may remove or inquire as to the purpose of the app at any time. Before you can install most web-based files and add-ons, our firewall will typically warn you. In most instances you should never allow an application to install. If you have any questions – always ask someone in IT first.
  • The company does not allow any remote assistance from any outside party. If you are requested to install any remote assistance software, please notify someone in our IT department.
  • Browser website, email, chat, instant messaging and all other forms of internet communication and connectivity history must always be “ON”. Do not remove or disable history or clear the cache unless requested by someone in IT. All communication on company devices and networks is not private and is considered company property. This includes communication via email, chat, website portals, and instant messaging.
  • Never use any type of incognito mode or private website viewing that doesn’t record website browsing history. This includes any type of tunneling using VPN and/or other methods that hide your activity.
  • Do not install any browser add-ons. This includes Google or Desktop add-ons without direct authorization.
  • The primary browsers that we allow on AccrueCMS devices are Google Chrome and Microsoft Edge. Both are okay to use, although keep in mind some websites are limited and can only be used with one type of browser.
  • The company in some instances will allow you to use the internet for non-business and personal use as long as it doesn’t cause any side effects or security threats to our primary business. Private internet use should only occur during designated times of the day (during breaks or outside of normal business hours), and these times are subject to change at any time. Please check with your manager or direct report to determine what is allowed. Personal use can include checking personal email and other minor functions that do not use company bandwidth. Video, music streaming and similar high-bandwidth applications can affect our network speed, and are currently disallowed unless authorized by someone in IT under some circumstances. Instant messaging is also disallowed for personal use. We also periodically disable and block some websites that have a pattern of misuse and potential disruption to the office, network and/or security.
  • Wireless connections are not offered in any of our offices due to strict rules that govern the nature of our business and regulations that we are required to meet for employer, state and federal compliance and audits. Personal devices are not allowed to connect to our network unless specifically authorized by IT.
  • Public wifi connections are never allowed for company work outside of the office unless other safeguards are in place through secure tunneling connections that have been installed and authorized in advance. If you’re not sure whether you’re connecting to a safe connection, please check with our IT department for assistance when attempting to use wifi in a public setting. Devices/computers that are used for company business must have their wifi always set to NOT auto-connect to networks. Always make sure your wifi is set to OFF, and only turn it on if you are connecting securely. The same rules apply to Bluetooth and other wireless-type connections.
  • Office visitors should not be allowed to access the internet using their own device connected directly to our network unless their device has been reviewed and checked for potential security issues by our IT team.

As mentioned in the CMS Employee Handbook, all email is stored as it is received and sent.  Please use the company email for business purposes only.  The company is the owner of any email (and other communication) that transmits through our email server.

If you ever have any questions whatsoever about a potentially suspicious email or attachment, please contact someone within CMS’s IT department for assistance. Our suggested company policy is to contact the sender via a quick phone call to the actual phone number we have on record (not necessarily the phone number on the email) to verify that the particular email was actually sent to you before clicking on any links or documents included in the email. In some instances you can also get a good idea of where a link is attempting to send you by just hovering your mouse over the link without clicking on it. For most of our customers the domain name that shows just before the last “.” (dot) indicates the server. The characters to the right of the dot can also sometimes be observed to know whether the URL is outside of the United States. Most other countries use a 2-character suffix country code (for example, China is “.cn”, Russia is “.ru”, Ukraine is “.ua”, etc.).
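The link check described above, as an added worked example that is not part of the original policy or of any CMS tool: given the address shown when hovering over a link, it applies the policy’s rule of thumb (the label just before the last dot is the server, a two-letter suffix is a country code) and compares the real server against the one the message claims to come from. The sample link strings and host names are constructed for illustration, and the function names `inspect_link`, `matches_expected_server` and `inspect_all` are our own.

```python
from urllib.parse import urlsplit

# Constructed sample link targets, of the kind you would see when hovering
# over a link in an email.  None of these are real addresses or addresses
# from the original policy; the host names are made up for illustration.
SAMPLE_LINKS = [
    "https://portal.acmebank-example.com/login",
    "http://acmebank-example.com.account-notice.ru/verify",
    "https://mail.acme-example.ua/attach?id=123",
    "https://www.acme-example.co.uk/statement",
]


def inspect_link(url):
    """Summarize where a link really points, using the policy's rule of thumb.

    The label just before the last dot is treated as the server's name, and
    the characters after the last dot are the suffix.  A two-letter suffix is
    a country code; any country code other than "us" is reported as outside
    the United States.  Suffixes that are not two letters (".com", ".org")
    carry no country information under this rule, so those fields are None.
    """
    # Add a scheme if the pasted text lacks one, so urlsplit finds the host.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        # Bare name with no dot at all: nothing to split into server/suffix.
        return {"host": host, "server": host, "suffix": "",
                "country_code": None, "outside_us": None}
    suffix = labels[-1]
    server = labels[-2]
    is_country_code = len(suffix) == 2 and suffix.isalpha()
    return {
        "host": host,
        "server": server,
        "suffix": suffix,
        "country_code": suffix if is_country_code else None,
        "outside_us": (suffix != "us") if is_country_code else None,
    }


def matches_expected_server(url, expected_server):
    """True only when the link's real server name (the label before the last
    dot) is the one the message claims to come from.

    A look-alike host that merely *contains* the expected name earlier in
    the address does not pass, because the real server is the last-but-one
    label, not whatever appears first.
    """
    return inspect_link(url)["server"] == expected_server.lower()


def inspect_all(links=SAMPLE_LINKS):
    """Inspect every constructed sample link and return the summaries."""
    return [inspect_link(link) for link in links]


if __name__ == "__main__":
    for summary in inspect_all():
        print(summary)
    print(matches_expected_server(SAMPLE_LINKS[0], "acmebank-example"))  # True
    print(matches_expected_server(SAMPLE_LINKS[1], "acmebank-example"))  # False
```

The second sample shows why the last-dot rule matters: the address begins with the bank’s name, but the server is actually “account-notice” with a “.ru” suffix. One limit of the rule of thumb: for suffixes such as “.co.uk” it reports “co” as the server, although the country code is still correct, so when a link is unclear follow the policy and check with IT before clicking.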

If you notice anything out of the ordinary or suspect you’ve inadvertently opened or followed a suspicious link, we will probably want to scan your computer for any embedded malicious code or infections. If your computer is running slow, or anything else that doesn’t appear normal, please let us know. The sooner we can review – the better for everyone.

All email communication that includes PHI data must be sent as encrypted email. It’s best to send 2 separate emails: one with general communication describing what’s in the second email. The second, encrypted email should include just the attachment with the PHI data. We are currently using ZixMail for the secure email. Most employees will have this add-on included with their MS Outlook email client. We also have Zix included for most Google Mail users. In both instances please err on the side of caution with PHI that’s included in your emails and always encrypt the message if you have any question at all whether the information might be subject to HIPAA PHI rules. Partial SSNs aren’t necessarily safe to send without encrypting first if there are other PHI identifiers present in the file like Name and/or DOB, etc. It’s always better to encrypt if you have any concerns about the data included in your message.

Make sure you save important emails that pertain to customer communications and/or group setup in appropriate folders that are available on our servers. Check with your manager for further instructions.

All email that you receive encrypted should be decrypted and saved for future reference.

And, as mentioned previously – all communication on company devices and networks is not private and is considered company property.

Never share your Solo/Maxim (or CP, WEX, etc..) passwords with anyone else inside or outside of the company.  If you ever think that your password has been compromised, please let us know as soon as possible, and we will issue a new one.

While most computers in our office are configured to allow sharing in the event that an employee is not available, there are some computers that are configured at a higher security level with unique passwords. Please check with your supervisor to determine which computers can be shared from your respective department and position within the company.

It is extremely important that you do not change your company computer/device’s password unless it’s been authorized by a manager or IT rep. If you need to change your password please make sure that it’s communicated and added to our company password depository and library so that our IT and management departments can log into it when needed in your absence.

  • Please remember to “lock” your computer if you plan on being away from it for more than just a minute or so. You just need to press WINDOWS + “L” on your keyboard to lock it.
  • All non-employee personnel in our office must always be escorted, and signed in and out with name badges where appropriate. No personnel should ever go into the computer room without involving someone from IT. We have a logbook that must always be signed if anyone accesses that room. Access to the rest of the office should always adhere to HIPAA best practices, including signing the office logbook located near the front door.
  • All visitors, including building maintenance, vendors and anyone else are required to sign the log book at the front door, and wear a name badge while in the CMS office.
  • When a visitor is present in the office, make sure that all material that contains any HIPAA information is protected and not exposed for viewing. This includes documents left on the copier and printers within the office.
  • Clean up your desk area at the end of the day. Do not leave any HIPAA-related documents exposed for anyone that might be in the office after hours. We have a cleaning crew that comes in every night, and they should not have access to anything with HIPAA information.

Visitors should not be allowed access to our equipment, computers and/or devices that connect to our network without authorization and direction from management and/or IT.

All of our computers and networks are protected using an enterprise endpoint version of McAfee that will protect against most “known” viruses, infections and malware. In addition to the known threats, there are many situations that are not accounted for or identified as threats. One of these is called a “zero-day threat”. This is malicious code that exploits unknown security holes that are present across all systems, the internet and software. What that means to you is: always be careful when opening email (and accessing websites).

In addition to McAfee enterprise, we also try to include Malwarebytes, Windows Defender and other company-installed firewall and anti-virus applications on every production computer. They should always be left on.

We also prevent any access to our primary file servers in our office from any outside source. This is accomplished with our firewall software and equipment that resides at the front end of our internet connection. Our local network is also isolated from the internet through the use of firewalls. In addition to our local network, we also secure our cloud-based data using similar technology. They continuously protect all of our data from outside attacks. We also scan our networks and web applications/servers using penetration testing on an aggressive schedule to make sure they’re always secure. Even with this protection, the greatest vulnerability we have is from employees who are careless.

One of the most prolific attacks currently occurring in the wild is the “ransomware” attack that is currently in the news. There’s no single organization that is immune to this kind of attack – no matter how secure their network and/or systems are. We have taken precautions against this type of malicious activity, but it’s important to review and follow these important safety assurances.

  • As an example, if the email is supposedly coming from a bank, please verify with your bank that the message is legitimate. If the email came from a personal contact, confirm that your contact sent the message. Do not rely solely on trust by virtue of relationship, as your friend or family member may be a victim of spammers or malware as well.
  • Look for obvious factual errors or discrepancies that you can spot. For example, if your bank or a friend claims that they have received something from you, go to your recently sent items to double-check their claim. Such spammed messages can also use other social engineering lures to persuade users to open the message.
  • In general, clicking on links in email should be avoided. It is safer to visit any site mentioned in an email directly. If you do this, make sure you type the correct URL for the site into your browser address bar.
  • There is no known tool to decrypt the files encrypted by “CryptoLocker” ransomware. One good safe computing practice is to ensure you have accurate backups of your files. Make sure you save anything important to the G, Z or Y drive to increase the chances that it is backed up in real time. We also attempt to include Microsoft OneDrive as another backup option running concurrently.

All data that resides or is communicated on or through CMS resources is owned by the company. Please review the CMS Employee Handbook for more information related to this issue.

There are very specific requirements and instructions pertaining to data exposure and breach as defined under both the HIPAA and HITECH rules. Each individual in the office is required to report to their supervisor any potential exposure of data that falls within the definition of ePHI and/or PHI. It is important that this be reported as soon as you’re aware of the potential exposure. An action plan will be put in place to determine whether there really was an incident that requires action on our part.

Any vendor, business, individual and/or non-employee that is defined as a “business associate” according to the HIPAA Final Rules, will be required to sign and agree to the CMS Business Associates Agreement. This should be handled by your supervisor and/or someone in management. If you’re unsure what is considered a Business Associate, please ask.

HIPAA Training is required to take place for all new hires within a reasonable amount of time before or after the new employee begins work with our sensitive data. A logbook must be updated every time the training has occurred. HIPAA training will also be conducted on a periodic basis for all employees as required by the Final Regulations.

The CMS IT department keeps detailed Disaster Recovery documentation that describes steps that can be taken to address most known scenarios that could potentially cause a disruption to our business. While the documentation is very specific to the needs of the information technology department, there are components of the policy that can be used by all personnel in the office.

Each office has access to the building disaster recovery documentation provided to each location. It includes detailed information on specific situations that could cause disruption to, or prevent access to, the building itself. We have a designated “Fire Marshal” who has access to this documentation. It’s important that you review this material at your convenience, and that you know what to do in the event of a building disaster or emergency.

Along with the documentation, we also try to make sure that our entire infrastructure has some type of redundancy in place if any one of the components fails at any time. This includes most hardware, software, backups, facilities and personnel. In the event that the building is inaccessible or if there’s a regional issue that prevents you from accessing the office, we need to keep your contact information up to date. As a part of the Disaster Recovery documents, your basic contact information is included. Please let Finance or HR and/or IT know if changes might occur to your phone number and/or address so we can keep accurate records in the event we need to activate our disaster recovery plan and utilize alternative emergency “hot office” or remote office locations.

CMS has strict rules in place for storing and naming files that are saved to the server and backup drives. In general, make sure that you keep the file name as short as possible. There are Microsoft Windows and network backup limitations on the length, and on the type of special characters that may be used when naming a file. Make sure that you don’t use special characters when saving files. If you can eliminate anything beyond 0-9 and A-Z, that would guarantee best practices, and ensure that the file will be backed up and kept for posterity. Characters outside of the normal character set might cause some files to not be recognized by our backup system.

The CMS Backup is a real-time backup. It runs 24/7 continuously, and backs up the data (encrypted) to multiple offsite storage facilities in highly secure and redundant locations within the continental U.S. The network backup will only check for files that are saved on either the Z or Y drives. Alternatively, the G drive is also backed up according to Google’s policies. We also utilize the Microsoft OneDrive backups to assist with local data that is in one of the 2 OneDrive folders – your Desktop and your Documents folders. It’s important to make sure that Office OneDrive is always on and running on your company devices. You are responsible for making sure that anything that is important locally on your Desktop (including email) is also backed up on the network backup drives at all times. If you’re not sure, please contact IT for verification.

We also backup the Frisco Server on a 24/7 continuous cycle using the same technology and backup that’s used with the Bellevue Server. This backup is limited to shared folders only.

If you ever accidentally delete or lose a file that was once saved to the Z or Y drives, we can sometimes assist with restoring this information. Please notify IT if you need assistance in this matter.

Remote Access

  • AccrueCMS has a separate Remote Access Policy that you are required to comply with if you are allowed to connect remotely to any of our systems/networks. Please check with your direct report and/or our IT team for additional information.
  • Remote Access is allowed based on very specific criteria, and must be authorized in advance. Remote Access can only be performed using devices that are issued and owned by AccrueCMS. All devices will be reviewed periodically – and at issuance – for security protocols and requirements.

Devices

  • All company issued/owned devices must always reside in secure locations with secure credentials. Company devices are never allowed to be used by anyone outside of the company at any time.
  • All company devices must be logged off any time you are not using the device.
  • All company devices must be shut down at the end of your work shift and when not in use.
  • If the company device is not within your secure work area, it must be locked up in a safe location.
  • When traveling with a company device, it must always be in your possession or in a secure locked environment.
  • Public wifi is not allowed. You must use a secure wifi or ethernet connection that has a strong router password.
  • If you’re not sure about your remote connection security, please check with AccrueCMS IT before connecting.
  • Company devices are pre-set with specific configurations. Do not change any of the settings without consulting IT. This includes upgrading applications and operating system major releases.

Updated 8/1/2022 – Revision 7