MEMORANDUM TO: FROM: RE: Employee Human Resources MISSISSIPPI DEPARTMENT OF HEALTH COMPUTER NETWORK AND INTERNET ACCESS POLICY Please find attached the above referenced policy that is being issued to each employee. The policy is designed to educate, inform and notify MDH employees as to what the MDH considers to be proper, and improper, usage of the computer network and the Internet. All previous editions of the MDH policies related to computer/information technology usage are hereby canceled. Please read the attached policy statement very carefully, and direct any questions you may have to your immediate supervisor. Questions or concerns that cannot be resolved by your immediate supervisor should be addressed to your Office Director or to your District Administrator. This is to acknowledge that I have received a copy of the Mississippi Department of Health Computer Network and Internet Access Policy, and that I have read and understand its provisions. This acknowledgement shall be placed in your personnel file. Please Print Name Social Security Number Signature Date s/s/signature Date 04/15/05 Rev. date 01/18/07 Enclosure
Mississippi State Department of Health Computer Network and Internet Access Policy Disclaimer The internet is a worldwide network of computers that contains millions of pages of information. Users are cautioned that many of these pages include offensive, sexually explicit, and inappropriate material. In general, it is difficult to avoid at least some contact with this material while using the Internet. Even generals search requests may lead to sites with highly offensive content. Additionally, having an e-mail address on the Internet may lead to receipt of unsolicited e-mail containing offensive content. Users accessing the Internet do so at their own risk and the Mississippi State Department of Health (MDH) is not responsible for material viewed or downloaded by users from the Internet. To minimize these risks, use of the Internet at MDH is governed by the following policy: I. Definitions A. Computer Network All components including switches, routers, firewalls, computers, printers, PDAs, laptops, network cabling, or other devices used as a technology solution within the MDH. B. Firewall A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users form accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. C. Internet A global network connection millions of computers. More than 100 countries are linked into exchanges of data, news, and opinions. D. Intranet a network based belonging to an organization, usually a corporation, accessible only by the organization s members, employees, or others with authorization. An intranet s Web sites look and act just like any other Web sites, but the firewall surrounding an intranet fends off unauthorized access. E. Remote Access Server (RAS) A server that is dedicated to handling users that are not on a local area network but need remote access to it. The remote access server allows users to gain access to files and print services on the Local Area Network (LAN) from a remote location. For example, a user who dials into a network from home using an analog modem will dial into a remote access server. An authenticated user can access shared drives and printers as if physically connected to the office LAN. F. Users Any employee, contractor, vendor, contract employee, or other entity performing work on the MDH computer network for any purpose. G. Virtual Private Network (VPN) - A network that is constructed by using public wires to
connect nodes. For example, there are a number of systems that enable the creation of networks using the Internet as a medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted. II. Permitted Use of Internet and MDH Computer Network The computer network is the property of the MDH and may only be used for legitimate business purposes. Users are provided access to the computer network to assist them in the performance of their job duties. Users may also be provided with access to the Internet through the computer network. All users have a responsibility to use the MDH s computer resources and the Internet in a professional, lawful, and ethical, manner. Limited, occasional, or incidental use of electronic media (sending or receiving) for personal non-business purposes is understandable and acceptable and all such use should be done in a manner that does not negatively affect the computer network use for business purposes. All items related to the Computer Network Use Limitations identified in the following section must be followed even with personal use. However, users are expected to demonstrate a sense of responsibility and not abuse this privilege. Abuse of the MDH computer network or the Internet may result in disciplinary action as defined in the Disciplinary Action section of this policy and/or restriction of Internet access/usage. III. Computer Network Use Limitation A. Prohibited Uses. Without prior written permission from the MDH Office of Health Informatics, the MDH computer network may not be used to disseminate, view, or store commercial or personal advertisements, solicitations, promotions, destructive code (e.g., viruses, self-replicating programs), political material, pornographic text or images, or any other unauthorized materials. Users may not use the MDH s Internet connection to download games or other unauthorized entertainment software (including screen savers), or to play games over the Internet. Additionally, the computer network may not be used to display, store, or send (by e-mail or any other form of electronic communication such as bulletin boards, chat rooms, Usenet groups, instant messaging, streaming media) material that is fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory, or otherwise inappropriate or unlawful. Furthermore, anyone receiving such materials should notify their supervisor immediately. Without prior written permission from the MDH Office of Health Informatics, a user may not be attached to any device, including the network, printer, computer, or other device. B. Software Licensing and Uses. Users may not illegally copy material protected under copyright law or make that material available to others for copying. Users are responsible for complying with copyright law and applicable licenses that may apply to software, files, graphics, documents, messages, and other material users wish to download or copy. Users may not agree to a license or download any material for which a registration fee is charged without first obtaining the express written permission of the MDH Office of Health Informatics. Users may not download software from any external source and install it on an MDH computer or a computer that will be functioning within the MDH computer network.
C. Communication of Trade Secrets. Unless expressly authorized to do so, users are prohibited from sending, transmitting, or otherwise distributing proprietary information, data, trade secrets, or other confidential information belonging to MDH. Unauthorized dissemination of such material may result in severe disciplinary action, as well as substantial civil and criminal penalties under state and federal laws. MDH must function under privacy and security laws that pertain to health information both electronic and paper-based, including but not limited to, HIPAA and local, stat, and federal privacy laws. IV. Duty Not To Waste or Damage Computer Resources A. Accessing the Internet and/or Network. To ensure security and avoid the spread of viruses, users accessing the Internet through a computer attached to MDH s network must do so through the MDH firewall or other security device as approved by the MDH Office of Health Informatics. Bypassing MDH s computer network security by accessing the Internet directly by modem or other means is strictly prohibited unless the computer the user is using is not connected to the MDH s network and prior written approval is obtained form the Office of Health Informatics. Access to the MDH network via dial-up must only be done through the MDH Remote Access Server (RAS). Dial-up to and/or from individual modem lines is strictly prohibited. B. Frivolous Use. Computer resources are not unlimited. Network bandwidth and storage capacity have finite limits, and all users connected to the network have a responsibility to conserve these resources. As such, the user must not deliberately perform acts that waste computer resources or unfairly monopolize resources to the exclusion of others. These acts include, but are not limited to, sending mass mailings or chain letters, spending excessive amounts of time on the Internet, playing games, engaging in online chat groups, uploading or downloading large files, accessing streaming audio and/or video files, or otherwise creating unnecessary loads on network traffic associated with non-businessrelated uses of the Internet. C. Virus Detection. Files obtained form sources outside the MDH, including disks brought from home; files downloaded from the Internet, newsgroups, bulletin boards, or other online services; files attached to e-mail; and files provide by customers or vendors may contain dangerous computer viruses that may damage the MDH s computer network. Users should never download files from the Internet, accept e-mail attachments form outsiders, or use disks from non-mdh sources without first scanning the material with MDH-approval virus checking software. Notify the MDH Service Desk immediately upon any suspicion that a virus has been introduced into the MDH network. V. No Expectation of Privacy Users are given computers and Internet access to assist them in the performance of their job duties. Users should have no expectation of privacy in anything they create, store, send or receive using the MDH computer equipment. The computer network is the property of the MDH and may be used only for MDH purposes. All data, documents, printouts, or other work products are the property of the MDH.
A. Waiver of Privacy Rights. User expressly waives any right of privacy in anything they create, store, send, or receive using the MDH computer network or Internet access. User consents to allow MDH personnel access to and review of all materials created, stored, sent, or received by user through any MDH network or Internet connection at any time. B. Monitoring of Computer and Internet Usage. The MDH has the right to monitor and log any and all aspects of its computer system, including, but not limited to, monitoring Internet sites visited by users, monitoring chat and newsgroups, monitoring file download, and all communications sent and received by users. C. Blocking Sites with Inappropriate Content. The MDH has the right to utilize software that makes it possible it identify and block access to Internet sits containing sexually explicit or other material deemed inappropriate in the workplace. D. Encryption. The Office of Health Informatics can supply users with encryption software to safeguard sensitive or confidential business information. encrypted files stored on a Mississippi State Department of Health computer network device must provide the Office of Health Informatics Information Resources Management with a sealed hard copy record (to be retained in a secure off-site location) of all of the passwords and/or encryption keys necessary to access the files. VI. Disciplinary Actions Any violation of this policy may be subject to disciplinary action up to the maximum defined in the Mississippi State Personnel Board Employee Handbook, as well as civil and criminal action at the local, state, and federal level. The destruction of any evidence related to this policy will be grounds for disciplinary action; and if the case warrants, all materials will be turned over to governing and law enforcement entities for further action.