...
All workforce members in the covered entity must take the official UofI HIPAA training annually. If they use laptops to access these systems, the devices must utilize full disk encryption. All laptops and workstations they use for this work must also employ password protected screen savers that automatically lock after a period of inactivity.
Removable media may not be brought into, connected to or used in the ACHE environment without explicit permission of the Security Office. If removable media is approved for use in the ACHE environment it must be encrypted in accordance with the BAA agreement and the Security Office. Currently this is AES currently employing 128 bit crypto key length.
The Security Office will verify compliance to the ACHE policy through various methods, including but not limited to, periodic physical inspection, video monitoring, security and business tool reports, internal and external audits.
Violations
The NCSA Security Office has the right and responsibility to take systems offline that are either attacking or causing harm to others. It also has the right and responsibility to take the systems offline of those persons violating NCSA security policies. While due effort is made to notify system owners before taking a host offline, this is not always possible in an emergency.
...