UAMS ADMINISTRATIVE GUIDE

NUMBER: 7.3.02
DATE: 04/30/02
REVISION: April 2007

SECTION: INFORMATION TECHNOLOGY
AREA: NETWORK SECURITY
SUBJECT: GENERIC ACCOUNTS

Scope

UAMS workforce

Definitions

The terms generic account, generic access, generic identification, and generic logon refer to the definition and implementation of user authentication information (such as user IDs and passwords) and procedures that are designed so that they do NOT require specific information associated with a unique individual, but instead accept some nonspecific identification information to enable access.

UAMS Workforce means, for purposes of this Policy, physicians, employees, volunteers, trainees, and other persons whose conduct, in the performance of work for UAMS, is under the direct control of UAMS, whether or not they are paid by UAMS.

Policy

The purpose of this policy is to establish provisions for the creation and management of generic accounts on UAMS IT workstations and generic access to UAMS information systems, and to ensure that best-practice security methodology is followed.

These procedures may not apply to publicly accessible library workstations (which will be implemented on a virtual LAN) or to other workstations where a clear need can be defined and an alternate method of security implemented (examples include logging of access and changing of passwords). Limited internet access may be available from generic logons on the above workstations, but Protected Health Information Applications will not be.

Procedure

  1. Domain generic accounts will be utilized by UAMS in cases where multiple users must access one workstation to perform given duties. 
  2. Domain generic account access to workstations will occur only in protected areas where public access is supervised and/or restricted and the account will be locked for specific use on the individual workstation.
  3. Domain generic accounts will be allowed unrestricted access to Intranet resources & non-patient applications and products as needed. 
  4. Requests for all generic accounts will be reviewed and approved or disapproved as appropriate by the IT Security office.
  5. Domain generic accounts will be audited on a regular schedule for appropriateness of access and ongoing need.
  6. All Protected Health Information Applications installed on generic workstations will be accessed through non-generic, individually password-protected logons. Audit trails are required on all patient information systems & the audit logs will be reviewed on a regular schedule. Domain generic accounts can never be allowed access to data containing confidential information, including ePHI.