We’ve gone through all the areas of user access security that relate not only to compliance in healthcare, but to good security practice in general. The following checklist should offer you an easy guide to whether your organisation is compliant with HIPAA, the DPA or any of the NHS’ documented security policies. Bear in mind that the checklist can indicate compliance before every item is satisfied; achieving a ‘tick’ for everything on the list is the ideal for complete best practice.

On-boarding employees

  • Is security training given to new employees on start?

  • Are new employees shown a security policy?

  • Are new employees asked to sign a security policy?

  • Do employee contracts include agreement to security policy?

  • Are background checks run on new employees?

Training, awareness and procedure

  • Is there a documented security policy?

  • Is use of secure passwords enforced?

    Strengthen network credentials far beyond native Windows Active Directory functionality with UserLock’s access restrictions and real-time monitoring.
  • Are any additional forms of access authentication (e.g. security tokens, or biometric data such as fingerprints) used?

    See how UserLock can verify that authenticated users are who they say they are, and protect against authenticated users who have access and rights but carry out the kind of bad or careless behavior that often leads to security breaches.
  • Are employees given regular security awareness training?

    To help support IT professionals’ efforts to raise user security awareness, IS Decisions have developed ‘The Weakest Link: A User Security Game’. Free to play, it has been developed with input from security experts and analysts and from the community on the IT social network Spiceworks.
  • Are there clearly defined roles with regards to responsibility for security?

  • Does senior management bear responsibility for information security?

  • Is there a clearly defined process for reporting potential security breaches?

  • Are regular security audits or reports conducted?

    IS Decisions offer comprehensive auditing of all access events across the Windows Server-based network. UserLock records, centralizes and audits all network logon events. FileAudit audits all access and access attempts to files and folders.
  • Is there a swift response process for identified potential breaches?

  • Are penalties in place for employees who breach the security policy?

Network access

  • Are employees given user logins?

  • Are those logins unique IDs for each user?

    Unique user identification is a HIPAA requirement relating to access control, and on Windows systems it can only be achieved with the UserLock solution.
  • Are users automatically logged off the network following a period of inactivity?

  • Are concurrent logins restricted, meaning users cannot log in from more than one device at a time?

    With no way to control concurrent logins in native Windows functionality, UserLock allows organizations to prevent or limit concurrent and multiple logins.
  • Are users restricted from sharing logins?

    Technical controls are needed to stop users sharing credentials: UserLock can eliminate the issue of network login sharing.
  • Are unique user IDs also used for remote network access?

  • Is access to the network monitored?

    Monitor all users’ logon and logoff activity across Windows Server networks in real time with UserLock. The new risk indicator helps identify suspicious access behavior at a glance.
  • Can actions on the network be attributed to individual users?

    UserLock helps verify every user’s identity to ensure that access to critical assets is attributed to individual employees, making users accountable for any activity (malicious or not).
  • Is access to the network limited to specific locations (specific workstations, departments)?

    Control, restrict and enforce where users may log on. UserLock goes beyond native Windows controls and restricts users and groups to a workstation or device, IP range, department, floor or building.
  • Is access to the network restricted to specific times (e.g. business hours)?

    UserLock controls the times at which authenticated users can log on to a Windows domain. Enforce restrictions by group and force logoff to keep login controls manageable.

Data access and necessity

  • Are levels of user network access assigned according to the needs of each role?

    Set and enforce granular access rules to restrict and control employees’ access to the network (and the data within it) across each session type (including Wi-Fi and VPN). UserLock helps secure access for a remote and mobile workforce.
  • Are specific files or folders restricted according to job role?

  • Are specific actions (copying, moving, deleting) on files and folders monitored?

    FileAudit enables IT professionals to proactively monitor access to company sensitive files and folders on Windows systems and in the cloud in real-time.
  • Is access to specific files and/or folders monitored?

    FileAudit constantly examines and records read/write/delete accesses (or access attempts), file ownership changes and permission modifications in real time, so IT or management can immediately address any inappropriate access.

Moving jobs or roles

  • Is there a process in place for the management of temporary access to the network?

    UserLock strengthens user access control policy by enabling administrators to securely manage temporary changes to users’ network access rights.
  • Is there a process in place for the review of network access when employees change roles?

    Centralized access control with UserLock means network restrictions can be easily set and changed by user, user group or organizational unit.
  • Is there a process in place for when employees leave the organisation?

  • Is user access to the network deactivated when employees leave the organisation?

  • Is there a formal de-registration process in place for employees that leave the organisation?