Graduate Student Handbook
Policy K:
Computing Policies, Procedures and Standards
I. Introduction
The Information Technology Department (ITD) in conjunction with
a special subcommittee of the Computer Users Advisory Committee has
developed the following guidelines in order to foster a safe and
productive computing environment that supports the mission of the
University of Connecticut Health Center (UCHC). This document
represents our best efforts to establish guidelines and protocols
for the use of computing resources here at the Health Center. Great
care was taken to establish a fairly minimal set of regulations that
would not be viewed as unnecessarily proscriptive. It should be
clearly recognized that as employees of the University of
Connecticut Health Center we are bound by the policies of the
University of Connecticut and statutes of the State of Connecticut.
There are various University and State policies that govern the use
of computing technology and all faculty and staff are encouraged to
obtain and read them.
II. Applicability
This policy is applicable to all UCHC faculty, staff, and students
and to all other individuals to whom use of UCHC computing resources
is granted. The policy applies to all computing and networking
facilities owned, leased, operated, or contracted by UCHC including,
but not limited to, word-processing equipment, personal computers,
workstations, mainframes, and their associated peripherals and
software.
III. Privacy/Confidentiality
The operating principle of the UCHC is that information stored on
computers, electronic mail, information passing over the UCHC
network, and information stored in user accounts are afforded the
same level of confidentiality as paper documents stored in
conventional files, unless the user intentionally makes that
information available to other groups or individuals.
The trapping and monitoring of network based traffic are
considered to be in direct conflict with the academic and patient
care missions of the University. Thus, it should be understood that
network "sniffing" or other attempts to access secured information
on the campus network are strictly forbidden. Although various types
of information must be accessed by system personnel for the purpose
of backups, network management, and similar support functions, the
content of user-files and network transmissions will not be viewed,
monitored, altered, or disclosed without the express permission
of the user except in the following circumstances:
1. UCHC has reason to believe that an account or system has been
breached and is being used by someone other than the authorized
user.
2. UCHC has received a complaint that an account or system is
being used to gain unauthorized access or to attempt to gain
unauthorized access to another network site.
3. UCHC has reason to believe that an account or system is being
used in violation of University Policy, Federal or State Law.
4. UCHC has a legitimate mission-related need for information and
there exists no practical method to notify the user.
Currently, there are three methods by which the content of and/or
specific logs of user-files and information can be accessed without
the specific permission of the user. The first is by court order.
The second is via requests made under the Freedom of Information
Act. For both of these methods, the specific policies and procedures
currently in place, which apply to written documents, also apply to
electronic media. The third method pertains to requests for
disclosures generated within the UCHC. Such requests require the
submission of a completed "Application for Obtaining Password
Protected Information in Electronic Communications and/or Databases"
to IT or to the appropriate internal service provider. Except when
inappropriate (e.g., compromise of a criminal investigation),
computer users will receive prior notice of any disclosures.
Users are cautioned that levels of security among non-IT
Department systems within UCHC may vary. For example, some
operating systems allow all users access to current logs of e-mail
traffic on those systems. Users of such systems are encouraged to
ask their system administrators about the specifics of the types and
levels of security provided. Still, it is the case that access to
restricted or secured information on non-ITD systems will require
the submission of a completed "Application for Obtaining Password
Protected Information in Electronic Communications and/or Databases"
form to the system’s administrator.
Caution should be exercised when storing or transmitting
information because the confidentiality of electronic media cannot
be guaranteed. Currently, the policy of the State of Connecticut is
not to regard network transmissions and information generated and
stored via state-operated facilities as confidential or private.
Finally, users should be aware that BBN Planet, the commercial
Internet services provider for the UCHC, may, in fact, monitor any
and all network traffic leaving and entering the facility.
Special statement regarding confidentiality/security of patient
information:
Pending publication of a comprehensive policy on patient
information, the following policy applies:
The transmission of confidential patient information via
electronic mail is allowed only within secured e-mail systems. For
systems maintained by IT, the NSO MS-Mail system is the only vehicle
with adequate security (including encryption) to allow the
transmission of confidential patient information. Users of the NSO
MS-mail system are allowed to transmit confidential patient
information to other NSO MS-mail users only. Confidential patient
information must not be sent to outside (SMTP) addresses. Insecure
(SMTP) addresses appear in all capital letters followed by [SMTP] in
the NSO MS-mail global address list.
IV. General Usage Policy
The UCHC encourages individuals to utilize electronic media in a
responsible fashion. Users must respect the rights of other users,
respect the integrity of the systems and related physical resources,
and observe all relevant laws, regulations, and contractual
obligations.
A. Violations of UCHC policy
Violations of the usage policy fall into three broad categories
that involve the use of UCHC electronic resources to:
1. Harass, threaten, or otherwise cause harm to specific individuals
or groups of individuals
For example:
- Sending an individual repeated and unwanted (harassing) e-mail
or using e-mail to threaten or stalk someone
- Displaying obscene, lewd, or pornographic images or text on a
public computer facility and/or in plain sight
2. Impede, interfere with, impair, violate the rights, or
otherwise cause harm to the activities of others
For example:
- Accessing, or attempting to access, another individual's data
or information without proper authorization (e.g. using another's
ID and password to look at their personal information)
- Tapping phone or network lines (e.g., running network "sniffers"
without authorization)
- Preventing others from accessing services
- Sending forged messages under someone else's ID (e.g., sending
hoax messages, even if intended to be a joke)
- Unauthorized access to data or files even if they are not
securely protected (e.g., breaking into a system by taking advantage
of security holes)
3. Download or post to University computers, or transport across
University networks, material that is illegal, proprietary, in
violation of University contracts, or otherwise is damaging to the
institution and/or its resources.
For example:
- Releasing a virus, worm or other program that damages or
otherwise harms a system or network
- Making more copies of licensed software than the license
allows (i.e. software piracy)
- Posting a University site-licensed program to a public
bulletin board
- Sending a crippling number of files across the network. All
broadcast messages (e-mail and voice mail) must be coordinated via
the Office of Communications to reduce traffic and better target
intended audiences.
- Using University resources for unauthorized purposes (e.g.
using personal computers connected to the campus network to set up
web servers for illegal, commercial or profit-making purposes).
- Distributing child pornography via the web
- Unauthorized use of University resources (e.g. using someone’s
access to a system or borrowing their ID and password to access a
system)
- Knowingly or carelessly performing an act that will interfere
with the normal operation of computer terminals, peripherals, or
networks.
- Knowingly or carelessly running or installing on any computer
system or network, or giving to another user a program intended to
damage or to place excessive load on a computer system or network.
- Deliberately wasting/overloading computing resources, such as
printing too many copies of a document.
- Initiating or propagating electronic chain letters.
- Inappropriate mass mailing. This includes multiple mailings to
newsgroups, mailing lists, or individuals, e.g., "spamming,"
"flooding," or "bombing."
- Prolonged and/or continuous access to streaming media (e.g.,
RealAudio) for purposes not directly related to the missions of the
UCHC.
B. Examples of activities that are not violations of UCHC policy
- Unsolicited e-mail or "junk" e-mail
The amount of unwanted or unsolicited e-mail ("junk" mail) has
been increasing as more people join the Internet community. This
form of speech is usually protected under the First Amendment,
even though some individuals may judge some of the content
objectionable. UCHC does not monitor or censor e-mail and
therefore cannot prevent the flow of junk e-mail. When you receive
ordinary junk e-mail, you may be tempted to retaliate by flooding
the sender with numerous or large e-mail messages in an attempt to
disrupt their site (also known as "mail bombing"). However, mail
bombing constitutes a violation of the University policy. This is
because, more often than not, mail bombing will result in
straining UCHC resources resulting in a disruption of access to
service for a large number of users.
Many people have asked why the UCHC does not put a stop to junk
mail. Most junk e-mail comes from sites beyond our facility. No
control is exercised over what these sites send. Thus, unwanted
mail cannot, a priori, be distinguished from e-mail that is
desired. Unwanted e-mail must be prevented at its source. If junk
e-mail becomes illegal, it will then become a violation of UCHC
policy as well because any illegal activity constitutes a
violation of policy.
The University Administration routinely distributes e-mail
messages to its employees and users of its computing resources.
The IT Department has attempted to ensure that the technical
capability exists to transmit messages to as many groups as
possible. Mechanisms have been established to screen broadcast
messages to ensure they will be of value and that they target the
proper audience. None of these mechanisms are perfect and,
undoubtedly, users will occasionally receive broadcast messages
that they deem irrelevant.
- Breaches of network etiquette
UCHC is not in a position to control network etiquette
("netiquette"). Off-topic postings to lists and news groups,
advertising by posting the same message to numerous lists (also
known as "spamming"), rude or impolite behavior, heated arguments
("flame wars"), and some forms of hate speech will often annoy
others. The Internet spans the globe as well as numerous diverse
cultures and societies. What is acceptable in one may be totally
inappropriate in another. Keep in mind that it is easy to
misunderstand electronic communications due to the lack of
personal contact involved.
In some cases, rude behavior can cause disruptions. As stated
above, any behavior that interferes with the ability of others to
access or use a system is a violation of UCHC policy.
V. Enforcement
Suspected violations of the UCHC policy should be reported to the
Chief Information Officer and will be investigated according to
procedures defined by the University and State of Connecticut.
Extreme incidents (e.g., felonies, destruction of property) may be
turned over to local and/or federal law enforcement agencies, as
appropriate.
Standards of Operation
I. Desktop Computing Policies
Standard Network Desktop
- The term "Standard Network Desktop" refers to a specific set
of desktop software configured, sold, and supported by the Network
Services Organization (NSO) of the Information Technology
Department.
- Standard Network Desktop software can be installed on
PCs/Macs not owned by UCHC provided it is used for UCHC
mission-related purposes only. Departments making such requests
must provide a signed "use at home" letter of justification along
with the work order to the NSO (available via the WWW or MS-Mail
shared folders). Any associated costs must be funded from UCHC
sources (via FRS coding).
If users wish to receive e-mail on their personally owned PCs,
they or their department must purchase the appropriate software. For
Standard Network Desktop users, the purchase of MS-mail Remote for
Windows is required (available from the NSO via work order for $50).
Users must also have existing MS-Mail accounts.
II. WWW/Internet Policies
A. UCHC Web
- The UCHC Webmaster in coordination with the Office of
Communications maintains the UCHC Main and first level pages.
- Requests for links to the UCHC Web should be made in writing
or via e-mail to the UCHC Webmaster. Requests must include/comply
with the requirements below:
- The URL of the page being added
- The text description for the link anchor to appear on the
UCHC main pages
- Primary technical contact
- Pages must contain contacts responsible for content
questions
B. Confidentiality/Security of Patient Information
The Information Technology Department recommends that Web-site
owners and users follow the following guidelines with respect to
displaying clinically related information via the World Wide Web:
- The owners of the servers and/or data should be responsible for
training.
- Access to Web pages that contain confidential patient
information should be password protected.
- Security Administration policies for password assignment
should be consistent with UCHS standards. These include:
- A security administrator should be responsible for assigning and
tracking usernames/passwords.
- No common or shared usernames should be used.
- Periodic password changes should be required (not to
exceed 6 months).
- Breaking detection auditing should be enabled.
- Auditing of breaking detection reports should be done periodically
(weekly).
- Users should sign the UCHS confidentiality statement.
- Access to Web pages that contain clinical information should
be filtered at the UCHC Internet gateway unless the market
benefits of such access outweigh the increased security risks. If
public Internet access to those pages is deemed necessary, the
following additional security measures are recommended:
- No DNS name translation entry should exist for the WWW
Server
- Clients should be registered and authorized via their physical IP
address in addition to their username/password.
III. Network Policies
A. Access
- Dial-in access to UCHC-Net (either via ITD or individual
department supported services) is to be password protected.
- Service providers are to keep records of authorizations granted.
- Extension of UCHC-Net to outside agencies or groups not fully
owned or operated by UCHC is forbidden (i.e., providing dedicated
network connections to area schools, etc.).
The following excerpt from our Internet Service provider’s
(BBN Planet’s) Internet Access Acceptable Use Policy relates to
this restriction: Unless otherwise authorized in writing by BBN
Planet, Customer (a) shall limit access to and use of the IA
Service to its employees (and in the case of a Customer which is a
non-profit educational institution to employees and students), and
(b) shall not resell access to the IA Service to third parties.
- The use of network resources by individuals not associated
with the mission of UCHC is forbidden.
B. UCHC Network Standards
- UCHC Backbone is full counter-rotating FDDI Ring (100Mb/s)
- User network connections are 10Base-T ethernet (10Mb/s)
- Newly installed station cabling is level 5 twisted pair.
- Network connections to UCHC-Net are to be one device per
10Base-T connection (no daisy chaining of connections will be
allowed on 10Base-T connections).
- Departmental networks must be bridged to UCHC-Net.
- Users requesting a network connection only must provide ITD
with the information required on the "NSO Port Activation Request"
form before a TCP/IP address will be assigned and the network port
activated.
- Departmental networks must register their TCP/IP number
assignments with ITD.
- As of this writing ITD will disable all unused network
connections. However, ITD is working on a plan that will allow
open ports to remain active while ensuring the stability and
security of the network.
- Allowable protocols on UCHC-Net are:
- TCP/IP
- AppleTalk
- DecNet
- LAT
- Netbeui
- Dec LAVC
IV. E-Mail Policy
A. Broadcast Message Policy
- Users wishing to transmit "Broadcast Messages" (messages sent
to pre-defined groups of NSO MS-Mail e-mail users) must coordinate
the transmission of such messages through the department of
Communications.
B. Auditing/Security
- UCHC E-mail service providers will use reasonable measures to
ensure their users have UCHC mission related affiliations.
- The Information Technology Department will supply traffic logs
of outgoing SMTP/Internet messages from its NSO MS-Mail system
only upon submission of a completed "Application for Obtaining
Password Protected Information in Electronic Communications and/or
Databases" form as detailed in section III of "Policy and
Procedures".
- Requests to change passwords on accounts will only be
authorized upon presentation of positive identification (UCHC
Badge).
- Requests by managers to access an employee’s e-mail account
for the purpose of accessing vital information require the
submission of a completed "Application for Obtaining Password
Protected Information in Electronic Communications and/or
Databases" form (see section III of Policy and Procedures).
C. Standards
- The standard UCHC e-mail protocol is Simple Mail Transfer
Protocol (SMTP).
- The standard SMTP binary attachment protocol is Uuencode.
- The common directory for publication of e-mail addresses is the
SQL Telecommunications directory (accessible via the WWW at
http://www11.uchc.edu/).
Users are responsible for publication and maintenance of their
preferred e-mail address (updates accessible via the WWW). ITD will
maintain e-mail addresses for users with accounts on their e-mail
servers (IDX, SUN and NSO MS-Mail servers).