OHSU

Why the auto-screensaver?

The risk environment
The security of electronic information exists in a landscape of increasing risks. These risks pose serious concerns and present substantial consequences that include increasing regulatory fines and potential damage to public perception of the University and the hardworking community within it. According to a leading identity theft website, in the last five years about 500 million records stored in government and corporate databases containing personal identifying information were compromised in some way. In conjunction with lost data, the Office of Civil Rights (OCR) cites lack of adequate safeguards as one of the top five privacy complaints. Without a doubt, we need to implement the best, albeit sometimes inconvenient, security measures available. The auto screensaver is one of those tried-and-true measures we know work.

The "locked door" misconception
Recent policy language suggests that a locked office door is an adequate control. In fact, a locked office can still be entered with a master key or by other furtive methods. Information Security Directive 700-00005 has been edited to remove the locked door as an acceptable control for protection of electronic data. This means the auto screensaver is still the best option against security breaches, even for those who work within the sanctity of a room with a lockable door.

Email and shared drives
Last, the screen saver itself was implemented University-wide following the rollout of the Outlook email client. Outlook does not require a second logon from a computer that is already in an active session. When active computers are left unattended, unauthorized users may access the email of the signed-on user without permission. In addition, personal "H" drives and departmental "X" drives are available without additional logon. A number of faculty members complained about this lack of security and, along with executive leadership, supported the implementation of the screen saver to decrease the security risk presented by active but unattended computers.

Please feel free to contact the Integrity Office at 503 494-8849 or oioeduc@ohsu.edu.

This new measure, reviewed and approved by the Information Security and Privacy Committee, will help enforce Information Security Directives 00005 and 00012, required to prevent unauthorized access to email, department files and any other restricted information. It will affect only ITG-managed Windows computers, and not Macs, Citrix/controlled or auto-login workstations.