Medical instrumentation devices that will be using the CUIMC/NYP network must be set up, configured, and administered by the department or their designated agent in accordance with governing Columbia University IT Policies and CUIMC Information Security Procedures.

A Modality is a type of medical data acquisition device, such as X-Ray, MRI, or ophthalmology imaging device, which is used in patient care. Medical devices that collect, maintain, and/or communicate ePHI must be in compliance with HIPAA rules. Note that devices acting as a Server or a System should refer to those policies.

Requirements 

As with Computer Use requirements, medical instrumentation devices must complete the following prior to connecting to the data network(s).

1. Install Operating System and Software Updates
   Critical security updates and patches must be installed on the computer’s operating system and software programs.
   Security updates must be installed on an ongoing basis as the OS/software vendors release patches for vulnerabilities that can lead to data leaks, malicious attacks, attempts to infect other systems on the network and other risks to institutional information and resources.
2. Run Security (Antivirus and Antispyware) Software
   Credible security programs that prevent infection by viruses, spyware and other malicious programs must be:
   1. Installed
   2. Receiving regular updates
   3. Performing regular scans of the device
   NOTE: It is the responsibility of the department to keep software patched and security programs operating properly; the department should verify with the device vendors that such updates or patches do not interfere with the core functionality of the devices. In case of conflict, details of the updates or patches that are not installed must be provided to CUIMC IT.
3. Register for the Wired Network and provide contact information
   The system’s unique MAC/hardware address is used to recognize and assign it a network address. The department should provide CUIMC IT the device vendor's and/or administrator's current contact information.
   Procedure
   Once all critical updates and security software programs have been implemented, submit the Wired IP Address request form. IP related forms can only be accessed and submitted by staff in a CUIMC Certified IT Group via ServiceNow. To avoid delays in processing registration please include all pertinent information regarding the device’s business use and its ability to comply with security policies. 

Access and Login Requirements

• Any vendor or client accessing the device (whether via VPN, dial-up or other methods) must have a Business Associates Agreement with CUIMC.
  • This is required for any third party who will be working on a system that stores or otherwise connects to protected health information.
  • If not, the vendor or client will need to contact the CUIMC IT Service Desk at extension 5-Help (212-305-4357), option 5, and request that a remote session be started.
    • The CUIMC IT staff will login and invite the vendor to a remote session.
    • The CUIMC IT technician will remain on the line until the vendor has completed the remote access session.
  • Hourly charges for Desktop support will apply. If dispatch of a CUIMC IT technician is required, travel time must be billed as well.
• System Logins
  • Domain access
    • Whenever possible it is recommended that a device on the wired network is also joined to CUIMC’s MC (Medical Center) domain.
    • This allows for a higher level of security in addition to being able to assign individual login(s) to anyone needing to use the device via a MC domain account.
    • Once joined to the MC Domain, the device should only be accessed by users with an domain account using their assigned individual credentials and a strong password.
  • Devices not joined to the MC domain
    • Devices are required to be locked with an administrator password to prevent unauthorized access.
    • Any users accessing the medical device must be provided with individual log on credentials that have unique user names and strong passwords.

Additional Security Requirements

• Devices must be kept in a secure location accessible only by users authorized by the Department.
• Devices that require file transfer or file sharing should only be connected via private network.
• Access to the web is not allowed.
• The use of external drives to load and move files is not allowed.
• All external ports are must be locked by the vendor.
• Devices that transmit, store or access sensitive data (including PHI or PII) must be properly encrypted.

For more help see Information Security FAQs.