Acceptable Use Policy

Overview
This access carries certain responsibilities and obligations as to what constitutes acceptable use of the Carestream Vue Cloud network.

Purpose
The purpose of this policy is to detail the acceptable use of Carestream information technology resources for the protection of all parties involved.

Scope
The scope of this policy includes any and all use of corporate information resources.

Network Access
As the user will be given access to the Vue Cloud network and other IT resources, Carestream expects the user to use these resources in a responsible manner.

The user must make a concerted effort to avoid accessing network data, files, and information that are not directly related to his or her job function. Existence of access capabilities does not imply permission to use this access.

Unacceptable Use
The following actions shall constitute unacceptable use of the corporate network. This section is not exhaustive, but is included to provide a frame of reference for types of activities that are deemed unacceptable.

Prohibited Actions
The user may not use the corporate network and/or systems to:

  • Engage in activity that is illegal under local, state, federal, or international law (see section “Use for Illegal Activities” for more information).
  • Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the Department.
  • Download, store, or distribute violent, pornographic, obscene, lewd, or offensive material.
  • Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.
  • Engage in activities that cause an invasion of privacy.
  • Engage in activities that cause disruption to the workplace environment or create a hostile workplace.
  • Make fraudulent offers for products or services.
  • Reveal personal or network usernames or passwords to others, including coworkers, family, friends, or other members of the household when working from home or remote locations.

 

Circumvention of Security
Using computer systems to circumvent any security systems, authentication systems, or user-based systems, or to escalate privileges, is expressly prohibited. Knowingly taking any actions to bypass or circumvent Carestream security systems is expressly prohibited. This includes disabling or tampering with any security software, such as antivirus/anti-malware software, firewall software, or remote access software.

Use for Illegal Activities
No Carestream owned systems may be used for activities that are considered illegal under local, state, federal, or international law. Such actions may include, but are not limited to, the following:

  • Unauthorized Port Scanning.
  • Unauthorized Network Hacking, including: packet sniffing, port scanning, packet spoofing, denial of service (DoS), wireless hacking.
  • Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on the system.
  • Acts of Terrorism.
  • Cybercrime, extortion, or Identity Theft.
  • Downloading, storing, or distributing any material prohibited by law.
  • Downloading, installing, or distributing unlicensed or "pirated" software.
  • Sending unsolicited bulk email or other messages deemed illegal under applicable regulations.

 

Where illegal activities are discovered, Carestream will take all necessary steps to report the activities to the relevant authorities and will cooperate with any resulting prosecution.

Copyright Infringement
The Carestream network must not be used to download, upload, or otherwise handle illegal and/or unauthorized copyrighted content. Any of the following activities constitute violations of the Acceptable Use Policy, if done without permission of the copyright owner: A) copying and sharing images; B) posting or plagiarizing copyrighted material; and C) downloading copyrighted files which the employee has not already legally procured. This list is not meant to be exhaustive; copyright law applies to a wide variety of works and applies to much more than is listed above.

Monitoring and Privacy
Carestream reserves the right to monitor any and all use of the Vue Cloud network. To ensure compliance with department policies, this may include inspection of data stored and monitoring of network / system usage.

Information Security Officer: Michael Romansky
Phone: 1-585-627-6287
Phone: 1-800-328-2910 24x7
Phone: 1-585-290-0008 current security issues
Email: michael.romansky@carestream.com  

Reporting of a Security Incident
If a security incident or breach is discovered or suspected, the user must immediately notify Carestream Vue Cloud Services.

Examples of incidents that require notification include:

  • Suspected compromise of login credentials (username, password, etc.)
  • Suspected virus/malware/Trojan infection
  • Loss or theft of any device that contains password information
  • Any attempt by any person to obtain a user's password over the telephone or by email
  • Any other suspicious event that may impact Carestream's information security

Users must treat a suspected security incident as confidential information, and report the incident to Carestream. Users must not withhold information relating to a security incident or interfere with an investigation.

Password Policy

Overview
A solid password policy is an important security control for this environment. Since the responsibility for choosing good passwords falls on the users, a detailed and easy-to-understand policy is essential.

Purpose
The purpose of this policy is to specify guidelines for use of passwords. Most importantly, this policy will help users understand why strong passwords are a necessity, and help them create passwords that are both secure and useable. Lastly, this policy will educate users on the secure use of passwords.

Scope
This policy applies to every person who is provided an account on the Carestream Vue Cloud network or systems, including: employees, guests, contractors, partners, vendors, customers.

Construction
The organization mandates that users adhere to the following guidelines on password construction:

  • Passwords must be at least 8 characters.
  • Passwords must include 1 numeric character.
  • Passwords can include a mix of upper and lower case characters.
  • Passwords must not have 2 consecutive characters.
  • Passwords must not be the same as the last 3 passwords.
  • Passwords must not be comprised of an obvious keyboard sequence (e.g., qwerty).
  • Passwords must not include "guessable" data such as personal information about yourself, your spouse, your pet, your children, birthdays, addresses, phone numbers, locations, etc.

Creating and remembering strong passwords does not have to be difficult. Substituting numbers for letters is a common way to introduce extra characters - a '3' can be used for an 'E,' a '4' can be used for an 'A,' or a '0' for an 'O.' Symbols can be introduced this way as well: an 'S' can become a '$' or an 'i' can be changed to a '!.'

Confidentiality
Passwords are considered confidential data and treated with the same discretion as any of the organization's proprietary information. The following guidelines apply to the confidentiality of organization passwords:

  • Users must not disclose their passwords to anyone.
  • Users must not share their passwords with others (co-workers, supervisors, family, etc.).
  • Users must not write down their passwords and leave them unsecured.
  • Users must not check the "save password" box when authenticating to applications.
  • Users must not use the same password for different systems and/or accounts.
  • Users must not send passwords via email.
  • Users must not re-use passwords.

 

Change Frequency
In order to maintain good security, passwords must be periodically changed. This limits the damage an attacker can do and helps to frustrate and slow brute force attempts. At a minimum, users must change passwords every 90 days. We enforce this policy by expiring users' passwords after this time period. When selecting a new password, users must not select a password that is substantially the same as, or similar to, the previous 3 passwords.

Incident Reporting
Since compromise of a single password can have a catastrophic impact on network security, it is the user’s responsibility to immediately report any suspicious activity involving his or her passwords to Carestream.

Information Security Officer: Michael Romansky
Phone: 1-585-627-6287
Phone: 1-800-328-2910 24x7
Phone: 1-585-290-0008 current security issues
Email: michael.romansky@carestream.com

Any request for passwords over the phone or email, whether the request came from organization personnel or not, must be expediently reported. When a password is suspected to have been compromised, Carestream will request that the user, or users, change all his or her passwords.

Notice

This Software is confidential and proprietary information of Carestream Health, Inc. ("Carestream") and/or its suppliers. This Software can be used only by authorized licensees of Carestream. Your use of this Software is subject to the terms and conditions set forth in the Carestream Software License Agreement provided with the purchase of the Software. Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. LOG OFF IMMEDIATELY if you are not an authorized licensee.

 

Disclaimer

IN NO EVENT WILL Carestream OR ITS SUPPLIERS OR DEALERS BE LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING ANY LOST PROFITS, LOST SAVINGS OR OTHER DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, NOR SHALL Carestream BE LIABLE FOR ANY BODILY INJURY AND/OR PROPERTY DAMAGE ARISING FROM THE USE OF THE SOFTWARE. Some states and countries, including Australia, do not allow the limitation or exclusion of liability for incidental or consequential damages, or have legislation which restricts the limitation or exclusion of liability, so the above limitation may not apply to you.

Privacy notice:

Unauthorized use is prohibited. By Use of or Access to this system, users consent to monitoring and review of their use in accordance with the policies and procedures of the owning institution.

Version 1.3
December 20, 2013