# Workstation Security & Device Management
This module covers hands-on workstation security requirements for PHI environments.
## Workstation configuration checklist
Before your first access to any PHI-bearing system, verify:
- [ ] **Full-disk encryption** is enabled (FileVault on macOS, BitLocker on Windows, LUKS on Linux)
- [ ] **Auto-lock** is set to ≤ 5 minutes of inactivity
- [ ] **Password manager** is installed and in use (1Password company account)
- [ ] **MFA** is enabled on all work accounts (GitHub, Google, cloud services)
- [ ] **Automatic OS updates** are enabled
- [ ] **Screen sharing** is disabled unless required for a specific support session
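The first two checklist items can be verified from the command line on each platform, and the output of the relevant tools is simple enough to parse. The script below is an added example written for this module, not tooling the program ships: it checks full-disk encryption (`fdesetup status` on macOS, a `crypt` layer under the root device via `lsblk -s` on Linux, `manage-bde -status C:` on Windows) and the auto-lock timeout (`com.apple.screensaver idleTime`, GNOME `idle-delay` plus `lock-enabled`, and the `ScreenSaveTimeOut`/`ScreenSaverIsSecure` registry values). It assumes `C:` is the system volume, a GNOME desktop on Linux, and the output formats quoted in the docstrings; the sample strings at the bottom are constructed, not captured from real hosts.

```python
"""Baseline check for two checklist items: full-disk encryption and auto-lock.
Added example, not part of this module. Parsers take the text printed by
standard OS tools so they can be exercised on constructed samples; the
script only shells out (to those tools) when run directly."""
import platform
import re
import subprocess

MAX_LOCK_SECONDS = 5 * 60  # checklist: auto-lock at <= 5 minutes idle


def run(*cmd):
    """stdout of a command, or '' if the tool is missing or fails."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except OSError:
        return ""

# ---- Full-disk encryption, one parser per platform ----------------------

def fde_enabled_macos(fdesetup_status):
    """`fdesetup status` prints 'FileVault is On.' when enabled."""
    return "FileVault is On" in fdesetup_status


def fde_enabled_linux(lsblk_ancestors):
    """`lsblk -sno TYPE <device backing />` lists that device and each
    ancestor (e.g. lvm, crypt, part, disk); root is encrypted only if a
    dm-crypt (LUKS) layer appears somewhere in that chain."""
    return any(line.strip() == "crypt" for line in lsblk_ancestors.splitlines())


def fde_enabled_windows(manage_bde_status):
    """`manage-bde -status C:` must show 'Fully Encrypted' AND 'Protection
    On'. Suspended protectors leave the volume fully encrypted but report
    'Protection Off' (the key is stored in the clear), which must not pass."""
    return "Fully Encrypted" in manage_bde_status and "Protection On" in manage_bde_status

# ---- Auto-lock timeout --------------------------------------------------

def parse_seconds(text):
    """First integer in tool output: '300' (defaults), 'uint32 300'
    (gsettings) or '  ScreenSaveTimeOut  REG_SZ  300' (reg query)."""
    m = re.search(r"\d+", text)
    return int(m.group()) if m else None


def lock_timeout_ok(seconds):
    """None and 0 both mean 'never lock' on every platform handled here."""
    return seconds is not None and 0 < seconds <= MAX_LOCK_SECONDS


def collect():
    """{check: passed} for the current host. Assumes GNOME on Linux and C: as
    the Windows system volume; manage-bde needs an elevated prompt."""
    system = platform.system()
    if system == "Darwin":
        fde = fde_enabled_macos(run("fdesetup", "status"))
        idle = parse_seconds(run("defaults", "-currentHost", "read",
                                 "com.apple.screensaver", "idleTime"))
        lock = lock_timeout_ok(idle)
    elif system == "Linux":
        root_dev = run("findmnt", "-no", "SOURCE", "/").strip()
        fde = fde_enabled_linux(run("lsblk", "-sno", "TYPE", root_dev))
        idle = parse_seconds(run("gsettings", "get",
                                 "org.gnome.desktop.session", "idle-delay"))
        lock_on = run("gsettings", "get",
                      "org.gnome.desktop.screensaver", "lock-enabled").strip()
        lock = lock_timeout_ok(idle) and lock_on == "true"
    elif system == "Windows":
        fde = fde_enabled_windows(run("manage-bde", "-status", "C:"))
        key = r"HKCU\Control Panel\Desktop"
        idle = parse_seconds(run("reg", "query", key, "/v", "ScreenSaveTimeOut"))
        secure = run("reg", "query", key, "/v", "ScreenSaverIsSecure")
        lock = lock_timeout_ok(idle) and re.search(r"REG_SZ\s+1\b", secure) is not None
    else:
        return {}
    return {"full_disk_encryption": fde, "auto_lock_le_5min": lock}

# Constructed sample outputs (not captured from real hosts) so the parsers can
# be demonstrated without privileges or a particular OS.
SAMPLES = {
    "macos_fde_off": fde_enabled_macos("FileVault is Off.\n"),
    "linux_lvm_on_luks": fde_enabled_linux("lvm\ncrypt\npart\ndisk\n"),
    "windows_suspended": fde_enabled_windows(
        "Conversion Status:    Fully Encrypted\nProtection Status:    Protection Off\n"),
    "gnome_idle_300": lock_timeout_ok(parse_seconds("uint32 300")),
    "windows_timeout_900": lock_timeout_ok(parse_seconds("  ScreenSaveTimeOut  REG_SZ  900")),
}

if __name__ == "__main__":
    for name, passed in {**SAMPLES, **collect()}.items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Two caveats the parsers encode deliberately: a BitLocker volume with suspended protectors reports `Fully Encrypted` but `Protection Off` and is treated as failing, and an idle timeout of 0 means "never" rather than "immediately" on all three platforms. On macOS the script checks only when the screen saver starts, not the separate "require password after sleep or screen saver begins" delay, so confirm that setting by hand.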
## Password requirements
- Minimum 16 characters, unique per service
- Use a password manager to generate and store passwords; memorizing them is not the expectation
- Never share credentials, even with managers
- Rotate credentials immediately if you suspect compromise
## Mobile devices
- Work email/apps on personal phones require device encryption and a passcode or biometric lock
- Do not download PHI to mobile devices unless explicitly authorized
- Company-issued mobile devices require MDM enrollment
## Removable media (USB drives, external drives)
PHI must NOT be stored on removable media unless:
1. The media is encrypted (e.g., VeraCrypt container), AND
2. Security Officer approval is on file
## Device loss or theft — act immediately
1. Change every password that was stored on or reachable from the device (password-manager vault, browser-saved logins, cached VPN/Wi-Fi credentials), and sign the device out of its active sessions where the service allows it, since a password change alone does not always invalidate existing sessions
2. Revoke SSH keys and API tokens that were stored on the device (e.g., in `~/.ssh`, cloud CLI credential files, and git credential stores), and de-register it as an MFA device if it was one
3. Initiate remote wipe if device has MDM enrollment
4. Report to Security Officer for breach assessment
5. Document: what data was on the device, last known location, discovery time
## Clean desk policy
When leaving your workstation unattended:
- Lock your screen (Cmd+Ctrl+Q on macOS, Win+L on Windows, Super+L on GNOME)
- Do not leave PHI visible on screen in shared or public spaces
- Shred printed documents containing PHI; do not discard in open trash
## Attestation
Completing this module confirms your workstation meets these security requirements.