ADPH Security Manual - Alabama Department of Public Health
September 15, 2014
Security Manual
Alabama Department of Public Health
Contents
I. Introduction
 I.A. Purpose of the Security Policy Manual
 I.B. Overview
 I.C. How to obtain a copy of the manual
II. Administrative Safeguards
 II.A. Overview
 II.B. Security Management Process
 II.C. Assigned Security Responsibility
 II.D. Workforce Security
 II.E. Information Access Management
 II.F. Security Awareness and Training
 II.G. Security Incident Procedures
 II.H. Contingency Plan
 II.J. Business Associate Contracts and Other Arrangements Policy
III. Physical Safeguards
 III.A. Overview
 III.B. Facility Access Control
 III.C. Workstation and State Electronic Equipment Use Policy
 III.E. Device and Media Controls
IV. Technical Safeguards
 IV.A. Overview
 IV.B. Access Control
 IV.D. Integrity Controls
 IV.E. Person or Entity Authentication
 IV.F. Transmission Security
V. Other ADPH Security Policies
 V.A. Overview
 V.B. Electronic Signature
 V.C. Copier Policy
VI. Glossary
VII. Appendices
 APPENDIX A – Security Officer Job Description
 APPENDIX B – Mission Criticality
 APPENDIX C – Remote Access and Confidentiality Agreement
I. Introduction
I.A. Purpose of the Security Policy Manual
The purpose of this manual is to define the ADPH policies relevant to HIPAA Security, Federal
Tax Information security, as well as general security policies so as to provide employees and
supervisors with clear guidelines for protecting information.
The Manual will be reviewed by all ADPH departments at least every three hundred sixty-five
(365) days.
A meeting will be held of the ADPH Risk Management Committee to discuss proposed changes
to the manual submitted by ADPH personnel. The approved changes will be made to the current
Manual displayed in the document library and an updated copy distributed to all ADPH
personnel within one (1) month of the Risk Management Committee’s meeting in which the
changes were approved.
This Manual consists of eight (8) sections as follows:
Section 1—Introduction. Presents an overview of the HIPAA Security Rule, overview of the
Internal Revenue Service (IRS) Publication 1075 Tax Information Security Guidelines for
Federal, State and Local Agencies, purpose of this Manual and its organization.
Section 2—Administrative Safeguards. Describes the overall department Security Policies for
Administrative Safeguards.
Section 3—Physical Safeguards. Describes the overall department Security Policies for
Physical Safeguards.
Section 4—Technical Safeguards. Describes the overall department Security Policies for
Technical Safeguards.
Section 5—Other ADPH Security Policies. Provides other relevant ADPH policies.
Section 6—Glossary. Defines key terms that are used in this Manual.
Section 7—Appendix. Contains related documents.
The Manual will be accessible to all ADPH workforce members in the Document Library.
Additional information may be obtained from the ADPH Information Security Officer.
I.B. Overview
I.B.1 Overview of the HIPAA Security Rule
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the US
Department of Health and Human Services (HHS) to adopt national standards for safeguards to
protect the confidentiality, integrity, and availability of Protected Health Information (PHI).
On January 25, 2013, U.S. Department of Health and Human Services (HHS) Office for Civil
Rights issued a final rule that implements a number of provisions of the Health Information
Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American
Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for
health information established under the Health Insurance Portability and Accountability Act of
1996 (HIPAA). Those provisions are referenced throughout this manual.
The requirements of the HIPAA Security Rule are scalable and flexible. The HIPAA Security
Rule defines standards that make good business sense. The HIPAA Security Rule has 18
standards and 42 implementation specifications. The HIPAA Security Rule’s requirements are
contained in three major security safeguard sections:
• Administrative Safeguards,
• Physical Safeguards, and
• Technical Safeguards
The HIPAA Security Rule and this Manual are effective on and after the implementation of
the 2014 HIPAA Privacy and Security Policy.
The HIPAA Privacy Standards require that PHI be safeguarded against unauthorized disclosure.
The standards address who can have access to PHI and how PHI can be used and disclosed. The
Privacy Standards apply to all PHI regardless of whether it is in oral, written, or in electronic
form (e-PHI).
The HIPAA Security Rule provides guidance on protecting e-PHI, whether it is:
• electronically created;
• electronically received;
• “at rest” (maintained in a storage device such as a computer hard drive, disk or CD); or
• “in transit” (being transmitted through a system, application or outside the network).
PHI not in electronic form before transmission is not e-PHI. This includes information shared by
person-to-person telephone calls, copy machines, paper-to-paper fax machines, or voice mail.
De-identified information is not e-PHI.
The HIPAA Security Rule requires covered entities to implement processes to safeguard e-PHI
against unauthorized access or modification. ADPH has developed Administrative, Physical, and
Technical Safeguards that will reasonably protect e-PHI from intentional and unintentional uses
or disclosures that violate the HIPAA Security Rule.
As with PHI under the Privacy Rule, under the HIPAA Security Rule, ADPH must protect the
e-PHI of its participants and their family members in accordance with HIPAA and state law.
ADPH will generally use e-PHI for health plan payment activities and operations, and
in other circumstances, such as electronic health records or when it is required for law
enforcement and public health activities.
When e-PHI is shared with Business Associates providing services to the Department, they are
required to agree in writing to maintain procedures that protect the e-PHI from improper uses and
disclosures in accordance with HIPAA by utilizing Business Associate Agreements.
Fines for violations are determined on a case-by-case basis depending on the nature of the claims
and the circumstances under which they were presented; the degree of culpability, history of
prior offenses and financial condition of the person presenting the claims; and such other matters
as justice may require. The fines range from $100 to $50,000 for each violation with a maximum
fine for all violations of an identical provision in a calendar year of $1,500,000.
For more information the HIPAA Security Rule can be accessed online at
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/.
I.B.2 Overview of the IRS Publication 1075 Tax Information Security Guidelines for
Federal, State and Local Agencies.
The Internal Revenue Service (IRS) Publication 1075 Tax Information Security Guidelines (Pub
1075) for Federal, State, and Local Agencies requires ADPH to adopt standards for safeguards to
protect the confidentiality, integrity, and availability of Federal Tax Information (FTI).
Sections 7213, 7213A and 7431 of the Internal Revenue Code (IRC) provide the basis for
protecting taxpayers’ information that is provided to the IRS. The items called out in these
sections are:
• Criminal penalties for Federal and State employees and others who make illegal
disclosures of federal tax returns and FTI (felony offense);
• Penalties for unauthorized inspection of FTI (misdemeanor offense);
• Prescription of civil damages for the unauthorized inspection or disclosure.
The IRS issued Publication 1075 (Pub 1075) to provide guidance in ensuring that the policies,
practices, controls, and safeguards employed by recipient agencies or agents and contractors
adequately protect the confidentiality of the information they receive from the IRS.
Pub 1075 also directs that organizational security policies shall address the purpose, scope,
responsibilities, and management commitment to implement all applicable security controls. The
guidelines outlined in Pub 1075 apply to all FTI, no matter the amount or the media in which it is
recorded.
Within this Manual, the term “sensitive data” will be used to define all information that must be
secured. Security must occur at the level of the most important pieces of information held within
a system. For ADPH this means protecting Personally Identifiable Information (PII), PHI (in all
formats), and FTI.
I.C. How to obtain a copy of the manual
This manual is available in the ADPH document library. Contact the Information Security
Officer or your Security Coordinator for assistance.
II. Administrative Safeguards
II.A. Overview
The HIPAA Security Rule Administrative Safeguards and IRS Publication 1075 require
documented policies and procedures governing day-to-day operations; managing the behavior of
employees in relation to sensitive data; and managing the selection, development,
implementation, and use of security controls.
In the following sections, each of the nine standards included under the HIPAA Security Rule
Administrative Safeguards is discussed. Within each section, any additional information
required by Pub 1075 will be noted.
Section II.B – Security Management Process
The Security Management Process forms the foundation for all of the other standards by
requiring a covered entity to prevent, detect, and correct security violations. This standard
requires a risk analysis, ongoing risk management, implementation of a sanction policy to
address violations of the entity’s policies and procedures, and an information services activity
review.
Section II.C – Assigned Security Responsibility
This standard requires that a covered entity designate a single individual with overall
responsibility for the development and implementation of the policies and procedures governing
the security of sensitive data.
Section II.D – Workforce Security
A covered entity must implement workforce security measures to assure that all personnel with
access to sensitive data have the appropriate access authority and clearances, and to prevent
access by those who do not.
Section II.E – Information Access Management
This standard requires establishment, adoption, and maintenance of documented policies and
procedures defining access control for all personnel authorized to access sensitive data and
prescribing how access is granted and modified.
Section II.F – Security Awareness and Training
This standard requires that the covered entity implement a security awareness and training
program for all personnel with access to sensitive data.
Section II.G – Security Incident Procedures
This standard requires the implementation of policies and procedures to handle security
incidents.
Section II.H – Contingency Plan
This standard requires that the covered entity have a contingency plan for responding to
emergencies that affect systems containing sensitive data, as well as related facilities and
operations.
Section II.I – Evaluation
This standard requires that the covered entity demonstrate and document ongoing compliance
with its security policy through periodic technical and non-technical evaluations. These
evaluations are based on the requirements of the HIPAA Security Rule, and also address the
covered entity’s response to environmental or operational changes.
Section II.J – Business Associate Contracts and Other Arrangements
As defined in the HIPAA Security Rule, a covered entity may permit a business associate to
create, receive, maintain, or transmit sensitive data on its behalf, only if the covered entity
obtains a written contract or other documented arrangement with the business associate. The
contract or documented arrangement must provide satisfactory assurances that the business
associate will appropriately safeguard the protected information. While many covered entities
developed business associate agreements while pursuing HIPAA privacy compliance, it is likely
that these agreements will need to be reviewed and perhaps revised to achieve HIPAA security
compliance.
Each of these standards and the associated implementation specifications are outlined in detail in
the following sections.
The policies that follow have been modified to include not only e-PHI but also FTI and all other
protected information.
II.B. Security Management Process
II.B.1 Risk Analysis Policy
Applies To
Information Technology
Purpose
The purpose of the Risk Analysis Policy is to empower the ADPH Information Security
Officer (ISO) to perform periodic security Risk Assessments (RAs) to identify areas of
vulnerability, and to initiate appropriate remediation.
The information ADPH gathers through the security risk assessments (RAs) provides insight
for determining the measures needed to eliminate or minimize all types of risks and
vulnerabilities: natural, environmental, technical, or human.
Scope
The procedures for RAs will be conducted on any information system, including applications,
servers, and networks, and on any process or procedure by which these systems are
administered and/or maintained. HIPAA security RAs must consider all hardware and
software used to store or transmit sensitive data.
Policy
It is the policy of the Alabama Department of Public Health to conduct assessments of the
potential risks and vulnerabilities to the confidentiality, integrity, and availability of sensitive
data.
Procedural Responsibilities
Information Technology
Procedure(s)
For FTI:
For all systems that receive, store, process or transmit FTI, ADPH will ensure that an
assessment of the security controls of the system will be conducted at least every three
hundred sixty-five (365) days, whenever there are significant changes to the information
system or ADPH environment, or any other condition that may impact the security of the
ADPH network in accordance with the guidelines of IRS Pub 1075.
Results of any assessment will be reviewed prior to the next assessment, but no later than
every 365 days.
Security Authorizations will be provided for all ADPH systems that receive, store, process or
transmit FTI upon the completion of an initial assessment.
Prior to any assessment, System Owners will attest in writing that the security controls for the
system have been adequately implemented to protect FTI.
Security Authorizations provided will be updated:
- At least every three (3) years;
- When substantial changes are made to the system;
- When changes in requirements result in the need to process data of a higher sensitivity;
- When changes occur to authorizing legislation or federal requirements;
- After the occurrence of a serious security violation which raises questions about the
validity of an earlier security authorization; and
- Prior to expiration of a previous security authorization.
For all other systems:
1. A risk assessment will be performed by the ISO and the owning IT division(s) for all new
applications or systems during the system design phase to identify security requirements.
All systems or applications repositories containing sensitive data must be identified and
documented; potential threats or vulnerabilities must be identified; each repository must
be assigned a level of risk; and, as appropriate, the risk must be mitigated.
2. A risk assessment will be performed by the ISO and the owning IT division(s) for all
existing applications or systems to identify potential threats or vulnerabilities. Each
repository containing sensitive data must be assigned a level of risk; and, as appropriate,
the risk must be mitigated.
3. ADPH Information Technology will contract with an outside consultant to perform a
system-wide risk analysis every two years. The analysis will include, but not be limited
to:
a) External Auditing
i) Footprinting – To gather and develop information to create a complete profile of
ADPH’s security posture.
ii) Penetration testing – To test the ability of the network to withstand or thwart an
attack.
iii) Vulnerability Mapping – To map specific security attributes of a system or
network to an associated vulnerability or potential vulnerability. Techniques used
will include, but not be limited to: manually mapping specific system attributes
against publicly available sources of vulnerability information, using public
exploit code posted to various security mailing lists and hacker sites, and using
automated vulnerability scanning tools to identify true vulnerabilities.
b) Internal Auditing
i) Logical Security Controls
(1) Network boundaries (subnets)
(2) Routing boundaries
(a) Corporate network
(b) Internet access
(c) Dial-in access
(3) VLANs
ii) Logical Access Controls
(1) Preventative controls – uniquely identify every authorized user and deny
unauthorized users
(2) Detective controls – log and report activities to systems, programs, and data
iii) Firewall Rules
(1) Directions of traffic
(2) Traffic origin
(3) IP address
(4) Port numbers
(5) Authentication
(6) Application content
iv) Network Services
(1) Email
(2) Telnet
(3) DNS
(4) Others
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.308(a) (1) Standard: Security Management Process,
Implementation Specification: Risk Analysis (Required)
Contact
Send e-Mail to Security Team
II.B.2 Risk Management Policy
Applies To
Information Technology
Purpose
To implement policies and procedures for risk management related to the implementation of
security measures. Risk management activities must be sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate level.
Scope
The procedure for risk management is for overall security review, risk assessment (RA),
selection, and evaluation of safeguards, cost benefit analysis, management decision-making,
implementation of safeguards, and review of the effectiveness of safeguards.
Policy
It is the policy of the Alabama Department of Public Health to implement changes based on
findings and recommendations from the RA review, including information on correction of
any deficiencies or recently completed corrections or upgrades.
Procedural Responsibilities
Information Technology
Procedure(s)
1. The ISO will schedule risk assessments on all systems and review findings from the risk
assessments.
2. The ISO will make recommendations to mitigate any risk identified by the risk
assessment.
3. The ISO will work with the owning IT division to remediate these risks.
4. The ISO will monitor progress toward mitigation on a quarterly basis.
5. The ISO will maintain an inventory of all sensitive data repositories.
6. The ISO will maintain records of all risk assessments performed. These will include the
date the risk assessment was conducted, who performed the assessment, the methods used
in the assessment, a statement of how any identified risks relate to the requirements for
sensitive data confidentiality, integrity, and availability determined for the system, and
findings or recommendations from the review, including information on correction of any
deficiencies or recently completed corrections or upgrades.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.308(a) (1), Standard: Security Management Process,
Implementation Specification: Risk Management (Required)
Contact
Send e-Mail to Security Team
II.B.3 Sanction Policy
Applies To
All ADPH Employees and Contractors
Purpose
The purpose of this policy is to outline sanctions for noncompliance with the ADPH security
policies and procedures.
Scope
The procedures cover sanctions against workforce members who fail to comply with the
security policies and procedures; sanctions may be progressive, escalating from verbal to
written warnings or other disciplinary measures followed by suspension or termination.
Policy
It is the policy of the Alabama Department of Public Health that all employees and all
persons working under contract with the Alabama Department of Public Health shall abide by
all policies included in the Alabama Department of Public Health Security Policy Manual.
Workforce members who fail to comply with the security policies and procedures will be
disciplined in accordance with ADPH Policy 2012-010, Alabama Department of Public
Health Discipline Policy. Contract employees who fail to comply with security policies and
procedures will be handled in accordance with the contract governing their services.
ADPH will not apply sanctions against employees who file a complaint with an entity about a
security violation or risk.
Procedural Responsibilities
All ADPH Employees and Contractors
Procedure(s)
1. Any employee desiring to report suspected violation or risk of any policy within the
ADPH Security Policy Manual should contact their immediate supervisor. The ADPH
Information Security Officer (ISO) may be contacted directly if the employee is
concerned about retaliation by their immediate supervisor.
2. The supervisor will contact the ISO.
3. The ISO or their designee will investigate the suspected violation or risk.
4. The ISO will offer suggestions to the party/parties involved and their supervisors to
mitigate the problem.
5. The ISO will maintain records of all suspected violations.
6. The ISO will inform ADPH Human Resources when applicable.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR § 164.308(a) (1), Standard: Security Management Process,
Implementation Specification: Sanction Policy (Required)
ADPH Discipline Policy, #2012-010
Contact
Send e-Mail to Security Team
II.B.4 Information System Activity Review Policy
Applies To
Information Technology
Purpose
The purpose of this policy is to protect data from accidental or malicious alteration or
destruction and implement measures to monitor and identify such risks. Once security events
are detected, the key elements and pertinent information regarding the potential breach must
be reported to the ADPH Security Officer.
Scope
The procedures address the regular review of records of information system activity, such as
audit logs, access reports, and security incident tracking reports to identify security events.
Policy
It is the policy of the Alabama Department of Public Health to monitor all computer systems
for security-related events.
Security-related events include, but are not limited to:
• Port-scan attacks;
• Evidence of unauthorized access to privileged accounts; and
• Occurrences that are not related to specific applications.
Procedural Responsibilities
Information Technology
Procedure(s)
1. Each system administrator is responsible for reviewing logs weekly for security-related
events.
2. The system administrator will notify the Information Security Officer (ISO) if they suspect a
security-related event has occurred.
3. The ISO will investigate the suspected security-related event.
4. The ISO will record the suspected event and recommendations and report to IT
Management.
5. Corrective measures will be prescribed as needed.
6. All security-related events on critical or sensitive systems must be logged and audit trails
saved as follows:
7. All security-related logs will be kept online for a minimum of 1 week.
8. Weekly full backups of electronic logs will be retained for at least 1 month.
9. Monthly full backups will be retained for a minimum of 2 years.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.308(a) (1), Standard: Security Management Process,
Implementation Specification: Information System Activity Review (Required)
Contact
Send e-Mail to Security Team
II.C. Assigned Security Responsibility
Applies To
ADPH Administration
Purpose
The purpose of this policy is to designate a Security Official who will be responsible for
enforcement of the HIPAA Security Rule within ADPH, including developing,
implementing, and maintaining policies and procedures that meet the requirements of the
HIPAA Security Rule.
Scope
An Information Security Officer and an alternate will be designated as Information
Technology’s focal points for all information security issues. Specific questions about the
policies described here can be directed to the Information Security Officer.
Policy
It is the policy of the Alabama Department of Public Health to appoint a primary and
alternate security official to be responsible for enforcement of the HIPAA Security Rule
within ADPH, including developing, implementing, and maintaining policies and procedures
that meet the requirements of the HIPAA Security Rule.
A job description for this position is in Appendix A of this Manual.
Procedural Responsibilities
State Health Officer
Procedure(s)
1. The State Health Officer will sign a letter appointing a primary and alternate Information
Security Officer.
2. If the ADPH Security Official is unable to meet the requirements or responsibilities under
the Security Rule, or is no longer affiliated with ADPH, then the State Health Officer will
assign a new Security Official within 30 days.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR §164.308(a) (2), Standard: Assigned Security Responsibility
(Required)
Contact
Send e-Mail to IT-Administration
II.D. Workforce Security
II.D.1 Authorization and/or Supervision
Applies To
All ADPH Employees
All ADPH Supervisors
Purpose
The purpose of this policy is to implement procedures for the authorization and/or
supervision of workforce members who work with sensitive data or who work in locations
where this protected data might be accessed.
Scope
This policy addresses control of individuals who have access to systems with sensitive data.
Policy
It is the policy of the Alabama Department of Public Health to ensure that all workforce
members be adequately supervised and/or have authorization when working with sensitive
data or in locations where this protected data resides.
Procedural Responsibilities
All ADPH Supervisors
Procedure(s)
1. Supervisors will ensure that all employees/workforce members are granted appropriate
authorization when working with sensitive data or in locations where this protected data
resides. Supervisors will periodically review authorization and withdraw or modify
authorization when necessary.
2. Supervisors will frequently monitor employees and contractors to ensure that sensitive
data is not compromised.
3. Supervisors or their designee will be present when maintenance work is being performed
by non-ADPH personnel in a secured area or an area where sensitive data resides.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.308(a) (3)(ii)(A), Standard: Workforce Security,
Implementation Specification: Authorization and/or Supervision (Addressable)
Contact
Send e-Mail to IT-Administration
II.D.2 Workforce Clearance Procedure
Applies To
All ADPH Supervisors
Purpose
The purpose of this policy is to implement procedures to determine that the access of a
workforce member to sensitive data is appropriate, and to ensure measures to prevent
workforce members from obtaining unauthorized access to this protected information.
Scope
The procedure applies to all types of information generated, used or held by ADPH that are
used within the scope of ADPH business processes in all formats, including electronic,
magnetic, paper or other.
Policy
It is the policy of the Alabama Department of Public Health to verify applicant/employee
information and perform reference checks on individuals hired to perform work pertaining to
any form of sensitive data.
All individuals who have been granted access to ADPH information systems, including but
not limited to full- and part-time employees, contractors, temporary workers, those employed
by others to perform ADPH work, and others granted access are covered by this policy and
shall comply with this and associated policies, procedures and guidelines.
Most of the positions in the ADPH are in the “classified service” category. All employees in
the classified service category are under the State Merit System, and recruitment of
employees for positions in the classified service must be accomplished in accordance with the
Rules for the State Personnel Board. Applicants are interviewed by the supervisor in the
section where the position exists. It is the responsibility of each supervisor to verify the
information on the applicant’s application. Information may be verified through reference
checks and by verifying the applicant’s credentials (e.g., educational degrees earned, prior job
history).
Procedural Responsibilities
ADPH Supervisors
Procedure(s)
1. Supervisors will verify the information on the applicant’s/employee’s application through
reference checks and by verifying the applicant’s credentials (e.g., educational degrees
earned, prior job history) before granting access to sensitive data.
2. Supervisors may want to verify information on existing employees, depending on the
level of access required.
3. Supervisors will continue to monitor behavior and performance of employees and will
withdraw access to sensitive data for high risk individuals.
4. Supervisors will ensure language in the contract that designates the contractor as
responsible for checking their employee references and will check references on
temporary workers before granting access to sensitive data.
5. For students and volunteers, a chart entitled, “Students/Volunteers Authorized to
Receive/Access Protected Health Information” shall be maintained. Refer to the ADPH
Policy #2013-003, HIPAA Privacy and Security Policy; Students/Volunteers, for more
information and a copy of the chart.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR §164.308(a) (3) (i) Standard: Workforce Security, (ii)
Implementation specifications: Workforce Clearance Procedure (Addressable)
ADPH Policy #2004-017, Utilization of Volunteer Workers for Emergency Events
ADPH Policy #2013-003, HIPAA Privacy and Security Policy; Students/Volunteers
Contact
Send e-Mail to Personnel
II.D.3 Termination Procedures
Applies To
All ADPH Employees
Contract Employees
SOBRA Workers
Interns
Volunteers
Purpose
The purpose of this policy is to implement procedures for terminating access to sensitive data
when the employment of a workforce member ends, or as required by determinations
specified in the ADPH Workforce Clearance Procedure. Termination procedures are
important because of the potential risks associated with unauthorized acts by former
employees or contractors, such as acts of retribution or use of proprietary information for
personal gain.
Scope
The procedures apply to any ADPH workforce member whose employment is terminated.
Policy
It is the policy of the Alabama Department of Public Health to terminate computer access for
any employee leaving the service of the Alabama Department of Public Health. This applies
to merit employees, contract workers, Medicaid SOBRA workers, interns, and volunteers.
Procedural Responsibilities
All ADPH Supervisors
All Security Coordinators
Information Security Officer
Information Technology
Procedure(s)
When a worker leaves employment with the Alabama Department of Public Health or
transfers within the Alabama Department of Public Health:
1. The appointing authority or designee must complete a Computer Access Removal Form
and submit to the ADPH Support Desk when an employee’s resignation has been
accepted. The Computer Access Removal Form must be obtained by calling the ADPH
Support Desk at 334-206-5268.
2. When Human Resources receives a Form 11 indicating a transfer or resignation, the
responsible security coordinator must complete a Computer Access Removal Form and
submit it to the ADPH Support Desk.
3. Upon receipt of the removal form, the security coordinator will complete all highlighted
areas of the form and email it back to the Help Desk employee who provided the form.
It should be noted on the form if the employee had access to FTI.
4. A work order will be created in the ADPH Help Desk Work Order System for each
Computer Access Removal Form that is received.
5. The form will be processed on the effective date and all computer access, including
email, will be removed. The actions taken will be documented on the form and the
completed work order will be retained in the Work Order System.
6. The form will be routed to the appropriate IT units to remove access to all computer
files, as well as the employee’s email account. If an employee is transferring within the
department, access will be removed from the current unit and, upon receipt from the
unit they are transferring to, appropriate access will be granted.
7. A notice will be sent to the initiating work unit when the request has been completed.
8. Work orders are archived and are available upon request.
9. The Information Security Officer or designee will review the monthly personnel report
which provides a listing of all terminated personnel in the department to determine if
users’ access should be terminated, and will notify the responsible security coordinator
to obtain a removal form.
10. All employees and employers must follow the responsibilities defined in the ADPH
Policy 2012-012, Human Resources Policy Manual, Revised 2012, Chapter 10,
Separation and Other Personnel Actions, upon the termination of an employee.
Form(s)
Computer Access Removal Form (To obtain, contact the Support Desk at 334-206-5268)
Reference(s):
• HIPAA Security Rule CFR § 164.308(a) (3) (i) Standard: Workforce Security, (ii)
Implementation specifications: Termination Procedures (Addressable)
• Policy 2012-012, Human Resources Policy Manual, Revised 2012, Chapter 10,
Separation and Other Personnel Action, Separation of Employment
Contact
Send e-Mail to Security Team
II.E. Information Access Management
II.E.1 Isolating Health Care Clearinghouse Functions
Not applicable; ADPH does not perform clearinghouse functions.
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (4) (i) Standard: Information Access Management,
(ii) Implementation specifications: Isolating Health Care Clearinghouse Functions (Required)
II.E.2 Access Authorization
Applies To
ADPH Supervisors
Local Security Coordinators
IT Support Desk
Systems Administrators
System Owners
Purpose
The purpose of this policy is to implement policies and procedures for granting or denying
access to sensitive data, e.g., through access to a workstation, transaction, program, process,
or other mechanism. Access authorization involves system controls that limit and monitor
who has access to a system and the level of access an individual has to the information
contained within the system.
Access authorization policies and procedures will include proper security and controls to
ensure data, system, network, and application integrity and security, as well as data, system,
network and application availability to the staff responsible for sensitive data.
Scope
The Systems Administrators will grant access privileges to electronic information based on
an individual’s “need to know” as approved by the Owner of the information. The default
universal access for all datasets will be NONE.
Policy
It is the policy of The Alabama Department of Public Health to limit access of electronic
information only to individuals who have a need to use or view the information.
Procedural Responsibilities
ADPH Supervisors
Local Security Coordinators
IT Support Desk
Systems Administrators
System Owners
Guidelines
For FTI:
1. Federal Tax Information (FTI) will not be disclosed to any person without authorization.
This includes, but is not limited to:
Eligibility & Enrollment Applicants
Information Requestors
Off-shore contractors
2. Remote access to systems containing FTI will not be permitted for any reason.
Reference(s):
IRS Publication 1075 (11.1): Disclosure to Other Persons
Internal Revenue Code § 6103(a)(2): Confidentiality and Disclosure of Returns and
Return Information
For all other access:
1. Supervisor submits request for computer access or removal of access to the local security
coordinator. When job duties change, supervisor should reassess the access needs of the
employee to ensure that the employee has proper access for their job duties.
2. Local security coordinator submits request to the IT Support Desk.
3. IT Support Desk sends request to the System Administrator.
4. System Administrator requests approval from the Owner.
5. System Administrator grants access if approved by Owner.
6. System Administrator notifies the local security coordinator when access is granted.
7. It is the responsibility of the ADPH employees, contractors, vendors and agents with
remote access privileges to the ADPH network to ensure that their remote access
connection is protected in the same manner as the user’s on-site connection to the ADPH.
8. The ADPH employee bears responsibility for the consequences should the access be
misused.
9. The ADPH employees and contractors with remote access privileges must ensure that
their ADPH-owned or personal computer or workstation, which is remotely connected
to the ADPH network, is not connected to any other network at the same time, with the
exception of personal networks that are under the complete control of the user.
10. The ADPH employees and contractors with remote access privileges to the ADPH
network must not use non-ADPH email accounts (i.e., Hotmail, Yahoo, AOL), or other
external resources to conduct the ADPH business, thereby ensuring that official business
is never confused with personal business.
11. Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual
homing is not permitted at any time.
12. Frame Relay must meet minimum authentication requirements of DLCI standards.
13. Non-standard hardware configurations must be approved by Remote Access Services, and
Information Security must approve security configurations for access to hardware.
14. All hosts that are connected to the ADPH internal networks via remote access
technologies must use the most up-to-date anti-virus software; this includes personal
computers. Third party connections must comply with requirements as stated in the Third
Party Agreement.
15. Personal equipment that is used to connect to the ADPH networks must meet the
requirements of the ADPH-owned equipment for remote access.
16. Organizations or individuals who wish to implement non-standard Remote Access
solutions to the ADPH production network must obtain prior approval from Remote
Access Services and Information Security.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR § 164.308(a) (4) (i) Standard: Information Access Management,
(ii) Implementation specifications: Access Authorization Policy (Addressable)
Contact
Send e-Mail to Security Team
II.E.3 Access Establishment and Modification
Applies To
ADPH Supervisors
Local Security Coordinators
IT Support Desk
Systems Administrators
System Owners
Purpose
The purpose of this policy is to implement policies and procedures (based on ADPH’s access
authorization policies) to establish, document, review, and modify a User’s right of access to
a workstation, transaction, program, or process including maintenance personnel.
Scope
The procedures are for granting appropriate access to sensitive data, such as granting access
upon employment, job classification, changes in job classification, and maintaining a record
of access authorizations.
Policy
It is the policy of the Alabama Department of Public Health to assign one unique user ID to
each employee and to grant a level of access to the level needed to do their job. This will be
done through assignment of roles. System administrators will assign user roles for each User
ID so each user will be able to accomplish the functions they are authorized to perform.
Procedural Responsibilities
ADPH Supervisors
Local Security Coordinators
IT Support Desk
Systems Administrators
System Owners
Procedure(s)
1. To Request a User ID
a. The employee’s supervisor will contact the Security Coordinator assigned to their
section and provide information as to what access the employee requires.
b. The Security Coordinator will contact the ADPH Support Desk.
c. The Support Desk will forward the appropriate access form to the Security
Coordinator.
d. The Security Coordinator will complete the form and return the form, via e-mail, to
the Support Desk.
e. The Support Desk will assign the request to the appropriate work unit.
f. System Administrator will request approval from the Owner.
g. System Administrator will grant access if approved by Owner.
h. System Administrator will notify the local security coordinator when access is
granted.
2. Adding a User (IT Only)
a. Log onto the domain as an administrator or account operator.
b. Using User Manager for Domains, copy an existing user from the same group as the
new user. The following fields will be copied from the existing user to the new user:
description, groups, logon script name, home directory location, and logon hours.
c. Enter the username and full name. Change the description if necessary. If the user
needs to print to a different printer from the existing user’s printer, add the user to the
corresponding printer group and remove the user from the existing printer group.
3. Miscellaneous (IT Only)
a. One user ID will be assigned per client.
b. The Information Security Officer or their designee will assign all new users of
systems one standard User ID that will be used for every system the individual
accesses, including PHALCON, AS/400, ISD Mainframe, Oracle database, Lotus
Notes, and the network.
c. Previously assigned User IDs will be changed as system upgrades occur to bring them
into conformance with this policy.
d. All User IDs will be logged and assigned from the primary domain server to avoid
duplication.
e. The User ID will always have six or more digits.
f. The System Administrator will add new User IDs to the network domain server,
AS/400, and ISD Mainframe as required by the user.
g. The System Administrator will provide the User ID to the Oracle Database
Administrator and the Lotus Notes Administrator.
h. System administrators will also assign user roles for each User ID so each user will be
able to accomplish the functions they are authorized to perform.
4. Moving a User to a New Location (IT Only)
a. Log onto the domain as an administrator or account operator.
b. Using User Manager for Domains, remove the user from their existing departmental
and printer groups and add them to their new groups.
c. Change the location of the user’s home directory to the new server.
d. Move any existing files from the user’s old home directory to their new home
directory.
5. Creating a New Departmental Group (IT Only)
a. Log onto the domain as an administrator or account operator.
b. Using User Manager for Domains, create a new Global Group for the new department.
c. Add all users to the new group and remove them from their existing group.
d. Add the new departmental group to all appropriate local/resource groups.
e. Edit the logon script and add the group name to the “IF MEMBER” statement for the
local server.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (4) (i) Standard: Information Access Management,
(ii) Implementation specifications: Access Establishment and Modification (Addressable)
Contact
Send e-Mail to Security Team
II.F. Security Awareness and Training
II.F.1 Security Training
Applies To
All ADPH Employees
Contract Employees
SOBRA Workers
Purpose
The purpose of this policy is to provide security training and periodic security updates/reminders
to all members of the workforce.
Scope
The procedure applies to all workforce members.
Policy
It is the policy of the Alabama Department of Public Health to provide security training for all
employees and personal service contractors utilizing a variety of methods to remind and inform
individuals of their security responsibilities (e.g., e-mail reminders, pamphlets, or copies of
security policies and procedures). ADPH will distribute security reminders such as notification
regarding possible viruses at appropriate intervals and procedures for reporting potential security
incidents.
Procedural Responsibilities
ISO
IT Support Desk Manager
IT Technical Support
Procedure(s)
All employees and personal service contractors will be required to attend security awareness
training prior to receiving user access to any system within ADPH.
All security awareness training will be based on the role(s) the employee is going to fulfill.
Employees assigned to multiple roles will receive the training associated with the role that
provides the most access to application and system data. Training specific to FTI and an
employee’s roles may be incorporated into existing training. The acknowledgement form must
indicate that FTI training was outlined.
Security Awareness training will also include information on incident response and how the
employee’s role could be affected.
All employees will sign a security awareness training acknowledgement form once they have
received initial training. This form is to be placed in the personnel file, along with any
subsequent acknowledgements, and retained for at least five (5) years.
All employees will be given refresher training on security policies and procedures during their
annual appraisal and will be required to sign the Departmental Rules & Policies for Review at
Annual Performance Appraisal form (Form ADPH-PER-63) stating that they have reviewed
these policies and procedures.
The Information Security Officer (ISO) will develop and provide frequent reminders concerning
security and use media such as Satellite Training, Alabama’s Health, E-Mail, videos, webcasts,
etc.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR §164.308(a) (5) (i) Standard: Security Awareness and Training, (ii)
Implementation Specifications, Security Reminders (Addressable)
Contact
Send e-Mail to Security Team
II.F.2 Protection from Malicious Software
Applies To
Information Technology
Purpose
The purpose of this policy is to implement procedures for guarding against and detecting
malicious software.
Scope
The procedures are for providing, maintaining, and ensuring that workforce members use
appropriate and updated virus protection software.
Policy
It is the policy of the Alabama Department of Public Health to install and maintain enterprise-wide virus protection software.
Procedural Responsibilities
IT Technical Support
IT Virus Team
Procedure(s)
Technical Guidelines for Systems Development
All software development and software maintenance activities performed by in-house staff must
subscribe to IT standards and conventions. Among other things, these standards and conventions
include the proper testing, training, and documentation. Systems Development will develop and
update their standards and conventions to keep them current at all times.
Systems Development workers will review these standards and conventions annually as part of
continued training.
Technical Guidelines for IT Technical Support
Operating System configuration should be in accordance with approved Information security
guidelines.
Services and applications that will not be used must be disabled where practical.
Access to services should be logged and/or protected through access-control methods.
The most recent security patches and hot fixes must be installed on the system as soon as
practical, the only exception being when immediate application would interfere with business
requirements.
Trust relationships between systems are a security risk, and their use should be avoided. Do not
use a trust relationship when some other method of communication will do.
Always use standard security principles of least required access to perform a function.
If a methodology for secure channel connection is available (i.e., technically feasible), privileged
access must be performed over secure channels, (e.g., encrypted network connections using SSH
or IPSec).
Servers should be physically located in an access-controlled environment.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR § 164.308(a) (5) (i) Standard: Security Awareness and Training, (ii)
Implementation Specifications, Protection from Malicious Software (Addressable)
Contact
Send e-Mail to IT–Technical Support
II.F.3 Log-in Monitoring
Applies To
ADPH Information Technology
Purpose
The purpose of this policy is to implement procedures for the monitoring of log-in attempts, the
reporting of discrepancies, and the correct safeguards to take in regard to ADPH system User
IDs.
Scope
The procedures are to ensure that all ADPH system User IDs are used in an authorized manner.
Policy
It is the policy of the Alabama Department of Public Health to monitor log-in attempts on ADPH
systems weekly, monthly, and quarterly utilizing system audit reports.
Procedural Responsibilities
IT Technical Support
Lotus Notes Administrator
AS/400 Administrator
Data Operations Manager
Procedure(s)
Each system administrator will review logs weekly, monthly, and quarterly for security events.
If an event(s) is identified, the system administrator will notify the Information Security Officer
(ISO) to investigate.
All findings will be submitted in writing for management review.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (5) (i) Standard: Security Awareness and Training, (ii)
Implementation Specifications, Log-in Monitoring (Addressable)
Contact
Send e-Mail to Security Team
II.F.4 Password Management
Applies To
IT Technical Support
IT Systems Development
IT Database Administration
Purpose
The purpose of this policy is to implement procedures for creating, changing, and safeguarding
Passwords.
Scope
The procedures apply to passwords used by workforce members to access systems containing
sensitive data and the networks, servers, databases, back-up systems, and other technical systems
and mechanisms supporting the storage, transmission, or utilization of sensitive data.
Policy
It is the policy of the Alabama Department of Public Health for employees of the ADPH to create
secure passwords for logging in to electronic systems and to change passwords at least every
sixty days. All individuals must safeguard this information to ensure system integrity. Technical
Support will implement procedures in which passwords will expire sixty days after creation.
Procedural Responsibilities
All ADPH employees
Chuck Langley
Guidelines
General
All system-level passwords (e.g., root, enable, administrator, application administration accounts,
etc.) must be changed at least every six [6] months. User accounts that have system-level
privileges granted through group memberships or programs such as “pseudo” must have unique
user identification from all other accounts held by that user. All user-level passwords must be
changed at least every 60 days.
Passwords must not be inserted into e-mail messages or other forms of electronic
communication.
Where SNMP (Simple Network Management Protocol) is used, the community strings must be
defined as something other than the standard defaults of “public,” “private”, and “system” and
must be different from the passwords used to log in interactively. A keyed hash must be used
where available (e.g., SNMPv2).
All user-level and system-level passwords must conform to the guidelines described below.
FTI (Systems containing FTI)
Organizational users with access to FTI that have been locked out must have their password
unlocked/reset by an authorized system administrator.
Remote access will not be granted for any reason.
Remote Access Requirements
Secure remote access must be strictly controlled. Control will be enforced via one-time
password authentication or public/private keys with strong pass-phrases.
Storage of Database User Names and Passwords
Database user names and passwords may be stored in a file separate from the executing body of
the program’s code. This file must be encrypted.
Database credentials may reside on the database server. In this case, a hash number identifying
the credentials may be stored in the executing body of the program’s code.
Database credentials may be stored as part of an authentication server (i.e., an entitlement
directory), such as an LDAP server used for user authentication. Database authentication may
occur on behalf of a program as part of the user authentication process at the authentication
server. In this case, there is no need for programmatic use of database credentials.
Database credentials may not reside in the documents tree of a web server.
Pass through authentication (i.e., Oracle OPS$ authentication) must not allow access to the
database based solely upon a remote user’s authentication on the remote host.
Retrieval of Database User Names and Passwords
If stored in a file that is not source code, then database user names and passwords must be read
from the file immediately prior to use. Immediately following database authentication, the
memory containing the user name and password must be released or cleared.
The scope into which you may store database credentials must be physically separated from the
other areas of your code, (e.g., the credentials must be in a separate source file). The file that
contains the credentials must contain no other code but the credentials (i.e., the user name and
password) and any functions, routines, or methods that will be used to access the credentials.
For languages that execute from source code, the credentials’ source file must not reside in the
same searchable or executable file directory tree in which the executing body of code resides.
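The storage and retrieval rules above, as an added Python example (not ADPH code): the credential file is refused if it sits in the web documents tree or the code tree, is read immediately before use, and its buffers are overwritten after authentication. The `username:password` file layout, the directory names, the sample values and the `connect` stand-in are assumptions; decrypting the stored file is not shown.

```python
import os
import tempfile
from contextlib import contextmanager
from pathlib import Path


class CredentialPolicyError(Exception):
    """Raised when the credential file breaks a storage or format rule."""


def is_within(path, root):
    """True if path resolves to a location inside root (symlinks followed)."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def wipe(buf):
    """Overwrite a bytearray in place with zero bytes."""
    buf[:] = bytes(len(buf))


@contextmanager
def database_credentials(cred_file, web_docroot, code_root):
    """Yield (user, password) read just before use; clear buffers on exit."""
    if is_within(cred_file, web_docroot):
        raise CredentialPolicyError("credential file is inside the web documents tree")
    if is_within(cred_file, code_root):
        raise CredentialPolicyError("credential file is inside the executing code tree")
    # Read straight into a mutable buffer so no immutable bytes copy is left behind.
    raw = bytearray(os.path.getsize(cred_file))
    with open(cred_file, "rb", buffering=0) as fh:
        fh.readinto(raw)
    line = raw.rstrip(b"\r\n")                  # bytearray copy, wiped below
    user, sep, password = line.partition(b":")  # bytearray copies, wiped below
    try:
        if not sep or not user or not password:
            raise CredentialPolicyError("expected one 'username:password' line")
        # The decoded user name is an immutable str: it is released, not cleared.
        yield user.decode("utf-8"), password
    finally:
        for buf in (raw, line, user, password):
            wipe(buf)


def connect(user, password):
    """Hypothetical stand-in for a database driver's connect call."""
    return user == "report_app" and password == b"constructed-Passw0rd"


def run_demo():
    """Build a constructed directory layout and exercise both outcomes."""
    with tempfile.TemporaryDirectory() as top:
        docroot, code, secrets = (Path(top, n) for n in ("wwwroot", "app", "secrets"))
        for d in (docroot, code, secrets):
            d.mkdir()
        good = secrets / "report_app.cred"      # one file per program
        good.write_bytes(b"report_app:constructed-Passw0rd\n")
        bad = docroot / "db.cred"               # violates the documents-tree rule
        bad.write_bytes(b"report_app:constructed-Passw0rd\n")

        with database_credentials(good, docroot, code) as (user, password):
            connected = connect(user, password)
            kept = password                     # keep a reference to inspect later
        cleared = kept == bytearray(len(kept))  # all zero bytes after the block

        try:
            with database_credentials(bad, docroot, code):
                rejected = False
        except CredentialPolicyError:
            rejected = True
        return {"connected": connected, "cleared_after_use": cleared,
                "docroot_rejected": rejected}


if __name__ == "__main__":
    print(run_demo())
```

Clearing is best effort in Python: a driver that converts the password to `str` or `bytes` makes a copy this code cannot overwrite.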
Access to Database User Names and Passwords
Every program or every collection of programs implementing a single business function must
have unique database credentials. Sharing of credentials between programs is not allowed.
Database passwords used by programs are system-level passwords.
Developer groups must have a process in place to ensure that database passwords are controlled.
This process must include a method for restricting knowledge of database passwords to a need-to-know basis.
Account Policy
Parameter                                 Setting
Maximum Password Age (system-level)       6 Months
Maximum Password Age (user-level)         60 Days
Minimum Password Age                      15 days
Minimum Password Length                   8 alphanumeric characters/symbols
Password Uniqueness (history)             13
Account Lockout Threshold                 Lockout after 3 bad attempts
Lockout Duration – No FTI Access          2 Hours
Lockout Counter Reset – No FTI Access     2 Hours
Lockout Duration – FTI Access             Permanent – must be unlocked manually
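The lockout settings in the Account Policy above, replayed over a log-in log as an added Python example (not ADPH tooling) of what a log-in review would flag. The log line format, the user IDs and the log entries are constructed. Three behaviours are assumptions: a successful log-in clears the bad-attempt counter, the counter resets two hours after the last bad attempt, and the same counter reset applies to FTI accounts (the policy gives no FTI value).

```python
from datetime import datetime, timedelta

# Values taken from the Account Policy settings in this section.
LOCKOUT_THRESHOLD = 3                   # "Lockout after 3 bad attempts"
LOCKOUT_DURATION = timedelta(hours=2)   # accounts without FTI access
COUNTER_RESET = timedelta(hours=2)      # accounts without FTI access

# Constructed sample log: "<ISO timestamp> <user id> <FAIL|OK|ADMIN_UNLOCK>"
SAMPLE_LOG = """\
2014-09-15T08:00:00 user100001 FAIL
2014-09-15T08:01:00 user100001 FAIL
2014-09-15T08:02:00 user100001 FAIL
2014-09-15T08:30:00 user100001 OK
2014-09-15T10:05:00 user100001 OK
2014-09-15T09:00:00 user100002 FAIL
2014-09-15T09:10:00 user100002 FAIL
2014-09-15T11:30:00 user100002 FAIL
2014-09-15T09:00:00 ftiuser003 FAIL
2014-09-15T09:00:05 ftiuser003 FAIL
2014-09-15T09:00:10 ftiuser003 FAIL
2014-09-16T09:00:00 ftiuser003 OK
2014-09-16T10:00:00 ftiuser003 ADMIN_UNLOCK
2014-09-16T10:05:00 ftiuser003 OK
"""


def parse_events(text):
    """Return (timestamp, user, outcome) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome = line.split()
        if outcome not in ("FAIL", "OK", "ADMIN_UNLOCK"):
            raise ValueError("unknown outcome: " + outcome)
        events.append((datetime.fromisoformat(ts), user, outcome))
    return sorted(events)


def replay(events, fti_users, as_of):
    """Apply the lockout policy to events up to as_of.

    Returns (findings, still_locked): findings are (timestamp, user, kind)
    tuples for the reviewer; still_locked lists accounts locked at as_of.
    """
    state, findings = {}, []
    for ts, user, outcome in events:
        if ts > as_of:
            break
        st = state.setdefault(user, {"count": 0, "last_fail": None, "locked_at": None})
        is_fti = user in fti_users
        # Timed unlock applies only to accounts without FTI access.
        if (st["locked_at"] is not None and not is_fti
                and ts - st["locked_at"] >= LOCKOUT_DURATION):
            st.update(count=0, last_fail=None, locked_at=None)
        if outcome == "ADMIN_UNLOCK":           # manual unlock by an administrator
            st.update(count=0, last_fail=None, locked_at=None)
            continue
        if st["locked_at"] is not None:
            # Any attempt on a locked account is rejected and worth reviewing.
            findings.append((ts.isoformat(), user, "attempt-while-locked"))
            continue
        if outcome == "OK":
            st.update(count=0, last_fail=None)  # assumption: success clears counter
            continue
        if st["last_fail"] is not None and ts - st["last_fail"] >= COUNTER_RESET:
            st["count"] = 0
        st["count"] += 1
        st["last_fail"] = ts
        if st["count"] >= LOCKOUT_THRESHOLD:
            st["locked_at"] = ts
            kind = "locked-permanent" if is_fti else "locked-2h"
            findings.append((ts.isoformat(), user, kind))
    still_locked = sorted(
        u for u, st in state.items()
        if st["locked_at"] is not None
        and (u in fti_users or as_of - st["locked_at"] < LOCKOUT_DURATION)
    )
    return findings, still_locked


if __name__ == "__main__":
    found, locked = replay(parse_events(SAMPLE_LOG), {"ftiuser003"},
                           datetime(2014, 9, 15, 12, 0))
    for row in found:
        print(*row)
    print("still locked:", locked)
```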
Form(s)
None
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (5) (i) Standard: Security Awareness and Training, (ii)
Implementation Specifications, Password Management (Addressable)
Contact
Send e-Mail to IT-Technical Support
II.G. Security Incident Procedures
II.G.1 Security Incident Response and Reporting
Applies To
All ADPH Employees and Contractors
Purpose
The purpose of this policy is to establish a formal procedure for identifying and responding to
suspected or known security incidents; mitigating, to the extent practicable, harmful effects of
security incidents that are known to ADPH; and documenting security incidents and their
outcomes.
Scope
The procedures are for reporting security incidents and establishing feedback processes to ensure
that persons reporting incidents are notified of results after the incident has been resolved and
closed.
Policy
It is the policy of the Alabama Department of Public Health for all employees to report
violations, or suspected violations, of computer policy. All computer policy violations will be
investigated.
Procedural Responsibilities
All ADPH employees and contractors
Information Security Officer
IT Technical Support Staff
IT Virus Team
IT Network Manager
IT Network Engineers
IT Director
ADPH General Counsel
Procedure(s)
Report suspected criminal cyber attacks, virus attacks, or physical compromises by completing
an Automated Report of Incidents and Accidents (ARIA) by going to the ADPH website OR by
contacting the IT Security Team or ADPH Support Desk.
E-mail address: Security Team
Main Telephone Number: 334-206-5264
Support Desk Telephone Number: 334-206-5268
The Information Security Officer determines which procedure should be implemented.
In the event of a security incident, the Information Security Manager (or his or her designee) will:
• assess the severity of the compromise;
• if feasible, make a backup of the infected system(s) or application(s) to prevent the attacker
from removing evidence of his or her activities;
• if feasible, determine if the hacker has left any programs or files on the infected
system(s); and
• check all logs for any suspicious activity.
For Cyber Attack:
1. Information Security Officer will notify the Technical Security Manager
2. Technical Security Manager will access the IDS upon notification of suspicious network
activity
3. Technical Security Manager will monitor security logs for servers
4. Technical Security Manager will identify any unusual activity
5. Technical Security Manager will gather data on activity
6. Technical Security Manager will initiate security measures to identify and neutralize
attack
7. Technical Security Manager will prepare report on actions taken and results achieved
8. Technical Security Manager will present report to Security Management
For Virus Infection:
1. Virus team leader will utilize antivirus console to inspect servers and systems at least
once a week
2. Systems not cleared from antivirus console are noted and given to the respective network
team
3. Network team members will make a visit to “uncleared” system and resolve problem
4. Network team members will get advanced support from the Antivirus Team leader for
unusual situations or those events that span more than one area of responsibility
5. Virus Team leader will present report to Security Management
For Physical Compromise:
1. IT Security Team will meet with Network manager for Tower (or County) to lay out plan
of action
2. Network management and their engineers will investigate to ascertain the facts of the
situation and report back to the IT Security Team
3. Based on discoveries of network management, the IT Security Team will brief the
Technical Support director and IT director
4. Computer Security Team will contact the General Counsel and notify them of the
situation and provide all relevant facts
5. General Counsel will contact the individual’s immediate supervisor and any other
personnel in that person’s chain of command
6. General Counsel will determine if any outside law enforcement authorities should be
alerted
7. Present Report to Security Management
8. Noncompliance with ADPH’s employee computer policy may result in discipline up to,
and including, termination. Employees that report violations or suspected violations of
company policy will be protected from termination, discrimination, harassment, and any
other form of retaliation. Hackers, snoopers, password stealers, virus installers, data
erasers, and anyone involved in such activity will be disciplined.
Form(s)
Automated Report of Incidents and Accidents (ARIA) located on the ADPH website,
https://www.adph.org/Extranet/Forms/Form.asp?ss=s&formID=4276
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (6) (i) Standard: Security Incident Procedures, (ii)
Implementation Specification, Response and Reporting (Required)
Contact
Send e-Mail to Security Team
II.H. Contingency Plan
II.H.1 Data Backup Plan
Applies To
IT Data Operations
Purpose
The purpose of this policy is to implement procedures to create and maintain retrievable exact
copies of sensitive data and all other computer systems.
Scope
The procedures are to back up and maintain retrievable exact copies of sensitive data when
there is a need to do so.
Policy
It is the policy of the Alabama Department of Public Health to create and maintain retrievable
backups of all electronic files. Further, Information Technology has responsibility for the
backup of centralized systems and the counties and/or individual users have responsibility for
backup of self-maintained systems/files.
Procedural Responsibilities
IT-Operations
Procedure(s)
1. To protect IT’s information resources from loss or damage, microcomputer users are
responsible for backing-up the information on their microcomputers.
2. For multi-user computer and communication systems, Data Operations is responsible for
making periodic back-ups.
3. If requested, the IT Technical Support Division will install, or provide technical
assistance for the installation of back-up hardware and/or software.
4. All CONFIDENTIAL, valuable, or critical information residing on IT computer systems
and networks must be periodically backed-up. Owners must define which information
and which machines are to be backed-up, the frequency of back-up, and the method of
back-up based on the following guidelines:
a. If the system supports more than one individual and contains data that is
critical to the day-to-day IT operations, then back-up is required daily.
b. If the system is used to support job-related functions and contains key data
critical to the day-to-day operation of that job, then back-up is required
weekly.
c. If the system is primarily used as a personal productivity tool and contains no
data that would be classified as job or departmental in nature, then back-up is
at the discretion of the individual user.
5. Save files containing sensitive or critical data to a designated location on the server.
Servers are regularly backed up, so this will ensure that the sensitive/critical data will be
retrievable.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (7) (i) Standard: Contingency Plan,
(ii) Implementation Specifications, and Data Backup Plan (Required)
See also Section III.E.4 (Data Backup and Storage).
Contact
Send e-Mail to IT–Operations
II.H.2 Disaster Recovery Plan
Applies To
Information Technology
Purpose
The purpose of this policy is to document how ADPH disaster recovery planning addresses
the preservation of data, systems, applications, and networks in the face of major disruptions
to normal business operations.
Scope
The procedures are for emergency response, extended back-up operation, and post-disaster
recovery in the event that a computer installation experiences a partial or total loss of
computer resources and physical facilities.
Policy
It is the policy of the Alabama Department of Public Health to create and maintain a disaster
recovery plan addressing the preservation of data, systems, applications, and networks.
Procedural Responsibilities
Information Technology
Bureau Directors
Area Administrators
County Administrators
Guidelines
1. A disaster is an event, or set of events, that results in the inability of IT to provide the
information services needed for ongoing operations. Disaster conditions can occur at a
variety of levels ranging from the “very minor” isolated hardware outage to the complete
loss of services.
2. Owners are responsible for the compilation, regular maintenance, and testing of
contingency plans for systems handling information for which they are responsible. The
Data Management Division will prepare, maintain, and test the Contingency Plan for
recovery and continued data processing service after a disaster or emergency.
3. The Information Security Manager is responsible for providing technical guidance for all
information systems contingency planning efforts.
4. Data Management will train all workers in Information Technology on their
responsibilities in case of activation of this plan.
5. Each Bureau/Area/County leadership must have a written contingency plan to cover the
following disaster definitions.
The degree of the outage experienced, Level 1, Level 2, or Level 3 directly corresponds to the
impact on information services. The definition of levels is as follows:
• Level 1 – the outage involves a limited portion of the business function and usually
revolves around the malfunction of an isolated piece of hardware with the expectation
of having full function restored in a time frame not to exceed one – three working
days.
• Level 2 – the outage involves a significant portion of a business function. The damage
incurred is minor to moderate, but the time frame until serviceability can be restored
for critical applications may continue for up to 24 calendar days.
• Level 3 – the outage involves major damage or the complete destruction of
information services in the RSA Tower (Tower) or a county.
Form(s)
None
Reference(s):
• HIPAA Security Rule CFR § 164.308(a) (7) (i) Standard: Contingency Plan,
(ii) Implementation Specifications, and Disaster Recovery Plan (Required)
Contact
Send e-Mail to IT-Data Administration
II.H.3 Emergency Mode Operation Plan
Applies To
Bureau Directors and Area Administrators
Purpose
The purpose of this policy is to establish (and implement as needed) procedures to enable
continuation of critical ADPH business processes for protection of the security of sensitive
data while operating in emergency mode.
Scope
The procedures are for the Disaster Response Team to follow in the case of an emergency.
Policy
It is the policy of the Alabama Department that, in the event of a disaster, the Disaster
Response Team (DRT) will be initiated to assess the current situation and develop an action
plan to rectify existing problems. The protection of sensitive data must be a consideration
while operating in emergency mode.
Procedural Responsibilities
Bureau Directors
Area Administrators
Disaster Response Team (DRT)
Procedure(s)
1. When an outage is detected that affects the service levels of IT, the Disaster Response
Team (DRT) will convene in Suite 800 of the Tower or an off-site location, such as the
Folsom Building, determined by the Director of Information Services.
2. The team will review conditions surrounding the outage, the type and degree of outage,
and information concerning the criticality and number of application functions impacted
to determine the impact on the Department.
3. This information will be passed to the State Health Officer who will, if needed, declare a
disaster and announce the current “Disaster Level” based on the DRT’s report.
4. The Disaster Response team will coordinate this information with the Bureau and Office
Directors to ensure all are involved in responding properly to the disaster.
5. The DRT will develop a “Current Operations Plan” to restore operations based on the
criticality and severity of the disaster. They will estimate the time frame necessary to
recover the systems. This Current Operations Plan will be based upon the situation and
the pre-developed contingency information in this plan.
6. Once the Current Operations Plan is completed, the DRT will carry out the actions
specified in the plan.
7. The DRT will meet as required to update status, direct new actions, and inform the State
Health Officer, Bureau and Office Director, Area and County Administrators, etc. until
operations are returned to normal.
Form(s)
None
Reference(s):
• HIPAA Security Rule CFR § 164.308(a) (7) (i) Standard: Contingency Plan, (ii)
Implementation Specifications, and Emergency Mode Operation Plan (Required)
• ADPH Contact List for Emergency Personnel
Contact
Send e-Mail to IT-Administration
II.H.4 Testing and Revision Procedures
Applies To
Information Technology
Purpose
The purpose of this policy is to implement procedures for the periodic testing and revision of
Contingency Plans. Contingency Plans permit continuity of mission-critical functions in the
event of a catastrophic event.
Scope
The procedures are to ensure that all critical functions can be recovered in the event of a
disaster situation.
Policy
It is the policy of the Alabama Department of Public Health to review and test the
Information Technology contingency plan on an annual basis.
Procedural Responsibilities
Information Technology Team Leaders
Procedure(s)
1. Information Technology staff will create a scenario in order to test the contingency plan.
2. IT will conduct desktop planning and discussion sessions to address what would be done
for that scenario by following the contingency plan.
3. The following method(s) may be used to test the plan:
a. Checklist Test. Copies of the plan are distributed to each involved functional
area.
b. Simulation Test. All operational and support personnel expected to perform
during an actual emergency meet in a practice session.
c. Parallel Test. Full test of the recovery plan. However, processing at the main
data processing facility does not stop.
d. Full-Interruption Test. Full test in which a disaster is simulated and data
processing at the main facility stops.
4. IT will perform a self review following the exercise to note lessons learned and modify
the contingency plan accordingly.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (7) (i) Standard: Contingency Plan,
(ii) Implementation Specifications, Testing and Revision Procedures (Addressable)
III.B.1, Contingency Operations Policy
Contact
Send e-Mail to Security Team
II.H.5 Applications and Data Criticality Analysis
Applies To
All Data Owners
Purpose
This policy addresses assessing the relative criticality of specific applications and data in
support of other Contingency Plan components.
Scope
The procedure is to identify the specific locations/sites and criticality of systems statewide.
Policy
It is the policy of the Alabama Department of Public Health to review all program areas to
determine the “Mission Critical” systems and the impact if the system is lost and to maintain
a Mission Criticality Spreadsheet.
Each system/application will be rated using the following:
• Essential – Loss would cause interruptions to service but the Department could
continue to operate successfully. Can be restored after 7 days.
• Critical – Loss would severely impair the ability of the Department to provide
services. Must be restored within 7 days.
• Fatal – Loss would stop the Department from providing services. Must be restored
within 24 hours.
Procedural Responsibilities
Area Administrators
Bureau Directors
Information Technology Data Management Division
Procedure(s)
1. IT will identify, with the aid of Area Administrators and Bureau Directors, all systems
and assist them with determining criticality of an application function or system to
determine the order of emergency restoration and recovery.
2. IT will maintain a spreadsheet of all applications/systems deemed mission critical, the
criticality, and the impact if that application/system is lost.
Form(s)
Mission Criticality Spreadsheet (Appendix B)
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (7) (i) Standard: Contingency Plan,
(ii) Implementation Specifications, Applications and Data Criticality Analysis (Addressable)
Contact
Send e-Mail to IT- Data Operations
II.I. Evaluation
Applies To
All ADPH Supervisors
All ADPH Directors
IT Technical Support
Purpose
The purpose of this policy is to ensure that ADPH conducts periodic technical and non-technical evaluations to establish the extent to which ADPH’s security policies and
procedures meet the requirements of the Security Rule.
Scope
The procedure encompasses assessing whether all vulnerabilities have been addressed and
verifying that all compliance requirements have been met.
Policy
It is the policy of the Alabama Department of Public Health to perform periodic technical and
non-technical evaluations, based on the standards set forth in the HIPAA Security Rule, to
ensure that the ADPH’s policies and procedures are updated as warranted by changes in the
ADPH’s environmental or operational conditions affecting the security of sensitive data.
Procedural Responsibilities
All ADPH Supervisors
All ADPH Directors
IT Technical Support
Information Security Officer
Procedure(s)
1. The ADPH Information Security Officer will have oversight over the HIPAA Security
compliance evaluations.
2. Supervisors will report any changes to their environment that have impact on the security
rule.
3. Technical Guidelines for IT
The types of operational changes that would typically call for an updated evaluation
include new purchases of computers, servers, IT lines or other connections to a system;
changes to systems or hardware housing sensitive data; changes in the Owners or
Custodians of the sensitive data; and changes to the law or regulations of the HIPAA
Security Rule.
a. The ADPH Information Security Officer will randomly test security measures
statewide.
b. IT Technical Support will perform technical evaluations on all computer systems
(see II.B.1, Risk Analysis Policy).
Form(s)
None
Reference(s):
HIPAA Security Rule CFR § 164.308(a) (8) Standard: Evaluation (Required)
Contact
Send e-Mail to IT – Security Team
II.J. Business Associate Contracts and Other Arrangements Policy
II.J.1 Written Contracts or Other Arrangements
Applies To
General Counsel
All ADPH Supervisors
All ADPH Directors
Purpose
The purpose of this policy is to implement procedures for the review and update of all ADPH
Business Associate Agreements to document satisfactory assurances that the Business
Associate(s) will appropriately safeguard sensitive data created, received, maintained, or
transmitted on ADPH’s behalf. In addition, all Business Associate Agreements must specify
that security incidents must be reported to ADPH.
Scope
The procedures encompass all ADPH Business Associate Agreements and written contracts
with Business Associates that create, receive, maintain, or transmit sensitive data on behalf of
ADPH.
Policy
It is the policy of the Alabama Department of Public Health to ensure that all business
associates properly safeguard sensitive data created, received, maintained, or transmitted on
ADPH’s behalf by inserting the HIPAA Clause contained in the “Standard Clauses Required
for Professional Services Contract” document in all Business Associate Agreements.
Procedural Responsibilities
Bureau/Office with contracts
General Counsel
Procedure(s)
1. The responsibility for the security of the equipment deployed by external service
providers will be specified in the contract with the service provider and security contacts,
and escalation procedures documented. Contracting departments are responsible for third
party compliance with this policy.
2. At minimum, contracts with third parties who are “Business Associates” of ADPH or any
of its component parts, will include provisions requiring the Business Associate to do the
following:
a. Implement administrative, physical, and technical safeguards that reasonably and
appropriately protect the confidentiality, integrity, and availability of sensitive
data that it creates, receives, maintains, or transmits on behalf of ADPH.
b. Ensure that any agent, including a subcontractor, to whom it provides such
information, agrees to implement reasonable and appropriate safeguards to protect
it.
c. Report to ADPH any security incident of which it becomes aware.
d. Authorize termination of the contract by ADPH if ADPH determines that
Business Associate has violated a material term of the contract.
Form(s)
Standard Clauses Required for Professional Services Contracts (Contact General Counsel for
current requirements)
Reference(s):
HIPAA Security Rule CFR §164.308(a) (8) (b) (1) Standard: Business Associate Contracts
and Other Arrangements (Required)
Contact
Send e-Mail to General Counsel
III. Physical Safeguards
III.A. Overview
Purpose
Physical Safeguards include security measures, policies, and procedures that ADPH implements
to protect its electronic Information Systems and related facilities and equipment from natural
and environmental hazards, unauthorized intrusion, and other threats. These physical safeguards
are in addition to standard safeguards that address fire, water damage, utility failure, and
structural damage to a facility.
Physical Safeguards define the physical operations (processes) that control access to the Facility
when ADPH is implementing the plans developed under the Administrative Safeguards outlined
in the Security Rule at CFR § 164.308.
Standards
Physical Safeguards include four standards. These standards are detailed in following sections of
this Manual and include:
Section III.B – Facility Access Controls
Policies and procedures that limit physical access to electronic Information Systems and the
facilities in which they are housed, while ensuring that properly authorized access is allowed.
Section III.C – Workstation and State Electronic Equipment Use
Policies and procedures that specify the proper Workstation functions to be performed, the
manner in which those functions are to be performed, and the characteristics of the physical
surroundings of Workstations that can access sensitive data.
Section III.D – Workstation Security
Physical Safeguards for all Workstations that can access sensitive data designed to restrict access
to authorized Users.
Section III.E – Device and Media Controls
Policies and procedures that govern the receipt and removal of hardware and electronic media
that contain sensitive data into and out of a Facility and the movement of these items within the
Facility.
III.B. Facility Access Control
III.B.1 Contingency Operations
Applies To
Area Administrators
Bureau Directors
Purpose
The purpose of this policy is to implement procedures that allow ADPH facility access in
support of restoration of lost data under the Disaster Recovery and Emergency Mode
Operations Plans.
Scope
The procedures are to be used by workforce members in the event that ADPH facilities
and/or operational systems are unavailable for use due to an emergency or a natural disaster.
Policy
It is the policy of the Alabama Department of Public Health to allow the Disaster Response
Team (DRT) to have access to facilities during emergency mode operations.
Procedural Responsibilities
Area Administrators
Bureau Directors
Procedure(s)
1. Refer to section II.H Contingency Plan of this policy manual for policy on Contingency
Operations. Specifically within that section refer to II.H.2 Disaster Recovery Plan and
II.H.3 Emergency Mode Operation Plan.
2. All facilities managers will be notified as to who will be aiding them in the recovery
process.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.310(a) (1) Standard: Facility Access Controls;
Implementation Specifications: Contingency Operations (Addressable)
Contact
Send e-Mail to IT-Administration
III.B.2. Facility Security Plan
Applies To
Facilities Managers
Purpose
The purpose of this policy is to implement procedures to safeguard ADPH facilities and their
equipment from unauthorized physical access, tampering, and theft by utilizing such things as
fences, security guards, security cameras, and locking mechanisms.
Scope
The procedures cover limiting access to facilities and equipment therein.
Policy
It is the policy of the Alabama Department of Public Health to safeguard ADPH facilities and
their equipment from unauthorized physical access, tampering, and theft.
Procedural Responsibilities
Facilities Managers
Guidelines
All ADPH facilities must have written procedures.
Facility security procedures include, but are not limited to, the following items:
• Protection of mobile and portable systems, such as laptops or handheld devices,
including, but not limited to:
    • secure storage of sensitive data;
    • access to system(s), application(s), and data in the event of theft; and
    • encryption of data, passwords, and other sensitive information.
• Locking doors during non-business hours with limited access
• Locking buildings
• Use of personal password for building access by each individual with authorization to
access sensitive data
• Use and distribution of keys to the building
• No duplication of keys
• Use of fence, well lit with security lights
• Use of security guards or cameras for fence
• Use of combination locks
• Monitor security alarm systems (e.g., by Simplex)
• Secure equipment access
• Security monitoring
• Security system – access limited to personnel with keyless coded entries
• Issue log of keys
• Issue log of passwords
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.310(a) (1) Standard: Facility Access Controls,
Implementation Specification: Facility Security Plan (Addressable)
• II.F.2, Protection from Malicious Software Policy
• II.H.1, Data Backup Policy
• II.H.2, Disaster Recovery Plan Policy
• III.C, Workstation and State Electronic Equipment Use Policy
• Information and Rules at the RSA Tower (found on the ADPH Website at
http://www.adph.org/facmgmt/Default.asp?id=732)
Contact
Send e-Mail to Facilities Management Administration
III.B.3. Physical Access Control and Validation Procedures
Applies To
Facilities Managers
All ADPH Employees
All Contractors
Purpose
The purpose is to implement procedures to control and validate ADPH workforce personnel’s
access to facilities based on their role or function, including visitor control and control of
access to software programs for testing and revision.
Scope
The procedures are to make employees aware of the ADPH protocol for accessing
facilities and electronic systems.
Policy
It is the policy of the Alabama Department of Public Health to limit access to ADPH facilities
and access to software programs.
Procedural Responsibilities
Facilities Managers
All ADPH Employees
Procedure(s)
1. Physical security is key to protecting computer and computer information from loss and
damage.
a. Store floppy disks and other sensitive information in a locked drawer.
b. Office doors must be locked after work hours or during prolonged absences of 1
day or more.
c. All file servers will be locked when not in use.
d. Server rooms must have a door and be locked at all times and only have limited
access by authorized IT personnel. If the servers are not in a lockable room, they
must have the ability to be physically locked (either by door built on server or
locked in a cabinet).
2. Theft Protection
a. All offices are secured after duty hours.
b. During normal duty hours, workers will be aware of visitors and will challenge
anyone appearing to take equipment from the offices.
c. Computer and network gear may not be removed from offices except by
authorized personnel.
3. All ADPH employees and contractors must wear external badges on their outer garments
so that both the picture and information on the badge are clearly visible when in Public
Health buildings or facilities.
4. All visitors must show proper identification and sign in prior to gaining access to
restricted areas controlled by the department. Visitors must be escorted at all times by an
authorized employee, consultant, or contractor. Visitors may be issued Visitor ID badges.
5. Any manuals/documentation containing sensitive data or privileged information must be
kept in locked cabinets when not in use.
6. All workers should challenge any strangers on the premises who are not properly
identified (i.e., no badge). If you notice an unescorted visitor inside a restricted area,
the visitor must be immediately questioned about the purpose for being in restricted areas.
The visitor must then be directly accompanied to a manager, a guard station, or the person
they came to see. If they cannot promptly produce a valid badge, they must be escorted
to the proper authorities.
7. IT Only - All systems development documentation and manuals must be stored in the
Systems Development office and the doors to the Center will be locked after duty hours.
This documentation must be regarded as CONFIDENTIAL and protected from
unauthorized access. Only employees with a “need to know” will be allowed to access
the documentation. During normal duty hours, workers will be aware of visitors and will
challenge anyone taking documentation from the offices who is not authorized to do so.
Documentation may not be removed from IT offices unless the involved person has first
obtained a property pass from the Systems Development Director.
IT Only - The doors to the operations room will be kept locked at all times. Employees
who regularly require access into the operations room will be issued a card key. Visitors
include anyone else who enters the operations room. Visitors will be escorted within the
operations room by authorized personnel at all times until they depart. Visitors will
register using the Visitor Log located in the Computer Room. The Visitor Log will log
the visitor’s name, signature, assigned work area, escort name, purpose of entry, and time
and date of entry. The Visitor Log will be retained for six (6) years.
8. All Departments/Divisions - Physical access control and validation procedures are to
include, at minimum, the following items:
a. Use of ADPH employee ID badges;
b. Requirements for passwords/codes limiting access to computers with sensitive
data;
c. Secure computers by employees when away from work areas;
d. Watch for visitors and monitor exits;
e. Escort of visitors to the designated area or person, where applicable;
f. Keys to be signed for by the cleaning crew;
g. Require all persons entering the building to stop at the front office;
h. Performance of maintenance only during business hours;
i. All repair and maintenance crews to be required to report to the front office upon
arrival and to be verified by Office Manager (e.g., with their packing slips, etc.);
j. Limited distribution of alarm keys for alarm systems;
k. Employees of outside agencies to provide ID upon arrival;
l. Control of access to software;
m. Use of door codes;
n. Access to be given by supervisor;
o. Use of keyless entry at doorways;
p. Issue log of keys;
q. Issue log of passwords;
r. Front entrance to be monitored;
s. All doors to be kept locked except front and back entrances.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR § 164.310(a) (1), Standard: Facility Access Controls,
Implementation Specification: Access Control and Validation Procedures (Addressable)
Contact
Send e-Mail to Facilities Management Administration
III.B.4. Maintenance Records
Applies To
Facilities Managers
Purpose
Formal procedures need to be established to address documentation of repairs and
modifications to the physical components of a facility (for example, hardware, walls, doors,
alarm systems, and locks).
Scope
The procedures are for all facilities managers to maintain logs of when maintenance is
performed at their facilities.
Policy
It is the policy of the Alabama Department of Public Health that facilities managers will
maintain records of all maintenance performed at their facility.
Procedural Responsibilities
Facilities Managers
Procedure(s)
1. Tower
Procedures for Maintenance Requests are addressed in “The Retirement Systems of
Alabama, Montgomery Properties Tenant Handbook.”
Maintenance requests are made through Facilities Management. If there is an
emergency maintenance situation, a building staff person may be paged during or
after regular business hours. The Building Maintenance Service Request form
records the request for service work. The invoice prepared at the completion of the
work describes the services performed and will serve as the maintenance log.
2. County Facilities
Facility managers will keep records on file of any maintenance performed. These
records should include the date, the time, a description of the work performed, and the
person(s) performing the work.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.310(a) (1), Standard: Facility Access Controls,
Implementation Specification: Maintenance Records (Addressable)
Contact
Send e-Mail to Facilities Management Administration
III.C. Workstation and State Electronic Equipment Use Policy
Applies To
All ADPH Employees and Contractors
Purpose
The purpose of this policy is to implement procedures for the proper use of ADPH workstations
and ADPH provided information technology resources by workforce members.
The intent of this policy is to assure that:
• The uses of IT resources are related to, or for the benefit of ADPH,
• State-provided IT resources are used productively,
• Disruptions to ADPH activities, because of inappropriate use of state-provided IT
resources are avoided.
It is also the intent to create an environment where communication can flow freely and
with a minimum of policing. This policy should not discourage the Department from using
these resources.
Effective use of IT resources is important to the Alabama Department of Public Health. To
help improve the effectiveness of your use of these resources, incidental and occasional
personal use is permitted, as long as such use does not:
• Adversely affect the employee’s performance of duties,
• Interfere with existing rules or policies pertaining to the agency,
• Overburden the communications system,
• Create significant additional cost to the Department of Public Health,
• Involve a for-profit personal business activity,
• Have the potential to harm or reflect adversely on the state, including but not limited to uses
involving pornography, chain letters or jokes, advertising, soliciting or selling, improper handling
of confidential information, or
• Involve illegal activities.
Warning: When using state resources for personal use, the department will not be held
responsible for personal information that is disclosed to other parties through e-mail use,
internet use, or other means. Email sent using ADPH Lotus Notes to outside email
accounts is not encrypted and is not secure.
If you are unclear about the acceptable “personal” use of a state-provided resource or wish to use the
resource for what may be considered as a good cause, seek authorization from your Information
Technology (IT) representative.
Scope
The scope of this policy is to define what the proper use of ADPH workstations and other ADPH
provided information technology resources is for workforce members. Proper use includes
security measures, e-mail use, Internet access, and installation of computer software.
Policy
It is the policy of the Alabama Department of Public Health to implement procedures for the
proper use of ADPH workstations and ADPH provided information technology resources by
workforce members.
Procedural Responsibilities
All ADPH Employees and Contractors
Procedure(s)
Use of Personal Computer (PC) Software/Hardware
The Alabama Department of Public Health licenses the use of copies of computer software from
a variety of outside companies. The Alabama Department of Public Health does not own the
copyright to this software or its related documentation and, except for a single copy for backup
purposes or unless expressly authorized by the copyright owner(s), does not have the right to
reproduce it for use on more than one computer. With regard to software usage on local area
networks, the Alabama Department of Public Health shall use the software only in accordance
with the applicable agreement.
The Alabama Department of Public Health employees are not permitted to install their own
copies of any software onto the Alabama Department of Public Health computers.
The Alabama Department of Public Health employees are not permitted to install their own
hardware of any kind without exclusive written permission from Senior Management of the
Alabama Department of Public Health. The ADPH employees are not permitted to copy
software from the ADPH computers and install it on personally owned computers, or any other
computers.
ADPH employees learning or knowing of any improper use of software or related documentation
within the department shall notify IT Technical Support. According to U.S. Copyright law,
unauthorized reproduction of software is a federal offense. Offenders can be subject to civil
damages, criminal penalties, and imprisonment.
Any ADPH employee who knowingly makes, acquires, or uses unauthorized copies of computer
software on equipment owned or leased by the ADPH shall be subject to immediate termination
of employment.
The ADPH does not condone and specifically forbids the unauthorized duplication of software.
Internet Access and Use
In compliance with law and the guidelines provided in this policy, employees of the Alabama
Department of Public Health are encouraged to use the Internet to its fullest potential to further
the ADPH mission, to provide customer service of the highest quality, to discover new ways to
use resources, to enhance customer services, and to promote staff development.
For employees that receive access to the Internet, the following guidelines should be observed:
The ADPH employees should use the Internet, when appropriate, to accomplish job
responsibilities more effectively. The Internet provides access to a wide variety of information
resources that can aid the ADPH employees in the performance of their jobs.
Use of the Internet by the ADPH employees is a privilege, not a right. This privilege may be
revoked at any time for inappropriate conduct. The ADPH employees have an obligation to use
their Internet access in a responsible and informed way, conforming to a network etiquette (e.g.,
netiquette), customs, and courtesies. Use of the Internet encompasses many different
interconnected networks and computer systems. Many of these systems are provided free of
charge by universities, public service organizations and commercial companies. Each system has
its own rules and limitations, and guests on these systems have an obligation to learn and abide
by the rules. Users should identify themselves properly when using any Internet service. They
should also be careful about how they represent themselves, given that what they say or do could
be interpreted as the ADPH opinion or policy. Users should be aware that their conduct could
reflect on the reputation of the ADPH and its employees. Examples of inappropriate conduct
include, but are not limited to:
use of the Internet for unlawful activities;
misrepresentation of oneself or the ADPH; and
employees shall respect intellectual property rights at all times when obtaining information over
the Internet. Illegal or unauthorized downloading, uploading, copying, or distribution of
copyrighted works is strictly prohibited. Employees should be aware that such actions could
result in legal liability for the ADPH.
Refrain from using “streaming media.” “Streaming media” are multimedia that are constantly
received by and presented to an end-user while being delivered by a provider. This includes
listening to radio stations, watching movies/television shows, and viewing the weather for
extended periods of time. Streaming media can overburden our communications system.
Viewing approved training videos and video conferencing required for work are exceptions to
this.
Employees should take all necessary steps to prevent unauthorized access to
Internet/Intranet/Extranet-related systems information.
Keep passwords secure and do not share accounts. Authorized users are responsible for the
security of their passwords and accounts. System level passwords should be changed every six
months; user level passwords should be changed every sixty days.
All PCs, laptops, workstations, PDAs, and any other electronic equipment will be secured with a
password-protected screensaver with the automatic activation feature set at 15 minutes or less, or
by logging-off when the host will be unattended.
Because information contained on portable computers is especially vulnerable, special care
should be exercised. [See III.D Workstation Security Policy, Item 2, Laptop Security]
Postings by employees from ADPH e-mail address to newsgroups should contain a disclaimer
stating that the opinions expressed are strictly their own and not necessarily those of the ADPH,
unless posting is in the course of business duties.
All hosts used by the employee that are connected to the ADPH Internet/Intranet/Extranet,
whether owned by the employee or the ADPH, shall be continually executing approved
virus-scanning software with a current virus database, unless overridden by departmental or
group policy.
Users must have their own internet provider to access email via i-Notes. The department does
not provide personal internet services.
E-mail Use Guidelines
Employees should check e-mail daily.
E-mail will be blocked when it contains certain file extensions, including .exe.
All e-mail will be scanned for viruses and spyware. E-mail will be deleted if a virus or spyware
is detected.
E-mail sent to accounts outside of the ADPH Lotus Notes mail system containing protected
information will be blocked and returned to sender. Allowances can be made for e-mail sent to
patients, as stated in the HIPAA Privacy and Security Policy (Policy # 2013-003).
Never use automatic forwarding with your ADPH email account.
Always verify the recipient’s address to ensure that you have entered the address correctly.
Be aware that e-mail is not private communication. Others may be able to read or access e-mail.
E-mail may be best regarded as a postcard rather than as a sealed letter. Refrain from sending
e-mail containing personal or protected information from the ADPH Lotus Notes system to
personal e-mail accounts.
Encrypt e-mail and attachments containing protected information. (IV.B.4. Encryption and
Decryption)
The maximum size of an e-mail with attachments will be 10 Megabytes.
If a message could be perceived as ADPH’s business or opinion, add a disclaimer to the signature
block when not officially representing the ADPH. An example of a disclaimer is: “the opinions
expressed herein are my own and do not necessarily represent those of the ADPH.”
Use signature blocks at the bottom of electronic mail messages. Signature blocks should be
short; preferably not more than six lines, and should include the user’s name, e-mail address,
phone number and postal address. Anything additional, such as pictures, personal notes,
quotations, etc., is not allowed.
Delete unwanted messages or files immediately because they take up valuable disk storage space.
Keep e-mail messages stored in mailboxes to a minimum.
Keep e-mail messages short and to the point. Generally limit messages to one subject.
Act in a professional and courteous manner. Avoid gossip and remember that statements about
others may find their way back to them. Be patient with new users.
Be clear and concise. Re-read and spell check messages before sending them to be sure they will
not be misunderstood. Read all messages carefully before replying.
Be aware of the potential audience in any discussion group and address them accordingly.
Be careful when using sarcasm and humor. Identify intended humor with standard statements
(e.g., “only joking”), and through the use of emoticons (e.g., ☺ happy face for humor).
Give cites and credit for all quotations, references, and sources. Do not engage in plagiarism.
Give proper credit to the correct sources to avoid potential legal issues surrounding information
ownership.
Do not violate the privacy of individual users by reading e-Mail or private communications
unless you are specifically authorized to maintain and support the system.
Do not represent yourself as someone else, fictional or real.
General IT Resource Guidelines
Leave the “mattress tag” as installed by IT.
Leave the desktop settings as installed by IT.
Access only files and data that are your own, are necessary for the performance of your duties,
are publicly available, or to which you have been given authorized access.
Use IT resources efficiently and productively. Refrain from monopolizing systems, overloading
networks with excessive data, or wasting computer time, connect time, disk space, printer paper,
or other IT resources.
Be responsible for the use of your program data files. Under no condition should you give your
passwords to another person. Guard yourself against unauthorized access to your system. When
you are away from your desk, take precautions to protect your data files. Print out and file a paper
copy of documents needed for long-term records.
Report to your supervisor and the IT representative for your area if you:
Receive or obtain information to which you are not entitled (Note: Also notify the owner or
sender of such information),
Become aware of breaches of security, or
Know of any inappropriate use of state-provided IT resources.
Seek the advice of your IT representative for any state-provided IT resource if you are in doubt
concerning your authorization to access that resource.
Adhere to copyright law regarding use of software, information, and attributions of authorship.
Conduct yourself as a representative of both the state agency and state government as a whole.
As a minimum, this means that you will not use IT resources to:
Distribute offensive or harassing statements; disparage others based on race, national origin, sex,
sexual orientation, age, disability, or political or religious beliefs.
Distribute statements which might incite violence or describe or promote the use of weapons or
devices associated with terrorist activities.
Distribute or solicit sexually oriented messages or images.
Any documents stored encrypted on any ADPH owned equipment must also be stored on a
server. This is to ensure that the data/documents are accessible and can be recovered in the event
of emergency.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR §164.310(b), Standard: Workstation Use (Required)
HIPAA Privacy and Security Policy, Policy # 2013-003, E-Mail Procedures, Sending E-mails to
Patients
Contact
Send e-Mail to IT-Administration
III.D. Workstation Security Policy
Applies To
All ADPH Employees and Contractors
Purpose
The purpose of this policy is to implement procedures for physical safeguards for all ADPH
workstations that access sensitive data and restrict workstation access only to authorized
Users.
Scope
Procedures for Workstation Security define what measures workforce members must take to
ensure the safety and security of workstations and laptops for which they are responsible.
Policy
It is the policy of the Alabama Department of Public Health that all ADPH employees and
contractors will implement procedures for securing workstations having access to sensitive
data.
Procedural Responsibilities
All ADPH Employees, Contractors, and Visitors
Procedure(s)
1. Security and Proprietary Information
a. Employees should take all necessary steps to prevent unauthorized access to
Internet/Intranet/Extranet-related systems information.
b. Keep passwords secure and do not share accounts. Authorized users are responsible
for the security of their passwords and accounts. System level passwords must be
changed every six months; user level passwords must be changed every sixty days.
c. All PCs, laptops and workstations will be secured with a password-protected
screensaver with the automatic activation feature set at 15 minutes or less, or by
logging-off (control-alt-delete for NT users) when the host will be unattended.
d. Because information contained on portable computers is especially vulnerable, special
care should be exercised.
e. Electronic data vital to the department stored on laptops must be encrypted and
transmitted in an encrypted state.
f. All laptops must have firewalls installed.
g. Postings by employees from ADPH e-mail address to newsgroups should contain a
disclaimer stating that the opinions expressed are strictly their own and not
necessarily those of the ADPH, unless posting is in the course of business duties.
h. All hosts used by the employee that are connected to the ADPH
Internet/Intranet/Extranet, whether owned by the employee or the ADPH, shall be
continually executing approved virus-scanning software with a current virus database,
unless overridden by departmental or group policy.
i. Employees must use extreme caution when opening e-mail attachments received.
j. Department, bureau, section property managers will be responsible for seeing that
loaner systems are logged into the master database at least once a month and checking
the current status of antivirus and security patches.
k. Users of laptops are responsible for logging into the master database at least once a
month, checking the current status of antivirus and security patches on laptops
assigned to them.
l. Property managers are responsible for updating the antivirus and security patches on
laptops before issuing them to a user.
m. Once per month users and property managers will connect to the network and update
the master inventory database.
   i. This is done by double-clicking the “Logit” icon which writes to a log file on
   the system and updates the master database.
   ii. Next, open the antivirus program and check the date of the Virus definitions.
   If more than a month old, leave the laptop connected to the network for thirty
   minutes and recheck the date. If date has not changed, submit a work order to
   the Support Desk to have system examined.
   iii. Last, select “Windows Update” from Start Menu and let Microsoft website
   scan system to determine which security patches need to be upgraded.
   iv. When asked what type of install desired, select “Express Install.” Any
   security patches in black letters will be installed when the “Install” button is
   clicked. Any service packs listed in RED are not to be installed.
2. Laptop Security
Users are responsible for damage to and/or loss or theft of loaned laptop units. In order to
avoid loss or theft, please follow these guidelines:
• Airports: Never leave the laptop unattended. Do not check the laptop as baggage.
Exercise diligence in watching the laptop as it is passed through any x-ray
devices.
• Cars: Keep the car locked and the laptop out of view. Ensure that the laptop is
securely stored so that it does not slide while driving. Avoid storage of the laptop
in a car during very hot or very cold weather.
If the laptop is lost or stolen, a written claim must be filed within 24 hours to IT and
notice given to the appropriate police authorities. If a laptop is lost, damaged, or stolen,
the employee responsible for that laptop must attend an investigative disciplinary hearing
where the circumstances surrounding the loss, damage, or theft will be discussed in depth.
Losing or severely damaging a laptop, or failing to take appropriate action to prevent its
theft, is a dismissible offence.
Users are responsible for performing their own data backups. IT is not responsible for
any files left on any laptop or for loss of, or damage to, a user’s files during the loan
period.
3. Visiting Laptops
Employees may wish to use a privately owned laptop computer at the ADPH. Visiting
laptops must have permission from IT to connect to any network port since it could be
disruptive or destructive to the network. Violation could result in permanent ban of
visiting laptop use. If an employee chooses to bring in a visiting laptop, be prepared to
provide the following information:
• computer type;
• planned location for use; and
• plans for current and future use.
Short-term contract workers or consultants in the employ of the ADPH will be provided
with a laptop for the duration of their stay if required. If they wish to provide their own
laptop, the same visiting laptop rules apply. In the event of laptop lease from IT, the lease
of a laptop must be sponsored by a current ADPH employee overseeing the work of the
contract worker or consultant and that employee may be held partially responsible for any
damages incurred.
In general, visiting laptops are not supported by IT. This does not include visiting units
owned by the ADPH from branch locations within the company. IT will attempt to
support visiting laptops owned by short-term contract workers or consultants in the
employ of the ADPH, but does not guarantee support.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.310(c), Standard: Workstation Security (Required)
Contact
Send e-Mail to IT–Technical Support
III.E. Device and Media Controls
III.E.1. Device and Media Disposal
Applies To
Information Technology Technical Support Division
When storage media are transferred, become obsolete, or are no longer usable as a result of
damage, it is important to ensure that residual magnetic, optical, or electrical representation
of data that has been deleted is no longer recoverable. Sanitization is the process of removing
data from storage media, such that there is reasonable assurance, in proportion to the
sensitivity of the data, that the data may not be retrieved and reconstructed. Once the media
is sanitized, it should be impossible or impractical to retrieve the data.
Purpose
Implement policies and procedures to address device and media handling when the media has
been identified for disposal.
Scope
These requirements apply to the disposing of all storage media owned by the ADPH.
Policy
It is the policy of the Alabama Department of Public Health to dispose of media containing
sensitive data. This can include removing the data from the media, archiving, and/or
destruction of the data or system component.
Procedural Responsibilities
IT Technical Support
Procedures
Process for IT
1. Before a computer system, desktop, or laptop is salvaged, the hard drive will be removed
and destroyed. A statement indicating that the hard drive has been removed and
destroyed shall be attached to the property transfer form and sent with the system to the
Warehouse.
2. Tapes used on the AS400 that are deemed beyond their useful service life shall be erased
with a magnetic bulk eraser before they are discarded. The Media Destruction Log will
be used to keep records of the erasure and will contain the tape label, date of erasure, and
name of the person who did the erasing. The above process is applicable to tape
cartridges used for server and mainframe backups.
3. Ensure that appropriate sanitization devices such as degaussers and paper and digital
media shredders are available (internally or outsourced).
4. Conduct sanitization; validate to ensure sanitization was successful.
5. Using the Media Destruction Log, document the results to record what media was
sanitized or destroyed, when, how, and the final disposition of the media to ensure proper
accountability of equipment and inventory control. Any media containing FTI that is to
be destroyed must be documented in the Media Destruction Log. The Media Destruction
Logs must be retained for at least five (5) years. The retention may be paper or an imaged
electronic copy attached to the I.T.E.M.S inventory entry.
6. Periodically test sanitization devices and procedures to ensure correct operation.
7. Ensure all personnel are trained in their responsibilities and on the proper use of
sanitization devices.
Form(s)
Media Destruction Log
Located in the Document Library/Information Technology/Media Destruction Log
Reference(s):
• HIPAA Security Rule CFR §164.310(d) (1), Standard: Device and Media Controls,
Implementation Specification: Disposal (Required)
• IRS Publication 1075 (Section 6): Other Safeguards (IRC § 6103(p)(4)(D))
• Alabama Consolidated IT Policy Manual Standard 681S3-00: Media Sanitization
III.E.2. Media Re-use
Applies To
All ADPH Users and Contractors
IT Technical Support Division
Purpose
Implement policies and procedures to address device and media sanitization when the media
has been identified for reuse.
Scope
The procedures for sanitizing devices and media for reuse.
Policy
It is the policy of ADPH to sanitize all electronic media before the device is made available
for reuse.
Sanitization for reuse can include clearing, purging or destroying the data. All sanitization of
media will occur in accordance with NIST Special Publication 800-88.
Media containing FTI will not be made available for reuse at any time. The sanitization
method for this media will be destruction.
Procedural Responsibilities
IT Technical Support
All Users
Procedure(s)
Before a computer system, desktop, or laptop is transferred, the user will inform Technical
Support staff if it contains sensitive data or not.
Process for IT
ADPH does not generally reuse equipment; however, when equipment is reused, the
following procedures apply.
1. If the system does not contain sensitive data and is to be transferred, then software such
as Partition Magic will be used to destroy the operating system and data partitions. A
statement to that effect shall be attached to the property transfer form and sent with the
system to the Warehouse. If the system is to be transferred to another division or section,
then the hard disk will be reimaged by the Technical Support Division prior to being
transferred.
2. If the system does contain sensitive information and is to be transferred to another work
unit, then the system will be reimaged by the Technical Support Division. Systems used
to access FTI will not be transferred for any reason and must be sanitized as outlined in
Section III.E.1.
3. Tapes used on the ISD 3270 Mainframe will be reinitialized before reuse.
Form(s)
None
Reference(s):
• HIPAA Security Rule CFR §164.310(d) (1), Standard: Device and Media Controls,
Implementation Specification: Media Re-use (Required)
• DoD 5220.22-M, Section C5.7 Disposition and Retention, Department of Defense
National Industrial Security Program Operating Manual
(http://www.dtic.mil/whs/directives/corres/pdf2/p522022m.pdf)
• National Institute of Standards and Technology (NIST) Special Publication 800-88:
Guidelines for Media Sanitization
• State of Alabama, Information Technology Standard 681S3-00: Media Sanitization
Contact
Send e-Mail to IT-Technical Support
III.E.3. Media Accountability
Applies To
All ADPH Employees and Contractors
IT Data Operations
Purpose
The purpose of this policy is to implement procedures to maintain a record of the physical
movements of media as well as any person responsible for those movements.
Scope
The procedures identify processes that workforce members must follow to account for the
distribution of sensitive data that is stored on electronic media.
Policy
It is the policy of the ADPH to maintain a record of location and movement of all media
containing sensitive data.
Electronic media containing FTI will be marked with distribution limitations, handling
caveats or applicable security markings.
Procedural Responsibilities
All ADPH Employees
IT Data Operations
Procedure(s)
Technical IT Guidance
All internal servers deployed at the ADPH must be owned by an operational group that is
responsible for system administration. Approved server configuration guides must be
established and maintained by each operational group, based on business needs and approved
by IT Technical Support. Operational groups should monitor configuration compliance and
implement an exception policy tailored to their environment. Each operational group must
establish a process for changing the configuration guides, which includes review and
approval by IT Technical Support.
1. Servers must be registered within the ADPH Information Technology. At a minimum,
the following information is required to positively identify the point of contact:
a. Server contact(s) and location, and a backup contact
b. Hardware and Operating System/Version
c. Main functions and applications, if applicable
2. Information in the ADPH enterprise management system must be kept up-to-date.
3. Configuration changes for production servers must follow the appropriate change
management procedures.
General Guidance
1. Any media containing sensitive data must be labeled and the location logged.
2. All removable computer storage media (e.g., CDs, memory sticks, and smart media) must
be purchased by the department and are departmental property. These items must be
returned upon employee departure. Privately owned storage media is strictly forbidden.
Removable media will not be used to store, transport, maintain or process FTI at any
time.
3. Ensure all media containing FTI is marked with either IRS Notice 129A or IRS Notice
129B. Labels may be obtained from the Information Security Officer or IT Maintenance
Manager.
4. Servers that contain FTI will have audit controls in place to identify if removable media is
inserted. An alert will be generated and provided to Technical Support so they may take
any necessary actions.
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.310(d) (1), Standard: Device and Media Accountability,
Implementation Specification: Accountability (Addressable)
• IRS Publication 1075 (Section 4): Secure Storage (IRC § 6103(p)(4)(B))
Contact
Send e-Mail to IT-Data Operations
III.E.4. Data Backup and Storage
Applies To
All ADPH Employees
Purpose
The purpose of this policy is to implement procedures for the backup and storage of sensitive
data used by ADPH workforce members.
Scope
The procedures are to provide guidance for workforce members to follow for the backup and
storage of sensitive data.
Policy
It is the policy of the Alabama Department of Public Health to backup all critical systems and
to maintain off-site storage of these systems.
Procedural Responsibilities
All ADPH Employees
IT Data Operations
Procedure(s)
1. All personnel are responsible for backing up local PC hard drive files.
2. Any documents that are critical to the department must be stored in a designated location
on the server.
3. All County main offices will rotate their Friday tapes once a week with their fallback
location (every Monday).
IT Only
1. Management shall designate a non-IT person or persons to be responsible for the rotation
of backup tapes of critical systems and to courier the tapes to the designated location for
safe storage. When requested, and for the purpose of performing an audit, any access
needed will be provided to evaluate that procedures are being followed properly for tape
backup rotation Form(s).
This access may include:
a. Access to information (electronic, hardcopy, etc.) to verify tape backup process
documentation or tapes are located in proper location and fireproof container.
b. Media Rotation
IT Data Management Division will use at least three (3) sets of back-up storage
media (tapes, CD-ROMs, etc.) to be used in rotation. Periodic archival back-up
copies should also be made every few months; these copies should be stored for
one month, depending upon the Owner’s requirements, and may be used to help
recover from system problems or data loss problems.
c. Media Storage
Secure storage of back-up media is the responsibility of the microcomputer user or
multi-user machine Systems Administrator involved in the back-up process.
Storage media from multi-user systems should be stored in fireproof safes, at a
separate location several city blocks away from the system being backed-up. All
back-up media stored off-site must be physically protected against unauthorized
access.
2. The Tower will rotate their backup storage tapes off-site on a daily basis to a secured
fireproof container at a secure location located more than 1 mile from the Tower.
3. IT will do a special backup on the 1st day of each month and mark it with Month/Year on
the label. This will be permanently stored in a fire proof container.
Tape rotation will be as follows (Tower):
Monday 1 (used on odd week of month)
Tuesday 1 (used on odd week of month)
Wednesday 1 (used on odd week of month)
Thursday 1 (used on odd week of month)
Friday 1 – (used on 1st Friday of month)
Friday 3 – (used on 3rd Friday of month)
Friday 5 – (used on 5th Friday of month)
Monday 2 (used on even week of month)
Tuesday 2 (used on even week of month)
Wednesday 2 (used on even week of month)
Thursday 2 (used on even week of month)
Friday 2 – (used on 2nd Friday of month)
Friday 4 – (used on 4th Friday of month)
1st of each month – Special backup (permanent)
Reference(s):
HIPAA Security Rule CFR §164.310(d) (1), Standard: Device and Media Controls,
Implementation Specification: Data Backup and Storage
Forms
None
Contact
Send e-Mail to IT-Data Operations
IV. Technical Safeguards
IV.A. Overview
Purpose
Technical Safeguards address technology and the policies and procedures for its use that protect
sensitive data and control access to it.
Technical Safeguards are designed to guard against unauthorized access to all protected
information maintained in a system or transmitted over a communications network. The
Technical Safeguards contain the following five security standards that specify how to use
technology to protect sensitive data, and, in particular, to control access to this data.
Standards
The five standards contained in the Technical Safeguards are detailed in the following sections
and include:
Section IV.B – Access Control
Technical policies and procedures for electronic Information Systems that maintain protected
information to grant and allow access only to those persons or software programs that have
appropriate access rights.
Section IV.C – Audit Controls
Procedural mechanisms and/or processes that record and examine activity in Information
Systems that contain or use protected information.
Section IV.D – Integrity
Policies and procedures to protect all protected information from improper or unauthorized
alteration or destruction.
Section IV.E – Person or Entity Authentication
Procedures to verify that a person or entity seeking access to all protected information is who
they/it claims to be.
Section IV.F – Transmission security
Technical security measures to guard against unauthorized access to all protected information
transmitted over an electronic communications network.
IV.B. Access Control
IV.B.1. Unique User Identification
Applies To
Security Coordinators
IT Data Management
IT Technical Support
Purpose
The purpose of this policy is to implement procedures to assign a unique name and/or number
for identifying and tracking ADPH systems user identity.
Scope
The procedures include guidelines for unique user identification, User ID maintenance, and
password construction.
Policy
It is the policy of the Alabama Department of Public Health to assign a unique user ID and
password for each employee requiring access to ADPH computer systems. Users will be
required to verify their identity prior to receiving their ID and password. Identification can
be in the form of government issued picture ID.
Employees requiring access to any system that contains FTI must sign an access agreement
prior to receiving their access to the information system.
All access agreements for systems that contain FTI will be reviewed on a periodic basis or
when an employee is reassigned or transferred within the organization.
It is also the policy of ADPH to ensure that, for services performed by outsourced vendors for
Technology Services, contracting language outlined by the IRS Publication 1075 (Exhibit 7)
will be present in the final contracts prior to the contractors receiving a unique user ID.
Procedural Responsibilities
Security Coordinators
IT Data Management
IT Technical Support
Procedure(s)
1. User ID Construction – Network User ID
o RSA Tower – The Network ID will be the first two letters of the bureau to which the
employee is assigned plus a number, followed by the first letter of the employee’s
first name and the first four letters of the last name.
o County – The Network ID will be “H” plus the county number, followed by the
first letter of the user’s first name and the first four letters of the last name.
o Non-departmental Users – The Network ID will be “H” plus a two-letter identifier,
followed by the first letter of the user’s first name and the first four letters of the
last name.
2. User ID Construction - RACF IDs
o RSA Tower – The RACF ID will be “PHX” plus four random numbers.
o County – The RACF ID will be “PH” plus the county number plus four random
numbers.
3. User ID Construction - AS/400
o The first two positions identify the work unit; the third position is a number,
followed by the first letter of the user’s name, and the first four letters of the last
name.
4. General Password Construction
All ADPH personnel with access to sensitive data are subject to the following
requirements: Passwords are used for various purposes at the ADPH. Some of the more
common uses include user level accounts, web accounts, e-mail accounts, screen saver
protection, voice-mail password, and local router logins. Since very few systems have
support for one-time tokens (i.e., dynamic passwords which are only used once),
everyone should be aware of how to select strong passwords.
ADPH standard passwords will be configured as follows:
• Contain both upper and lower case characters (e.g., a-z, A-Z)
• Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:”;’<>?,./)
• Are at least eight alphanumeric characters long.
• Should not be a variation on the username.
• Are not a word in any language, slang, dialect, jargon, etc., either forward or backward.
• Are not based on personal information, names of family, etc.
• Passwords should never be written down or stored on-line. Try to create
passwords that can be easily remembered. One way to do this is create a
password based on a song title, affirmation, or other phrase. For example, the
phrase might be: “This May Be One Way To Remember” and the password could
be: “TmB1w2R!” or “Tmb1W>r~” or some other variation. How about your
ISO’s favorite quote: “All for one and one for all”? The password could be:
“All41&14All”!
o NOTE: Do not use these examples as passwords!
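The construction rules above can be enforced at password-change time. The following is an added example, not ADPH code: the word list, the user name and the personal-information tokens are constructed stand-ins, and treating "a word" as "contains a listed word after undoing common digit/symbol substitutions" is an assumption that is stricter than the wording of the rule.

```python
import re
import string

# The manual's own sample passwords; the NOTE above says never to use them.
PAGE_EXAMPLES = frozenset({"TmB1w2R!", "Tmb1W>r~", "All41&14All"})

# Constructed stand-in for a real dictionary or breached-password list.
SAMPLE_WORDS = frozenset({"password", "welcome", "alabama", "health", "summer"})

# Undo common substitutions so "Passw0rd" is still recognised as "password".
_LEET = str.maketrans("01345$@7", "oleassat")


def _letters(text):
    """Lower-case, undo substitutions, and keep only the letters a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(_LEET))


def _embeds(core, token, min_len):
    """True if token appears in core forward or backward.

    Tokens shorter than min_len are ignored so that initials or two-letter
    fragments do not flag every password.
    """
    t = _letters(token)
    return len(t) >= min_len and (t in core or t in core[::-1])


def check_password(password, username, personal=(), words=SAMPLE_WORDS):
    """Return the list of rule codes the password violates (empty = compliant).

    Codes, in check order: length, case, digit_punct, username,
    dictionary, personal, page_example.
    """
    violations = []

    # "At least eight ... characters long" (total length is used here).
    if len(password) < 8:
        violations.append("length")

    # "Contain both upper and lower case characters."
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        violations.append("case")

    # "Have digits and punctuation characters as well as letters."
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_digit and has_punct):
        violations.append("digit_punct")

    core = _letters(password)

    # "Should not be a variation on the username."
    if _embeds(core, username, 3):
        violations.append("username")

    # "Not a word ... either forward or backward."
    if any(_embeds(core, w, 4) for w in words):
        violations.append("dictionary")

    # "Not based on personal information, names of family, etc."
    if any(_embeds(core, p, 3) for p in personal):
        violations.append("personal")

    # Published examples are known to everyone who has read the manual.
    if password in PAGE_EXAMPLES:
        violations.append("page_example")

    return violations


if __name__ == "__main__":
    # Constructed inputs: "jsmith" and "Mary" are made-up account data.
    for pw in ("Passw0rd!", "htimsJ#2014", "TmB1w2R!", "gR7#vq!Zx2Lp"):
        print(pw, check_password(pw, "jsmith", personal=("Mary",)))
```

A password that passes every character-class rule can still fail the username, dictionary or personal-information rules, which is why those checks run on the normalised letters rather than on the raw string.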
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.312(a) (1), Standard: Unique User Identification (Required)
• IRS Publication 1075 (11.1): Disclosure to Other Persons
Contact
Send e-Mail to Security Team
IV.B.2. Emergency Access Procedure
Applies To
Bureau Directors
Area Administrators
Disaster Response Team
Information Technology
Purpose
The purpose of this policy is to implement procedures for obtaining sensitive data during an
emergency.
Scope
The procedures provide guidance regarding emergency access to all protected information by
ADPH workforce members before an emergency arises. Periodic review and updates are
required.
Policy
It is the policy of the Alabama Department of Public Health for the Data Management
Division to maintain, plan, and test the continuity plan for recovering and continuing data
processing service before/after an emergency has occurred.
Policy for Emergency Access is contained in the policy for Contingency/Emergency Planning
in section II.H.2 Disaster Recovery Plan.
Procedural Responsibilities
Bureau Directors
Area Administrators
Disaster Response Team
Information Technology
Procedure(s)
1. The Disaster Recovery Team (DRT) will be initiated to assess the current situation and
develop an action plan.
2. The Information Security Officer is responsible for providing security guidance for all
information systems contingency planning efforts.
3. The Technical Support manager is responsible for providing technical guidance for all
information systems contingency planning efforts.
4. Data Management will train all workers in Information Technology on their
responsibilities in case of activation of this plan.
5. Each Bureau/Area/County leadership must provide IT with a contingency plan to cover
the following disaster definitions.
6. IT will maintain, at the central office, a file of all Bureau/Area/County contingency plans.
7. Emergency Access Procedures are covered in II.H.2 and II.H.3.
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR § 164.312(a) (1), Standard: Access Control, Implementation
Specification: Emergency Access Procedure (Required)
• II.H.2 Disaster Recovery Plan
• II.H.3 Emergency Mode Operation Plan
Contact
Send e-Mail to IT-Administration
IV.B.3. Automatic Logoff
Applies To
All ADPH Employees
IT Technical Support
Purpose
The purpose of this policy is to implement electronic procedures that terminate an electronic
session after a predetermined time of inactivity.
Scope
ADPH logoff procedures apply to all workforce members.
Policy
It is the policy of the Alabama Department of Public Health to automatically disconnect
electronic sessions after 15 minutes of inactivity.
Procedural Responsibilities
IT Technical Support
Guidance
1. All PCs, laptops, and workstations will be secured with a password-protected screensaver
with the automatic activation feature set at 15 minutes or less, or by logging-off when the
workstation is left unattended.
2. The VPN concentrator is limited to an absolute connection time of 24 hours.
Procedures
• IT will configure all workstations to automatically lock after 15 minutes of inactivity.
Form(s)
None
Reference(s):
HIPAA Security Rule CFR §164.312(a) (1), Standard: Access Control, Implementation
Specification: Automatic Logoff (Addressable)
Contact
Send e-Mail to IT–Technical Support
IV.B.4. Encryption and Decryption
Applies To
All ADPH Employees
IT Technical Support
Purpose
The purpose of this policy is to implement procedures and mechanisms to encrypt and
decrypt sensitive data.
Scope
The procedures are for encryption/decryption of all protected information to deny
unauthorized users access to information in that file and establishing control of data files at
rest or in transit.
Policy
It is the policy of the Alabama Department of Public Health that the use of encryption will be
utilized for all systems that contain, receive, store, process, or transmit sensitive data.
Encryption methods will be determined by the level of sensitivity of data contained within the
system.
Procedural Responsibilities
All ADPH Employees
IT Technical Support
Guidelines
1. Sensitive data contained on site (e.g., in servers and workstations) generally will not be
encrypted, but will be protected via the many other various safeguards applied to ADPH
premises and system access (see Facility Access Controls, Workstation Use, Workstation
Security, and Access Controls).
2. As appropriate and consistent with guidelines established by the ISO, sensitive data
stored on laptops will be encrypted during storage, and decrypted for use, in order to
reduce the vulnerability of information contained in these portable media devices.
3. Access to sensitive information will only be allowed through a single direct network
connection (e.g., a workstation) or through an encrypted remote connection (e.g.,
wireless).
4. Access to FTI will not be permitted through any remote connection.
5. Systems containing FTI will encrypt data in transit and at rest. Data in transit will be
encrypted using WS Security protocols, SSL (Secure Socket Layer) technology, and
VLAN (Virtual Local Area Network) segmentation. Data at rest will be encrypted using
tools/methods identified to be FIPS 140-2 compliant.
Procedure(s)
1. IT will purchase and load software to enable encryption and decryption of data.
Instructions for encrypting can be found in the ADPH Document Library in the ADPH
HIPAA Privacy and Security category.
2. ADPH will utilize SSL and VPN (Virtual Private Network) procedures to protect
sensitive data transmission.
3. Technical Guidelines (IT Only)
SSL uses RSA encryption. Symmetric cryptosystem key lengths must be at least 56 bits.
Asymmetric crypto-system keys must be of a length that yields equivalent strength.
ADPH’s key length requirements will be reviewed annually and upgraded as technology
allows.
The use of proprietary encryption algorithms is not allowed for any purpose, unless
reviewed by qualified experts outside of the vendor in question and approved by the
Information Security Officer. Be aware that the export of encryption technologies is
restricted by the U.S. Government. Residents of countries other than the United States
should make themselves aware of the encryption technology laws of the country in which
they reside.
To comply with this policy, wireless implementations must:
• Maintain point-to-point hardware encryption of at least 56 bits.
• Maintain a hardware address that can be registered and tracked, i.e., a MAC address.
• Support strong user authentication which checks against an external database such as
TACACS+, RADIUS or something similar.
Exception
A limited-duration waiver to this policy for Aironet products has been approved; specific
implementation instructions are followed for ADPH.
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.312(a) (1), Standard: Access Control, Implementation
Specification: Encryption (Addressable)
• IRS Publication 1075 (4): Secure Storage (IRC § 6103(p)(4)(B))
• National Institute of Standards and Technology (NIST) Federal Information Processing
Standard (FIPS) 140-2: Security Requirements for Cryptographic Modules
Contact
Send e-Mail to IT–Technical Support
IV.C. Audit Controls
Applies To
ADPH Data Owners
IT Data Management
Purpose
The purpose of this policy is to implement hardware, software, and/or procedural
mechanisms that record and examine activity in Information Systems that contain or use
sensitive data.
Scope
The procedures are to establish audit controls to record any alterations of patient or tax
information, including changes, deletions, modifications, creations, and additions and to
provide an internal mechanism to track and report access to sensitive data.
Policy
It is the policy of the Alabama Department of Public Health to implement audit controls to
record any alterations, changes, deletions, modifications, creations, and/or additions to
records containing sensitive data.
Procedural Responsibilities
ADPH Data Owners
IT Data Management
Procedure(s)
For FTI:
ADPH will generate audit records, at a minimum, for the following events:
1. User account management activities,
2. System shutdown,
3. System reboot,
4. System errors,
5. Application shutdown,
6. Application restart,
7. Application errors,
8. File creation,
9. File deletion,
10. File modification,
11. Failed and successful log-on attempts,
12. Security policy modifications, and
13. Use of administrator privileges
14. All successful and unsuccessful authorization attempts.
15. All changes to logical access control authorities (e.g., rights, permissions).
16. All system changes with the potential to compromise the integrity of audit policy
configurations, security policy configurations and audit record generation services.
17. The audit trail shall capture the enabling or disabling of audit report generation services.
18. The audit trail shall capture command line changes, batch file changes and queries made
to the system (e.g., operating system, application, and database).
Overall network configurations will also enable logging for perimeter devices, including
firewalls and routers to include these events:
1. Packet screening denials originating from un-trusted networks,
2. Packet screening denials originating from trusted networks,
3. Modification of packet filters,
4. Application errors,
5. Modification of proxy services,
6. User account management,
7. System shutdown and reboot, and
8. System errors.
Additionally, proper logging will be enabled in order to audit administrator activities in addition
to any regularly occurring system activities.
Controls will also be configured to identify any unauthorized account creation or modification
within the administrator groups, root accounts or other system related accounts.
The audit records of any system containing FTI will be reviewed on a weekly basis for
indications of unusual activities. Findings will be reported to the System Owner for resolution.
In the event of an audit failure, the Technical Support Director will notify the System Owner so
additional actions may be taken.
Audit records will be stored on an LEM server with enough space to maintain all records.
Should additional space be necessary, the Technical Support Director will request an amount of
space large enough to ensure no records are lost. Audit records for systems containing FTI will
be retained for at least six (6) years in accordance with all State and Federal laws for records
retention.
Audit logs produced will be stored on an LEM server with enough space to maintain the
necessary records.
For all others:
1. Audit logs will be reviewed bi-annually by data owners.
2. Data owners will report any irregularities to IT Data Management.
3. Audit Controls will be specific to each system or application and specific to each type of
User activity. An audit process systematically tracks and reports, minimally, the
following events:
a. Log-on and log-off;
b. File and object access;
c. Use of user rights;
d. User and group management;
e. Security policy changes;
f. Restart and/or shutdown; and
g. System process tracking.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR § 164.312(b), Audit Controls (Required)
Contact
Send e-Mail to Security Team
IV.D. Integrity Controls
IV.D.1. Mechanism to Authenticate Sensitive Data
Applies To
IT Technical Support
Purpose
The purpose of this policy is to implement, as needed, electronic mechanisms to corroborate
that sensitive data has not been altered or destroyed in an unauthorized manner.
Scope
The procedure covers the different mechanisms used by ADPH to authenticate sensitive data.
Policy
It is the policy of the Alabama Department of Public Health to employ data reconciliation
routines to examine sensitive data for evidence of tampering, errors and omissions.
Procedural Responsibilities
IT Technical Support
Procedure(s)
1. Data reconciliation routines will be deployed at the level of the server housing sensitive
data or at an application-specific level.
2. ADPH will use RAID 5 storage and backup methodologies to assist in ensuring the
integrity of its sensitive data.
3. Users will verify via reports (i.e. reconciliation program reports) that data is accurate and
has not been altered.
Form(s)
None
Reference(s):
HIPAA Security Rule, CFR §164.312(c) (1), Standard: Integrity, Implementation
Specification: Mechanism to Authenticate Electronic Protected Health Information
(Addressable)
Contact
Send e-Mail to IT-Technical Support
IV.E. Person or Entity Authentication
Applies To
IT Technical Support
Purpose
The purpose of this policy is to implement procedures to verify that a person or entity seeking
access to sensitive data is the one claimed.
Scope
The procedures cover the different mechanisms used by ADPH to authenticate entities.
Policy
It is the policy of the Alabama Department of Public Health to authenticate all users and
entities seeking access to the ADPH computer systems.
Procedural Responsibilities
IT Technical Support
Guidelines
1. Dial-in access should be strictly controlled, using one-time password authentication.
2. Analog and non-GSM digital cellular phones cannot be used to connect to the ADPH
network, as their signals can be readily scanned and/or hijacked by unauthorized
individuals. Systems on the ADPH network cannot be connected to other networks via
analog and non-GSM digital cellular phones due to the same risk factors. Only GSM
standard digital cellular phones are considered secure enough for connection to the ADPH
network.
3. Approved ADPH employees and authorized third parties (customers, vendors, etc.) may
utilize the benefits of VPNs, which are a “user managed” service. This means that the
user is responsible for selecting an Internet Service Provider (ISP), coordinating
installation, installing any required software, and paying associated fees.
4. Other entities will utilize ADPH’s public FTP site to transfer files to our network. If the
information contains sensitive data, the files must be encrypted as a self-extracting
executable. The entity must provide ADPH with the password to decrypt.
5. It is the responsibility of employees with VPN privileges to ensure that unauthorized
users are not allowed access to the ADPH internal networks.
6. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
7. Only Information security-approved VPN clients may be used.
8. By using VPN technology with personal equipment, users must understand that their
machines are a de facto extension of the ADPH network, and as such are subject to the
same rules and regulations that apply to the ADPH-owned equipment, i.e., their machines
must be configured to comply with ADPH security policies.
Procedure(s)
1. VPN use is to be controlled using either a one-time password authentication such as a
token device or a public/private key system with a strong pass phrase.
2. When actively connected to the ADPH network, VPNs will force all traffic to and from
the PC over the VPN tunnel: all other traffic will be dropped.
3. VPN gateways will be set up and managed by the ADPH network operational groups.
4. Users of computers that are not ADPH-owned equipment must configure the
equipment to comply with the ADPH VPN and Network policies.
For FTI:
1. Federal Tax Information (FTI) will not be disclosed to any person without authorization.
This includes, but is not limited to:
o Eligibility & Enrollment Applicants
o Information Requestors
o Off-shore contractors
2. Remote access to systems containing FTI will not be permitted for any reason.
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.312(d), Standard: Person or Entity Authentication,
(Required)
• IRS Publication 1075 (11.1): Disclosure to Other Persons
• Internal Revenue Code § 6103(a)(2): Confidentiality and Disclosure of Returns and
Return Information
Contact
Send e-Mail to IT–Technical Support
IV.F. Transmission Security
IV.F.1. Transmission Integrity Controls
Applies To
IT Technical Support
Purpose
The purpose of this policy is to implement security measures to ensure that electronically
transmitted sensitive data is not improperly modified without detection until disposed of.
Scope
The procedures cover the electronic transmission of sensitive data and other business
information by all employees, vendors, and agents operating on behalf of ADPH.
Policy
It is the policy of the Alabama Department of Public Health to secure the electronic
transmission of sensitive information.
Procedural Responsibilities
IT Technical Support
Guidelines
1. ADPH uses SSL (Secure Sockets Layer) and VPN protocols to secure Web-based client
or browser and server traffic.
2. Only approved ADPH employees and authorized third parties may utilize the benefits of
VPNs, which are “user managed” services.
Procedure(s)
• ADPH will prohibit the installation of an unauthorized wireless access point.
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.312(e) (2)(i), Standard: Transmission Security,
Implementation Specification: Integrity Controls (Addressable)
• IV.B.4 Encryption and Decryption Policy
Contact
Send e-Mail to IT-Technical Support
IV.F.2. Encryption
Applies To
IT Technical Support
Purpose
The purpose of this policy is to implement, as needed, a mechanism to encrypt sensitive data
whenever deemed appropriate.
Scope
The procedure is for ADPH to protect sensitive data, while at rest or in transit, using
encryption to protect the confidentiality, integrity, authentication, non-repudiation, and
availability of all protected information.
Policy
It is the policy of the Alabama Department of Public Health to use encryption to protect the
confidentiality, integrity, authentication, non-repudiation, and availability of sensitive data.
Procedural Responsibilities
IT Technical Support
Procedure(s)
See IV.B.4 Encryption and Decryption
Form(s)
None
Reference(s):
• HIPAA Security Rule, CFR §164.312(e) (2)(ii), Standard: Transmission Security,
Implementation Specification: Encryption (Addressable)
• IV.B.4 Encryption and Decryption Policy
Contact
Send e-Mail to IT–Technical Support
V. Other ADPH Security Policies
V.A. Overview
Purpose
This section is reserved for additional ADPH security policies that do not correlate directly to the
Standards and Implementation Specifications outlined in the HIPAA Security Rule.
Policies
The following additional security policies addressed in this section include:
Section V.B – Electronic Signature
An electronic signature is accomplished through the use of an authentication control, such as a
password, token, or biometric.
Section V.C – Copier Policy
In order to protect stored data on copiers from unauthorized disclosure, it is important to ensure
that images stored are properly removed from machines upon completion of print jobs, when the
device is transferred, becomes obsolete, or is no longer usable as a result of damage.
V.B. Electronic Signature
V.B.1. Electronic Signature
Applies To
IT Technical Support
Purpose
Electronic signature is the attribute that is affixed to an electronic document to bind it to a
particular entity. Electronic signature may be an electronic sound, symbol, or process
attached to or logically associated with a record and executed or adopted by a person with the
intent to sign the record. An electronic signature process secures the user authentication
(proof of claimed identity, such as by biometrics (fingerprints, retinal scans, hand written
signature verification, etc.), tokens or passwords) at the time the signature is generated;
creates the logical manifestation of signature (including the possibility for multiple parties to
sign a document and have the order of application recognized and proven) and supplies
additional information such as time stamp and signature purpose specific to that user; and
ensures the integrity of the signed document to enable transportability, interoperability,
independent verifiability, and continuity of signature capability. Verifying a signature on a
document verifies the integrity of the document, associated attributes, and verifies the
identity of the signer. There are several technologies available for user authentication,
including passwords, cryptography, and biometrics. (ASTM 1762-95, as cited in the HISB
draft Glossary of Terms Related to Information Security in Health care Information Systems)
Scope
The procedure is for the Department to generate/receive documents of all types filed
physically or utilizing electronic media, to control the integrity of the data submitted, to
reduce processing costs and processing times, to facilitate accuracy and reduce complexities
of manual processing and to accept electronic signatures and other such authentication
methods.
Policy
It is the policy of the Alabama Department of Public Health to adopt electronic signature
standards as outlined in the Alabama Uniform Electronic Transactions Act.
Procedural Responsibilities
IT Technical Support
Guidance
ADPH will adhere to the Alabama Administrative Code which states that the digital
signature must be:
• Unique to the person using it
• Capable of verification
• Under the sole control of the person using it
• Linked to a document in such a manner that the digital signature is invalidated if any
data in the document is changed.
Procedures
Employees will sign a letter of “Receipt and Acknowledgement” stating that they
acknowledge the receipt of a personal identification number (“PIN”) for use exclusively with
the Alabama Department of Public Health’s automated systems. The use of this PIN in the
System is the legal equivalent of the employee’s signature. Divulging the PIN to any other
person allows that person to use the PIN in the employee’s place, and any action taken
using the PIN is treated as though it were taken by that employee.
Note: In most cases, the PIN will be the employee’s User ID and password.
Form(s)
Sample of Receipt and Acknowledgement (Appendix C)
Reference(s):
II.E.3 Access Establishment and Modification
Contact
Send e-Mail to Security Team
V.C. Copier Policy
V.C.1. Copier Policy
APPLIES TO
All ADPH Employees and Contractors
INTRODUCTION
Copiers now come standard with hard drives installed. With the press of a button, jobs can
be reprinted on demand. Many copiers allow users to reprint any job on the printed job list.
Copiers that have a print-and-hold feature store the documents until someone erases them. In
order to protect stored data on copiers from unauthorized disclosure, it is important to ensure
that images stored are properly removed from machines upon completion of print jobs, when
the device is transferred, becomes obsolete, or is no longer usable as a result of damage.
POLICY
It is the policy of the Alabama Department of Public Health to ensure that data stored on
leased or purchased copiers is removed so that there is reasonable assurance that the data
may not be retrieved and reconstructed.
GUIDELINES and PROCEDURES
All Copiers
1. When there is no business reason for having a hard drive on a copier, it is best
practice to have the hard drive removed or disabled by the vendor prior to leasing or
purchasing.
2. It is best practice to set the copier to delete all print jobs upon job completion.
3. The Alabama Department of Public Health Information Technology Technical
Support Division must approve any copier if it will be attached to a Department
network.
4. A departmental system administrator must disconnect a copier from the Department’s
network prior to connecting diagnostic equipment required to service or perform
maintenance on the copier.
5. Copier technicians servicing copiers must be escorted by a Department employee.
The escort must:
a. Obtain a visitor ID badge for the copier technician. The ID badge must be
worn visibly at all times while on-site;
b. Inspect the copier to ensure that no hard copies are present before a
maintenance visit occurs;
c. Inspect the copier for any security anomaly after the visit. If the escort
suspects an anomaly, he or she must immediately report this information to
the Alabama Department of Public Health Support Desk;
d. Ensure maintenance personnel are not allowed to remove replacement hard
drives or circuit boards from the Department’s possession without properly
sanitizing the hard drive;
e. Return the visitor ID badge.
Leased Copiers
When a leased copier is removed from inventory and is returned to the vendor, a full
manufacturer’s reset to reset the copy machine to its factory default settings must be
performed. In addition to the reset, if a hard drive is present, the media must be
overwritten using approved and validated overwriting technologies/methods/tools.
Purchased Copiers
When a purchased copier is salvaged or transferred to another area, a full manufacturer’s
reset must be used to reset the copy machine to its factory default settings. In addition to
the reset, if a hard drive is present, for property transfer, the media must be overwritten
using an approved and validated overwriting technology/method/tool. If the copier is to
be salvaged, the hard drive must be physically destroyed.
Use the Media Destruction Log located in the ADPH Document Library to record information
regarding the deletion of data from the copiers.
Approved methods of media sanitization for all copiers:
To clear: Perform a full manufacturer’s reset to reset the copy machine to its factory default
settings. Instructions can be found in the ADPH Document Library in the ADPH HIPAA
Privacy & Security category. If the copier’s make and model are not found in the Document
Library, contact the ADPH Information Security Officer for instructions. This must be done
prior to the supplier removing the equipment as they may charge for performing this function.
Physical Destruction: Shred, disintegrate, pulverize, incinerate. Incinerate copy machines by
burning the copy machine in a licensed incinerator.
VI. Glossary
Access
The ability or the means necessary to read, write,
modify, or communicate data/information or otherwise
use any system resource.
Access Authorization (addressable)
Implement policies and procedures for granting access
to electronic protected health information.
Access Control
Implement technical policies and procedures for
electronic information systems that maintain electronic
protected health information to allow access only to
those persons or software programs that have been
granted access rights as specified in Section
164.308(a)(4).
Access Control and Validation Procedures
(addressable)
Implement procedures to control and validate a person’s
access to facilities based on their role or function,
including visitor control, and control of access to
software programs for testing and revision.
Access Establishment and Modification
(addressable)
Implement policies and procedures that, based upon the
entity’s access authorization policies, establish,
document, review, and modify a user’s right of access to
a workstation, transaction, program, or process.
Accountability (addressable)
Maintain a record of the movements of hardware and
electronic media and any person responsible therefore.
Administrative Safeguards
These are administrative actions, and policies and
procedures, to manage the selection, development,
implementation, and maintenance of security measures
to protect electronic protected health information and to
manage the conduct of the covered entity’s workforce in
relation to the protection of that information.
Applications and Data Criticality Analysis
(addressable)
Assess the relative criticality of specific applications
and data in support of other contingency plan
components.
Assigned Security Responsibility
Identify the security official who is responsible for the
development and implementation of the policies and
procedures required by this subpart for the entity.
Audit Controls (required)
Implement hardware, software, and/or procedural
mechanisms that record and examine activity in
information systems that contain or use electronic
protected health information.
Authentication
The corroboration that a person is the one claimed.
Authorization and/or Supervision
(addressable)
Implement procedures for the authorization and/or
supervision of workforce members who work with
electronic protected health information or in locations
where it might be accessed.
Automatic Logoff (addressable)
Implement electronic procedures that terminate an
electronic session after a predetermined time of
inactivity.
Availability
The property that data or information is accessible and
useable upon demand by an authorized person.
Business Associate Contracts and Other
Arrangements
A covered entity, in accordance with Section 164.306,
may permit a business associate to create, receive,
maintain, or transmit electronic protected health
information on the covered entity’s behalf only if the
covered entity obtains satisfactory assurances, in
accordance with Section 164.314(a) that the business
associate will appropriately safeguard the information.
Common Control
Exists if an entity has the power, directly or indirectly,
significantly to influence or direct the actions or policies
of another entity.
Common Ownership
Exists if an entity or entities possess an ownership or
equity interest of 5% or more in another entity.
Confidentiality
The property that data or information is not made
available or disclosed to unauthorized persons or
processes.
Contingency Operations (addressable)
Establish (and implement as needed) procedures that
allow facility access in support of restoration of lost
data under the disaster recovery plan and emergency
mode operations plan in the event of an emergency.
Contingency Plan
Establish (and implement as needed) policies and
procedures for responding to an emergency or other
occurrence (for example, fire, vandalism, system
failure, and natural disaster) that damages systems that
contain electronic protected health information.
Covered Functions
Those functions of a covered entity the performance of
which makes the entity a health plan, health care
provider or health care clearinghouse.
Custodians
Custodians are in physical or logical possession of
either ADPH information or information that has been
entrusted to ADPH. Whenever information is
maintained only on a personal computer, the User is
also the Custodian. Each type of production application
information must have one or more designated
Custodians. Custodians are responsible for safeguarding
the information, including implementing access control
systems to prevent inappropriate disclosure, and making
back-ups so that critical information will not be lost.
Custodians are also required to implement, operate, and
maintain the security measures defined by information
Owners. IT is the custodian for all department-wide
systems.
Data Backup Plan (required)
Establish and implement procedures to create and
maintain retrievable exact copies of electronic protected
health information.
Data Backup and Storage (addressable)
Create a retrievable, exact copy of electronic protected
health information, when needed, before movement of
equipment.
DLCI
Data link connection identifier. The DLCI values make
up the logical connections between different frame-relay users.
Device and Media Controls
Implement policies and procedures that govern the
receipt and removal of hardware and electronic media
that contain electronic protected health information into
and out of a facility, and the movement of these items
within the facility.
Disaster Recovery Plan (required)
Establish (and implement as needed) procedures to
restore any loss of data.
Disposal (required)
Implement policies and procedures to address the final
disposition of electronic protected health information,
and/or the hardware or electronic media on which it is
stored.
Sensitive Data Repository
May be a database, spreadsheet, folder, storage device,
document, or other form of electronic information.
Electronic Funds Transfer
A system of transferring money from one bank account
directly to another without any paper money changing
hands. One of the most widely used EFT programs is
Direct Deposit, in which payroll is deposited straight
into an employee’s bank account, although EFT refers
to any transfer of funds initiated through an electronic
terminal, including credit card, ATM, Fedwire and
point-of-sale (POS) transactions. It is used for both
credit transfers such as payroll payments, and for debit
transfers, such as mortgage payments.
Emergency Access Procedure (required)
Establish (and implement as needed) procedures for
obtaining necessary electronic protected health
information during an emergency.
Emergency Mode Operation Plan
(required)
Establish (and implement as needed) procedures to
enable continuation of critical business processes for
protection of the security of electronic protected health
information while operating in emergency mode.
Encryption (addressable)
The use of an algorithmic process to transform data into
a form in which there is a low probability of assigning
meaning without use of a confidential process or key.
Encryption and Decryption (addressable)
The conversion of data into a form, called a cipher text,
which cannot be easily understood by unauthorized
people. Decryption is the process of converting
encrypted data back into its original form, so it can be
understood.
Evaluation
Perform a periodic technical and non-technical
evaluation, based initially upon the standards
implemented under this rule and subsequently, in
response to environmental or operational changes
affecting the security of electronic protected health
information that establishes the extent to which an
entity’s security policies and procedures meet the
requirements of this section.
Extranet
An extranet is a computer network that allows
controlled access from the outside for specific business
or educational purposes. Extranets are extensions to, or
segments of, private intranet networks that have been
built in many corporations for information sharing and
ecommerce.
Facility
The physical premises and the interior and exterior of a
building(s).
Facility Access Controls
Implement policies and procedures to limit physical
access to its electronic information systems and the
facility or facilities in which they are housed, while
ensuring that properly authorized access is allowed.
Facility Security Plan (addressable)
Implement policies and procedures to safeguard the
facility and the equipment therein from unauthorized
physical access, tampering, and theft.
File Transfer Protocol
A standard Internet protocol that is the simplest way to
exchange files between computers on the Internet. Like
the Hypertext Transfer Protocol (HTTP), which
transfers displayable Web pages and related files, and
the Simple Mail Transfer Protocol (SMTP), which
transfers e-mail, FTP is an application protocol that uses
the Internet’s TCP/IP protocols. FTP is commonly used
to transfer Web page files from their creator to the
computer that acts as their server for everyone on the
Internet. It is also commonly used to download
programs and other files to your computer from other
servers.
Firewall
A firewall, working closely with a router program,
examines each network packet to determine whether to
forward it toward its destination. A firewall also
includes or works with a proxy server that makes
network requests on behalf of workstation users. A
firewall is often installed in a specially designated
computer separate from the rest of the network so that
no incoming request can get directly at private network
resources.
Health Care Component
A component or combination of components of a hybrid
entity designated by the hybrid entity in accordance
with Section 164.105 (a) (2) (iii) (C).
Hybrid Entity
A single legal entity:
(1) that is a covered entity; (2) whose business activities
include both covered and non-covered functions; and
(3) that designates health care components in
accordance with paragraph Section 164.105 (a) (2) (iii)
(C).
Information Access Management
Implement policies and procedures for authorizing
access to electronic protected health information.
Information System
An interconnected set of information resources under
the same direct management control that shares
common functionality. A system normally includes
hardware, software, information, data, applications,
communications, and people.
Information System Activity Review
(required)
Implement procedures to regularly review records of
information system activity, such as audit logs, access
reports, and security incident tracking reports.
Integrity
The property that data or information have not been
altered or destroyed in an unauthorized manner.
Internet
The Internet is the largest interconnected system of
computer networks in the world. It is a three level
hierarchy composed of backbone networks, mid-level
networks, and stub networks. These include
commercial (.com or .co), university (.ac or .edu) and
other research networks (.org, .net) and military (.mil)
networks and span many different physical networks
around the world with various protocols, mainly the
Internet Protocols.
Intranet
An intranet is the private, internal network that manages
company information 24 hours a day, seven days a
week, for employees only.
Isolating health care clearinghouse
functions (required)
If a health care clearinghouse is part of a larger
organization, the clearinghouse must implement policies
and procedures that protect the electronic protected
health information of the clearinghouse from
unauthorized access by the larger organization.
Log-in Monitoring (addressable)
Procedures for monitoring login attempts and reporting
discrepancies.
Maintenance Records (addressable)
Implement policies and procedures to document repairs
and modifications to the physical components of a
facility that are related to security.
Malicious Software
Software, for example, a virus, designed to damage or
disrupt a system.
Mechanism to authenticate electronic
protected health information (addressable)
Implement electronic mechanisms to corroborate that
electronic protected health information has not been
altered or destroyed in an unauthorized manner.
Media Re-use (required)
Implement procedures for removal of electronic
protected health information from electronic media
before the media are made available for re-use.
Operational group
Information Technology Technical Support Division
Owner
Owners are the bureau or office directors or their
delegates within ADPH who bear responsibility for the
acquisition, development, and maintenance of
production applications which process ADPH
information. Production applications are periodically executed computer programs which support ADPH
programs and activities. All production application
system information must have a designated Owner. For
each type of information, Owners designate whether it
is confidential, designate its criticality, define which
users will be permitted to access it, and define its
authorized uses.
Password
Confidential authentication information composed of a
string of characters.
Password Management (addressable)
Procedures for creating, changing, and safeguarding
passwords.
Person or Entity Authentication (required)
Implement procedures to verify that a person or entity
seeking access to electronic protected health
information is the one claimed.
Physical Safeguards
Physical measures, policies, and procedures to protect a
covered entity’s electronic information systems and
related buildings and equipment, from natural and
environmental hazards, and unauthorized intrusion.
Plan Sponsor
Defined at Section 3(16)(B) of ERISA, 29 U.S.C.
1002(16)(B).
Protection from Malicious Software
(addressable)
Procedures for guarding against, detecting, and
reporting malicious software.
Required by Law
A mandate contained in law that compels an entity to
make a use or disclosure of protected health information
and that is enforceable in a court of law. Required by
law includes, but is not limited to, court orders and
court-ordered warrants; subpoenas or summons issued
by a court, grand jury, a governmental or tribal
inspector general, or an administrative body authorized
to require the production of information; a civil or an
authorized investigative demand; Medicare conditions
of participation with respect to health care providers
participating in the program; and statutes or regulations
that require the production of information, including
statutes or regulations that require such information if
payment is sought under a government program
providing public benefits.
Response and Reporting (required)
Identify and respond to suspected or known security
incidents; mitigate, to the extent practicable, harmful
effects of security incidents that are known to the
covered entity; and document security incidents and
their outcomes.
Risk Analysis (required)
Conduct an accurate and thorough assessment of the
potential risks and vulnerabilities to the confidentiality,
integrity, and availability of electronic protected health
information held by the covered entity.
Risk Management (required)
Implement security measures sufficient to reduce risks
and vulnerabilities to a reasonable and appropriate level
to comply with Section 164.306(a).
Sanction Policy (required)
Apply appropriate sanctions against workforce members
who fail to comply with the security policies and
procedures of the covered entity.
Secure Sockets Layer (SSL)
The SSL is a commonly used protocol for managing the
security of a message transmission on the Internet. SSL
has recently been succeeded by Transport Layer
Security (TLS), which is based on SSL. SSL uses a
program layer located between the Internet’s Hypertext
Transfer Protocol (HTTP) and Transport Control
Protocol (TCP) layers. SSL is included as part of both
the Microsoft and Netscape browsers and most Web
server products. SSL uses the public-and-private key
encryption system from RSA, which also includes the
use of a digital certificate.
Security Awareness and Training
Implement a security awareness and training program
for all members of its workforce (including
management).
Security Incident
The attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information
or interference with system operations in an information
system.
Security Incident Procedures
Implement policies and procedures to address security
incidents.
Security Management Process
Implement policies and procedures to prevent, detect,
contain, and correct security violations.
Security or Security Measures
Encompasses all of the administrative, physical, and
technical safeguards in an information system.
Security Reminders (addressable)
Periodic security updates.
Technical Safeguards
The technology and the policy and procedures for its use
that protect electronic protected health information and
control access to it.
User means a person or entity with authorized access.
Workstation means an electronic computing device, for
example, a laptop or desktop computer, or any other
device that performs similar functions, and electronic
media stored in its immediate environment.
Termination Procedures (addressable)
Implement procedures for terminating access to
electronic protected health information when the
employment of a workforce member ends or as required
by determinations made as specified in paragraph
(a)(3)(ii)(B) of this section.
Testing and Revision Procedure (addressable)
Implement procedures for periodic testing and revision
of contingency plans.
Transmission Security
Implement technical security measures to guard against
unauthorized access to electronic protected health
information that is being transmitted over an electronic
communications network.
Unique User Identification (required)
Assign a unique name and/or number for identifying
and tracking user identity.
Users
Users are responsible for familiarizing themselves with
and complying with all ADPH policies, procedures, and
standards dealing with information security. Questions
about the appropriate handling of a specific type of
information should be directed to either the Custodian
or the Owner of the involved information.
VPN (Virtual Private Network)
A network that is constructed by using public wires to
connect nodes. For example, there are a number of
systems that enable you to create networks using the
Internet as the medium for transporting data. These
systems use encryption and other security mechanisms
to ensure that only authorized users can access the
network and that the data cannot be intercepted.
Workforce Clearance Procedure
Implement procedures to determine that the access of a
workforce member to electronic protected health
information is appropriate.
Workforce Security
Implement policies and procedures to ensure that all
members of its workforce have appropriate access to
electronic protected health information, as provided
under paragraph (a)(4) of this section, and to prevent
those workforce members who do not have access under
paragraph (a)(4) of this section from obtaining access to
electronic protected health information.
Workstation
A general-purpose computer designed to be used by one
person at a time. The usual workstation configuration is
comprised of a display terminal, a system unit that
includes a disk drive, a keyboard, and a mouse.
Optionally a workstation can have additional devices
such as CD drives and diskette drives. A typical
workstation has installed on it operating system
software as well as business and office application
software.
Workstation Security (required)
Implement physical safeguards for all workstations that
access electronic protected health information, to
restrict access to authorized users.
Workstation Use (required)
Implement policies and procedures that specify the
proper functions to be performed, the manner in which
those functions are to be performed, and the physical
attributes of the surroundings of a specific workstation
or class of workstation that can access electronic
protected health information.
Written Contract and Other Arrangement
(required)
Document the satisfactory assurance required by
paragraph (b)(1) of this section through a written
contract or other arrangement with the business
associate that meets the applicable requirements of
Section 164.314(a).
VII
Appendices
Special Note: All forms contained within this document are for sample purposes only. Official up-to-date forms can be obtained from the Document Library.
APPENDIX A – Security Officer Job Description
Objectives
Establish accountability for security of sensitive data for the Plan as a HIPAA Covered Entity. The
Security Official oversees all ongoing activities related to the development, implementation,
maintenance of, and adherence to the organization’s policies and procedures covering the security of,
and access to sensitive data in compliance with federal and state laws and the health care organization’s
information privacy practices.
Responsibilities:
• Accountable for developing and implementing security policies and procedures for all members
of the workforce that come in contact with sensitive data.
• Provide guidance to development staff and assist in the identification, implementation, and
maintenance of information security policies and procedures in coordination with organization
management.
• Accountable for ensuring that each bureau, office, area, and county has an appointed Security
Coordinator and an alternate Security Coordinator.
Work with the Privacy Official:
• Create security training and orientation for all personnel, volunteers, contractors, and other
appropriate third parties.
• Mitigate the effects of all disclosures that are not compliant or are contrary to the plan’s security
goals.
• Cooperate with the Office of Civil Rights, other legal entities, and organization officers in any
compliance review or investigation.
• Establish and administer a process for receiving, documenting, tracking, investigating, and
taking action on all complaints concerning the organization’s security policies and procedures.
• Work with organization administration to represent the organization’s information security
interest with external parties (government bodies) who undertake to adopt or amend security
legislation, regulation, or standard.
• Initiate, facilitate, and promote activities to foster information security awareness within the
organization.
• Conduct continuous risk assessment and analysis. As significant threats are discovered,
management support for additional initiatives and countermeasures will be sought and
implemented.
• Conduct related ongoing compliance monitoring activities in coordination with the
organization’s other compliance and operational assessment functions.
• Responsible for the security infrastructure of the organization.
• Identify key security initiatives and standards (e.g., virus protection, security monitoring,
intrusion detection, local and remote access control policies, and other technical security
services and mechanisms).
• Establish mechanisms to track access to sensitive data as required by law to allow qualified
individuals to review or receive a report on such activity.
• Review all system-related information security plans throughout the organization’s network to
ensure alignment between security and privacy practices.
• Maintain current knowledge of technical security services and mechanisms and monitor
advancements in information security technologies to ensure organizational adaptation and
compliance.
Responsibilities of Security Coordinators:
• Assist employees with obtaining User IDs.
• Assist employees with changing passwords.
• Request changes through the IT Support Desk to employee’s access rights.
• Make efforts to locate workstations in areas where public access is restricted and not accessible
to the public.
• Assist in other security matters that may develop.
• Request access for employees when an employee assumes new duties, or changes duties. Note:
Security Coordinators cannot request access for themselves. Additional access requests for
themselves must come from a different security coordinator. They can request password resets.
• Complete Computer Access Removal forms for employees who transfer or resign their positions
with the Public Health Department.
• Access to systems for an entire area must come from an Area Security Coordinator.
• Report access problems to the IT Support Desk.
APPENDIX B – Mission Criticality
Fatal - Restore time < 24 Hours – Loss would
stop ADPH from providing services
Critical - Restore Time 1 - 7 days – Loss would
severely impair the ability to provide services.
Essential - Restore time > 7 days – Loss would
cause interruptions to service but operations
could continue.
System
Criticality
ACORN
Essential
ADPH Calendar
Essential
ADPH Web Site (ADPH.org)
Fatal
AFNS (Advantage Financial System)
Alabama Breast and Cervical Cancer
Early Detection Program (ABCCEDP)
ALL Kids Eligibility and Enrollment
System
Critical
ALPHTN
Fatal
ARTEMIS
Critical
ASPEN
Essential
Automated Contract Tracking System
Essential
AVAA (Audio Visual Application Assistor)
Essential
Breast and Cervical Cancer System
Essential
Essential
Essential
Impact if Lost
The department will be able to continue to
provide services.
The ADPH Calendar is considered low risk to the
Department since its failure will not prevent
continuation of the Department functions.
If the internet connection is down,
communications with citizens, clinics, area
offices, labs, etc. will be impaired.
A loss of service would cause complete failure of
ADPH to provide service to the citizens as well as
to the employee
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
Essential for broadcasting information during
emergency situations.
This system is considered low risk to the
Department since its failure will not prevent
continuation of the disease control functions.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
System
Criticality
Cancer Registry
Essential
Cancer, Tobacco Registries
Essential
Child Death System
Essential
CHIP Document Management System
Essential
CLAIMS (Claims Management System)
Essential
Cost Accounting
Essential
Cost Accounting Online Reporting
Critical
Death Tracking System
Disease Control applications
e-CATS (Electronic Cost Accounting Time
Sheets)
Electronic Birth Certificate System
(EVERS)
Essential
Critical
Eligibility and Enrollment System
Essential
EMR for Wellness Screenings
Essential
Ensemble
Essential
Environmental System
Critical
Environmental System
Essential
Family Planning Eligibility Application
Essential
Grayco EMSIS
Essential
Grayco Facman
Essential
Essential
Critical
Impact if Lost
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
This system is critical to the financial stability of
the Department because 80% of ADPH funding is
derived from Billing.
The department will be able to continue to
provide services.
Loss of this system would severely impair the
ability of the Department to provide services.
Alabama residents would have to use alternate
means to prove their death
Various servers, various programs
The department will be able to continue to
provide services.
Alabama residents would have to use alternate
means to prove their birth.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
A loss of service would severely hinder service to
the citizens.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
System
Criticality
Grayco Systems - EMS and Facilities
Critical
Health Alert Network (ALERT)
HEART (Healthcare Electronic
Application for Reporting Time)
Fatal
HRS (Human Resource System )
Fatal
ICS Support Systems
Fatal
ImmPrint
Critical
Incident Action Plan
Fatal
Internet
Fatal
Inventory Management System
Critical
Inventory Verification System
Essential
Laboratory Information System
LCMS (Learning Content Management
System
Fatal
Lotus Notes
Fatal
McKesson Horizon Home Care System
Critical
Critical
Essential
Impact if Lost
Loss of this system would severely impair the
ability of the Department to provide services.
A loss of service would cause complete failure of
ADPH to provide service to the citizens as well as
to the employee
Loss of this system would severely impair the
ability of the Department to provide services.
A loss of service would cause complete failure of
ADPH to provide service to the citizens as well as
to the employee
A loss of service would cause complete failure of
ADPH to provide service to the citizens as well as
to the employee. This system is for calling and
alerting ADPH and Emergency Preparedness
responders.
This system is considered low risk to the
Department since its failure will not prevent
continuation of the disease control functions.
A loss of service would cause failure of ADPH to
provide services to the citizens as well as to the
employee.
If the internet connection is down,
communications with citizens, clinics, area
offices, labs, etc. will be impaired.
Loss of this system would severely impair the
ability of the Department to provide services.
The department will be able to continue to
provide services.
A loss of service would cause complete failure of
ADPH to provide service to the citizens as well as
to the employee
The department will be able to continue to
provide services.
If Lotus Notes goes down, communications with
the Internet, clinics, area offices, labs, etc. will be
terminated.
Loss of this system would severely impair the
ability of the Department to provide services.
System
Criticality
Medicaid Network Referral System
Essential
NATUS
NEDSS (National Electronic Disease
Surveillance System)
PHALCON (Public Health of Alabama
County Operations Network)
Prescription Drug Monitoring Program
(PDMP)
Critical
Production Management
Essential
Reports Databases
Essential
SAFE
Essential
Slot Management
Critical
State Mainframe
Critical
Statewide Network
Fatal
STELLAR
Critical
Super MICAR
Essential
SWIMS
Fatal
Time Matters
Trauma Registry
Essential
Essential
Critical
Impact if Lost
The department will be able to continue to
provide services.
Loss of this system would severely impair the
ability of the Department to provide services.
Disease Surveillance
Medical and Nutritional Services to over 100,000
citizens of Alabama would eventually cease.
Critical
Essential
This system does not run on ADPH servers.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
The department will be able to continue to
provide services.
Loss of this system would severely impair the
ability of the Department to provide services.
If the statewide network goes down, all
communications with the Internet, clinics, area
offices, labs, etc. will be terminated. The
Department will be able to continue to provide
services.
If the statewide network goes down, all
communications with the Internet, clinics, area
offices, labs, etc. will be terminated. The
Department will be able to continue to provide
services.
A loss of service would severely hinder service to
the citizens.
The department will be able to continue to
provide services.
A loss of service would cause complete failure of
ADPH to provide service to the citizens as well as
to the employee
The department will be able to continue to
provide services.
Tracks and reports trauma injuries.
System | Criticality | Impact if Lost
VISION | Essential | The department will be able to continue to provide services.
Vital Records Information System | Essential | Alabama residents would have to use alternate means to prove their birth, death, marriages, divorce…etc.
Voice over IP Telephones | Fatal | If telephone service goes down, use of alternative communication methods would be deployed (i.e., cellular phones). The Department will be able to continue to provide services.
Web Enabled Enrollment System (WEES) | Essential | The department will be able to continue to provide services.
Web Security Application | Essential | Serves as security for VS, PDMP, Meaningful Use, and Environmental
WIC SAM | Essential | The department will be able to continue to provide services.
APPENDIX C – Remote Access and Confidentiality Agreement
Patient Data Confidentiality
and Remote Access Agreement
This Patient Data Confidentiality and Remote Access Agreement applies to workforce
members who are authorized to access electronic information systems, including but not
limited to:
____________________________________________________________________________
____________________________________________________________________________
I understand that as a result of my own or my employer’s relationship (contractual or
otherwise) with the Alabama Department of Public Health involving access to or exchange of
patient information, I have a legal and/or ethical responsibility to safeguard the confidentiality
and integrity of electronic medical records, protected health information (PHI) and/or other
proprietary data, including financial information, to which I come in contact. I will access, use
or disclose this confidential information ONLY when it is necessary, appropriate and lawful to
do so in the performance of my duties and in accordance with the Department’s use and
disclosure policies.
I understand that if I fail to adhere to the provisions of this confidentiality agreement or the
Department’s use and disclosure policies, I may be subject to remedial action, such as
termination of my employment or contract, formal warning, suspension and/or permanent
revocation of authorization to access electronic information systems.
Additional Terms and Conditions
1. I will access the Department’s electronic
information systems and the data within
ONLY if I am authorized to do so AND I
have a work-related reason based on my
job or position. I will not access these
systems or the data within for personal
reasons of any kind.
2. I will access PHI ONLY after having
received prior authorization, or when
appropriate and lawful based on the
Department’s use and disclosure policies,
the Health Insurance Portability and
Accountability Act of 1996 (HIPAA), and/or
other state and federal laws.
3. I will not in any way divulge, copy,
release, alter or destroy any confidential
information, including PHI, except as
authorized by the Department or as
required by law.
4. I will avoid inappropriate disclosure of
confidential information, including PHI, by
using appropriate security measures. These
measures may include, but are not limited
to: locking up laptops, electronic media
(such as CDs and USB flash drives) and
mobile devices containing electronic media
(including smart phones, tablets and other
handhelds) when not in use, using
password-protected screen savers, and
positioning computer or mobile device
screens that show confidential information
away from the view of unauthorized
persons.
5. I understand that the Department
reserves the right to log, access, review,
monitor, and audit or otherwise utilize
information stored on or passing through
its electronic information systems in order
to manage and enforce patient data
privacy and security policies.
6. When accessing electronic information
systems, I will use ONLY those credentials
assigned to me, which may include a User
ID and password. I will NOT:
a. Share, disclose or publicly display my
credentials; or
b. Use tools or techniques to break, exploit
or otherwise circumvent established
security measures.
7. I will IMMEDIATELY notify my supervisor
or the security officer if:
a. My credentials, which may include a
User ID and password used to access
electronic information systems, have or
may have been disclosed or otherwise
compromised;
b. I know or suspect that activities that
violate this confidentiality agreement or
the Department’s use and disclosure
policies have occurred; or
c. I misplace or otherwise lose possession
of any device, such as a laptop or
handheld, containing the Department’s
electronic information.
8. I agree that my obligations under this
confidentiality agreement will continue
indefinitely, even after termination or
expiration of my employment, contract or
relationship with the Department.
9. Upon termination of my employment,
expiration of my contract or other
termination of my relationship with the
Department, I will immediately return any
confidential information owned by the
Department.
By completing the electronic signature, I acknowledge that I have read this
Patient Data Confidentiality and Remote Access Agreement and
I agree to comply with all the terms, conditions, and policies stated or listed
herein.