Department of Public Health OF SAN FRANCISCO


PAGE 1 of 9
Category: Information Technology Security and HIPAA
DPH Unit of Origin: Department of Public Health
Policy Owner: Phillip McDown, CISSP
Phone: 255-3577
Email: phil.mcdown@sfdph.org
Distribution: DPH-wide
Other: n/a

1. POLICY INTENT

DEFINITION: For the purpose of this policy, the term Portable Computer(s) includes Personal Digital Assistants (PDAs), Laptops, Notebooks, Palmtops, Cellular Phones, Combination devices, Cameras, detachable memory media and any future technology capable of storing, manipulating, transferring and transmitting digital data.

This document establishes the security policy for deployment and use of Portable Devices capable of downloading, copying, storing or transporting SFDPH data. It intends to protect all Restricted SFDPH information accessed through, displayed on, output from and stored on such devices from being revealed to unauthorized persons, and to provide accountability for device use.

This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security and Privacy. The sections that relate to Portable Computer Devices (as a subset of Workstations) are CFR 164.310(b) and (c); the 2010 HITECH Act specifies the Federal enforcement and penalty aspects of this policy.

This Policy incorporates the intent and provisions of the External Personal Computer and USB Drive Technical Security Parameters previously issued in 2010 as a separate document, and explicitly includes the use of any privately-owned devices which may access the CCSF Electronic Mail and Network systems, including interfacing with the e-mail, wireless voice and data communications systems and the use of Universal Serial Bus (USB) devices for document, file and attachment transfer to and from the Department's secure Wide Area Network (WAN) and physical facilities.
INCLUSION BY REFERENCE: This policy is an annex to the SFDPH Workstation, Portable Device and Storage Media, Malware and Data Transmission Policies. All of the principles, standards, guidelines and responsibilities described in the aforementioned Policies are included as part of this document by reference. The purpose of this document is to further extend, refine and define how workstation security, use and control principles apply in the mobile data processing and storage device context.

2. POLICY STATEMENTS

2.1 General Access Control

2.1.1 Device Access. Data accessed via Portable Devices is for authorized work purposes only. Access to SFDPH data is permitted only after a valid User ID and Password has been entered, regardless of the nature of the device.

2.1.1.1 Only authorized SFDPH workforce members, vendors, contractors and third-party providers who have been issued a Network logon ID and established a valid password are permitted to use portable computers to access SFDPH data.

2.1.1.2 Patients and the general public are only allowed to see SFDPH data or patient information with the data owner's or patient's explicit written or spoken permission and under specific and controlled circumstances. Refer to the SFDPH HIPAA Privacy and Confidentiality Procedures for details regarding such access.

2.1.1.3 Refer to the Access Control Policy and the Password Policy Security Policy documents for more details.

2.1.2 Role-Based Access to Restricted Data. Only data authorized for access by the user who is signed on to the network may be displayed, copied, uploaded or downloaded by that individual. Do not try to access data that you are not authorized to use, and do not allow others to use a portable computer that you are signed onto. Refer to the Need-To-Know portion of the Access Control Policy for specifics.

2.1.3 Auditing of Access. All attempts to sign on and/or access data from a portable computer may be logged by Enterprise Systems and reported to Management, Information Audit and the Incident Response Team, as appropriate.

2.2 Access to CCSF Electronic Mail and Attachments.

A) Privately owned personal computers may be utilized to access the CCSF Electronic Mail system via Department Remote Access systems (Virtual Private Network/Juniper etc.). Attachments to external electronic mail messages are also allowed, but will be screened for Computer Virus/Malware contamination upon introduction to the SFDPH Wide Area Network (WAN). If the external personal computer has approved Anti-Virus/Anti-Malware software installed that is capable of scanning attachments for the presence of viruses, that capability will be in operation when the device attempts to communicate with SFDPH systems. Attachments are to be scanned for current status and remediated BEFORE connection to or data exchange with the SFDPH WAN is attempted.

C) Attachment scanning capabilities of firewalls and e-mail appliances at SFDPH will be enabled at all times, unless directed otherwise by IT management. If, upon introduction to the SFDPH WAN, malware is detected in an external e-mail message and/or attachment, that document will be isolated, remediated and, if necessary, deleted by the Department WAN security infrastructure.

2.3. Use of Universal Serial Bus data storage devices (USB Drive, Memory Stick, Flash Drive, Thumb Drive etc.)

General guideline: Employees and other SFDPH system and network users are expected to take all reasonable care that they do not permit any USB device to become contaminated with malware (due to prior connection to a device, network or website that may be contaminated, e.g. a home computer with inadequate anti-malware applications operating on it). Additional care must be taken to avoid connecting any such contaminated device to any SFDPH network, system or device.

A) Universal Serial Bus (USB) devices may be authorized to be utilized to store and transfer documents to the SFDPH WAN via Department Remote Access methodologies or direct connection. Devices which communicate with SFDPH systems and to which USB devices are allowed to connect must have the Auto-Run function disabled at the USB port level before any data exchange is attempted. Removal of PHI or other Restricted data from SFDPH facilities in any kind of portable device requires prior written permission from the user's supervisor.

B) In order to augment SFDPH Network Malware screening, it is required that appropriate Anti-Virus/Malware software be installed on the personal computer device. (A listing of approved Anti-Malware packages for remote access is included in this document as Appendix A and will periodically be updated by DPH-IT.) If the external personal computer device has appropriate Anti-Virus/Malware software installed, the USB device and document scanning and remediation functionality of the software is to be enabled before connection to the SFDPH WAN.

C) In the event Malware is detected, by any means, on any USB device or document connecting to the SFDPH WAN, that device will be disconnected from the WAN and the drive, document or file isolated, remediated and deleted; if necessary, it is to be erased and reformatted by the Departmental WAN security infrastructure.

2.3. Accountability for Portable Devices: For all portable devices permitted or assigned to workforce members, the device's installed security systems, changes of possession, modifications, losses and thefts will be documented in such a way that preserves an audit trail of the responsibility for and use of the device and of the responsibility for performing and/or approving relocations, modifications and removal.

3. STANDARDS & GUIDELINES

General Guideline: Especially when away from your SFDPH office environment, treat your portable electronic devices and work area as you are expected to treat your office workspace: put away Restricted data when you are done with it, lock it up when you go away, and don't leave it around or use it where others can read it. When using portable devices to display data, be especially aware of the people in your vicinity. Also be aware of the increased risk of loss or theft of portable devices (and the data stored on them).

3.1. Portable Computer Usage:

3.1.1. Prevent unauthorized device access. Portable computers which store, display or transmit SFDPH Restricted data must:

3.1.1.1. Not be left unattended by the user. If the nature of the job assignment is such that the user must leave the device unattended, the user must log out or otherwise disable the device. For detachable devices such as PDAs and USB drives, the device will be ejected and either securely stored or kept in the user's possession.

3.1.1.2. Be set to enable all system and application capabilities to time out (terminate the logged-in session after a prescribed period of inactivity has occurred).

3.1.1.3. Only be used in locations and positions such that their displays cannot be easily viewed or read by unauthorized persons.

3.1.1.4. Be stored in secure locations from which they cannot be easily or quickly removed or stolen.

3.1.2. Prevent unauthorized Data Network access. Portable devices may not attempt access to the SFDPH Data Network without authorization:

3.1.2.1. Without authorization, do not attempt to connect any interface (cable, plug etc.) from a portable device to a device or outlet that may connect to the SFDPH Data Network.

3.1.2.2. Do not attempt to wirelessly (RF or Wi-Fi) interface a portable device with any SFDPH data network or access point without authorization.

3.1.2.3. All wireless devices to be used to connect to any SFDPH data network must be registered and used according to the RF Security Policy and the Wi-Fi Security Policy.

3.1.3. Data Storage Limitations. In general, storage of Restricted data (PHI and/or any information covered by confidentiality or privacy regulation, legislation or law) on portable computers should be disallowed by local managers and only explicitly permitted when there are compelling business/clinical reasons and no viable alternative.

3.1.3.1. In cases where critical data must be stored on a portable computer, access control and security policies must be strictly followed and enforced (Access Control Policy and Workstation Policy).

3.1.3.2. If critical data is to be saved on a portable computer, it will be stored in encrypted form.

3.1.3.3. In cases where critical data has previously been stored on a portable computer, it shall be removed and securely disposed of (see Disposal Policy) as soon as the need for it ends.

3.1.3.4. Backup or any form of copying and/or removal of critical data from a portable computer will be supervised by local management and limited to specific authorized workforce members.
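One way to verify three of the technical controls this policy names (Auto-Run disabled in 2.3 A, idle session time-out in 3.1.1.2, encrypted storage in 3.1.3.2) on a Windows portable computer, as an added example that is not part of the SFDPH policy. It assumes Windows with PowerShell 5.1 or later, the BitLocker module for the encryption check, the Windows NoDriveTypeAutoRun policy value as the Auto-Run mechanism, and a 15-minute inactivity period standing in for the policy's unspecified "prescribed period".

```powershell
# Added compliance check, not SFDPH code. Read-only: it reports, it does not change settings.
# Assumed inactivity threshold (seconds); the policy only says "a prescribed period".
$MaxIdleSeconds = 900

function Test-AutoRunDisabled {
    # Policy 2.3(A): Auto-Run must be disabled before USB data exchange.
    # Windows honours NoDriveTypeAutoRun; a value of 0xFF disables AutoRun for every
    # drive type, removable USB media included. Machine policy or user policy may set it.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $v -and (($v -band 0xFF) -eq 0xFF)) { return $true }
    }
    return $false
}

function Test-SessionTimeout {
    # Policy 3.1.1.2: the logged-in session must time out after the prescribed idle period.
    # Checks that a password-protected screen lock is active within the assumed threshold.
    $d = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $active  = [int]($d.ScreenSaveActive)
    $secure  = [int]($d.ScreenSaverIsSecure)
    $timeout = [int]($d.ScreenSaveTimeOut)
    return ($active -eq 1 -and $secure -eq 1 -and $timeout -gt 0 -and $timeout -le $MaxIdleSeconds)
}

function Test-SystemDriveEncrypted {
    # Policy 3.1.3.2: critical data stored on the device must be encrypted.
    # Uses BitLocker status of the OS volume; treats "BitLocker unavailable" as a failure.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        return ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
    } catch {
        return $false
    }
}

# Report each control as PASS/FAIL so the result can be filed with the device's
# audit trail required under 2.3 Accountability for Portable Devices.
$checks = [ordered]@{
    'Auto-Run disabled (2.3 A)'        = (Test-AutoRunDisabled)
    'Idle session time-out (3.1.1.2)'  = (Test-SessionTimeout)
    'System drive encrypted (3.1.3.2)' = (Test-SystemDriveEncrypted)
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-36} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

Get-BitLockerVolume generally needs an elevated session; run the script as an administrator or the encryption check will report FAIL regardless of the drive's state.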

3.1.4. Data Output Limitations:

3.1.4.1. In general, physical (e.g., hard-copy) output of critical data from portable computers should be disallowed by local management and only permitted when there are compelling reasons and no viable alternative.

3.1.4.2. In cases where Restricted data must be physically output in print or other physical medium from a portable computer, the output must be removed, destroyed or stored securely when no longer being actively used.

3.2. Accountability for Portable Computers. In addition to the standards and guidelines specified in the Workstation Policy, the following portable-specific requirements must also be accounted for:

3.2.1. Portable Equipment and Software:
- The portable device's storage site(s) when not in use
- The name and specifications of all installed and/or enabled security measures, such as password-controlled activation, encrypted data storage or encrypted transmission of data.

3.2.2. Actions:
- Assignment to workforce member(s)
- Relocation, removal, loss, theft or disposal of the device.

3.3. Loss or theft of the device. When away from SFDPH facilities, any loss or theft of portable computers must be immediately reported to the user's management and, as appropriate, to the facility's security staff and/or local Law Enforcement authorities. Because these events often happen out of SFDPH jurisdiction, this is distinct from and in addition to the ordinary reporting of property thefts when on site, as required in the relevant SFDPH administrative policies.

4. RESPONSIBILITIES

4.1. SFDPH Executive Management is responsible for:

4.1.1. Authorizing the establishment of Enterprise-wide standards for portable computer use and providing direction to the implementation of the standards.

4.1.2. Establishing Standards and Guidelines for the Enterprise-wide application of this policy.

4.1.3. Directing the development and deployment of training in the appropriate and secure use of portable computers.

4.1.4. Defining the roles of the various Departments, business units and trusted entities in the implementation of this policy.

4.1.5. Establishing contractual obligations for all third parties to comply with this policy.

4.2. The SFDPH CIO/CISO is responsible for:

4.2.1. Advocating and supporting DPH-IT security needs, concerns and projects to Chief Officer and Division Director level Senior management.

4.2.2. Implementing SFDPH-wide policy for portable computer devices; the CIO/CISO is ultimately responsible for the safety and security of the SFDPH Enterprise Network. The SFDPH CIO or designee must approve all exceptions to this policy.

4.2.3. Development, deployment and maintenance of policies for appropriate and secure use of portable computing devices.

4.2.4. Directing the development and promulgation of training and orientation materials to encourage employee awareness of the security problems and issues involved in the use of portable memory devices and media devices.

4.2.5. Directing the monitoring and analysis of the state of compliance and risk management of existing programs and procedures.

4.3. SFDPH Information Technology (DPH-IT) is responsible for:

4.3.1. Developing guidelines for the distribution, registration and network connection of portable computers.

4.3.2. Maintaining access control systems and role-related access tables for portable computers used to access SFDPH systems.

4.3.3. Developing standards for installation and visibility control equipment for portable computers.

4.4. Local Management is responsible for:

4.4.1. Interpreting Enterprise-wide policy and adapting it to local physical and work-related conditions.

4.4.2. Establishing procedures for issuing portable computers to workforce members and for accounting for the information required in the Workstation Policy and in 3.2 above. These procedures will be available and maintained in writing, either on paper, on web pages accessible to workforce members, or both.

4.4.3. Establishing procedures for controlling physical and visual access to and use of portable computers. These procedures will be produced and maintained in writing, either on paper, on web pages accessible to workforce members, or both.

4.4.4. Ensuring that each workforce member receives training on the requirements for appropriate use of portable computers, on the capabilities and limitations of the user's particular profile, and on the consequences of attempts to exceed them.

4.5. Facility Management is responsible for: Providing physical facilities for secure storage, inventory and disposal of portable computers.

5. PENALTIES FOR VIOLATIONS (for details refer to the Sanctions Policy):

5.1. General Workforce Violations: Violations of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH.

5.2. Individual Non-Employee and Third Party Workforce Violations: Violations of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided.

5.3. Trusted Workforce Member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations.

5.4. Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required by the written contract, and to criminal penalties provided for in the applicable laws and regulations.

APPENDIX A: Listing of Approved Anti-Virus/Malware Software Packages for remote access to the SFDPH Network via WebConnect.

1) Retail Products:
McAfee: VirusScan Plus, Internet Security, Total Protection
Symantec: Norton 360, Norton Internet Security, Norton Anti-Virus
Trend Micro Systems: Anti-Virus/Anti-Spyware, Internet Security Pro
Avast!: Home Edition

2) Internet Service Provider Bundled Products:
Comcast: McAfee Security Suite
AT&T: McAfee VirusScan Plus / McAfee Security Suite
AOL: McAfee Virus Plus

3) Enterprise Products:
SFDPH Standard: Trend OfficeScan
UCSF Standard: Sophos Anti-Virus

APPENDIX B: Listing of approved security software for other forms of Remote Access and Data Transfer (e.g., USB devices): TO BE DEVELOPED as future technology and acquisition allows.