PAGE 1 of 7
Category: Information Technology Security and HIPAA
DPH Unit of Origin: Department of Public Health
Policy Owner: Phillip McDown, CISSP
Phone: 255-3577
Distribution: DPH-wide
Other: n/a
Email: phil.mcdown@sfdph.org

1. POLICY INTENT

The document establishes the policy for digital wireless network devices used to receive and transmit information at San Francisco Department of Public Health (SFDPH) facilities. It defines standards and guidelines for measures to protect SFDPH resources and data from security threats associated with digital wireless transmission and reception, to improve incident response for wireless issues and to regulate access to and from the SFDPH Enterprise Network.

This policy is intended to comply with those sections of the Code of Federal Regulations that govern HIPAA requirements for Information Security. The sections that relate to Wireless Network Devices (as a subset of Network Security in general) are CFR 164.310(b) and (c); the 2010 HITECH Act specifies the Federal enforcement and penalty aspects of this policy.

Inclusion by Reference: This policy is an annex to the SFDPH Data Network Policy, the Portable Computer Device and Radio Frequency Transmission policies. All of the principles, standards, guidelines and responsibilities described in these Policies are included as part of this document by reference. The purpose of this document is to further extend, refine and define how Data Network Security, use and control principles apply in the wireless data transmission context.

For information on policy and standards for secure remote access to the SFDPH Data Network, refer to the Remote Access Policy. For information on policy and standards for secure access and use of wireless devices and for security of information stored in wireless devices, refer to the Workstation Policy and the Portable Computer Policy.

Wireless connectivity cannot be guaranteed. Frequency conflicts and signal interference can have a negative effect on the integrity of health information and telemetry that is transmitted wirelessly. Although this is an SFDPH security issue, technical and broader management considerations require that the issues of permissible use, frequency management and assignment to mitigate interference among wireless technologies be addressed in a separate City-wide Wireless Access Controls policy or section, which is beyond the scope of this document.
DEFINITIONS: Due to advances in portable wireless capabilities (e.g., smart phones, palm tops, smart pads and laptops) with the capability both to transmit digitally on the 3-4 gigahertz bands (3G and 4G) and to act as wireless access points (WAPs), it is necessary to distinguish between this capability, referred to hereinafter as Wi-Fi, and lower radio-frequency voice communications (<2.9 GHz) used for on-site communications, telemetry, emergency communications, vehicle dispatch, etc., referred to hereinafter as RF. For specific policy statements regarding these voice and fixed physical location devices, see the DPH RF Transmission Policy.

2. POLICY STATEMENTS

2.1. Planning and Approval: All systems intended to be or actually connected, either physically or wirelessly, to the SFDPH Network are subject to the planning and approval process as defined in the Network Security Policy, Facilities Planning policies and DPH RF Transmission policy and such other SFDPH policies as apply. Refer to the requirements for review and approval by other divisions and departments in the Data Network Policy. For Wi-Fi devices, this may take the form of blanket guidelines for portable Wi-Fi, enforced only for those devices which actually store or transmit PHI.

2.2. Wireless technology will only be used where appropriate.

2.2.1. Wi-Fi technology will not be used in areas where its emissions will interfere with the function of patient care technology, communications and equipment.

2.2.2. Wi-Fi technology, regardless of frequency emitted, will not be used as the primary or sole form of network connection in any system where failure of the wireless technology will have serious consequences such as impairing safety, patient care, critical operational functions, etc.

2.2.3. The use of privately owned Wi-Fi devices for personal communications and Web access is permitted in SFDPH facilities, except where they violate section 2.2.1 above.

2.2.4. If a Wi-Fi device is to be used in the business context to access, transmit or store PHI or other restricted SFDPH data, permission must be obtained in advance from the user's management for such use.

2.2.4.1. Documentation of such permission must be recorded and signed in hard copy.
2.2.4.2. A signed Confidentiality or other Appropriate Use agreement may be required before such permission is granted.

2.2.4.3. Specific device safeguards, such as password use and/or encryption, may also be explicitly required in such cases.

2.3. Frequency and Deployment Rules: All provisions of this policy are in addition to the requirements of the overall SFDPH Enterprise and CCSF RF Frequency Assignment, Deployment and Conflict Resolution policies and/or guidelines. Where the provisions of this policy and the SFDPH Enterprise or CCSF policies are in conflict, the SFDPH Enterprise or CCSF Policy takes precedence over this policy.

2.4. Registration and Inspection of Wi-Fi Devices

2.4.1. All Wi-Fi network access points and Wi-Fi devices which will communicate with the SFDPH network(s) are subject to section 2.2.4 and its subsections.

2.4.2. DPH-IT will establish general risk mitigation strategies for access points, users, client and portable devices, and standards for encryption, virus protection, password setting, signal interception avoidance and other preventative measures.

2.4.3. Staff must be made aware that many of their Wi-Fi devices (e.g., Smart Phones, Note Pads, Laptops, etc.) are capable of functioning as a Wireless Access Point for non-SFDPH devices, as well as operating as network connected devices within SFDPH facilities. Those devices that are expected to be used on an SFDPH campus should be examined by DPH-IT staff for proper encryption and access control applications (e.g. WEP) and be registered as approved Access Points (see 2.4.4 and 2.4.5 below) prior to being used on the job. Devices used for storing and transmitting PHI and other SFDPH critical information fall under the SFDPH Workstation, Network, Encryption, Portable Storage Media and Portable Computing Device Policies.

2.4.4. Prior to deployment, physically fixed wireless access points must meet the current DPH-IT RF security standards and have their MAC addresses added to the appropriate access control tables. What should we require for portable device WAPs?

2.4.5. Only approved, inspected and registered Wi-Fi device access points are permitted for deployment within the SFDPH.
2.4.5.1. SFDPH will monitor networks for connection of unregistered (rogue) Wi-Fi devices attempting to access sensitive information or applications.

2.4.5.2. When detected, unapproved (rogue) devices will be removed from service by DPH-IT, and the person(s) responsible for the devices may be subject to disciplinary action. Isn't this section totally futile in the growing BYOD environment?

2.5. Management and Security of Access Points:

2.5.1. Physical Security: Wi-Fi access points shall be properly secured within a safe, adequately monitored space to prevent theft, unauthorized access and physical tampering.

2.5.1.1. Portable access points must be secured in accordance with the Portable Computer Policy's requirements and guidelines.

2.5.1.2. Loss or theft of portable devices with Access point and/or transmission capability, which have been used to process SFDPH PHI on the job, must be reported in compliance with the Portable Computing Device policy.

2.5.2. Configuration Management: All Wi-Fi devices which store or transmit restricted data must be secured using a password that complies with the requirements in the SFDPH Password Policy. If this is not possible due to technological limitations of the Wi-Fi device, the strongest security measures available for that device shall be used.

2.5.2.1. Administrators must ensure that all vendor default usernames and passwords have been removed from devices as part of the registration process.

2.6. Broadcast Interference: SFDPH reserves the right to limit or control the signal strength and propagation of any Wi-Fi devices that are found to interfere with essential RF activities (see section 2.2.1).

2.7. Broadcast Security and Encryption: DPH-IT will provide and maintain an up-to-date standards list that will include approved Wi-Fi technologies, current minimum encryption standards, and best practices for secure use.
2.8. Access to SFDPH Facilities and Data

2.8.1. Once a device is inspected and authenticated, users and devices may be limited to routing access only within DPH networks as needed under their job requirements. Just as with an RF or wired network, SFDPH network authentication must satisfy prescribed login/password standards before using SFDPH resources that are not normally accessible by nodes outside the SFDPH firewalls.

2.8.2. Access control mechanisms such as firewalls should be deployed to separate unauthorized Wi-Fi networks from any network with the ability to access PHI.

2.8.3. As the technology permits, Wi-Fi devices should employ a combination of layered authentication methods and on-the-device data encryption to protect sensitive, proprietary and patient information.

2.9. Identity Authentication shall require at least two factors beyond a device's registration code, such as the user's logon/ID code and password.

2.10. New Technologies not Explicitly Covered in this Policy: All newly deployed Wi-Fi technologies must satisfy all existing and future standards as required by law or established by DPH-IT before being approved for use within SFDPH facilities.

STANDARDS AND GUIDELINES

3. RESPONSIBILITIES

3.1. SFDPH Executive Management:

3.1.1. Approves policy, standards and guidelines for the use of Wi-Fi access to the SFDPH Data Network.

3.1.2. Directs the development and deployment of training in the appropriate and secure use of Wi-Fi devices.

3.2. The SFDPH CIO/CISO is responsible for:

3.2.1. Advocating and supporting DPH-IT Wi-Fi security needs, concerns and projects to Chief Officer and Division Director level Senior management.
3.2.2. Implementing SFDPH-wide policy for Wi-Fi devices and is ultimately responsible for the safety and security of the SFDPH Enterprise Network. The SFDPH CIO or designee must approve all exceptions to this policy.

3.2.3. Development, deployment and maintenance of policies for appropriate and secure use of Wi-Fi network devices.

3.2.4. Directing the development and promulgation of training and orientation materials to enable and encourage employee awareness of the security problems and issues involved in the use of Wi-Fi devices.

3.2.5. Directing the monitoring and analysis of the state of compliance and risk-management of existing programs and procedures.

3.3. DPH-IT:

3.3.1. Develops and supports standards and procedures for the centralized registration of authorized devices and access points.

3.3.2. Develops and supports the procurement, implementation and maintenance of data network wireless intrusion and unauthorized use prevention technologies.

3.3.3. Will resolve any conflicts between wireless devices in accordance with the guidelines in the San Francisco City Department of Technology and County and SFDPH Wireless Frequency Management Policy. Priority is granted to fully supported and registered installations, except as appropriate in the case of medical, safety, or emergency devices.

3.3.4. Supports or performs the regular scanning of the Radio Frequency spectrum at all SFDPH sites for vulnerable and/or unregistered wireless devices and will coordinate response with the SFDPH Technical Team in the event of a possible system intrusion or compromise.

3.4. (Organization to be determined) is responsible for:

3.4.1. Maintaining the list of acceptable Voice RF frequencies and wireless technologies.

3.4.2. Assignment of voice communication frequencies and allocation of channels to individual sites.

3.4.3. Resolving conflicts between incompatible wireless devices.

3.4.4. Conducting periodic spectrum analysis to assess the potential impact of electromagnetic interference (EMI) from transmitters and the impact of electromagnetic emissions from wireless devices.

4. PENALTIES FOR VIOLATIONS:

4.1. County of San Francisco General Workforce Violations: Violations of published Information Security Policy, standards, guidelines, rules or procedures are subject to the same progressive discipline processes and sanctions as any other violation of the terms and conditions of employment at SFDPH.

4.2. Individual Non-Employee and Third Party Workforce Violations: Violations of published Information Security Policy, standards, guidelines, rules or procedures by persons employed through a third party or otherwise not subject to the progressive discipline processes and sanctions of the terms and conditions of employment at SFDPH are subject to the sanctions provided under the terms and conditions of the agreement(s) whereby their services are provided.

4.3. Contractor and Third Party Entity Violations: In addition to the individual sanctions noted in 2.1 and 2.2 above, third party organizations, business entities and others who are contractually required to comply with SFDPH Security Policies and standards may be subject to specified monetary fines or penalties or termination of the agreement as required by the written contract and criminal penalties provided for in the applicable laws and regulations.

4.4. Trusted Workforce Member Violations: Managers, System Engineers, System Administrators and other classifications who are given greater than routine access to and control of critical information systems and data may be subject to stricter standards of security behavior and more abrupt and stringent penalties in the case of violations.

5. EXAMPLES AND ATTACHMENTS:

5.1. Policies to be Included or Developed:

5.1.1. Obtaining Authorization to use a personal Wi-Fi Device for business purposes within a SFDPH network environment.