The purpose of this policy is to maintain an adequate level of security to protect DOEA’s and the Area Agencies on Aging’s (AAA) shared information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure a secure and reliable operation of DOEA’s and AAA’s information systems.
POLICY
Only authorized users are granted access to information systems, and each user is limited to specific, defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user, so that every action can be attributed to an individual. Where a system lacks the technical capability to enforce this, access shall be controlled by policy. The law requires that access be granted only on the basis of need-to-know. Users who knowingly and willfully access data for which they have no need-to-know, or who allow their passwords to be shared, will have their system access terminated permanently. It is the responsibility of every user, supervisor and organization to ensure this standard is met. This policy will be referenced in the Business Associate agreements with the AAA’s.
Who is Affected?
This policy affects all workforce members of DOEA and the Area Agencies on Aging (AAA’s), and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.
Affected Systems
This policy applies to all computer and communication systems owned or operated by DOEA. Similarly, this policy applies to all platforms (operating systems) and all application systems.
Entity Authentication
Any user (remote or internal) accessing DOEA’s and AAA’s shared networks and systems must be authenticated. The level of authentication must be appropriate to the data classification and the transport medium. Entity authentication includes, but is not limited to:
- Automatic logoff
- A unique user identifier
- At least one of the following:
  - Password
  - Personal identification number
  - A telephone callback procedure
  - Token
Workstation Access Control System
All workstations used for DOEA’s and AAA’s business activity, no matter where they are located, must use an access control system approved by DOEA.
In most cases this will be a password-enabled screen saver with a time-out-after-no-activity feature. Logged-in workstations are not to be left unattended for prolonged periods. When a user leaves a workstation, that user is expected to log out of all applications and networks properly.
Users will be held responsible for all actions taken under their sign-on. Do not share your password. Where appropriate, inactive workstations will be locked after a period of inactivity (typically 15 minutes), and users will then be required to log in again to continue. This minimizes the opportunity for an unauthorized person to assume the privileges of the authorized user during that user’s absence.
Disclosure Notice
A notice warning that only those with proper authority may access the system will be displayed before sign-on. The warning message will make clear that the system is a private network or application and that unauthorized users must disconnect or log off immediately.
System Access Controls
Access controls will be applied to all computer-resident information based on its Data Classification to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.
Access Approval
System access will not be granted to any user without appropriate approval. Management is to notify the Security Official immediately of all significant changes in end-user duties or employment status. User access is to be revoked immediately when an individual is terminated. Except in an emergency, the Division of Information Systems must be notified before an employee is dismissed, so that planned terminations can be coordinated with the necessary security measures. In addition, user privileges are to be changed appropriately if the user is transferred or assigned to a different job. AAA’s should establish a policy addressing access for separating employees of AAA’s and Business Associates.
Limiting User Access
DOEA’s approved access controls, such as user logon scripts, menus, session managers and other access controls will be used to limit user access to only those network applications and functions for which they have been authorized.
Need-to-Know
Users will be granted access to information on a “need-to-know” basis. That is, users will receive access only to the minimum applications and access rights necessary to perform their job functions.
Compliance Statement
Users with access to DOEA’s and AAA’s information systems must sign a compliance statement before a user ID is issued. A signature on this compliance statement indicates that the user understands and agrees to abide by DOEA’s and/or AAA’s policies and procedures related to computers and information systems. Semi-annual reconfirmation by DOEA and the AAA’s will be required of all system users.
History Tables and Login
The extent of login and password history trails depends on the data classification of the system.
Confidential System
Access to confidential systems, such as CIRTS, CDC or client files, will be logged and audited in a manner that allows the following information to be determined:
- Access time
- User account
- Method of access
Audit trails for confidential systems should be backed up and stored in accordance with DOEA’s and AAA’s back-up and disaster recovery plans. All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic basis. Audit results should be included in periodic management reports. The audit reports will be reviewed by the HIPAA Security Officer quarterly and submitted to the HIPAA Administrator’s office with a narrative indicating potential problems or concerns.
The audit feature for the CIRTS system will be controlled by DOEA. The audit function will record a history of access to the application. This function will be utilized at the AAA level as well, but the functionality will be controlled at the DOEA level.
Unauthorized Access
Employees are prohibited from gaining access to any information system or database they have not been authorized to access, and from damaging, altering or disrupting the operation of any system in any way. System privileges that allow modification of “production data” must be restricted to “production” applications.
Remote Access
Remote access must, at a minimum, conform to all HIPAA and state statutory requirements. Remote access is approved by the Security Officer of the authorizing agency, such as DOEA or an AAA.
DOEA Systems Access
DOEA retains authority over use of its database network and intranet, and over connection to the state network, in order to maintain compliance with state and federal requirements. The department must limit access to electronic Protected Health Information (PHI) to ensure its security and privacy. Both are maintained, consistent with state and federal law, through passwords that are restricted to, and identify, the individual user. The following policy pertains to the department’s application called the Client Information Referral Tracking System (CIRTS).
CIRTS Access
DOEA retains authority to grant access to the CIRTS database and to delegate that authority, via the LAN administrators, to the AAA Directors, who may grant access permission to Business Associates, lead agencies and AAA employees. The number of access permissions is not limited at this time.
Access permissions are granted only after the user signs an agreement to abide by federal and state confidentiality and privacy laws. These agreements must be maintained by the employing agency and must identify the privileges granted to the employee and the authorizing signature for them.
Upon an employee’s separation, the employer must immediately notify the AAA so that access can be terminated. The agreement is to be annotated and canceled, and the removal of access documented.
Appropriate use of access will be included in the monitoring performed by DOEA, the AAA’s and individual employers, at least annually.
DOEA reserves the right to revoke access at any time based upon violation of agreements or findings that substantiate non-compliance.
The AAA’s may also revoke access at any time based upon similar findings.
CIRTS Roles and Privileges
Access permissions are assigned through specific roles with delineated privileges. The table of roles and corresponding privileges is defined by job function: the screens accessible under each job function are listed, and the privileges within each screen (add, delete, edit, view) are defined per screen.
These roles are established in CIRTS on a system-wide basis and cannot be modified by an AAA or Business Associate. When the AAA assigns a role to a user, all the screens that accompany that role become available to that user. Because each AAA is organized differently and has its own Business Associates, each AAA must determine which users are assigned to which role on the basis of need-to-know, and must define this access for every user it grants access to. Classifying users by type is encouraged as a framework for role assignment.
Once each quarter, DOEA will hold a team meeting with the AAA’s to discuss changes or modifications to the CIRTS application, if any requests have been received from users. Requests should be sent to the Division Director of Information Services. The quarterly meeting will include evaluation of proposed modifications based on, but not limited to, the following:
- Statewide application
- User enhancement
- Cost
- Technical availability
- Added value to program
- HIPAA and/or Security policies
Modifications to Roles and/or Privileges will be evaluated in these meetings.
ORACLE Data Base Access
DOEA Oracle database connections will be HIPAA compliant. Access to the CIRTS database outside DOEA’s proprietary system will be restricted to a limited number of users.
Department policy prohibits general access to the database through R&R, Microsoft Access or other applications. Database access privileges will be granted by DOEA or the AAA’s on a limited basis, to ensure compliance with privacy requirements and that a “need-to-know” standard is established and followed.
Each AAA will be granted Oracle database connections outside DOEA’s proprietary system by exception only. Each exception will be documented, and each user will sign an agreement to maintain the confidentiality of clients’ Protected Health Information (PHI). In the field, only the AAA director can authorize this access; DOEA authorizes access for DOEA employees. Access must be reviewed semi-annually to affirm a continuing need-to-know. These users are subject to the same conditions as CIRTS users: access permissions are assigned through specific roles with delineated privileges, defined by job function, with screen access and per-screen privileges (add, delete, edit, view) defined for each role.
DOEA and the AAA’s reserve the right to revoke this privilege at any time.
Each AAA LAN Administrator must track the following information for each such user:
- Name
- Position
- Place of Employment
- Supervisor
- Role(s) required, and the tables to which they grant access
- Confidentiality statement signed by the employee
- AAA Director’s signature authorizing access
The department intends this to be a temporary measure while web-based technologies are under development. This policy ensures that users granted this privilege understand that strict adherence to privacy policy will be enforced and that access will be denied if security and privacy policies are not followed.