Appendix DOH Information Security And Privacy Policy

Transcription

Department of Health
Information Security and Privacy Policy
DOHP 50-10-16

Table of Contents

DOHP 50-10.1 – Policy 1 – Information Security and Privacy
DOHP 50-10.2 – Policy 2 – Acceptable Use and Confidentiality Agreement
DOHP 50-10.3 – Policy 3 – Secured Areas and Physical Security
DOHP 50-10.4 – Policy 4 – Data Classification and Protection
DOHP 50-10.5 – Policy 5 – Patient Privacy Rights
DOHP 50-10.6 – Policy 6 – Public Health HIPAA Exemptions
DOHP 50-10.7 – Policy 7 – Contract Providers and Business Associates
DOHP 50-10.8 – Policy 8 – Risk Analysis
DOHP 50-10.9 – Policy 9 – Contingency Planning
DOHP 50-10.10 – Policy 10 – Information Technology Security
Appendix A – Definitions and Glossary
Appendix B – Forms: Acceptable Use and Confidentiality Agreement; Authorization for Non-Routine Disclosure of Patient Medical Information; Cooperative Agreement between DOH and Colleges and Universities; Corrective Action Plan; Information Technology Security Exception Request; Initiation of Services and Instructions; Standard Third Party Networking Connection Agreement; Third Party Network Connection Request; Transmittal Letter Suggested Language; User System Access Review Form; Virus Reporting Form
Appendix C – Confidentiality Statutes, Rules, and Federal Regulations
Appendix D – Virus Protection
Appendix E – Password Construction
Appendix F – Disclosure of Special Reasons

January 2016
Copyright 2005, 2007, 2008, 2010, 2016 the Florida Department of Health

Department of Health
Information Technology
Information Security and Privacy Policy 1
Information Security and Privacy
DOHP 50-10.1-16
Page 1 of 9

I. Policy

The Florida Department of Health (Department) possesses technology resources, data, and information that must be protected from unauthorized access, modification, destruction, and disclosure per federal and state laws.

Each Department program office, division, county health department (CHD), and Children’s Medical Services (CMS) area office must have written local information security and privacy procedures to ensure the security of information and protect the confidentiality, data integrity, and access to information. Local procedures must conform to the Department Information Security and Privacy Program (ISPP) requirements as reflected in these policies and be written in approved Department format as established in DOHP 5-2, Writing, Instituting, and Revising Department Policies, IOPs, TAGs, and SOCs. Local procedures must include core security procedures required by the Department and supplemental operating procedures necessary to implement established Department policies and protocols. All procedures must be reviewed annually and updated as appropriate. Corrective action plans must be developed and implemented for all identified deficiencies.

Local entities such as CHDs, CMS Area Offices, divisions, and program offices reserve the right to establish local protocols and procedures that may be more stringent. In the event of a conflict, the more restrictive measures apply.

Deviations from the Department Information Security and Privacy Policy must be requested by submitting a justification to the Information Security Manager (ISM) which includes an associated risk analysis and proposed physical, administrative, and technical safeguards.

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment and/or referral for criminal prosecution.

A. Information Security and Privacy Program
1. The Department of Health must maintain an agency-wide information security program to ensure administrative, operational, and technical controls are sufficient to reduce risks to the confidentiality, integrity, and availability of agency information and information technology resources.
a) The Information Security Program must be responsive and adaptable to changing environments, vulnerabilities, and technologies affecting state information resources.
2. The State Surgeon General and the Director or Administrator of each local entity such as CHDs, CMS Area Offices, and program offices must designate key personnel with specific responsibility to coordinate the security and privacy of information for their area.

a) The State Surgeon General shall designate a Health Insurance Portability and Accountability Act (HIPAA) Privacy Officer, a HIPAA Complaint Officer, an Information Security Manager (ISM), and a HIPAA Security Officer.
b) The Director or Administrator of each local entity shall designate at least one Information Security and Privacy Coordinator (ISPC), at least one Information Owner, at least one Information Custodian, at least one Key Custodian, at least one Disaster Recovery Coordinator, and a local HIPAA Reviewing Officer as appropriate based on Section VI.D.7. of this policy.
(1) Responsibilities must be documented in the designee(s)’ position description.
(2) The designee(s)’ identity must be documented in the local information security and privacy procedures.
(3) The identity of each ISPC must be relayed to the ISM.

II. Authority
A. Public Law (PL) 104-191, Health Insurance Portability and Accountability Act of 1996
B. 45 Code of Federal Regulations (CFR), Public Welfare, Parts 160 (General Administrative Requirements), 162 (Administrative Requirements), and 164 (Security and Privacy)
C. Section 282.318, Florida Statutes, Enterprise Security of Data and Information Technology
D. Chapter 71A-1, Florida Administrative Code, Florida Information Technology Resource Security Policies and Standards

III. Supportive Data
A. 16 CFR Part 681, Identity Theft Rules
B. 15 United States Code (USC) 1681, Credit Reporting Agencies, Congressional Findings and Statement of Purpose

IV. Signature Block with Effective Date
Signature on File
Jennifer Tschetter, Chief Operating Officer
Date: 1/22/2016

V. Definitions
See Appendix A.

VI. Protocol

A. Outcomes
1. An information security and privacy program that is responsive and adaptable to changing environments, vulnerabilities, and technologies affecting state information and information resources.
2. Documented information security and privacy policies, protocols, and procedures for each local entity, to include written local operating procedures for implementing, reviewing, and updating local information security policies, protocols, and procedures.
3. Documented procedures for monitoring compliance with the local information security and privacy policies, protocols, and procedures.
4. Documented procedures for developing and implementing corrective action plans.

B. Personnel
Director and Administrator of each Department division, office, CHD, and CMS area office, and other staff designated as responsible for developing and updating local information security and privacy protocols, procedures, and corrective action plans.

C. Competencies
1. Knowledge of federal laws, Florida Statutes, Florida Administrative Code, departmental policies, protocols, and procedures, and industry standards pertaining to information security and privacy.
2. Knowledge of Department policies, protocols, and procedures related to security and privacy of information.

D. Areas of Responsibility
1. All Department Employees
a) All members of the workforce are responsible for protecting Department data, resources, and assets in their possession.

b) All members of the workforce are responsible for immediately notifying their local Information Security Coordinator of any violation of Department security policies, or any suspected or potential breach of security.

2. Information Security Manager (ISM)
The Information Security Manager shall administer the Department information security program. Responsibilities include:
a) The development, review, and updating of the Department information security and privacy policies, protocols, and procedures.
b) The development, review, and updating of the Department’s strategic information security plan and associated operational information security plan.
c) The coordination of the Department information security risk management process.
d) The coordination of the Department Computer Security Incident Response Team (CSIRT).
e) The coordination of Information Technology Disaster Recovery planning in support of the Department Continuity of Operations Plan (COOP).

3. Department HIPAA Privacy Officer
The Department HIPAA Privacy Officer shall provide leadership for privacy oversight to ensure the Department complies with federal, state, and Department privacy requirements. Responsibilities include:
a) Participating in the development, implementation, and maintenance of policies, protocols, procedures, and corrective action plans related to privacy matters.
b) Providing counsel on privacy matters to the Department security program.
c) Providing consultation on information privacy awareness training to all members of the workforce.
d) Ensuring the organization has and maintains appropriate consent and authorization forms, notice of privacy practices, and materials

reflecting current organizational and legal practices and requirements.
e) Developing and implementing information privacy risk assessments in coordination with the Department ISM and HIPAA Complaint Officer, and conducting related ongoing compliance monitoring.
f) Working cooperatively with local legal counsel, local privacy coordinators, and other applicable organizational units in overseeing client rights to inspect, amend, and restrict access to protected health information (PHI).
g) Initiating, facilitating, and promoting activities to foster privacy awareness within the organization and related entities.
h) Reviewing all system-related information security plans throughout the organization’s network to ensure the privacy of protected health information.
i) Maintaining current knowledge of applicable federal laws, Florida Statutes, Florida Administrative Code, departmental policy, protocols, and procedures; monitoring advancements in technologies to ensure organizational adaptation and compliance in coordination with the Office of Information Technology (IT) and privacy coordinators.

4. Department HIPAA Complaint Officer
The HIPAA Complaint Officer shall serve as a point of contact for all questions regarding the content of the Notice of Privacy Practices, as well as all complaints regarding privacy violations. Responsibilities include:
a) Establishing and administering a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the Department’s privacy policies, protocols, and procedures.
(1) Violations categorized as Category 2 per the Incident Reporting Policy, DOHP 5-6, must be referred to the Office of Inspector General for investigation.

5. Information Owner (formerly Information Resource Owner)
Information Owners must classify the data their organization possesses and must specify the security properties associated with each information set.

a) Information Owners served by networks shall prescribe sufficient controls to ensure that access to network services, host services, and subsystems is restricted to authorized users and uses only. Controls shall selectively limit services based upon user identification and authentication.

6. Local Information Security and Privacy Coordinators (ISPC)
Local ISPCs shall serve as liaisons for each local entity for security and privacy matters. They will work closely with the staff in their jurisdiction, other ISPCs, the ISM, and the HIPAA Privacy Officer to ensure a uniform approach to security and privacy. Responsibilities include:
a) Knowledge of the respective statutes, administrative code, and Departmental policies, protocols, and procedures relating to information security and privacy.
b) Maintaining professional skills and competencies by participating in training and other professional development activities.
c) Coordinating the development and review of local information security and privacy procedures, at least annually.
d) Ensuring all members of the workforce in their jurisdiction have access to information security and privacy policies, protocols, and procedures.
e) Coordinating the procurement and dissemination of current information security and privacy awareness training materials consistent with Department policies and protocols.
f) Ensuring that all new members of the workforce have completed security and privacy awareness training within 30 days of employment or prior to accessing confidential information, whichever is earlier. Refer to the Acceptable Use and Confidentiality Agreement Policy, DOHP 50-10.2.
g) Coordinating an annual information security and privacy risk assessment for their respective entity.
h) Documenting a corrective action plan (CAP) for issues identified in the annual risk assessment, per the Risk Analysis Policy, DOHP 50-10.8.
i) Enforcing all information security and privacy policies.

j) Monitoring, at least annually, the list of staff authorized to access confidential information and facilitating corrections as appropriate. Refer to the Secured Areas and Physical Security Policy, DOHP 50-10.3.
k) Monitoring, at least annually, the assignment and maintenance of user credentials for all applications within their jurisdiction by reviewing the list of persons with access to electronically stored data and facilitating changes as appropriate.
l) Maintaining incident reports and documentation of the resolution of all suspected and confirmed breaches of security and confidentiality.
m) Coordinating and monitoring corrective actions identified during the investigation of an incident or risk analysis. Refer to the Policy and Procedures on Incident Reporting, DOHP 5-6.
n) Assisting the local System Administrator with maintenance, training, and annual testing of the site’s Information Technology Disaster Recovery Plan. Refer to the Contingency Planning Policy, DOHP 50-10.9.

7. Local HIPAA Reviewing Officer
The Local HIPAA Reviewing Officer must be a licensed healthcare professional who holds a valid medical license in Florida and has been identified as a potential reviewing official for each of the covered entities. Responsibilities include:
a) Reviewing any individual’s complaint on a decision to deny access to that individual’s protected health information for the reasons specified in 45 CFR 164.524(a)(3).
(1) The reviewing officer cannot have been directly involved in the original decision to deny access.

8. Local Information Custodian and Key Custodian
The Local Information Custodian shall assist information owners in classifying data and in specifying and implementing security controls to protect the integrity and accuracy of the data. Key Custodians must document and manage physical access to the secured area they are assigned and shall assist information owners with access control of information in designated secured areas. Key Custodians may be delegated authority to assist with Information Custodian duties; however, this delegation must be documented. Responsibilities include:

a) Establishing procedures to ensure information is accessible only to authorized persons and maintaining access logs for information set(s).
b) Assisting owners in evaluating the cost-effectiveness of physical security controls and monitoring.
c) Periodically reviewing the access log for secured areas.
d) Implementing and monitoring techniques and procedures for reporting incidents.

9. Local IT Disaster Recovery Coordinator
Each local entity shall assign a Local IT Disaster Recovery Coordinator. In response to emergency events, this role may be required to work irregular hours, more than eight (8) hours per day, for extended periods (including weekends and holidays), at locations other than their official headquarters, and may be required to perform duties in addition to those outlined in the employee’s position description. Employees assigned to this role must be able to deploy to emergency sites with limited advance notice. Regional Disaster Preparedness Consultants shall not be designated Local IT Disaster Recovery Coordinator for any one office. Responsibilities include:
a) Planning and directing the detailed information technology activities before, during, and after a disaster.

VII. Procedure
Applicable policies, protocols, and procedures.

VIII. Distribution List
Chief of Staff
Deputies
Executive Office Directors
Division Directors
Bureau Chiefs
County Health Department Directors and Administrators
Children’s Medical Services Medical Directors
Children’s Medical Services Nursing Directors
Children’s Medical Services Program Administrators

IX. History Notes

The original Information Security policy was signed and became effective in November 1999. The January 2016 Information Security and Privacy policy supersedes the original. This policy was revised in August 2007, April 2010, and June 2015. The Office of Information Technology’s Security Administration Team Manager is responsible for this policy.

Department of Health
Information Technology
Information Security and Privacy Policy 2
Acceptable Use and Confidentiality Agreement
DOHP 50-10.2-16
Page 1 of 8

I. Policy

Access to the internet, telephone, or email service is a privilege, not a right. All members of the workforce shall be held accountable for protecting information from unauthorized access, modification, destruction, disclosure, or improper use, and for safeguarding confidential information in accordance with federal laws, Florida Statutes, Florida Administrative Code, Department policies, and industry standards. All Department data, information, and technology resources shall only be used for official state business, except as allowed by the Department’s policies. This includes information in any format or medium.

All members of the workforce shall receive mandatory information security and privacy awareness training prior to providing services to clients, accessing confidential information, or accessing information technology resources, or within 30 days of their employment start date, whichever is earliest. Additional training, based on job-specific duties or responsibilities, may be required.

All members of the workforce shall complete an annual refresher information security and privacy awareness training course.

The Department shall respect the legitimate proprietary interests of intellectual property holders and obey the copyright law prohibiting the unauthorized use or duplication of software. Only authorized information technology (IT) members of the workforce shall install software and hardware on Department systems. All software and hardware installed on Department systems must be approved by the Office of Information Technology (OIT).

An Acceptable Use and Confidentiality Agreement (Agreement), DH 1120, confirming that the worker understands the requirements and the penalties for failure to comply with information security and privacy policies, protocols, and procedures, shall be completed and signed by each member of the Department workforce. Members of the workforce should ask their management for any needed clarification prior to signing the Agreement.

Members of the workforce found to be in violation of these policies may be subject to disciplinary action, up to and including termination of employment, and/or legal action.

A. General
1. Supervisors may monitor computer use by direct observation or by reviewing work productivity and quality. If the supervisor observes, suspects, or is notified of an issue which requires additional information, they should contact their local Human Resource Management (HR) office. HR will contact the Department Information Security Manager (ISM) or the Office of Inspector General to request that the information be provided and released, as appropriate.

2. Use of unapproved streaming media technologies requires prior written approval from the user’s supervisor and the Information Security Manager (ISM) or delegate. Users may request approval through their supervisor using the Office of Information Technology Security Policy Exception Request Form.
3. Use of state resources constitutes consent to monitoring of activities with or without a warning.
a. The workforce shall have no expectation of privacy when using Department resources.
b. The Department may inspect any and all files stored on any Department network or local computer system, including removable media.
4. Only Department-owned or Department-managed devices may be connected to the Department network. Exceptions require prior approval from the ISM.
5. Department devices (including computers, mobile devices, printers, etc.) will be configured according to OIT-approved standards and guidelines.
6. Only Department-approved software shall be installed on Department-owned or Department-managed devices. This restriction does not apply to personally-owned devices approved for use in the Department’s “Bring Your Own Device” (BYOD) program.
7. Illegal duplication of software is prohibited.
8. Users must immediately report suspected account compromises, including suspected computer malware (viruses, etc.) occurrences, to the local Information Security Coordinator and the System Administrator or designee.
9. The workforce may use the Department’s internet email access link for Department email access while away from the office with their supervisor’s approval.
a. Users may not configure a personal email client (e.g., Outlook, Thunderbird, Gmail) to connect to the Department email system without express authorization by the ISM.
b. Included members of the workforce (eligible for overtime pay) must obtain prior approval for each use outside of their normal working hours and are required to account for all hours worked. Additional hours worked must be recorded as required by Department policy. Approval to use internet email access in no

way eliminates the requirement for prior approval for telecommuting in accordance with the Telework Policy, DOHP 6024.
c. The workforce must ensure that the computer used for internet email access has up-to-date anti-virus software and current operating system security patches.

B. Computer Use
1. Members of the workforce will be given a user account to access Department IT resources. This access will be based on the documented need as provided by the appropriate hiring authority. The Department ISM or delegate has final authority regarding access to the Department network and IT resources.
a) Access to Department IT resources is reserved for Department-approved users.
b) Department workforce shall have unique user accounts.
2. The local Information Security Coordinator, in coordination with supervisors, must regularly, but not less than annually, review and document the access privileges of their staff across all information systems using the User System Access Review (USAR) form in Appendix B and ensure that access is appropriate to job responsibilities. Reviews must be submitted to the Security Administration Team by April 1 annually.
3. Users must never share account passwords or allow others to use their account credentials. Users are responsible for all activities occurring through the use of their account credentials.
a) Department workforce is responsible for safeguarding their passwords and other authentication methods by not sharing account passwords, email encryption passwords, personal identification numbers, smart cards, identification badges, or other devices used for identification and authentication purposes.
b) Passwords shall not be passed or stored in plain text. Passwords must be encrypted or secured by other means when delivered to users.
4. Department workforce shall be held accountable for their account activities.
a) Audit records shall allow the actions of users to be uniquely traced for accountability purposes.

b) User accounts must be authenticated, at a minimum, by a complex password.
(1) Department accounts will require passwords of at least ten (10) characters, including an uppercase letter, a lowercase letter, a number, and a special character.
(2) Reference the Mobile Device Policy, DOHP 50-20, for mobile device password requirements.
c) Department workforce shall immediately report suspected account compromises according to the Department incident reporting procedures, DOHP 5-6.
d) Department workforce must log off or lock their workstations prior to leaving the work area.
e) Workstations must be secured with a password-protected screensaver with the automatic activation feature set to no more than 10 minutes.
5. Department workforce must not disable, alter, or circumvent Department security measures.

C. Personal Use
1. Members of the workforce are permitted to briefly visit non-prohibited internet sites or use email and/or telephones for personal reasons during non-work hours (lunch period or before/after work), subject to the limitations contained within this policy. Local entities have the right to have local protocols and procedures that are more stringent. In the event of a conflict, the more restrictive security and privacy measures apply.
a) Personal use may be monitored and may subject the employee to disciplinary action.
(1) Department workforce may access non-Department, browser-based email accounts such as Gmail, Yahoo, Outlook.com, etc.
(a) This privilege applies only to browser-based email capabilities; users may not use Outlook, Outlook Express, or other PC-based software or plug-ins to access non-Department email.
(2) Usage must not interfere with the worker’s job duties.

(3) Usage must not consume significant amounts of Department IT resources or compromise the normal functionality of the Department’s systems.
(4) Personal use must not result in any additional cost to the Department, and the Department accepts no responsibility for adverse incidents resulting from employee personal use.
b) Examples of acceptable internet/intranet sites are those dealing with health matters, weather, news, business or work-related topics, community activities, career advancement, and personal educational enrichment.

D. Unacceptable Uses
The prohibited activities listed below are examples and are not all-inclusive. Department workforce performing any of these activities as part of their assigned job responsibilities must have written supervisor approval, or these tasks must be identified in their position description.
1. Department IT resources must not be used for knowingly accessing, downloading, distributing, or participating in any of the following:
a) Any purpose which violates state or federal laws or rules.
(1) This includes posting or sharing any confidential and/or exempt information on public-facing or publicly accessible websites.
b) Personal profit, benefit, or gain.
c) Political campaigning.
d) Viruses, worms, Trojan horses, email bombs, etc., through willful intent or negligence.
(1) Note: Files downloaded from the internet must be scanned for viruses before use and/or distribution; no file received from an unknown source should be downloaded, even if attached to an email message.
(2) Virus protection information can be found in Appendix D.

e) Harassing, intimidating, threatening, complaining, or otherwise annoying materials including, but not limited to, chain letters, thought/quote of the day, or motivational quotes.
f) Sexually explicit, pornographic, or vulgar material.
g) Inappropriate language or profanity, including, but not limited to, obscene, racial, ethnic, hate-speech, or other discriminatory content.
h) Non-work related material relating to gambling, weapons, illegal drugs, illegal drug paraphernalia, or violen