FROM: John Na tmo Audito

Transcription

1 COUNTY OF LOS ANGELES DEPARTMENT OF AU DITOR.CONTROLLER KENNETH HAHN HALL OF ADMINISTRATION 5OO WEST TEMPLE STREET, ROOM 525 LOS ANGELES, CALIFORNIA 9OO PHONE: (213) FAX: (213) JOHN NAIMO AUDITOR.CONTROLLER April 20, 2015 TO Supervisor Michel D. Antonovich, Myor Supervisor Hild L. Solis Supervisor Mrk Rid ley-thoms Supervisor Sheil Kuehl Supervisor Don Knbe FROM: John N tmo Audito ller SUBJECT: DEPARTMENT OF PUBLIC HEALTH - AND SECURITY POLICIES REVIEW INFORMATION TECHNOLOGY The Bord of Supervisors' (Bord) Informtion Technology (lt) nd Security Policies (Policies) require ll County deprtments to comply with estblished Countyrruide lt security stndrds to help ensure proper controls over County lt resources. As required by Bord Policy 6.108, we re reviewing County deprtments'complince with the Policies. We hve completed review of the Deprtment of Public Helth's (DPH or Deprtment) complince with the Policies nd relted County stndrds. Our review included testing system ccess to five systems DPH identified s mission criticl, including systems contining sensitive helth informtion. We lso reviewed physicl security over lt equipment, computer encryption nd ntivirus softwre, equipment disposition, nd lt security wreness trining. Results of Review Our review disclosed tht DPH needs to improve its controls over res such s systems ccess, lt equipment control, nd computer encryption. ln ddition, some of the issues noted could violte federl Helth lnsurnce Portbility nd Accountbility Act (HIPAA) nd Helth lnformtion Technology for Economic nd Clinicl Helth (HITECH) Act lws. Therefore, we reported our preliminry findings to the County's Chief HIPAA Privcy Officer. The following re exmples of res for improvement: Help Conserve Pper - Print Double-Sided "To Enrich Lives Through Effective nd Cring Service"

2 Bord of Supervisors April 20, 2015 Pge 2 lnpproprite Systems Access - DPH needs to restrict unneeded ccess to sensitive/confidentil informtion in their systems, nd determine whether unneeded ccess resulted in HIPAA/HITECH violtion. We reviewed two of DPH's systems, nd noted tht DPH did not remove systems ccess for 13 users who terminted DPH employment. One of the terminted employee ccounts ws used for three yers fter the employee terminted to view protected helth informtion (PHl) nd to order lbortory tests for pproximtely 100 DPH clients. DPH mngement indicted tht they re investigting to determine if the individul who ccessed the terminted user ccount ws uthorized to view the PHI nd to order the lbortory tests DPH's ttched response indíctes they determined tht current employee used the terminted employee's ccount in performíng her job duties. The current employee filed to obtin her own sysfem ccount, which violted County policy. However, she ws uthorized to view PHI nd no reportble HIPANHITECH violtion occurred. DPH indicfes if hs reminded lt mngers to promptly remove terminted employee ccess. DPH rs /so developing procedure to notify mngers of personnel chnges so they cn immeditely updte sysfems ccess. Systems Access Documenttion - DPH needs to improve their systems ccess documenttion. We could not review user ccess for three of DPH's systems. For one of the three systems, DPH could not generte list tht identifies who hs ccess to the system. For two systems, DPH could not document system ccess role cpbilities, mking it imprcticl to determine if users' ccess roles were pproprite for their job duties. DPH's response indictes they implemented system upgrde tht llows them to generte user ccess logs to monitor sysfem ccess, ln ddition, DPH will develop sysúem ccess uthoriztion form tht includes ccess role d e scri ption s nd j u stificti on s. Physicl Security - DPH needs to physiclly secure its lt resources, s required by Bord Policy Twenty-one employees who terminted from the County continued to hve key crd ccess to enter three DPH offices for up to five yers fter termintion. We lso noted tht DPH stores surplus computer equipment in wrehouse receiving re tht is open to the public for deliveries. ln ddition, lptops t two (4Ùo/o) of the five offices reviewed re not secured with lock when left unttended. DPH's response indictes they cnceled key crd ccess for the terminted employees nd will develop procedures to immeditely updte keycrd ccess when personnel chnges occur. DPH lso convened n Assef Mngement

3 Bord of Supervisors April 20, 2015 Pge 3 lmprovement Tem to ensure computer equipment in their wrehouse nd other fcilities re properly secured. Inccurte lt Inventories - DPH needs to improve controls over lt equipment inventories. We could not locte seven (10Yo) of the 68 items from DPH's equípment lists. While DPH stff indicted tht some of these items hd been disposed, they could not document ny of the disposls. ln ddition, we noted 9,400 (45%) of the 20,757 items on DPH's lists hve missing or incorrect mke/model, mnufctureds seril number, sset custodin, etc., including 315 items ssigned to individuls who no longer work t the Deprtment. DPH's response indictes they investigted nd submitted Computer Security lncident Report to the County Chief lnformtion Security Officer for the missing lt devices. DPH lso reminded mngers nd ssef custodins to immeditely report /osf, stolen, or improperly inventoried lt resources. DPH's Assef Mngement lmprovement Tem,s /so reviewing inventory mngement procedures to identify improve ments. Stff Gomputer Assignments DPH needs to evlute stff computer ssignments, trnsfer/slvge unneeded items, nd evlute estblishing computer pool nd checkout process for computer devices tht stff do not frequently use. DPH's inventory records indicte tht 487 (14%) of the 3,583 employees hve two or more ssigned computers (e.9., desktop nd lptop or tblet). Eight (32%) of the 25 employees interviewed with two or more computers indicted they do not need one of their computers, including one employee who hd not used his lptop for two yers. DPH's response indictes they will review computer ssignmenfs fo determine if the type nd mount of devices re ligned with ssef custodins' job duties. They will lso evlute expnding the use of computer check-out pools. Portble Computer Encryption DPH needs to improve encryption documenttion nd ensure portble computers re encrypted, s required by Bord Policy DPH did not hve encryption documenttion for 319 (18%) of the 1,773 portble computers. ln ddition, their documenttion for the remining items does not include enough detil, such s the computers' sset tg or seril numbers, to mtch it to ny of the 1,773 computers in inventory. We reviewed 28 portble computers nd noted eight (29o/o) did not hve encryption softwre instlled. We lso noted tht stff/mngers do not periodiclly monitor to ensure portble computers re encrypted. DPH's response indictes they will recll ll portble computers to vlidte nd document tht ech devíce is encrypted. DPH lso worked with the Chief

4 Bord of Supervisors April 20, 2015 Pge 4 lnformtion Office to cquire softwre tht will llow them to monitor the encryption sffus of ll portble nd desktop computers. Antivirus Softwre - DPH needs to ensure ll computers hve current ntivirus protection, s required by Bord Policy Thirteen (23"/o) of the 56 computers reviewed hd outdted ntivírus softwre protection, including one computer with no ntivirus softwre instlled. DPH's response indictes they will review ll portble computers to verify tht ntivirus protection is instlled nd configured to receive routine updtes. Hrd Drive Disposl - DPH needs to properly document tht ll County dt is ersed from hrd drives when computers re disposed, s required by Bord Policy We noted two instnces where DPH disposed of 65 hrd drives but could not document ersing ten (15%) of them. ln nother instnce, DPH documented disposing of 35 computers nd four boxes of hrd drives, nd documented ersing 84 hrd drives. However, DPH's documenttion does not indicte how mny hrd drives were in the boxes, so we could not determine if DPH ersed ll hrd drives before disposl. DPH's response indictes they implemented new procedure where progrm offices send ech computer to DPH's Mterils Mngement wrehouse for proper sn ittion nd docu me nttion. Gomputer lncident Response - DPH needs to report missing lt equipment through the County's computer incident response process. We noted tht between 2011 nd 2013, DPH mngers/stff filed to report 131 missing or stolen lt equipment items to the Deprtment's lnformtion Security Officer (DISO), s required by Bord Policy As result, the DISO could not ssess the impct of ny dt/softwre loss nd could not mke ny required notifictions to the Chief lnformtion Office, the Auditor-Controller (A-C) HIPAA Privcy Officer, or the A-C Office of County Investigtions. DPH's response indictes they hve reminded ll employees fo immeditely report mrssrng or stolen lt resources fo their superuisor. DPH mngement lso told us tht subsequent to our review, they investigted nd ccounted for 100 (76%) of the 131 mrsslng lt equipment items. Of the 31 tht remin unccounted for, DPH indicted tht three could hve contined PHl, but DPH indicted they believe the risk of brech is low. They re prepring seprte memo to the Bord on this rssue, Detils of these nd other findings nd recommendtions re included s Attchment I

5 Bord of Supervisors April 20, 2015 Pge 5 Review of Report We discussed our report with DPH mngement. The Deprtment's ttched response (Attchment ll) indictes generl greement with our findings nd recommendtions. We thnk DPH's mngement nd stff for their coopertion nd ssistnce during our review. lf you hve ny questions, plese contct me, or your stff my contct Robert Smythe t (213) JN:AB:RS:MP Attchments c: SchiA. Hmi, lnterim Chief Executive Offícer Cynthi A. Hrding, M.P.H., lnterim Director, Deprtment of Public Helth Robert Pittmn, Chief Informtion Security Officer, Chief lnformtion Office Lind McBride, Chief HIPAA Privcy Officer, Deprtment of Auditor-Controller Public lnformtion Office Audit Committee

6 Attchment I DEPARTMENT OF PUBLIC HEALTH INFORMATION TECHNOLOGY AND SECURITY POLICIES REVIEW Bckground The Bord of Supervisors' (Bord) lnformtion Technology (lt) nd Security Policies (Policies) require ll County deprtments to comply with Countywide lt Policies, stndrds, nd guidelines. The Policies help protect County lt ssets nd ensure the confidentility nd integrity of systems dt. As required by Bord Policy 6.108, we re reviewing County deprtments' complince with the Policies. We hve completed review of the Deprtment of Public Helth's (DPH or Deprtment) complince with the Policies, nd relted County stndrds nd guidelines. DPH hs pproximtely 21,000 lt devices such s desktop computers, lptops, servers, multifunctionl printers, tblets, etc. Our review included testing systems ccess, physicl security, encryption nd ntivirus softwre, equipment disposition, nd lt security wreness trining. Systems Access Bord Policy requires deprtments to sfegurd personl nd confidentil informtion on their lt systems. As n entity tht delivers helth cre nd possesses protected helth informtion (PHl), DPH is responsible for complince with informtion security nd privcy stndrds defined within the federl Helth lnsurnce Portbility nd Accountbility Act (HIPAA), including the Helth lnformtion Technology for Economic nd Clinicl Helth (HITECH) Act. These lws ddress privcy nd security requirements relted to the storge nd trnsmission of PHl, to prevent ginst unuthorized ccess nd dt breches. Filure to comply with HIPAA nd HITECH cn result in prctices or incidents tht my be reportble to the United Sttes Deprtment of Helth nd Humn Services. lnpproprite Access We reviewed user ccess for two of the 30 systems tht DPH identified s mission criticl. The systems reviewed were the Phrmcy lnventory nd Lbeling System (PILS), nd the Public Helth Lbortory System (PHLAB). Our review ws intended to determine if ccess to PHI is limited bsed on employee job duties. Bsed on our review, user ccess to PILS ppered to be pproprite. However, we noted tht 13 PHLAB users, including two contrctors, terminted employmenucontrcts with DPH but continued to hve ctive ccess to PHLAB for two weeks to three yers fter termintion. ln ddition, one of the user ccounts ws used to ccess PHLAB 133 times fter termintion to view PHI nd order lbortory tests for pproximtely 100 clients. DPH mngement indicted they re investigting whether the individul who ccessed the terminted user ccount ws uthorized to view the PH! nd to order the lbortory tests. AU DITOR-CONTROLLER COUNTY OF IOS A'VGELES

7 DPH - lt nd Security Policies Review Pge 2 These issues occurred becuse DPH stff did not follow Deprtment policy for immeditely restricting ccess when employees terminte, nd did not periodiclly review PHLAB ccess levels, s required by County Fiscl Mnul (CFM) Section DPH mngement needs to determine if the terminted employee's ccess to PHLAB resulted in HIPAA/HITECH violtion, nd tke ction to correct nd report ny violtions. The Deprtment lso needs to remind stff to immeditely updte systems ccess privileges when employees terminte nd periodiclly review systems ccess to ensure ccess levels re uthorized nd pproprite for ech user's job duties. Recommendtions Deprtment of Public Helth mngement: 1 Determine f terminted employee ccess to the Public Helth Lbortory System resulted in HIPAA/HITECH violtion, nd tke ction to correct nd report ny violtions. 2. Remind stff to immeditely updte systems ccess privileges when employees terminte. 3. Periodiclly review systems ccess to ensure ccess levels re uthorized nd pproprite for ech user's job duties. Access Documenttion We plnned to review user ccess for three other criticl DPH systems; the Ptient Helth Informtion System (P-H S), CseWtch HlV, nd CseWtch STD. However, we could not review ccess due to lck of documenttion. Specificlly: User Access Reports - DPH could not generte user ccess report for P-HIS. As result, we could not identify who hd system ccess or their ccess cpbilities. DPH mngement indicted tht P-HIS is legcy system tht does not currently hve ccess reporting cpbility. DPH mngement needs to evlute modifying the P-HIS to trck nd report user ccess roles, or develop lterntive mesures to monitor user ccess. Access Role Documenttion - DPH could not document the user ccess role cpbilities for the CseWtch HIV nd CseWtch STD Systems. As result, we could not determine if users' ccess roles re pproprite for their job duties. DPH mngement needs to document ccess role cpbilities for CseWtch HIV nd CseWtch STD, nd monitor ccess s required. Without sufficient informtion, the Deprtment cnnot dequtely monitor user ccess nd ccess role cpbilities s required by CFM Section AU DITOR-CONTROLLER COUNTY OF LOS AA'GELES

8 DPH - lt nd Securitv Policies Review Poe 3 Recommendtions Deprtment of Public Helth mngement: 4 Evlute modifying the Ptient Helth lnformtion System to trck nd report user ccess roles, or develop lterntive mesures to monitor user ccess. 5. Document ccess role cpbilities for CseWtch HIV nd CseWtch STD, nd monitor ccess s required. Access Controls Bord Policy requires systems to hve pproprite user uthentiction such s log-on identifictions (ld) nd psswords tht re not shred. CFM Section includes pssword complexity requirements, nd requires deprtments to document pprovls for system ccess ssignments. We reviewed ccess controls for the fíve DPH systems mentioned in the sections bove, nd noted the following weknesses: O o Pssword Complexity - Psswords for four (80%) of the five systems do not require combintion of numeric, upper, nd lower cse chrcters s required by the CFM. Access Authoriztions - 18 (90%) of the 20 user ccounts reviewed for four systems did not hve documented pprovl for the ccess. This includes 16 users who hd no ccess request form on file, nd two users who hd n ccess request form on file tht ws not signed by supervisor. We could not review ccess uthoriztions for the fifth system due to the lck of user ccess report noted in the section bove. DPH mngement needs to require systems psswords to include combintion of numeric, upper, nd lower cse chrcters, nd needs to document pprovls for ll system ccess ssignments. Recommendtions Deprtment of Public Helth mngement: 6. Require systems psswords to include combintion of numeric, upper, nd lower cse chrcters. 7. Document pprovls for ll system ccess ssignments. AU DITOR-CONTROLLER COUNTY OF OS AA'GELES

9 DPH - lt nd Security Policies Review Pqe 4 Phvsicl Securitv Bord Policy requires deprtments to physiclly sfegurd lt resources from tmpering, dmge, theft, or unuthorized physicl ccess. This includes developing Fcility Security Pln tht documents the physicl security mesures t ech fcility. These controls help prevent dt breches such s the recent brech t DPH contrctor. We noted tht DPH hs not developed Fcility Security Plns. ln ddition, we visited five DPH offices tht house criticl lt resources such s dt centers, computers, multifunctionl printers, etc., nd noted the following physicl security weknesses: o lnpproprite Access: Twenty-one employees who terminted from the County continued to hve ctive key crd ccess to enter three DPH offices for up to five yers fter termintion. Unsecured Equipment: DPH stff do not lwys secure unttended computer equipment. Specificlly, DPH's Mterils Mngement Division stores surplus computer equipment Ín wrehouse receiving re tht is open to the public during business hours. DPH stff re not lwys present, mking the equipment, dt, nd softwre susceptible to theft.!n ddition, lptops t two of the five DPH offices reviewed re not secured wíth lock when left unttended. Surveillnce System: One of DPH's most criticl dt centers contining confidentil dt hs surveillnce system tht does not work. DPH lt mngers re wre of the issue, but need to tke ction to identify funds nd dedicte stff to replce the surveillnce system. DPH mngement needs to immeditely cncel key crd ccess for the terminted employees noted in our review nd for ny employee who trnsfers loctions or termintes. DPH lso needs to secure unttended computing devices when not in use, including when devices re witing for snittion nd disposl. While Bord Policy does not require surveillnce cmers, DPH needs to identify funds nd stff resources to replce the surveíllnce system t the criticl lt fcility identified in our review. Recommendtions Deprtment of Public Helth mngement: I I lmmeditely cncel key crd ccess for the terminted employees noted in our review, nd for ny employee who trnsfers loctions or termintes. Secure unttended computing devices when not in use, including when devices re witing for snittion nd disposl. AU DITOR-CONTROLLER COUNTY OF OS ANGE ES

10 10. ldentify funds nd stff resources to replce the surveillnce system t the criticl informtion technology fcility identified in our review. lt Equipment Control Bord Policy requires deprtments to ssign lt equipment to specífic individuls (custodins). CFM Chpter 6 lso requires deprtments to inventory their lt equipment nnully nd to keep up-to-dte lt equipment lists. These controls help ensure County computers nd dt re ccounted for nd sfegurded. Equipment Inventories We reviewed 98 DPH lt equipment items, including the 68 from DPH's equipment lists nd 30 we observed t five DPH field offices. We noted missing lt equipment, nd weknesses in equipment control tht could llow County computers nd dt to go missing or be stolen without being detected. Specificlly: Missing Equipment - We could not locte seven (1O%) of the 68 items from DPH's equipment lists. This includes three desktops, two lptops, nd two tblets ssigned to DPH offices tht mnge PHl. DPH lt stff t one office indicted tht five of the computers my hve been disposed, but could not provide ny disposl documenttion. DPH mngement needs to investigte the missing computer devices nd report ny lost or stolen computers through the County's incident response procedures to minimize the risk of ny lost dt or softwre on these devices. Inccurte Trcking - 40 (41o/o) of the 98 items reviewed hd n inccurte custodin, loction, or equipment description recorded on DPH's equipment lists. Using udit softwre, we nlyzed ll 20,757 items on DPH's lt equípment lists nd noted tht 9,400 (45%) hve missing or incorrect mke/model, mnufcturer's seril number, sset custodin, etc., including 315 items ssigned to individuls who no longer work t the Deprtment. DPH needs to updte its equipment inventories for the inccurcies identified in our review. Asset Tgs - DPH generlly does good job of using sset tgs to ccount for lt equipment. However, we noted one (1o/o) of the 98 lt equipment items reviewed did not hve n sset tg to identify it s County property. DPH needs to ensure County property tg is ttched to ll equipment. We lso noted DPH does not properly conduct physicl inventories of their lt equipment becuse they do not lwys updte their inventory lists for discrepncies in loction, custodin, or equipment description when conducting their physicl count. DPH needs to conduct ccurte physicl inventories nd investigte nd updte inventory lists for ny discrepncies. AU DITOR.CONTROLLER COUNTY OF LOS A'VGEI-ES

11 DPH - lt nd Securitv Policies Review Pqe 6 Recommendtions Deprtment of Public Helth mngement: 11. lnvestigte missing computer devices nd report ny lost or stolen computers through the County's incident response procedures. 12. Updte equipment inventories for the inccurcies noted in our review. 13. Ensure County property tg is ttched to ll equipment. 14. Ensure stff conduct ccurte physicl equipment inventories nd investigte nd updte inventory lists for ny discrepncies. Computer Assignments DPH's records indicte tht 487 (14o/o) of their 3,583 employees hve two or more computers ssigned to them (e.9., desktop nd lptop or tblet). Eight (32Yo) of the 25 stff interviewed with two computers indicted tht they do not need one computer, including one person who hd not used his lptop for two yers. In ddition, three of the eight individuls hd two of the sme type of device (e.9., two lptops, two tblets, etc.). Unneeded computers increse the risk of loss, nd result in higher mintennce, support, nd softwre costs. DPH should evlute their stff computer ssignments, trnsfer or slvge unneeded items, nd evlute estblishing computer pool nd checkout process for devices tht stff do not frequently use. Recommendtion 15. Deprtment of Public Helth mngement evlute stff computer ssignments, trnsfer or slvge unneeded items, nd evlute estblishing computer pool nd checkout process. Portble Gomputer Encrvption Bord Policy requires deprtments to encrypt ll County owned portble computers. Encryption helps render dt unredble if computer is lost or stolen, nd protects ginst unuthorized disclosure of personl/confidentil informtion. DPH could not document tht they encrypted ll of the 1,773 portble computers in their inventory. Specificlly, DPH only hd encryption documenttion for 1,454 (82Yo) portble computers (319 less thn their inventory). ln ddition, the encryption documenttion did not include enough informtion, such s ech device's sset tg number or seril number, to llow us to mtch it to ny of the 1,773 computers in AU DITOR-CONTROLLER COUNTY OF LOS AA'GELES

12 DPH - lt nd Securitv Policies Review Pqe 7 inventory. We reviewed 28 portble computers ssigned to DPH stff nd noted eight (29%) díd not hve encryption softwre instlled. ln ddition, DPH mngement does not periodiclly monitor the Deprtment's portble computers to ensure tht ech device is encrypted. DPH needs to ensure ll portble computers re encrypted, nd tht ech portble computer cn be specificlly mtched with documenttion tht confirms it is protected by current encryption technology, nd periodiclly monitor the encryption sttus of ll portble computers. Recommendtions Deprtment of Public Helth mngement: 16. Ensure ll portble computers re encrypted, nd tht ech portble computer cn be specificlly mtched with documenttion tht confirms it is protected by current encryption technology. 17. Periodiclly monitor the encryption sttus of ll portble computers. Antivirus Softwre Bord Policy requires deprtments to ensure they hve functioning up-to-dte ntivirus softwre protection for ll County computers. Deprtments must updte ntivirus softwre regulrly to protect ginst the most current threts. Thirteen (23o/o) of the 56 computers reviewed did not hve up-to-dte ntivirus softwre protection, including one with no ntivirus softwre instlled. DPH mngement needs to ensure ll computers hve current ntivirus protection. Recommendtion 18. Deprtment of Public Helth mngement ensure ll computers hve current ntivirus protection. Hrd Drive Disposl Bord Policy requires deprtments to render unredble nd unrecoverble ll dt nd softwre from computer hrd drives before disposing of the devices from County inventory. We reviewed ten instnces where DPH disposed of multiple computers nd hrd drives. For three (30%) of the ten computer disposls reviewed, DPH could not document tht they ersed every hrd drive disposed. Specificlly: AU DITOR-CONTROLLER COUNTY OF LOS AÍVGELES

13 o f n two disposl instnces, DPH could not document ersing ten (15%o) of the 65 totl hrd drives. ln one disposl instnce, DPH documented disposing of 35 computers nd four boxes of hrd drives, nd documented ersing 84 hrd drives. However, we could not determine if DPH ersed every hrd drive becuse the documenttion does not indicte how mny hrd drives were in the boxes. DPH lso does not document the sset tg number of disposed computing devices or the seril number of the ersed hrd drives, mking it impossible to determine which computing devices hd their hrd drive ersed. DPH mngement needs to ensure ll hrd drives re properly ersed before disposl, mintin documenttion of the ersures, nd ensure the documenttion includes the seril number nd/or computing device sset tg number of every hrd drive ersed. Recommendtion 19. Deprtment of Public Helth mngement ensure ll hrd drives re properly ersed before disposl, mintin documenttion of the ersures, nd ensure the documenttion includes the seril number nd/or computing device sset tg number of every hrd drive ersed. lt Securitv lncidents Bord Policy requires deprtment mngement to immeditely report lt security incidents through the County's computer incident response procedure to minimize the impct of security breches, such s HIPAA dt loss, to individuls nd to the County. We noted tht DPH does not lwys report lt security incidents through the County's incident response procedure. Specificlly, DPH mngers/stff identified 131 missing or stolen lt equipment items between 2011 nd 2013, but did not report them to the Deprtment Informtion Security Officer (DISO), s required by Bord Policy As result, the DISO could not ssess the impct of these losses to the individuls, the Deprtment, nd the County. The DISO lso could not mke required notifictions to the Chief lnformtion Office, the Auditor-Controller's (A-C) HIPAA Privcy Officer, nd the A-C Office of County lnvestigtions tht the items nd ny ssocited dt or softwre were missing. Approximtely 85 (65%) of the 131 missing/stolen items were ssigned to sections tht hndle PHl, incresing the risk tht HIPAA or HITECH violtions could hve occurred. DPH mngement needs to report missing nd stolen computers through the County's incident response procedure, nd remind stff to report security incidents to the DISO. Weknesses in DPH's security wreness trining progrm, discussed ín the next section, my hve contributed to stff nd mngers' lck of knowledge of incident response procedures. AU DITOR-CONTROLLER COUNTY OF tos ANGELES

14 DPH - lt nd Securitv Policies Review Pqe 9 Recommendtion 20. Deprtment of Public Helth mngement report missing nd stolen computers through the Gounty's incident response procedure, nd remind stff to report security incidents to the Deprtment Informtion Security Officer. lnformtion Securitv Trining Bord Policy requires deprtments to provide informtion security wreness trining (Trining) to ll lt resource users t the time they re hired nd periodiclly therefter. Trining should be documented to ssist mngement in determining employee wreness nd prticiption. DPH mngement indicted tht they provide periodic Trinings for ll lt users, but lso indicted tht the trining is optionl, genertes low ttendnce, nd DPH does not keep ttendnce records to evlute employee wreness. DPH needs to ensure ll lt resource users receive dequte lt Security Awreness Trining. DPH lso could not document wht Trining mteril they provided to stff, so we could not determine if the Trining ddressed criticl topics such s procedures for reporting lt security incidents s mentioned bove. DPH needs to ensure!t trining nd ttendnce is documented. Recommendtion 21. Deprtment of Public Helth mngement ensure ll informtion technology (lt) resource users receive dequte lt Security Awreness Trining, nd tht the trining nd ttendnce is documented. AU DITOR.CONTROLLER COUNTY OF LOS AÍVGEI-ES

15 Attchment II Pge I of 8 CYNTHIA A. HARDING, M,P.H. lntsr m Direclor JEFFFEY D. GUNZENHAUSER, M.D., M.P.H. lnler m Hollh Ollic r 313 Nolh F gu m Slrs, Fæm 7@ Los An9 16s, Clilornl TEL (213) 2G8156. FAX (213) 48l-2739 wwyy. pnbl ch.rllh.l county. gov EOARD OF SUPERVISORS Hild! L. Solir Fúst Di6tricl l lrrl Rldl.Êhom. Secmd 0irtict Sh.ih Ku.hl Thùd D strit Oon Xnlb Foudh Oiskict Frhh O 3ùicl April2,20L5 TO: lohn Nimo Auditor-Controller FROM Cynthi A, Hrdine, MPH lnterim Director SUBJECf: DEPARTMENT OF PUBUC HEALTTI - RESPONSE TO INFORMATION TECHNOTOGY AND SECURITY POTICIES REVIEW Plese find ttched our response to the ud t performed by your deprtment of Public Helth's complince with the Bord of Superyisors' lnformtion Technology nd Security Policies, As indicted in the ttchment, DPH grees with ll of the findings nd we re in the process of ddressing those res where we were not in full complince, Our Deprtmentl lnformtion Security Officer will be following up to ensure tht ech corrective ction is effectively implemented. I would like to thnk you nd your stff for bringing to our ttent on the res tht we need to strengthen. lf you hve ny quest ons or require dditionl informtion, plese contct me, or your stff my contct Jim Green, DPH Chief lnformtion Officer, t or jimgreen@ph.lcounty.gov CH:JG:dc:v Attchment County Counsel County Chief HIPAA Privcy Officer County Chief lnformtion Security Officer Auditor-Controller DPH Administrtive Deputy DPH Chief lnformtion Officer DPH Audit & lnvestigtions Division DPH HIPAA Privcy Officer DPH lnformtion Security Officer

16 Attchment ll Pge 2 ol 8 Attchment I Review of Public Helth's Complince with Bord lt Policies Systems Access 1." Terminted Employee Access Determine if terminted employee ccess to the Public Helth lb System resulted in Helth lnsurnce PortbiliÇ nd Accountbility Act nd Helth lnformtion Technology for Economic nd Clinicl Helth Act lws (HIPAA/HITECH violtion, nd tke ction to correct nd report ny violtions. Agree, DPH determined tht the terminted employee's Public Helth Lb System ccount ws used by n employee ssigned to perform the sme duties tht the terminted employee performed. The employee filed to obtin nd use her own credentils for these duties, which violted County policy. However, this did not result in reportble brech of Electronic Protected Helth lnformtion (ephl). DPH reviewed Public Helth Lb System user ccounts t the helth center to ensure tht employees re ll using their own credentils. The DPH lt Security Awreness Trining Progrm includes review of Acceptble Use, lt Security is emphsizing in ech trining session t DPH Progrm offices the requirement tht employees use only their own uthorized credentils for system ccess. 2 Remind stff to immeditely updte systems ccess privileges when employees terminte. Agree. Since July, 2Ot4,DPH lt Directors re being reminded in the Deprtmentl lnformtion Security Steering Committee to promptly remove credentils of terminted employees nd to regulrly review user ccounts to ensure tht ll system ccess privileges re pproprite. DPH is developing procedures for notifying Progrm Directors nd System Mngers of personnel chnges, instructing them to immeditely updte system ccess privileges when employees terminte or chnge ssignments, nd providing regulr review of ccount privileges, 3. Periodiclly review systems ccess to ensure ccess levels re uthorized nd ppropríte for ech user's job duties. Agree, DPH now utomticlly disbles ny Active Directory ccount for which 60 dys psses without login ctivity, The Deprtmentl lnformtion Security Officer is developing tools to conduct regulr ssessments of ccounts nd ccess privileges for ech DPH system to ensure users hve the pproprite level of ccess reltive to their job duties,

17 Attchment ll Pge 3 of I Access Documenttion Recommendtions 4. User Access Reports Evlute modifying the Ptient Helth lnformtion System (P-HlSl to trck nd report user ccess roles or develop lterntive mesures to monítor user ccess. Agree, As prt of n upgrde implemented in December 20L4, users re now required to uthenticte through Active Directory (AD) to log in to P-HIS. The login cretes user ccess log entry, which is being used to monitor ccess. 5. Access Role Documenttion Document ccess role cpbilities for CseWtch HIV nd CseWtch STD, nd monitor eccess s required, Agree. As of September,2OL4, Csewtch (HlV) nd STD*Csewtch users log in through Terminl Server, This login process cretes user ccess log entry, which is used to monitor ccess. DPH will develop stndrd System Access Authoriztion form by June 30,2015, to include justifictions for ccess nd role descriptions for ech system ccess request. Access Controls Recommendtions 6. Require systems' psswords to include combintion of numeric upper nd lowercse chrcters. Agree. The DPH Active Directory, which controls ccess to PCs, file shres, nd other DPH network resources, enforces complex psswords, Some DPH dt systems require dditionl credentils for ccess, nd we re conducting n evlution to determine for ech system whether it cn be configured or modified to implement complex pssword requirements, ln cses where strong pssword logic cnnot be implemented, DPH will evlute options to replce systems or provide compensting controls. 7 Access Authoriztions Document pprovls for ll system ccess ssignments. DPH will develop stndrd System Access Authoriztion form by June 30,2Ot5, to include justifictions for ccess nd role descriptions for ech system ccess request, nd develop record-keeping procedures, Revielv of Pul)l c Heòlth's Cornplince r,vitlr Borcl lt Policies April 2, 2015 Pge 2 oí 7

18 Physicl Security Attchment ll Pge 4 of I 8. lmmeditely cncel keycrd ccess for terminted employees nd for ny employee who trnsfers to nother loction or termintes employment. Agree. DPH hs cnceled keycrd ccess for terminted employees identified in the udit. DPH will develop procedures to notify Progrm Directors nd System Mngers of personnel chnges nd instruct them to immeditely updte keycrd ccess when employees terminte or chnge ssignments. We will lso conduct periodic reviews of ccess lists to ensure tht ll ccess continues to be pproprite, 9. Unsecured Equipment Secure unttended computing devices when not in use, including when devices re witíng for snittion nd disposl. Agree. DPH hs convened n Asset Mngement lmprovement Tem to work with the Ferguson Wrehouse Mngers nd Asset Custodins to ensure tht ssets in the wrehouse nd other fcilities re properly secured. 10. Surveillnce Svstem ldentify funds nd stff resources to replce the surveillnce system t the criticl informtion technology fcility ldentified in our review. Agree, DPH hs engged vendor to review the surveillnce system nd mke recommendtions for the design nd impfementtion of replcement system. Once design is pproved, DPH will move expeditiously to cquire nd implement the replcement system. To further ddress physicl security, DPH will develop Fcility Security Pln to document physicl security mesures t ech DPH fcility. Revierv of PLrblic Helth's Conrplince t', ith Borcl lt Policies April 2,2015 Pge 3 of 7

19 Attchment ll Pge 5 of I lt Equipment Control E q ui pme nt I nve ntories Recom me n d ti ons tt. lnvestigte missing computer devices nd report ny lost or stolen computers using the County's íncident response procedures. Agree, DPH investigted the missing devices identified in the udit, A Computer Security lncident Report Form hs been completed nd submitted to the County Chief lnformtion Security Officer in ccordnce with the County's incident response procedures. Progrm Directors nd Asset Custodins hve been reminded tht the County's incident response procedures require employees to report lost, stolen, or improperly inventoried County lt resources immeditely to their supervisors. The monthly Deprtmentl lnformtion Systems Security Committee (DISSC) Meeting is used to periodiclly remind lt Directors of these requirements. ln ddition, t ech nnul inventory, the Deprtmentl lnformtion Security Officer will work with DPH Mterils Mngement to ensure tht in the event ny computer items re not ccounted for, they re properly reported using the DPH Computer Security lncident Report Form. t2 Updte equipment inventories for inccurcies. Agree, The DPH Asset Mngement lmprovement Tem is reviewing ll inventory mngement procedures to identify gps nd prioritize improvements, lnitil improvements include: (1) Slvge ctivities hve been centrlized for improved ccurcy nd control, nd (2) PC technicins use the Deprtment's brcode sset mngement system to immeditely updte inventory in the field s equipment is moved or slvged, 13. Ensure County property tg is ttched to ll equipment. Agree. DPH revised its process in December 2OL4to ensure tht ll equipment received goes through the DPH Mterils Mngement Wrehouse, where it is tgged, ln ddition, PC technicins will be trined to ensure County ssettg is ttched when performing nnul inventories, conducting routine inspections, providing mintennce, or replcing lt equipment, Revielv of Pt blic Helth's Conrplince t'vith Borcl lt Policies April 2,2015 Pge 4 of 7

20 Attchment Il Pge 6 of 8 L4. Ensure stff conduct ccurte physicl equípment inventories nd investigte nd updte inventory lists for ny discrepncies. Agree. The DPH Asset Mngement lmprovement Tem is reviewing ll inventory mngement procedures to identify gps nd prioritize improvements. PC technicins will receive dditionl trining on procedures nd will use the Deprtment's brcode sset mnegement system to immeditely updte inventory in the field s equipment is mintined, moved or slvged, 15. Evlute stff computer ssignments, trnsfer or slvge unneeded items, nd evlute estblishing computer pool nd checkout process. Agree. DPH will evlute current computer ssignments to determine whether the pproprite equipment nd the number of ssigned computers re in lignment with job duties. We will ensure tht proper trnsfer nd slvging of unneeded items re completed nd documented. We will evlute expnding the use of computer pools nd refining the computer checkout process. Portble Computer Encryption 16. Ensure ll poéble computers re encrypted nd tht ech portble computer cn be specificlly rntched with documenttion tht confirms it is protected by current encryption technology. Agree, DPH will conduct LOO% recll of ll portble computers in the Deprtment to vlidte nd document tht they re properly encrypted. ln ddition, s prt of the desktop encryption project, we re implementing the cpbility to monitor nd report on the encryption sttus of ll computers, including portbles. L7 Periodiclly monitor the encryption sttus of ll portble computers. Agree. DPH worked with the County Chief lnformtion Security Officer to cquire WinMgic softwre, which DPH will use to monitor nd report on encryption sttus of ll desktops nd portble computers, Revielv of Pr.rl lic Helth's Cornplince r,vith Bord lt Polícies April 2, 2O15 Pge 5 of 7

21 Attchment ll Pge 7 of I Antivirus Softwre Antivirus Recommendtion 18. Ensure ll computers hve current ntivirus protection. Agree, The Deprtment's desktop computers receive ntivirus updtes through routine ptching over the network, As prt of the portble computer recll, DPH will review ech portble computer to verify its ntivirus protection nd correct ech deficiency. We will ensure ech computer is configured to receive routine ntivirus updtes. Hrd Drive Disposl 19. n Ensure ll hrd drives re properly ersed before disposl, mintin documenttion of the ersures, nd ensure the documenttíon includes the seril number ndlor computing device sset tg number of every hrd drive ersed. Agree, Previously, hrd drives were removed from computers in DPH Progrm offices before being slvged, which mde it difficult to determine whether the hrd drive ws properly ersed prior to disposl of the computer. Under our new procedures implemented in July 2OL4, the entire computer is sent to the DPH Mterils Mngement Wrehouse for proper snitizing nd documenttion. lt Security lncidents 20. endtion Report missing nd stolen computers through the County's incident response procedure nd remind stff to report security incidents to the Deprtment lnformtion Security Officer (Drsol. Agree. All DPH stff were reminded in Mrch, 2015, tht the County's incident response procedures require employees to report missing or stolen County lt resources immeditely to their supervisors. The DepÉmentl lnformtion Security Officer routinely reinforces incident response procedures in the monthly Deprtmentl lnformtion Systems Security Committee (DISSC) Meeting. Revier*v of Pul lic Helth's Complince r,vith Bord lt Policies April 2,2015 Pge 6 of 7

22 Attchment II Pge 8 of 8 I nfo rmtio n Secu ritv Tri ni nq 2t. Ensure ll informtion technology (lt) resource users receive dequte lt Security Awreness Trining nd tht the trining nd ttendnce is documented. Agree. Currently, Deprtmentl policy requires tht ll employees tke HIPAA wreness trining within 30 dys of employment. The Deprtment's orienttion pckge includes dditionl informtion bout computer security. Effective My 2OtL, ttendees of the qurterly lt Security Awreness Trinings sign in to document their ttendnce trining. ln ddition, the DepÉmentl lnformtion Security Officer is working with the County lnformtion Security Officer on selection nd implementtion of online lt security wreness trining to be delivered to ll employees through the LerningNet. Revierv of Public He lth's Conrplince with Bord lt Policies April 2, 2O15 Pge 7 of 7