Health and Human Services Enterprise Information Technology Security Training Resource Guide



Health and Human Services Enterprise Information Technology Security Training Resource Guide Version 1.0 March 28, 2005

Table of Contents

Section I Getting Started
  Introduction
    Overview
    Information Security
    HIPAA Security Rule
    Other State and Federal Security Laws
Section II About This Guide
  Overview
Section III Security Guidelines
  Computer Usage Agreement
  Computer Resources and Right to Privacy
  Personal Use of State Owned Resources
    Equipment
    Internet
    Pornography or Sexually Explicit Information
  Your Agency E-mail
  Responding to E-mail Requests Containing PHI
    External Requests
    Internal Requests
  Fax Communication
  Virus Protection/Reporting
  Passwords
    Selecting a Strong Password
    Sharing Your Password
    Compromised Password
  Protecting Information During Transmission
    Acceptable Ways To Transmit Sensitive Data
  Software Policy
    Personal Software
    Software From the Internet
  Protecting Against Unauthorized Access
    Electronic Access
    Employment Termination
  Physical Security
  Portable Computing Devices
  Reporting a Security Breach
  Media Disposal
  Failure to Comply
Section IV Glossary

Section I Getting Started

Introduction

Overview

The Texas Health and Human Services (HHS) Enterprise information and information resources are valuable assets that must be protected from unauthorized disclosure, modification, use, or destruction. The Health and Human Services Commission and its member agencies must take steps to ensure that their information and information resources maintain their integrity and confidentiality and that their availability is not compromised.

This training is provided to inform you about the HHS security policies that define the level of security controls that will protect assets against unauthorized access, disclosure, modification or destruction, whether accidental or deliberate, as well as assure the availability, integrity, utility, authenticity and confidentiality of information.

As a user of the HHS Enterprise computer systems, you have been authorized to read, enter, or update information. You have the responsibility to use the information resource only for the purposes for which you have been specifically approved. You must also comply with all defined security measures. You are responsible, and will be held accountable, for all actions performed under your user identification (user ID). You must protect your area by keeping unauthorized individuals away from your equipment and data. In addition, you must report all situations where you believe an information security vulnerability or violation may exist, according to your normal problem reporting procedure.

All of the answers you will need to successfully complete the training and pass the test are found in this guide.

Information Security

This guide provides a high-level review of the Agency's Security Policies and Procedures. As you read through this guide you will see reference notations next to some of the text. These notations refer you to other, more detailed documents, including:

- Texas Health and Human Services (HHS) Enterprise Security Policy Security Guide (ESPSG)
- The HHS Human Resources Manual (HR Manual)
- HHS Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Policy

Version 1.0 1 03/28/2005

When you take the test, you will be told whether you answered each question correctly or incorrectly. If you answered incorrectly, the reference will tell you where to find the correct answer. If you answered correctly, the reference will reinforce why the answer was correct.

HIPAA Security Rule

The final HIPAA Security Standard Rules were published on February 20, 2003. The regulations adopt standards for the security of electronic protected health information (PHI). Covered entities must implement these standards by April 20, 2005. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to ensure the confidentiality of electronic protected health information.

Definition of PHI

"Protected Health Information", or PHI, is information that is:

1. Linked to, or could be linked to, a specific person by name, Social Security number (SSN), date of birth (DOB), geographic area or other individually identifiable information (for example, a Medicaid ID number), and is
2. Related to that person's past, present or future physical or mental care condition; the provision of health care to that person; or the payment for the provision of health care.

Other State and Federal Security Laws

State agencies shall provide an ongoing information security awareness education program for all users. It is the policy of HHS that the agencies and their employees will protect the Information Resources (IR) of the department in accordance with the Texas Administrative Code (TAC), Title 1, Part 10, Chapter 202 (Information Security Standards) and the Information Resources Management Act (Texas Government Code Chapter 2054). HHS Agencies will also protect the information resources in accordance with Agency and enterprise rules and regulations, and applicable state and federal laws.

Violating a data security system may be a crime under Chapter 33 of the Texas Penal Code (Computer Crimes). The criminal classification ranges from a misdemeanor through a felony of the first degree, depending on circumstances. In addition, violation of copyright laws and license agreements, including those applicable to computer software, may result in fines and/or other legal actions.

Section II About This Guide

Overview

This guide is your resource for answering the test questions on the Security computer based training (CBT). Read this guide carefully in preparation for taking the test. All of the answers you will need to successfully complete the training are found in this guide. If you want a more detailed explanation, a notation under the major headings in Section II gives the reference to the manual where it can be found. Example: [ESPSG - Protection Against Malicious Code].

The purpose of security training is:

- To reinforce security policies, practices and procedures,
- To ensure that you are knowledgeable and aware of security threats, concerns, and the procedures for reporting security incidents,
- To establish responsibility and accountability, and
- To satisfy legal requirements.

This resource guide provides an overview of the security policy that includes:

- Personal use of equipment and the Internet,
- Passwords,
- Protecting individually identifiable health information and other sensitive information during electronic transmission and at rest,
- Downloading software to your desktop,
- Destruction of old computer equipment, disks and CDs,
- Network access, and
- Penalties and disciplinary action that will result if you violate a security policy.

Section III Security Guidelines

Computer Usage Agreement [ESPSG - User Access Management]

It is mandatory for all Agency workforce members (employees, temporary employees, volunteers, and employees of independent contractors) who are approved to access the Agency's information systems to sign the Agency's Computer Usage Agreement. When signed, the Agency's Computer Usage Agreement confirms that the employee understands the policies and procedures related to the use of the Agency's computer resources. Existing workforce members must recertify their understanding on an annual basis. Certification is required before the employee can access any Agency computer system.

In addition, confidentiality and non-disclosure agreements indicate that certain information is private or secret. Employees who need to access such information shall be required to sign a confidentiality agreement.

Computer Resources and Right to Privacy [HHS HR Manual Chapter 4 (Employee Conduct)]

You should not have any expectation of privacy for material sent or stored on Agency computer resources. According to the HR Manual, Agency-provided equipment and information systems, such as computer files, desk files, electronic mail (e-mail), and voice mail, are the property of the State of Texas. An HHS employee does not have a right to privacy in any of the property provided by an HHS Agency.

All information a governmental body collects, assembles, or maintains is public unless expressly exempt from disclosure by law. Public information can be obtained through a public information (open records) request.

Without advance notice, HHS agencies reserve the right to:

- Monitor voice mail messages,
- Monitor messages sent over the e-mail system,
- Enter or monitor the computer files of HHS employees, and
- Examine any state-owned equipment or property.

This also means that your Agency has the right to track your Internet use. The Internet Use policy is discussed later in this guide.

Personal Use of State Owned Resources [HHS HR Manual Chapter 4 (Employee Conduct)]

Equipment

Employees are expected to observe work rules. The HHS-HR Manual Section B (Employee Conduct), Work Rule #4, states: "[HHS employees] must limit personal use of state computers." Personal use must not increase the state's costs for computer supplies, such as paper or toner. Printing personal documents is prohibited.

State computer resources cannot be used to play computer games unless there is an HHS Agency-approved, business-related purpose. For example, using a computer game for therapy or rehabilitation with a consumer would be considered an Agency-approved, business-related purpose.

Internet

The Agency Internet connection is intended to support official Agency business. The Internet may be used for limited personal purposes in the same manner as the telephone may be used for limited personal purposes. Unacceptable uses of the Internet are those that:

- Interfere with the ability of other Agency staff to do their jobs in a timely manner, including listening to or watching non-work related audio or video broadcasts;
- Initiate, distribute, or forward chain letters;
- Involve solicitation;
- Are associated with any personal business activity;
- Interfere with the performance of official HHS duties and normal work activities;
- Involve offensive or harassing statements, including comments based on race, national origin, sex, disability, or religion;
- Send, forward, download, or store sexually oriented messages or images.

Employees found using the Internet for inappropriate purposes may be subject to disciplinary action, up to and including dismissal. Viewing or downloading pornographic material is cause for immediate dismissal.

Personal use of the Internet for continuous audio or video feeds may adversely impact system performance and is prohibited. It is important for Agency employees to keep bandwidth capacity free for business purposes (e.g., monitoring legislative bills, performing work-related Web-search activities, or participating in a Web seminar).

Pornography or Sexually Explicit Information

Sending, forwarding, downloading, and storing non-work related sexually oriented messages or images are unacceptable uses of the Internet and are cause for immediate dismissal. If an employee observes someone viewing or downloading pornography or non-work related sexually explicit information on an Agency computer, they must report the incident to their supervisor or the HHSC Office of Inspector General (OIG) - Internal Affairs Section. If you are a supervisor and suspect that these activities are being performed on an Agency computer, do not initiate a search of the computer. Report the incident to the HHSC Office of Inspector General (OIG) - Internal Affairs Section. OIG staff will provide directions to supervisors and/or designated Information Technology (IT) personnel.

Use of Agency E-mail [HHS HR Manual Chapter 4 (Employee Conduct)]

You have the responsibility to use information resources only for the purposes assigned to you and as stated in Agency policies. The use of e-mail is covered under the HHS-HR Manual Section B (Employee Conduct), Use of the Internet. The Internet and an HHS employee's Agency e-mail address may be used for limited personal purposes in the same manner as the telephone may be used for limited personal purposes (e.g., communicating with a family member). Employees found using the Internet or e-mail for inappropriate purposes may be subject to disciplinary action, up to and including dismissal.

Employees should not respond to requests for their Agency e-mail address except for business-related purposes. Giving out your Agency e-mail address provides a potential window of opportunity for businesses and individuals to indiscriminately send you unsolicited, non-work related e-mail, more commonly known as SPAM or junk e-mail. This has the potential to clog or slow down the transmission of data on State computer networks.

Responding to E-mail Requests Containing PHI [HHS HIPAA Security Policy]

When you receive e-mail requesting information that contains protected health information (PHI), it is important that you know the acceptable ways to respond. Encryption is the only secure method for sending communication over the Internet. Currently, encryption technology is not available to HHS employees to secure e-mail communication with consumers or the general public. Other methods, such as password-protecting a document, add an additional level of security; however, such passwords may be broken using tools available on the Internet.

In general, confidential information may be transmitted over the Internet (external e-mail) only if:

- An acceptable mode of encryption is used to protect the confidentiality and integrity of the data, and
- An authentication or identification procedure is employed to assure that both the sender and recipient of the data are known to each other and are authorized to receive and decrypt the information.

External Requests

If you receive an e-mail from a consumer, or from another individual about a consumer, and that e-mail message contains PHI, you should respond using the following procedures:

- If you can answer the consumer inquiry without PHI, respond appropriately. Do not include PHI in your response. This includes the PHI in the original request.
- If the answer to the inquiry requires you to include PHI, e-mail the requestor that you must respond in writing, either through the mail or via regular fax (not efax).

Internal Requests

If encryption is available, it should be used. If it is not available, communication of PHI or confidential information from one HHS employee to another over internal lines (intranet) is considered an acceptable risk. However, e-mail should not contain PHI or confidential information in the subject line, and any confidential information or PHI contained in the body of the e-mail should be kept to the minimum necessary. If you have any questions about how to respond, contact your Agency Privacy Officer.

Fax Communication

FAX communication of PHI and/or confidential information is also considered a secure transmission method. If the information is sent by fax, the cover sheet should include a statement that the information is confidential. Staff should not use efax to communicate with consumers or the general public.

Virus Protection/Reporting [ESPSG - Protection Against Malicious Code]

Your computer has virus protection software installed on it. This software is your first line of defense against an attack and must not be disabled or bypassed. Employees should never disable or cancel anti-virus software scans. Doing so leaves your computer vulnerable, which in turn can open a doorway for the virus to move onto the network. Every virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported immediately to your Agency Help Desk.

It is your responsibility to:

- Protect information resources through requirements for the prevention and detection of malicious code, and
- Mitigate potential liability from propagating malicious code.

This means that if you suspect an e-mail attachment contains a virus or other malicious code, you must not open it or forward it. Doing so will cause the virus to spread and has the potential to cause very serious damage, not only to your computer but also to the entire computer network. Follow the Agency's Help Desk instructions as to what you should do. Remember, it is your responsibility to protect information resources. You will be subject to disciplinary action if any problems occur because you removed or bypassed the virus protection software.

Passwords [ESPSG - Password Use]

When you signed your Agency's Computer Usage Agreement you agreed that you would comply with the security policies and procedures of the state Agency. The agreement makes you accountable for protecting state resources from unauthorized access.

A password is a secret word or phrase used to gain admittance or access to information. Passwords are used to grant access to:

- Systems that reside at any HHS Enterprise facility,
- The HHS Enterprise network, or
- Stored HHS Enterprise information.

Passwords are used for the following purposes:

- To prevent compromise of confidential information,
- To provide a minimum level of user authentication, and
- To establish user accountability.

Users should not use:

- The same password for HHS Enterprise accounts as for other non-HHS Enterprise access (e.g., personal ISP account, option trading, benefits, etc.).
- The "Remember Password" feature of applications.

Selecting a Strong Password

Strong passwords provide the first line of defense against improper access and compromise of confidential information. Strong passwords typically follow these best practice characteristics:

- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and special characters as well as letters (e.g., 0-9, !@#$%^&*()_+~-=\`{}[]:";'<>?,./)
- Are at least eight characters long. Note: Some legacy systems may not accept a 6-8 alphanumeric character string and special characters.
- Do not have consecutive duplicate characters such as 99 or BB
- Do not have consecutive-count numbers or letters such as 1234 or ABCD
- Are not words in any dictionary, including slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Are not written down or stored on-line.
- Should be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way to Remember" and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation.
- Should never be the same as your user ID.

Sometimes your Agency assigns a temporary password for you to access certain systems. You are responsible for changing that temporary password to a permanent one of your choosing. Passwords are meant to be a secret, so you are not supposed to share your password with anyone, including the IT staff.

Passwords should be changed periodically, at least once every 90 days. It is recommended that user-level passwords (e.g., e-mail, web, desktop computer, etc.) be changed more frequently, at least once every 60 days. User accounts that have system-level privileges granted through group memberships or programs should have a unique password from other accounts held by that user.

Sharing Your Password

You must not share your HHS Enterprise password with anyone, including administrative assistants or secretaries. All passwords should be treated as sensitive, confidential information. You should not write passwords down and store them anywhere in your office. Nor should you store passwords in a file on ANY computer system (including Personal Digital Assistants or similar devices) without encryption.
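The strong-password characteristics listed above can be applied mechanically, which is how a system would enforce them at password-change time. The following Python checker is an added example written for this guide, not Agency code. The dictionary word list and the personal-information terms are constructed samples standing in for the full lists a real check would use, and the consecutive-count rule is interpreted here as any three or more adjacent digits or letters that step up or down by one (the guide's 1234 and ABCD are instances; descending runs such as 4321 are treated the same way), which is an assumption about how that rule is applied.

```python
"""Added example: a checker for the Selecting a Strong Password rules.

Written for this guide, not Agency code. The word lists below are
constructed samples, not the Agency's real dictionary.
"""

# Constructed sample word list; a real check would use a full dictionary
# (including slang, dialect and jargon, as the guide requires).
DICTIONARY_WORDS = {"password", "welcome", "texas", "health", "secret", "summer"}

# The special characters listed in the guide.
SPECIAL_CHARS = set('!@#$%^&*()_+~-=\\`{}[]:";\'<>?,./')

# Assumption: a "consecutive-count" run is three or more adjacent digits or
# letters stepping up or down by one (1234 and ABCD are the guide's examples;
# 4321 and dcba are treated the same way here).
RUN_LENGTH = 3


def has_consecutive_duplicates(password):
    """True if any two adjacent characters are identical (e.g. 99 or BB)."""
    return any(a == b for a, b in zip(password, password[1:]))


def has_consecutive_count(password, length=RUN_LENGTH):
    """True if `length` adjacent digits or letters count up or down by one.

    Letters are compared case-insensitively; a window that mixes digits,
    letters and symbols is not a counting run and is skipped.
    """
    p = password.lower()
    for i in range(len(p) - length + 1):
        window = p[i:i + length]
        if not (window.isdigit() or window.isalpha()):
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, user_id, personal_terms=()):
    """Return the list of guide rules the password violates (empty = acceptable).

    personal_terms: constructed list of names, dates and similar personal
    information that must not appear anywhere in the password.
    """
    lowered = password.lower()
    failures = []
    if len(password) < 8:
        failures.append("at least eight characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        failures.append("at least one digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("at least one special character")
    if has_consecutive_duplicates(password):
        failures.append("no consecutive duplicate characters (e.g. 99, BB)")
    if has_consecutive_count(password):
        failures.append("no consecutive-count numbers or letters (e.g. 1234, ABCD)")
    if any(word in lowered for word in DICTIONARY_WORDS):
        failures.append("not a dictionary word")
    if any(term.lower() in lowered for term in personal_terms if term):
        failures.append("not based on personal information")
    if lowered == user_id.lower():
        failures.append("not the same as your user ID")
    return failures


def is_strong(password, user_id, personal_terms=()):
    """Convenience wrapper: True when no rule is violated."""
    return not check_password(password, user_id, personal_terms)


if __name__ == "__main__":
    # The guide's own examples (built from "This May Be One Way to Remember")
    # pass; a password built from the user's name plus a counting run does not.
    for candidate in ("TmB1w2R!", "Tmb1W>r~", "jdoe1234", "Welcome99!"):
        print(candidate, check_password(candidate, "jdoe", ("John", "Doe")) or "OK")
```

Returning the full list of violated rules, rather than a single pass/fail, is what lets a password-change screen tell the user which characteristic to fix; the "not written down" and "changed every 90 days" rules cannot be checked from the password string itself and are enforced by procedure and expiry settings instead.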

If you need to share computer-resident data, you should use approved network services or any other mechanisms that do not infringe on any policies.

Compromised Password

You are responsible for all activity that takes place with your user ID and password (or other authentication mechanism). If you suspect that your password has been discovered or used by another person, you should immediately change your password and report the incident to your Agency's IT Security Team.

Protecting Information During Transmission [ESPSG - Network Access Control]

Some methods are not considered acceptable for transmitting sensitive data, such as protected health information (PHI). Although a password-protected document adds an additional level of security, the password may be broken using tools available on the Internet. Password-protected documents are not considered secure. Therefore, external communications containing sensitive data or PHI must be encrypted.

Acceptable Ways To Transmit Sensitive Data

HHS Enterprise system employees are required to use a secure link (e.g., encrypted) to transmit sensitive or confidential information outside of an Agency's network. Such encryption should be accomplished only with systems approved by the IT department. If you need to transmit sensitive or protected data, you must use encryption or the protected transmission environment in use by your Agency, such as Virtual Private Networks (VPN) and Network Address Translations (NAT).

Software Policy [ESPSG - Software Licensing]

It is illegal to copy commercial software or install unlicensed copies of commercial software on Agency computer resources.

Software From the Internet

Staff should not download software from the Internet unless it is on an Agency-approved list. Downloading unapproved software runs the risk of introducing malicious code into the network. Your Agency's Help Desk will have the latest information on software approved for Agency use and will be able to guide you to further information as needed.

Personal Software

Employees cannot install personally owned software on Agency computers.

Protecting Against Unauthorized Access [ESPSG - User Access Management]

You should notify the appropriate Agency management if access control mechanisms are broken or if you suspect that these mechanisms have been compromised.

Electronic Access

Sensitive information, either in paper or electronic form, must be protected from unauthorized access or disclosure. Care should be taken to limit access. To prevent unauthorized access, staff should implement one or more of the following:

- Implement a password-protected screen saver requirement.
- Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Locking your workstation or starting a password-protected screen saver before you leave your work area will prevent unauthorized persons from viewing sensitive information. Some computer applications and systems have embedded coding to automatically terminate your session after a predetermined time of inactivity.

Employment Termination

The user's password access will be removed from all computer resources whenever an employee's employment with the Agency is terminated. Follow Agency procedures for removing access.

Physical Security

Measures have been designed to safeguard the physical perimeter of Agency facilities that house HHS Enterprise information resources.

Security Badges

One of the safeguard measures is your identification badge. It identifies you and your access privileges and is a control to prevent unauthorized access attempts. Physical access controls must not be disabled or bypassed. All badges shall be checked prior to entry. Such checking may be done by a receptionist, desk attendant, security guard or electronic card reader that logs the identity, time, date, and access privileges of each entry attempt.

Never share your security badge. If you forget or misplace your badge, go to your Agency's Security Desk and ask for a temporary one. Do not piggyback through a secure entrance behind an employee who has a security badge. Likewise, do not allow anyone to follow you through a secure doorway. Staff authorized to access a facility are required to have their badge visible at all times.

Physical Security Perimeter

Physical security perimeters are used to:

- Restrict access to only authorized users,
- Reduce exposures to malicious threats,
- Allow access privileges to be revoked quickly if necessary, and
- Safeguard the physical perimeter of Agency facilities that house HHS Enterprise information resources.

Portable Computing Devices

When using a portable computing device (e.g., laptop, Palm Pilot, etc.) to access Agency data, you must take precautions to ensure that mobile computing does not compromise the security of the systems being used or the data therein. To ensure the security of the device, implement one or both of the following standards:

- Implement a password-protected sign-on screen requirement for mobile equipment.
- Implement a mechanism to encrypt electronic protected health information when appropriate.

Reporting a Security Breach [ESPSG - Reporting Security Weaknesses]

It is the responsibility of each employee to safeguard information and to report breaches and threats to any of the information resource systems. You are expected to remain vigilant for possible fraudulent activities. You should note and report observed or suspected security weaknesses in systems and services.

Media Disposal [ESPSG - Information & Media Handling & Security]

Sensitive or confidential information stored on electronic hardware and media (e.g., hard disks, CDs, floppy disks, tapes) must be destroyed according to the Agency retention schedule and in a secure manner. This includes the secure disposal of information collected on paper, electronic hardware, or computer media. Just deleting electronic files does not provide a secure method of preventing access to information stored on electronic media. Items that may require secure disposal include: paper documents, audio or video recordings, reports, magnetic tapes, removable disks or cassettes, program listings, test data, and system documentation. To prevent the compromise of sensitive information through careless or inadequate disposal of computer media, follow your Agency procedures for destroying electronic media.

Failure to Comply [HHS HR Manual Chapter 4 (Employee Conduct)]

The HHS HR Work Rules found in Chapter 4, Section B state that HHS employees must keep all HHS information, and all information obtained as an HHS employee, confidential except as otherwise required by law (e.g., the Public Information Act, Texas Government Code, Chapter 552). Consumer-related information may be released only in accordance with sound professional practices, state and federal regulations, and HHS policies and procedures.

Related work rules require that you must:

- Observe work rules;
- Protect state information and property;
- Not steal, sell, willfully or negligently damage, destroy, misuse, lose, or have unauthorized possession of owned or leased state property, or use any HHS property, services, or information in an unauthorized manner or for monetary gain (including vehicles, long distance telephone services, and HHS computer systems);
- Not destroy, falsify, or cause another to falsify, remove, steal, conceal, or otherwise misuse state information (including documents and oral information) or property.

Violating work rules may result in disciplinary action, up to and including dismissal from employment and possible criminal prosecution.

Section IV Glossary

Authentication: The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source, like the signature on a (paper) letter.

Bandwidth capacity: The amount of data that can be passed along a communications channel in a given period of time.

CMS: Federal Centers for Medicare and Medicaid Services. Responsible for enforcing the HIPAA Security Rule.

Computer software: The instructions executed by a computer.

Computer Usage Agreement: An agreement signed by the employee that outlines the policies and procedures related to the use of the Agency's computer resources. Depending on the Agency, this document may also be referred to as: Information Security Agreement, Computer Resource Use Agreement, or Computer Security Agreement.

Computer virus: An example of malicious code. A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allow users to generate macros.

efax: Sending a fax from a computer.

Encryption: Any procedure used to convert plaintext into ciphertext (encrypted message) in order to prevent any but the intended recipient from reading that data.

ESP: HHS Enterprise Security Policy

ESPSG: Enterprise Security Policy Standards and Guidelines

External: Relating to, connected with, or existing outside a single Agency or the network of HHS Agencies.

HHS IT: HHS Enterprise Information Technology (IT) Department

Information Technology Resources or IT Resources: Hardware, software, and communications equipment, including, but not limited to, personal computers, mainframes, wide and local area networks, servers, mobile or portable computers, peripheral equipment, telephones, wireless communications, public safety radio services, facsimile machines, technology facilities including but not limited to data centers, dedicated training facilities, and switching facilities, and other relevant hardware and software items, as well as personnel tasked with the planning, implementation, and support of technology.

Information Resources: Defined by Section 2054.003(6), Texas Government Code and/or other applicable state or federal legislation.

Internal: Relating to, or located within, a single Agency or the network of HHS Agencies.

Internet: A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges. The Internet is the present information super highway.

Intranet: A private network for communications and sharing of information that, like the Internet, is based on TCP/IP, but is accessible only to authorized users within an organization. An organization's intranet is usually protected from external access by a firewall.

PHI: Protected Health Information. Information that is (1) linked to, or could be linked to, a specific person by name, Social Security number (SSN), date of birth (DOB), geographic area, or other individually identifiable information (for example, Medicaid ID number), and is (2) related to that person's past, present, or future physical or mental care condition; the provision of health care to that person; or the payment for the provision of health care.

Privacy Officer: Responsible for implementing and monitoring Agency compliance with Privacy rules.

Security Officer: Responsible for implementing and monitoring Agency compliance with Security rules.

Virtual Private Network (VPN): A network in which some of the nodes are connected using the public Internet, but the data sent across the Internet is encrypted, so the entire network is virtually private.