System managers/owners must adhere to the established DMH security management process, which includes:
- A risk analysis of electronic data resources and information systems and processes;
- Identification of any administrative, physical, and technical risks that could impact PHI and other confidential data;
- A risk management plan, vulnerability assessment scanning, and information systems activity review procedures;
- The application of a disciplinary action/sanction policy against members and other users who fail to comply with DMH Policy 553.02, DMH Privacy and Security Compliance Program.

System managers/owners must maintain an up-to-date list of all current DMH applications and systems and ensure that all known systems undergo an annual risk assessment and have in place a risk management plan and a documented, auditable activity review procedure.

Risk Analysis/Risk Management
DMH Chief Information Officer (CIO) must ensure that system managers/owners conduct risk assessments for their data resources and information systems. Department Information Security Officer (DISO) must document risk assessment results in a Risk Analysis Report. CIO or designee must create a DMH Master Security Management Report. The report shall be updated at minimum annually to identify system and application risks and recommend safeguards and actions to mitigate those risks. The recommended safeguards and actions must expressly include justifications for any exceptions or decisions not to mitigate a system or application risk. CIO or designee must develop appropriate plans to implement the Master Security Management Report's recommended safeguards and actions. The Risk Analysis Report and Master Security Management Report must be provided to the DISO or designee for review and approval. The reports must be kept confidential and available only to those with a need to know in order to remediate or supervise remediation.

Disciplinary Action/Sanction Policy
Workforce members who violate any of the data security policies or procedures may be subject to appropriate disciplinary action up to and including discharge in accordance with the administrative specification in DMH Policy 605.01, Discipline, and Civil Service Rule 18.031, Discipline. Failure to comply with the Health Insurance Portability and Accountability Act (HIPAA) can result in civil and criminal penalties (42 USC 1320d-5). Non-DMH workforce members, contractors, and agencies that violate the security policies and procedures are subject to sanctions or penalties imposed pursuant to the applicable contract, memorandum of understanding (MOU), and/or federal, State, or local laws.

Information Systems Activity Review
DMH Chief Information Officer (CIO) or designee must establish, document, and implement procedures and schedules for reviewing information systems activity, including, but not limited to, audit logs, problem logs, system access reports, change control logs, and security incident reports. DISO or designee must conduct an evaluation of security safeguards annually, or more frequently when there are changes in the DMH security environment, to demonstrate and document compliance with both County and DMH security policies and procedures. For additional information on this matter, please consult with the DISO.