LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 551.02 Facility Access Control
 
Policy Category:  Administrative
Distribution Level:  Directly Operated and Contractors
Responsible Party:  Chief Information Office Bureau
 
Approved by Edgar M. Soto, MBA, CSP, Administrative Deputy III, on January 21, 2020
 
 
I.  POLICY STATEMENT
 
The purpose of this policy is to define the process for ensuring the physical protection of Los Angeles County Department of Mental Health (DMH) information systems and their infrastructure.

Contracted agencies shall develop an internal policy and associated procedures that are consistent with their organizational practices and meet the requirements set forth in this policy.

 
II.  DEFINITIONS
 
III.  POLICY
 
DMH shall limit physical access to electronic information systems—and the facility in which they are contained—while ensuring that only authorized access is permitted.  This policy and its associated procedures must be consistent with DMH Policy No. 508.01, Safeguards for Protected Health Information (PHI).

DMH shall ensure the integrity, confidentiality, and availability of data through the following Facility Access Control components:
  1. Contingency Operations

    DMH Chief Information Officer (CIO) must be responsible for developing, testing, implementing, and maintaining the information technology (IT) component of the DMH Contingency Operations Plan.  The plan provides facility access when necessary to restore information systems and/or lost data under the Disaster Recovery Plan and Emergency Mode Operations Plan in the event of an emergency (DMH Policy 550.03, Information Technology Contingency Plan Policy).

     
  2. IT Facility Security Plan

    DMH Chief Information Officer (CIO) must be responsible for developing, testing, implementing, and maintaining the IT component of the Facility Security Plan to safeguard the facility and the computer information assets therein from unauthorized physical access, tampering, and theft.

    DMH facility management must:

     
    • Ensure that only permitted and authorized workforce members have access to computing devices.
    • Ensure that the networking devices such as servers, switches, and routers are in locked rooms and cabinets, away from the public and unauthorized individuals.
    • Validate that all facility workstations, notebooks, monitors, and printers are locked and secured by a locking mechanism in order to prevent unauthorized movements, tampering, loss, and/or theft. 
       
  3. Physical Access Control and Validation for workforce members and visitors

    DMH Chief Information Officer (CIO) must be responsible for developing, testing, implementing, and maintaining the IT component of the Facility Access Control and Validation Procedure to control and validate the access of each person (including each visitor) to the facility based on his/her role or function, and to control access to software programs for testing and revision.

    DMH facility management must ensure that areas where sensitive and confidential data is accessed or maintained are protected and behind a locked door inaccessible to and restricted from the public or unauthorized workforce members.

    CIO must implement and configure access card systems and cipher locks or keys where feasible to control admittance to restricted areas so that individuals are only able to access and enter areas for which they have authorization.

    Workforce members must wear and visibly display a current photo identification badge as provided by DMH Human Resources.  Prior to its expiration date, workforce members must renew their badge through DMH Human Resources.  Facility personnel must escort visitors at all times.  No exception will be permitted.

     
  4. Facility Maintenance Records

    CIO must be responsible for developing, testing, implementing, and maintaining a Facility Security Maintenance Record to document repairs and modifications to the physical components of the facility that are related to security (e.g., hardware, walls, doors, locks).

IV.  PROCEDURES
 
V.  AUTHORITIES