- The appropriate measure of transmission security necessary is determined through the risk assessment process and outlined in the Facility Master Security Management Report.
- The Departmental Information Security Officer (DISO) or their designee must ensure that DMH deploys and maintains integrity controls and safeguarding methods such as encryption to protect Protected Health Information (PHI) and other confidential communications transmissions over the Internet, external connections, and all parts of the communications network, i.e., Local and Wide Area Network (LAN and WAN).
- The DISO will provide oversight and guidance to the DMH Chief Information Officer (CIO) or their designee to deploy the appropriate network security methods stated in the DMH Network Security Architecture and the DMH Information Technology Network Security Guidelines.
- The DMH CIO or their designee must ensure the facility LAN is optimally managed, operational, secured, and integrates into the DMH WAN for secured Internet and external connections.
- The DMH CIO or their designee must ensure System Managers/Owners utilize and maintain integrity controls and safeguarding methods such as encryption whenever deemed appropriate to protect PHI and other confidential communications transmissions.
- The DMH CIO or their designee must ensure System Managers/Owners take into consideration each system's Risk Analysis Sensitivity Score (DMH Policy 550.01, Security Management Process), and implement controls to ensure only authorized workforce members have access to network services for secured data transmission (DMH Policy 554.02, System Access Control).
- The DMH CIO or their designee must ensure the integrity controls and safeguarding methods such as encryption implemented under this policy are documented within the System Security Documentation (DMH Policy 554.02, System Access Control: Definitions).
- The DMH CIO or their designee must ensure the System Managers/Owners implement the following integrity control procedures:
  - Identify the information communicated across networks, including all traffic containing PHI and other confidential information, for which data integrity will be checked.
  - Determine the integrity controls (e.g., application or network message authentication tools) that will be used to perform the integrity inspections.
  - Utilize the selected integrity controls to check the integrity of incoming PHI and other confidential messages.
  - If the tool reports a discrepancy between the message received and the message sent, or if it appears that no message authentication measure has been included, then the System Managers/Owners must notify the DMH DISO or their designee.
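As an added illustration that is not part of the DMH policy, the integrity inspection steps above can be implemented for a simple message envelope carrying an HMAC-SHA256 tag; the shared key, the envelope layout (body, newline, hex tag) and the sample record are constructed assumptions, and the check distinguishes the two conditions the policy says must be reported to the DISO (a discrepancy, and a message with no authentication measure at all):

```python
import hashlib
import hmac
import json
from enum import Enum

# Constructed shared key for the example only; real keys fall under the
# key-protection procedures referenced in the policy.
SHARED_KEY = b"example-key-not-for-production"


class IntegrityResult(Enum):
    OK = "ok"                            # tag present and matches the body
    DISCREPANCY = "discrepancy"          # tag present but does not match: notify DISO
    UNAUTHENTICATED = "unauthenticated"  # no tag included at all: notify DISO


def seal(payload: dict, key: bytes = SHARED_KEY) -> bytes:
    """Sender side: serialise the record and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def inspect(envelope: bytes, key: bytes = SHARED_KEY) -> IntegrityResult:
    """Receiver side: the policy's integrity inspection of an incoming message."""
    body, sep, tag = envelope.rpartition(b"\n")
    if not sep or len(tag) != 64:
        # Nothing that looks like a message authentication tag was included.
        return IntegrityResult.UNAUTHENTICATED
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison so the verifier does not leak how much of the
    # tag matched through response timing.
    if not hmac.compare_digest(expected, tag):
        return IntegrityResult.DISCREPANCY
    return IntegrityResult.OK


def needs_diso_notification(result: IntegrityResult) -> bool:
    """Both failure conditions in the policy require notifying the DISO."""
    return result is not IntegrityResult.OK


if __name__ == "__main__":
    # Constructed sample record; no real PHI.
    sealed = seal({"patient_id": "CONSTRUCTED-001", "note": "visit summary"})
    for label, msg in (("intact", sealed),
                       ("tampered", sealed.replace(b"001", b"002")),
                       ("no tag", sealed.rpartition(b"\n")[0])):
        result = inspect(msg)
        print(f"{label:9s} -> {result.value}, notify DISO: {needs_diso_notification(result)}")
```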
- The DMH CIO or their designee must ensure System Managers/Owners implement the following encryption procedures when deemed necessary pursuant to the DMH Risk Management Plan:
  - Determine the encryption mechanisms that will be used in transmitting or receiving PHI and other confidential information messages over an open communications network, and ensure that such encryption mechanisms are compatible with the encryption features employed by entities with which the facility communicates.
  - PHI and other confidential messages requiring encryption must be encrypted at the application or network layer prior to being transmitted.
  - Ensure that the passwords, tokens, and keys associated with the message encryption measures are protected from unauthorized disclosure or access in accordance with DMH Policy 554.02, System Access Control: Encryption and Decryption Procedures.