LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 551.03 Workstation Use and Security
 
  PROCEDURES
The DMH Chief Information Office Bureau (CIOB) or designee must ensure that the following workstation security procedures are implemented within each DMH facility.  All workstations including, but not limited to, County and personal computers, desktop devices, and mobile devices such as tablets, laptops, notebooks, portable electronic devices (PEDs), cellular telephones, smart phones, computer carts, printers, fax machines, etc., that are used for County business whether connected to the DMH network or not are subject to the following procedures.
  1. Access and Use of Workstation and Network Services
     
    1. Workforce members are prohibited from using personally owned computing devices (i.e., desktops, laptops, notebooks, Universal Serial Bus (USB) flash drives, audio/video recorders, digital cameras, etc.) to conduct DMH business or store County data.
       
    2. These procedures are intended to put in place physical safeguards to restrict access to information through securing DMH workstations:
       
      1. General
         
        1. Workstations located in public or open areas must be physically secured in a locked room, secured in locked cabinets, and strongly anchored to deter unauthorized movement.  The facility and program managers must routinely inspect the facility for disconnected or inappropriately connected workstations and computer devices and peripherals.  Identified devices that do not meet DMH physical security standards (BOS Policy 6.100) must be reported to the Helpdesk.  Security cameras or additional forms of monitoring should be considered in high-risk areas where PHI or Personally Identifiable Information (PII) can be accessed such as printers and fax machines. (BOS Policy 6.106)
        2. Workstations must be set up to automatically generate a password-protected screen saver when the computer receives no input for a specified period (to be determined by the Departmental Information Security Officer [DISO] based on risk assessment results).  The DISO or designee may approve other lockout schemes that protect against unauthorized access to confidential and/or sensitive information.
        3. Devices must be located in environments that are in accordance with the manufacturer's operational specifications.
        4. Inventory and maintenance records must be maintained for all workstations.
           
      2. Hardware/Software
         
        1. Workforce members must not change the system configuration of their workstation (e.g., network properties, video card) without proper authorization.
        2. Workforce members must not install or uninstall software (e.g., downloaded Internet software, games, patches, plug-ins, and screen savers) on their workstation without proper authorization and licensing.
        3. Workforce members are prohibited from altering, tampering, removing, replacing, taking apart, or exchanging parts and hardware components of the workstations.
        4. Workforce members must not re-enable floppy drives, Compact Disk-Read Only Memory (CD-ROM) drives, USB ports, etc., on workstations that have access to confidential data, unless the workforce member is authorized to use those devices.
        5. Only authorized personnel may move, relocate, replace, or remove workstations and computing equipment from their designated physical locations.
        6. Only authorized users may open the casing and coverings from the chassis and frame of computing devices. 
        7. Only authorized individuals are permitted to install/uninstall software, change configuration, and perform repair services on workstations.
        8. The facility/program manager must ensure that appropriate controls are in place when sending equipment off premises for repair or maintenance (i.e., they must protect the device’s stored data by ensuring that the device’s internal drive is removed and left with DMH management unless other arrangements have been defined and are agreed upon as part of the contract and documented in the business associate agreement).
           
      3. Measures to limit unauthorized access must include the following:
         
        1. Configuration of workstation and network services
           
          • DMH system managers and owners must configure workstations and network services to allow only authorized access to the workstation, applications, and network services. 
          • DMH workforce members must have both authorizations to access a workstation and the appropriate rights to do so.  They may not access any confidential and/or sensitive information from a workstation unless they have the authorization and it is a requirement for doing their job.
          • DMH workstations, desktop computers, mobile devices, user names, and passwords are encrypted and secured to prevent unauthorized access to sensitive or confidential data,
          • PEDs including, but not limited to, Portable Removable Medias (PRM), Portable Computing Device (PCD), Portable Recording Device (PRD), Portable Storage Device (PSD), and Portable Wireless Device (PWD) that are capable of storing confidential and/or sensitive information must be encrypted.  DMH workforce members are only permitted to use DMH-issued PEDs.  Prior to issuance, these devices must be pre-authorized and whitelisted by CIOB to be accessible on DMH network.  Enforced safeguards limit the usage and access to only the pre-authorized devices and deny access and connectivity to all the others.
             
      4. Permitting only authorized access to workstations, applications, and network services through enforced controls.
         
        1. Unique User Identifications (User IDs) and Passwords
           
          • The DMH DISO or designee is responsible for ensuring the assignment of a unique User ID to each user to identify and track the user's identity when logging into workstations, networks, or applications.
          • Each user must protect his/her password.  Users must not write down their password and place it at or near the workstation (e.g., a note taped to the monitor or placed under the keyboard)
          • Logging into workstations, networks, or applications with another user's ID and/or password is prohibited.  It is prohibited to ask to share a password.
          • Users must not share their unique User IDs (logon identifier) and passwords with any other person including management or information technology (IT) support personnel.
          • Users' passwords must be changed at least every 90 days.
          • Passwords must be at least eight (8) characters long and contain a combination of alpha and numeric characters.  The password may also include special characters.
          • Anyone who suspects that their password might have been compromised must immediately change their password and report the incident to Help Desk and their management.
          • Two-factor authentication in which the user provides two means of identification, one typically a physical token (e.g., card or key fob) and the other typically something memorized, (e.g., a security code) must be used for information systems receiving a Risk Analysis Sensitivity score of "High." (DMH Policy 550.01)
          • With authorization from the DMH DISO, a workforce member may be given permission to utilize other user authentication methods (e.g., biometric devices, tokens).
             
        2. DMH system managers and owners must monitor and ensure that the technical enforced controls are functional and working at all times.  Malfunctioning devices and the ones identified not functioning appropriately and as expected must be repaired immediately or must be taken off DMH Network.  Incompliant devices must not be used for DMH business.
        3. Typically, DMH workforce members are assigned a dedicated workstation for their daily use.  However, for some special assignments, a shared workstation may be configured for a shared purpose.  In such situations, workforce member’s User ID shall provide each user an isolated session that is separated for anyone else’s using this shared device.
           
      5. Permitting only authorized access to workstations, applications and network services through enforced controls.
         
        1. Unique User ID's and Passwords
           
          • The DMH DISO or designee is responsible for ensuring the assignment of a unique User ID to each user to identify and track the user's identity when logging into workstations, networks, or applications.
          • Each user must protect his/her password.  Users must not write down their password and place it at or near the workstation (e.g., a note taped to the monitor or placed under the keyboard).
          • Logging into workstations, networks, or applications with another user's ID and/or password is prohibited.  It is prohibited to ask to share a password.
          • Users must not share their unique User IDs (logon identifier) and passwords with any other person including management or IT support personnel.
          • Users' passwords must be changed at least every 90 days.
          • Passwords must be at least eight (8) characters long and contain a combination of alpha and numeric characters.  The password may also include special characters.
          • Anyone who suspects that their password might have been compromised   must immediately change their password and report the incident to Help Desk and their management.
          • Two-factor authentication in which the user provides two means of identification, one typically a physical token (e.g., card or key fob) and the other typically something memorized, (e.g., a security code) must be used for information systems receiving a Risk Analysis Sensitivity score of "High." (DMH Policy 550.01)
          • With authorization from the DMH DISO, a workforce member may be given permission to utilize other user authentication methods (e.g., biometric devices, tokens).
             
        2. DMH system managers and owners must monitor and ensure that the technical enforced controls are functional and working at all times.  Malfunctioning devices and the ones identified not functioning appropriately and as expected must be repaired immediately or must be taken off DMH Network.  Incompliant devices must not be used for DMH business.
        3. Typically, DMH workforce members are assigned a dedicated workstation for their daily use.  However, for some special assignments a shared workstation may be configured for a shared purpose.  In such situations, workforce member’s User ID shall provide each user an isolated session that is separated for anyone else’s using this shared device.
           
      6. Access to Workstations Not in Use
         
        1. Workstations not in use must be password protected and locked.
        2. Workstations must be set up to automatically generate a password-protected screen saver when the computer receives no input for a specified period of time (to be determined by the DMH DISO) based on risk assessment results.  The DMH DISO or designee may approve other lockout schemes that protect against the unauthorized access to confidential and/or sensitive information.
        3. To insure that devices are adequately protected, all those exceeding 90 days of not being physically attached and authenticated to the DMH network shall be disjoined and disconnected from the DMH Domain.  The assignee shall have to contact the Help Desk for assistance.  After all the patches and updates are installed, Help Desk shall rejoin and reconnect the device so that the workforce member is able to access their network resources.
           
      7. Workstations must display an appropriate warning banner prior to gaining operating systems access.  The banner must make the workforce members aware that:

        “This computer system (including all related equipment, network, and network devices) is the property of the County of Los Angeles and is provided for authorized use only.  There is no expectation of privacy in this system.  Any or all uses or access of this computer system, including its data, may be monitored, interrupted, recorded, read, copied, or captured and disclosed in any manner for any lawful or authorized purpose, including disciplinary or civil action and criminal prosecution.  Use or access of this system, authorized or unauthorized, constitutes consent to such monitoring, interception, recording, reading, copying or capturing, and disclosure.  Unauthorized or improper use or access of this computer system may result in criminal, civil and/or administrative action.  By continuing to use or access this system, you agree to these terms.”
         
  2. Access and Use of Mobile Devices
     
    1. Mobile devices must be pre-approved and registered for use in a facility by the DMH CIOB or designee.
       
    2. Workforce members must exercise good judgment in determining the amount of necessary data stored on their mobile devices to perform their functions.
       
    3. All mobile devices containing sensitive information (e.g., confidential patient information) must be encrypted.
       
    4. Mobile devices such as laptops, notebooks, and tablets may not be left unattended and unsecured no matter the location.  They must always be anchored and locked using the locking mechanism provided with the device to an immoveable object during business hours.
       
    5. Mobile devices must be secured when not in use.  These devices must either be carried on persons or must be stored in enforced, lockable cabinets in secured areas.
       
    6. Accessing DMH resources and systems from any public or private unencrypted and password-free Wireless Access Point (WAP) and Wi-Fi connection is prohibited.  Consequently, access to PHI over a wireless connection is prohibited unless via a secure and encrypted connection.
       
    7. Workforce members who work in the field must never leave their assigned mobile devices unsecured and unattended in plain view in their vehicle.  The device must be locked in the car’s trunk and, most importantly, the car must be locked to prevent unauthorized access. Workforce members are prohibited from leaving their mobile devices in their car overnight.
       
  3. Physical Attributes of Surroundings
     
    1. Precautions must be taken to prevent unauthorized individuals from observing sensitive information when a workstation is in use.  Workforce members must follow the subsequent instructions:
       
      1. Confidential data (e.g., patient information) must be password protected, encrypted, or stored on a secure network drive.
         
      2. Critical information having a sensitivity score of "High" must be encrypted.
         
      3. Confidential data must not be downloaded without authorization from the DMH DISO or designee.
         
      4. Confidential data must not be saved on removable devices (e.g., CD-ROM, external drives, and USB drives) without adequate and proper safeguards and authorization from the DMH DISO or designee.
         
      5. Removable media containing confidential data (e.g., patient information) must be encrypted and stored in secured areas.
         
      6. Disposal of confidential electronic records stored on removable or external media (e.g., CD-ROM, diskettes, and hard drives) must be in accordance with DMH Policy 554.01.
         
      7. Use caution when viewing and entering confidential information.  Workforce members must always lock their workstations while away from their stations. (The lock can be initiated by pressing the keyboard keys CTRL + ALT + DELETE or ï + L simultaneously.)
         
      8. Layout and design of the space must shield the view of the workstation screen from the public.  Where it is not possible, to shield the workstation screen from view, devices such as privacy screens and shields are to be used.
         
      9. Printers and fax machines must be regularly monitored for abandoned printouts and unattended sensitive or confidential printed materials, including PHI, which must be reported to facility management.
         
      10. Printers or fax machines are not to be left unattended in non-secure areas when printing confidential and/or sensitive information.  Workforce members must ensure that the appropriate printer that is locally available for their use is selected.  They must pick up their print jobs immediately.  Where available, features such as secure printing must be selected in order for the printout to be held in the device’s memory until the initiator approaches the device and authorizes printing of the withheld job.  In an event when a print job is mistakenly sent to an incorrect printer, every effort must be made to retrieve and destroy the printout.