System managers/owners must ensure appropriate technical safeguards are implemented to allow access only to authorized users and that access is granted only to information that is minimally necessary to accomplish the intended purpose of the use, disclosure, or request (need to know).
Granting and Revoking Access: For granting and revoking access, refer to DMH Policy 550.02, Workforce Members Security Procedures.
Unique User Identification (ID): System managers/owners must ensure that DMH systems assign a unique name and/or number to uniquely identify and track each workforce member’s activities and regulate who may view or access what resources in Los Angeles County’s managed networks, systems, and applications that may contain Electronic Protected Health Information (EPHI).
Any workforce member who requires access to any network, system, or application that creates, accesses, transmits, receives, or stores EPHI, must be provided with a unique user ID string.
System managers/owners must clearly define the naming/numbering format for system users.
The system must be able to identify the unique user name and allow audit capabilities in accordance with the recommended safeguards specified in DMH Policy 558.01, System Audit Controls.
Each workforce member must ensure that their assigned User ID and password are protected appropriately and only used for legitimate access to networks, systems, or applications.
If a workforce member believes their user ID and/or password has been compromised, the individual must report it immediately in accordance with DMH Policy 552.01, Security Incident Report and Response.
Any workforce member who suspects their password may be compromised or is known by someone must immediately change their password and report the incident to Helpdesk and their management.
Workforce members’ passwords must follow the requirements specified in DMH Policy 551.03, Workstation Use and Security.
Each workforce member must protect his/her password. They must not write down their password and place it at or near the workstation (e.g., a note taped to the monitor or placed under the keyboard).
Logging into workstations, networks, or applications with another user's ID and/or password is prohibited. It is prohibited to ask to share a password.
Workforce members must not share their unique User IDs and passwords with any other person, including management and IT support personnel.
Any system connected/connecting to the County network must display a system login banner with verbiage regarding authorized and acceptable use of a computer system and its resources, data, and network access capabilities at the point of access which sets the right expectations for everyone attempting to access such system.
Multi-factor authentication: To protect DMH systems and confidential information from external threats, system managers/owners must ensure that workforce members who require remote access provide two or more means of identification, one of which is typically physical (e.g., a secure ID card using a one-time code) and the other of which is typically something memorized (e.g., a secret Personal Identification Number (PIN) required for all systems receiving a Risk Analysis Sensitivity score of "High" - see DMH Policy 550.01, Security Management Process). This will minimize the risk of hackers accessing DMH systems, should they succeed in phishing or guessing workforce members’ login passwords.
System Login Banner: System managers/owners must ensure that every login process for multi-user computers includes a special notice as contained in the procedure section of this policy. DMH banners are based on the type of resource and access attempt being made for:
NETWORK DEVICES “This computer system (including all related equipment, network, and network devices) is the property of the County of Los Angeles and is provided for authorized use only. There is no expectation of privacy in this system.” “Any or all uses or access of this computer system, including all of its data, may be monitored, interrupted, recorded, read, copied, or captured and disclosed in any manner for any lawful or authorized purpose, including disciplinary or civil action and criminal prosecution. Use or access of this system, authorized or unauthorized, constitutes consent to such monitoring, interception, recording, reading, copying, or capturing and disclosure.” “Unauthorized or improper use or access of this computer system may result in criminal, civil, and/or administrative action. By continuing to use or access this system, you agree to these terms.”
REMOTE LOGIN “You are about to access a computer system (including all related equipment, network, and network devices) which is the property of the County of Los Angeles and is provided for authorized use only. There is no expectation of privacy in this system.” “Any or all uses or access of this computer system, including all of its data, may be monitored, interrupted, recorded, read, copied, or captured and disclosed in any manner for any lawful or authorized purpose, including disciplinary or civil action and criminal prosecution. Use or access of this system, authorized or unauthorized, constitutes consent to such monitoring, interception, recording, reading, copying, or capturing and disclosure.” “Unauthorized or improper use or access of this computer system may result in criminal, civil, and/or administrative action. By continuing to use or access this system, you agree to these terms.”
INTERNET ACCESS “You are about to access a computer system (including all related equipment, network, and network devices) which is the property of the County of Los Angeles and is provided for authorized use only. There is no expectation of privacy in this system.” “Any or all uses or access of this computer system, including all of its data, may be monitored, interrupted, recorded, read, copied, or captured and disclosed in any manner for any lawful or authorized purpose, including disciplinary or civil action and criminal prosecution. Use or access of this system, authorized or unauthorized, constitutes consent to such monitoring, interception, recording, reading, copying, or capturing and disclosure. Unauthorized or improper use or access of this computer system may result in criminal, civil, and/or administrative action.”
System Login Monitoring: System managers/owners must ensure that users’ activities and the process for accessing systems are recorded and monitored for successful and failed attempts. Such monitoring allows the DMH Information Security Office to identify suspicious activities and systematic unauthorized penetration attempts by malicious hackers targeting DMH computing devices, systems, or network and react in real time to interrupt and block such explorations in order to avoid any data compromises that can result in a breach. System owners/managers must enable access logging by users or processes. Logs should include attributes such as “When”, “Where”, “Who”, “What”, and “How” for each event initiated by the system’s application and user for both information at rest (storage) and information in transit (transmission). Detailed specifications can be found in DMH Policy 558.01, System Audit Controls.
Emergency Access Procedure: System managers/owners must ensure that DMH electronic systems have alternate secured manual or automated procedures for accessing stored information during an emergency invoked by the Departmental Information Security Officer (DISO) or designee where the usual means of secured access is not available. Refer to DMH Policy 550.03, Information Technology Contingency Plan.
Unauthorized Access Prevention: System managers/owners must implement adequate and sufficient controls to prevent unauthorized access to DMH systems. The following prevention controls are best practices that system managers/owners should implement where feasible for protecting sensitive information from unauthorized persons.
Automatic Lock: System managers/owners must ensure that after 20 minutes of inactivity, a password-protected screensaver is initiated on all systems to prevent unauthorized users from viewing or accessing EPHI or other sensitive data. Details for screen saver specifications can be found in DMH Policy 551.03, Workstation Use and Security Policy.
Automatic Session Timeouts: System managers/owners must configure automatic timeouts to expire connecting sessions to DMH systems after 20 minutes of being idle or inactive where feasible.
Automatic Logoff: Where feasible, system managers/owners must ensure that DMH systems are configured to automatically log off a user after 20 minutes of inactivity.
Manual Logoff: DMH workforce members must log out when connection to a DMH system is no longer needed. DMH workforce members are also required to log off from their computing devices at the end of their shift. They must leave their workstations powered on after hours so the computers can be patched and updated accordingly.
Automatic Restart: System managers/owners must implement controls to ensure computing devices are restarted at least once a week to ensure that all software updates and operating system patches installed during the week are in effect and enforced.
Encryption: The DMH CIO must ensure that system managers/owners address appropriate encryption for protecting electronic information contained within the storage structure for all DMH electronic data storage systems (i.e., databases or file systems) and during electronic or in-person transfers and transports based on the DMH Master Security Management Report in DMH Policy 550.01, Security Management Process. To minimize the possibility of sensitive or confidential data being compromised, encryption must be applied as follows:
Confidential data (e.g., patient information) must be password protected, encrypted, or stored on a secure network drive.
Confidential data having a Sensitivity Score of "High" must be encrypted.
All electronic transfers and transportations for sensitive or confidential data must be encrypted.
All web sessions and web connections that include access to or processing of sensitive or confidential data must be secured by encryption.
Removable media containing confidential data (e.g., patient information) must be encrypted and stored in secure areas.
All workstations, desktop computers, laptops, notebooks, tablets, and portable devices containing sensitive information (e.g., confidential patient information) must be encrypted. For further details on encryption, refer to DMH Policy 551.03, Workstation Use and Security.
Information System Access Control Review and Documentation: After performing a risk analysis and determining the Risk Analysis Sensitivity Score, system managers/owners must design access controls commensurate with the rating. For procedures on how to determine the Risk Analysis Sensitivity Score, refer to Information Access Management Procedures in DMH Policy 550.01, Security Management Process. The DISO, taking into consideration each system's Risk Analysis Sensitivity Score, must evaluate and approve the design, effectiveness, and implementation of the access controls to limit unauthorized access of workforce members to information systems, including workstations, servers, networks, and applications, and deny all unauthorized endeavors.
System Security Documentation: System managers/owners must document implementation of the above safeguards in the System Security Documentation that accompanies the electronic data system. The system security documentation and all system documentation must be submitted to the DISO or designee for review.