The Los Angeles County Department of Mental Health (DMH) Chief Information Officer (CIO) must establish and document procedures for each of the following requirements and submit such procedures for approval to the Departmental Information Security Officer (DISO) or designee.

A user authentication mechanism (e.g., unique user identification and password, biometric input, or a user identification smart card) must be used for all Workforce Members (DMH or Non-DMH) seeking access to any network, system, or application that contains Protected Health Information (PHI) and other confidential information.

Multi-factor authentication, in which the workforce member (in order to obtain remote access) provides two or more means of identification, one of which is typically physical (e.g., a secure ID card using a one-time code), the other of which is typically something memorized (e.g., a secret Personal Identification Number, or PIN), is required for all systems receiving a Risk Analysis Sensitivity score of "High" (see DMH Policy 550.01, Security Management Process).

Workforce members seeking access to any network, system, or application must not misrepresent themselves by using another person's User ID and/or Password, smart card, or other authentication information.

Workforce members are not permitted to allow other persons or entities to use their unique User ID or password, smart card, or other authentication information.

Workforce members must make a reasonable effort to verify the identity of the receiving person or entity prior to transmitting PHI and other confidential information.

The CIO must ensure that person or entity authentication controls implemented under this policy are documented within the System Security Documentation, DMH Policy 554.02, System Access Control.