LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Policy 559.01 Information Integrity
 
  PROCEDURES
The DMH Chief Information Officer (CIO) or designee shall determine the need for integrity controls based on the results of the risk assessment performed in accordance with DMH Policy 550.01. The DMH CIO or designee must ensure that general integrity control procedures and integrity checking procedures are implemented to protect PHI and other confidential information from improper alteration and/or destruction.
  1. General integrity control - DMH CIO or designee must:
     
    1. Ensure that information systems include integrity controls for all hardware and software.
       
    2. Ensure all integrity controls documented in System Security Documentation, which is defined in DMH Policy 554.02, are reviewed and approved by the Departmental Information Security Officer (DISO) or designee.
       
    3. Ensure workforce members are trained to maintain data integrity properly.
       
    4. Examine workflow procedures and system components for reliability and correctness to guard against unauthorized and unintentional modification or destruction of data.
       
    5. Protect information systems against environmental threats that would harm data, including room temperature and humidity, fire suppression systems, or weather-related events.
       
    6. Provide a means for workforce members to report suspected unauthorized data modification or destruction in accordance with DMH Policy 552.01.
       
  2. Integrity checking procedures - System Managers/Owners must:
     
    1. Use the integrity controls listed in the Risk Management Report, Recommended Safeguards Description Section, of DMH Policy 550.01.
       
    2. Determine the directories and files, including files on backup servers, for which data integrity will be checked, including those containing PHI and other confidential information.
       
    3. Establish a schedule for checking stored files in which the frequency of inspection is commensurate with the criticality of each file type, including both periodic inspections and event-specific checks (e.g., upon receipt or transmission of information).
       
    4. Determine the integrity resources and methods that will be used to perform integrity inspections (e.g., cryptographic checksum tools, lists of directories and files and the attributes of each, log files detailing actions taken by users, and anti-virus utilities).
       
    5. Create baseline reference information based on the integrity control(s) selected (e.g., cryptographic checksums) for the applicable directories and files. The preferred method for recording and accessing the baseline reference data is through a read-only storage medium (e.g., CD-ROM). These records must be stored securely, accessible only to appropriate personnel, and protected against environmental threats.
       
    6. Check actual directory and file contents and attributes against the baseline reference(s) selected (e.g., cryptographic checksum matching) to determine if there have been any unauthorized (actual or suspected) changes to the system.
       
    7. Report any unauthorized (actual or suspected) changes to the system by following DMH Policy 552.01.
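
The baseline-and-compare cycle in steps 5 and 6 of the integrity checking procedures, shown as an added example that is not part of the policy. It assumes SHA-256 as the cryptographic checksum and a JSON file as the baseline record (standing in for the read-only medium); all function and file names are hypothetical, and the sample tree is constructed.

```python
import hashlib, json, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Record SHA-256 and permission bits for each regular file under root."""
    records = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if stat.S_ISREG(st.st_mode):  # skip directories, symlinks, devices
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            records[path.relative_to(root).as_posix()] = {
                "sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode)}
    return records

def write_baseline(root, baseline_path):
    """Step 5: create the baseline; store it outside root, ideally read-only."""
    Path(baseline_path).write_text(json.dumps(snapshot(root), indent=2, sort_keys=True))

def check(root, baseline_path):
    """Step 6: compare current contents and attributes against the baseline."""
    baseline = json.loads(Path(baseline_path).read_text())
    current, findings = snapshot(root), []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None or new is None:
            findings.append((rel, "added" if old is None else "missing"))
        elif old["sha256"] != new["sha256"]:
            findings.append((rel, "content changed"))
        elif old["mode"] != new["mode"]:
            findings.append((rel, "attributes changed"))
    return findings

def demo():
    """Constructed sample tree: baseline it, alter it four ways, re-check."""
    with tempfile.TemporaryDirectory() as work:
        root, baseline = Path(work, "records"), Path(work, "baseline.json")
        root.mkdir()
        for name in ("a.txt", "b.txt", "d.txt"):
            (root / name).write_text("sample " + name)
            (root / name).chmod(0o640)
        write_baseline(root, baseline)
        clean = check(root, baseline)
        (root / "a.txt").write_text("tampered")  # unauthorized edit
        (root / "b.txt").unlink()                 # deletion
        (root / "c.txt").write_text("new")        # unexpected file
        (root / "d.txt").chmod(0o600)             # attribute change
        return clean, check(root, baseline)
```

An empty result from `check` means the tree matches the baseline; any entry it returns is a change to evaluate and, if unauthorized, report under step 7.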