- DMH shall assign PEDs to Department workforce members whose duties and responsibilities clearly require such equipment to conduct County business and shall not make assignments based on convenience, seniority, or position.
- Supervisors and managers must ensure that only authorized workforce members are assigned PEDs. The following justifications clarify when a PED may be assigned:
- When a workforce member’s job is field-based and requires remote access and/or remote connectivity to the DMH network, resources, and data.
- When a manager or supervisor requires more than one (1) PED (a pool of devices) for shared use by his/her workforce members to ensure the effective and efficient performance of their duties.
- For specific workforce members within Emergency Outreach Bureau (EOB) and Disaster Operations Center (DOC) or for post disaster recovery purposes.
- When a workforce member is, on a regular basis, engaged in making presentations, providing training, etc., and requires a laptop, smart phone, or other PED for these purposes.
- When a workforce member cannot perform the duties of his/her assignment effectively or efficiently without a laptop, smart phone, or other PED.
- Acquisition/requisition of PEDs such as laptops, smart phones, universal serial bus (USB) flash drives, audio/video recorders, digital cameras, and all other information technology devices and services within DMH must be made by and/or approved by Chief Information Office Bureau (CIOB), regardless of funding source.
- If a workforce member transitions away from field-based duties due to a change in duties or inter-departmental transfer and the PED is no longer required, they must return the device and related equipment to CIOB.
- If a workforce member terminates employment with DMH for any reason, they must return their PEDs and related equipment to CIOB (DMH Policy 560.01). Under no circumstances shall a workforce member transfer his/her DMH-issued portable device to another workforce member.
- All usage of DMH-issued PEDs for business, non-business, and personal purposes shall be tracked.
- Workforce members shall have no privacy expectation with respect to their use of DMH-issued PEDs. DMH may log, review, or monitor any and all data created, stored, sent, or received at any time.
- DMH-issued PEDs found inactive for over 90 days must be returned to CIOB. Exceptions shall be considered for those devices purposed for emergency, disaster recovery functions, or safety reasons.
- In the event a workforce member is absent for over 90 days, the supervisor must advise CIOB to disable the device and corresponding accounts during their absence.
- DMH-issued PEDs are strictly for DMH business use. Personal use of DMH-issued PEDs, explicitly smart and mobile phones, is allowed only during emergencies.
- Workforce members covered under the Federal Fair Labor Standards Act (FLSA) are not permitted to use DMH-issued PEDs after working hours. Failure to comply may result in disciplinary action.
- Issuance of DMH PEDs does not imply that the Department is authorizing the workforce members to work beyond their normal working hours or schedule. County policy requires all overtime be pre-approved (DMH Policy 603.04).
- Any alteration or modification to the configuration of a PED’s existing settings is prohibited. This action is a compliance violation which may weaken the existing security of the device and may expose confidential or sensitive information to the risk of being compromised.
- Downloading, installing, or using applications not pre-installed at the distribution of the PED is prohibited. All non-standard application installation and use must be pre-approved by CIOB Information Security.
- All electronic communications such as emails, text messages, video messages, exchange of electronic files and images, and all electronic file transportations, transfers, uploads, downloads, and/or storing of electronic data must follow all the Departmental privacy and security requirements and policies concerning the secure storage or transportation of electronic sensitive or confidential information, including but not limited to PHI.
- Any violation of this policy and procedures may result in disciplinary action up to and including discharge.
- Failure to comply with HIPAA of 1996 can result in civil and criminal penalties. (45 CFR 164.312(e)(2)(i) and 42 USC 1320d-5)
- Safeguards for PEDs, including Portable Computing Devices (PCD), Portable Wireless Devices (PWD), Portable Storage Devices (PSD), Portable Recording Devices (PRD), and Portable Internet Connectivity Devices (PICD).
- DMH Asset Management personnel must ensure that all PEDs are tagged with a DMH asset label and assignee’s information is documented.
- All PEDs issued to a program for general workforce use must be accounted for at all times. Logs must be kept detailing who checked out or used the device, when, and why, and must document detailed information on material stored or transported.
- Assigned PEDs shall not be loaned and passwords must not be shared. Authorized assignees must be the sole operators of the device.
- Workforce members who work in the field must never leave their assigned PEDs unsecured and unattended in plain view in their vehicle. The device must be locked in the car’s trunk and, most importantly, the car must be locked to prevent unauthorized access. Workforce members are prohibited from leaving their mobile in their car overnight.
- Workforce members, before leaving a PED unattended, must log off or lock their device’s screen. When not in use, it is preferable to physically lock or carry the device in person or secure it out of sight in a locked drawer or compartment.
- Strong passwords or passcodes must be set up following the character combination guideline and used at all times (DMH Policy 551.03). For mobile devices, strong passcodes and biometrics shall be used for unlocking.
- Workforce members must not use public unsecured Wi-Fi under any circumstances. Accessing DMH resources and systems from any public or private unencrypted and password-free WAP and Wi-Fi connection is prohibited. Consequently, access to PHI over a wireless connection is prohibited unless via a secure and encrypted connection.
- No electronic equipment is meant to last forever. All contained data may be lost if the device is damaged or due to device malfunction, loss, or theft. Workforce members must regularly save all important files and documents stored on assigned devices to an approved cloud storage (i.e. Office 365) or on the DMH Network directory.
- PCDs - Laptops and Notebooks:
- Workforce members issued a laptop or notebook device may be required to relinquish their desktop computer.
- Use of personally owned laptops or notebooks to conduct County business or store County data is strictly prohibited. Workforce members are only permitted to use DMH-issued PCDs to connect to the County Network.
- CIOB personnel must ensure that the operating system, built-in and pre-installed applications, and endpoint and malware protections are kept current on devices capable of running such software.
- Workforce members must regularly connect their assigned laptops and notebooks to the DMH network for the device to receive proper system and application updates. Plugging devices that have outdated software into the DMH network may create security, support, or other issues.
- To ensure that devices are adequately protected, all devices exceeding 90 days of not physically being attached and not having been authenticated to the DMH network shall be disjoined and disconnected from the DMH Domain. The assignee shall have to contact the Help Desk at (213) 351-1335 for assistance to rejoin their device and access any network resources.
- Workforce members qualified for a laptop or notebook computer shall receive a cable lock that must be used to secure the device at all times when it is not stored away.
- In addition to the laptop and cable lock, a docking station, monitor, standard size keyboard, and mouse shall be provided to allow the assignee to use their device in the office as a replacement for their desktop computer. When the docking station is in use, it must be secured with the cable lock.
- When PCDs are not located in areas where they can be adequately secured (e.g., in locked offices, cabinets, drawers, racks), cables or other locking accessories must be employed to deter unauthorized removal of or tampering with the device.
- All laptops and notebooks, particularly those in public access areas, must be located and oriented so that information on displays is not easily viewable by unauthorized persons. If displays cannot be secured, accessories such as privacy filters must be utilized or viewing must be suspended until it is safe to view later.
- Electronic PHI (ePHI) must only be stored, reviewed, created, updated, or deleted using authorized and County-issued laptops and notebooks that meet the security requirements for that type of equipment.
- All portable laptops and notebooks containing ePHI must be encrypted.
- All users, including users with administrative privilege, must not disable hardware or software (e.g., anti-virus, anti-spyware, firewall, intrusion detection) that protects PCDs against cyber-attacks.
- PWDs - Smart Phones and Tablets:
- Use of personally owned smart phones or tablets at work is only permitted for emergencies. Emailing, transporting, sending, uploading, downloading, and storing sensitive or confidential information and County data through a personally owned PWD is strictly prohibited. Workforce members are only permitted to use DMH-issued PWDs for such purposes.
- Uploading or posting comments, documents, images, or videos that include sensitive or confidential information to social networking sites, non-DMH websites, or cloud storage is prohibited. All exceptions must be pre-approved by CIOB.
- Workforce members are prohibited from using native SMS, Apple iMessage, or any other third party messaging application when the communication includes sensitive or confidential messages with any individual, including clients and other workforce members, unless CIOB Information Security Office grants explicit permission.
- Only authorized workforce members using an approved device and authorized to have the DMH-approved secure text messaging application installed on their device may send texts or video messages, including ones that may include PHI or confidential data.
- When email messages contain sensitive or confidential information, the communications must be secured by utilizing the DMH Secure Email Solution (DMH Policy 557.02).
- Taking photos or videos that include DMH clients, clients’ medical information, or structures that can identify clients is prohibited. CIOB must pre-approve all exceptions.
- Workforce members qualified for a smart phone and/or tablet shall receive a protective case which must be used at all times to ensure physical damage shall not affect operability.
- All smart phones and/or tablets being used in public areas must be oriented so that information displayed is not easily viewable by unauthorized persons. If displays cannot be positioned to deter viewing, accessories such as privacy filters must be utilized, or viewing must be suspended until it is safe to view later.
- Remote device wipe and its recovery feature must be configured and enabled on all mobile devices.
- Screen timeouts must be configured to lock the display of smartphones and/or tablets that are idle for more than 20 minutes.
- Tracking software must be installed and activated in order to trace and find a misplaced or lost device (i.e., Find my iPhone).
- PSD - USB Flash Drive and External Drive:
- Use of personally owned PSDs to store DMH information is strictly prohibited.
- Only DMH-issued PSDs may be used for work related purposes.
- ePHI must only be stored or transported by authorized PSDs that meet the necessary security requirements.
- All PSDs containing ePHI must be encrypted regardless of business need and types of files to be transported by the workforce member. All DMH-issued devices are fully encrypted.
- PSDs are designed to function as short-term tools for electronic data transportation. Workforce members must not utilize such devices for long-term file and document storage. All PSDs are susceptible to corruption and/or damage, and data can be permanently lost. Data can also be lost if the device is lost or stolen. Workforce members must regularly save or back up all important files and documents stored on their assigned devices to a network directory.
- PRD - Audio or Video Recorder and Digital Camera or Camcorder:
- Only DMH-issued recording devices may be used for conducting County business related purposes. The Departmental Information Security Officer (DISO) must approve the device brand and model.
- Use of personally owned PRDs to process, record, capture, or store County materials, interviews, or meetings is strictly prohibited.
- ePHI must only be stored or transported by authorized PRDs that meet the necessary security requirements.
- DMH-issued PRDs must be configured in a manner to encrypt the event’s recording in real time. The device must be password protected to prevent unauthorized access to the stored recorded materials.
- All DMH-issued PRDs containing ePHI must be encrypted. In the event encryption might not be supported by the device’s technology or its limited capabilities, specific handling guidelines must be developed for the adequate protection of information during operations. The guidelines must be endorsed by the DISO prior to the device’s use. All operators must abide by the guidelines when using PRDs.
- The program to which PRDs have been assigned must centrally manage recording devices.
- Once checked out, it is the assigned workforce member’s responsibility to maintain physical security of the device and recorded content.
- All DMH-issued PRDs are designed to function as short-term tools for storing recorded materials. Workforce members must not utilize such devices for long-term audio-visual material storage. No electronic equipment is meant to last forever. All contained data may be lost if the device is damaged or due to a device malfunction, loss, or theft. If business requires and it is appropriate for the recorded materials to be maintained for an extended period, workforce members must remove and store the recorded materials in an approved storage server and apply required protection based on the content of the recording. It is best practice to delete the recorded materials from the PRD as soon as the recording is moved to an approved storage location. This way, no file is in jeopardy if the device malfunctions or is misplaced.
- Portable Internet Connectivity Devices (PICD) - Hot Spots and AirCards®: PICDs shall only be used to perform work-related duties.