Chapter 21 - Access Control
Part 8 - Information Resources Management
- Purpose. This chapter establishes the policy and procedures for allowing users access to Indian Health Service (IHS) Information Technology (IT) resources.
- Background. Modern IT has created an efficient and immediate way of transmitting sensitive information across distances. Health care providers may now find instant information at their fingertips, thereby enhancing their ability to provide comprehensive patient care. The convenience of such immediate access, however, creates significant concerns for protecting patient privacy, and these concerns must be addressed with adequate information access control.
The IHS Security Program is in compliance with laws, regulations, and directives that compel Federal agencies to protect information and IT resources by restricting access to government systems to only authorized personnel. The IHS IT resources include, but are not limited to: personal computers (PC) and related peripheral equipment and software; network and web servers; telephones, cellphones, and smartphones; facsimile (FAX) machines; photocopiers; Internet connectivity and access to Internet services; and all forms of email. Appropriate IT access control ensures that IHS information is protected from unauthorized access, which could result in a compromise of the confidentiality, integrity, or availability of IHS information.
- Scope. This policy applies to all IHS information system owners, users, custodians, and business associates. This policy covers all information systems operated by IHS, including, but not limited to PCs and related peripheral equipment and software; network and web servers; telephones, cellphones, and smartphones; FAX machines; photocopiers; Internet connectivity and access to Internet services; and all forms of email.
- Authorities.
- Department of Health and Human Services - Office of the Chief Information Officer (OCIO) "Policy for Information Systems Security and Privacy"
- Department of Health and Human Services - OCIO "Policy for Information Systems Security and Privacy Handbook"
- Part 8, Chapter 6, "Limited Personal Use of IT Resources," Indian Health Manual (IHM)
- Part 8, Chapter 17, "Agency-Issued Cellular Telephones, BlackBerry® Smartphones, and Personal Digital Assistant Devices," IHM
- Part 8, Chapter 19, "Least Privilege," IHM
- "Federal Information Security Management Act of 2002," 44 United States Code (U.S.C.) § 3541, et seq.
- "Privacy Act of 1974," Public Law 93-579 as amended, 5 U.S.C. § 552a
- National Institute of Standards and Technology Special Publication 800-53, Rev 4, "Recommended Security Controls for Federal Information Systems," April 2013
- Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," 11/28/2000
- Federal Information Processing Standard 200, "Minimum Security Requirements for Federal Information and Information Systems"
- Federal Information Processing Standard 199, "Standards for Security Categorization of Federal Information and Information Systems"
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations
- Indian Health Service, Division of Information Security (DIS) Standard Operating Procedure (SOP) 06-11a, "General User Security Handbook," Version 2.1, February 2013
- Policy. The IHS protects information and IT resources by restricting access to government systems to only authorized personnel. Indian Health Service business must not be performed on privately-owned personal equipment unless that equipment was previously authorized by the IHS Chief Information Officer (CIO). Requests to use personally owned equipment may be made using the Information Security Policy Waiver Form. This policy does not apply to email Web Access.
- Acronyms.
- CIO: Chief Information Officer
- CISO: Chief Information Security Officer
- DIS: Division of Information Security
- DITO: Division of Information Technology Operations
- ETS: Enterprise Technology Services
- FAX: Facsimile
- HHS: Health and Human Services
- IHM: Indian Health Manual
- IHS: Indian Health Service
- ISSA: Information Systems Security Awareness
- ISSO: Information Systems Security Officer
- IT: Information Technology
- ITAC: Information Technology Access Control
- OCIO: Office of the Chief Information Officer
- PC: Personal Computer
- PHI: Personal Health Information
- PIN: Personal Identity Number
- PIV: Personal Identity Verification
- RoB: Rules of Behavior
- RPMS: Resource and Patient Management System
- SOP: Standard Operating Procedure
- U.S.C.: United States Code
- VPN: Virtual Private Network
- Definitions.
- Access. The ability to enter, view, instruct, communicate with, store data in, retrieve data from, or otherwise make use of specific information resources.
- Access Control. The process for review, approval, and provisioning of user access, as well as regular account auditing and assurance.
- Access Privilege. A user's authorization to perform a specific activity in order to view or modify an information resource.
- Authentication. A security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.
- Compromise. Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which intentional or unintentional authorized disclosure, modification, destruction, or loss of an object may have occurred.
- Information Systems Security Officer. A role appointed within the IHS, including Area and Regional Offices, to ensure that the appropriate operational security posture is maintained for an information system or program.
- Information Technology. Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the Agency. Information technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources. Information technology does not include any equipment that is acquired by a Federal contractor incidental to a Federal contract. For purposes of this definition, equipment is "used" by the IHS whether the IHS uses the equipment directly or it is used by a contractor under a contract with the IHS that requires the use of such equipment; or requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product.
- Least Privilege. Granting users only the minimum privileges required to perform their official duties.
- Mobile Device. Any portable, digital apparatus that stores and processes data. Individuals using mobile devices must adhere to the policy and procedures found in 8-17 IHM, "Agency-Issued Cellular Telephones, BlackBerry® Smartphones, and Personal Digital Assistant Devices."
- Personally Identifiable Information. Personally identifiable information is any piece of information that can be used to identify, contact, or locate a person, or that can be used with other sources to identify an individual.
- Privilege. A right granted to an individual, a program, or a process.
- Privileged Account. An account that is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform.
- Protected Health Information.
- Individually identifiable health information, that is:
- Transmitted by electronic media;
- Maintained in electronic media; or,
- Transmitted or maintained in any other form or medium.
- Protected health information excludes individually identifiable health information in:
- Education records covered by the Family Educational Rights and Privacy Act, as amended (20 U.S.C. 1232[g]);
- Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and,
- Employment records held by a covered entity in its role as employer.
- Provisioning. The creation, management, and maintenance of user accounts and their profiles across IT infrastructure and business applications.
- Remote Access. Computer access to IHS networks or systems by authorized users from outside the protection of Agency firewalls.
- Security Incident. An event that may result in, or has resulted in the unauthorized access to, or disclosure of sensitive or classified information; unauthorized modification or destruction of systems data; reduced, interrupted, or terminated processing capability; malicious logic or virus activity; or the loss, theft, damage, or destruction of any IT resource.
- System Owner. The IHS official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
- System Permissions. The technical configuration that enables a user to perform certain actions on information resources.
- System User. An individual authorized to access an information system.
- Director, IHS. The Director, IHS, must ensure the IHS conforms to applicable laws and regulations. The Director, IHS, is administratively responsible for ensuring IT access controls protect all IHS IT privacy and security.
- Chief Information Officer. The CIO must ensure that IHS information systems and data are safe from unauthorized access that might lead to alteration, damage, destruction, or unintended disclosure.
- The CIO is responsible for reviewing and approving access control directives.
- The CIO must ensure all access controls are implemented on all IHS systems.
- Chief Information Security Officer. The IHS Chief Information Security Officer (CISO) is responsible for the security of all IHS information while the information is being processed and/or transmitted electronically and for the security of the resources associated with these functions:
- The CISO must ensure continuous authorization is performed for all major applications and general support systems.
- The CISO is responsible for granting waivers and exceptions to access control mechanisms as necessary.
- Information Systems Security Officer. The Information Systems Security Officer (ISSO) is responsible for administering the access control policy and procedures and ensuring the security of information systems within their respective organizations.
- The ISSO must ensure access control policy and procedures are followed within their respective organizations.
- The ISSO must ensure appropriate access control mechanisms are implemented within their respective organization.
- The ISSO must coordinate the annual access review process within their respective organization and ensure Information Technology Access Control (ITAC) supervisors review employee access each year within established timeframes.
- The ISSO must conduct administrator-user account reviews.
- Information Technology Access Control Supervisors. The ITAC Supervisors are responsible for submitting appropriate access requests for IHS system users on their team and for reviewing their team members' access. The ITAC supervisor must:
- Review and update the ITAC profiles and system access of all users under their ITAC supervision annually, or more often if necessary.
- Ensure that pre-employment requirements are fulfilled.
- Request deactivation of users' access privileges immediately, upon their separation or extended leave from IHS.
- Ensure users have a business need before requesting Virtual Private Network (VPN) access, as described in the DITO Technical Note, "How to Request VPN Access."
- Ensure that all staff are made aware of and are instructed to comply with this policy and all other relevant IHS policies.
- Ensure staff take all necessary training in the required timeframe.
- Submit complete and timely ITAC access requests for new employees, allowing sufficient time for the creation of the required user account prior to the user's start date.
- Ensure that each user for whom they request access has the appropriate business need to justify such access for the requested information system and/or network.
- Ensure that each contractor has a valid contract, that an accurate contract number and expiration date are entered in ITAC initially for each contract staff member, and that these are updated as needed.
- ITAC System Approvers and Global Approvers. The Area ISSO or designee shall assign, to selected individuals, the responsibility of approving ITAC access requests. An ITAC system approver may be assigned to a single system, or a global approver may be assigned to a location (e.g., facility, Service Unit, or Area). System approvers and global approvers must approve access only when there is a demonstrated need for accomplishing work duties.
- System Owner. Each system owner must establish access control mechanisms that balance the need for access limits with the need to execute business functions.
- System Administrator. The system administrator is the person most often responsible for operational security for a subset of machines within the organizational component's site or facility. All system administrators must:
- Verify that all inactive accounts are disabled after sixty (60) days of nonuse and delete accounts after ninety (90) days of inactivity.
- Grant the most restrictive access privileges needed to perform job related roles and responsibilities.
- Follow the Division of Information Technology Operations (DITO) SOP 13-04, "Standard Operating Procedure for IHS Active Directory Object Policy," IHS Office of Information Technology, Version 1.2, March 2014, for account creation.
- Configure IHS systems and networks to comply with HHS password standards, including but not limited to lifespan, length, complexity, and forced password expiration every 60 days.
- Prohibit the use of generic or anonymous user accounts.
- Provide users access to information systems only upon full completion of the ITAC authorization process.
- Remove and disable user accounts of personnel separating from IHS immediately upon notification from supervisors or other management officials.
- Take appropriate and prompt action on receipt of requests for change of privileges, suspension of user accounts, password resets, and de-activation of users, in accordance with this policy and ITAC procedures.
- Notify users of their system account details in a secure and confidential manner.
- Ensure that appropriate records of system activity, including all account creations, changes of privileges, and deactivation of accounts, are maintained and made available for review to the appropriate personnel.
- Notify the designated information and system owners and ISSO if they suspect a user is responsible for misusing the information system or is in breach of this policy. Incidents can be reported by following the DIS SOP 09-02, "Incident Reporting."
- Deactivate VPN accounts as specified in the DITO Technical Note, "How to Request VPN Access."
- Maintain detailed records for all privileges allocated.
- System Users. System users must:
- Ensure their password, Personal Identity Verification (PIV) card, and PIV card Personal Identity Number (PIN) are protected and cannot be compromised.
- Protect passwords and PINs by committing them to memory or storing them in a safe place.
- Follow IHS password procedures listed in the IHS General User Security Handbook, regarding password usage and management.
- Change a password or PIN if it has been guessed, or otherwise compromised, or is suspected to be compromised.
- Report compromises or suspected compromises to the local ISSO.
- Appropriately safeguard all IT resources, including mobile computing devices (e.g., laptop computers, tablets, notebooks, and mobile phones).
- Appropriately protect the information contained in IHS systems and the IHS network.
- Ensure all passwords are kept confidential at all times and not shared with others, including co-workers or third parties.
- Change passwords at least every 60 days or when instructed to do so by designated system administrators, network administrators, or their ISSO.
- Report all misuse and breaches of this policy to their ITAC Supervisor or ISSO by following the DIS SOP 09-02, "Incident Reporting."
- Business Associates. Business Associates must comply with the terms set forth in the Business Associate Agreement and other contract terms and conditions.
- Least Privilege. All users with access to IHS IT resources will be granted the most restrictive access privileges needed for performing authorized tasks, pursuant to 8-19 IHM. In addition, users may not access IHS systems or data for which they have no business need to know, regardless of their permissions.
- Information Systems Security Awareness Training. All users must complete the Information Systems Security Awareness (ISSA) training annually. New employees must complete ISSA training before, or within 24 hours of, gaining access to IHS information systems, unless the user has read the IHS Quick Guide to Information Security; otherwise they risk access deactivation.
- Rules of Behavior. During a user's completion of ISSA training, the individual must review and accept the IHS Rules of Behavior (RoB), which are stored and tracked in the ISSA training system. Some users may also be responsible for completing role-based or system-based training and must acknowledge any specifically related RoB, such as the RoB for privileged users.
- Information Technology Access Control. All access to IHS controlled areas, systems, and data must be requested and approved through the ITAC system prior to "provisioning." Provisioning is the issuance of any equipment or the granting of any access to controlled computer systems or building areas. All ITAC Supervisors are responsible for submitting requests to activate or deactivate a user's access when his or her access needs change. For more information on ITAC system procedures, see DIS SOP 13-01, "ITAC System."
- A New User request must be submitted and approved for all new employees before any access may be given.
- Current employees whose access needs change must be updated within one business day in ITAC via an Update Access request.
- Departing employees must have their access removed via a Remove User request. Once de-provisioning is complete, the user's ITAC profile will be archived.
- User Account Maintenance and Review. Federal security regulations require managers to conduct annual team member access reviews. All ITAC Supervisors must review the access of every team member once a year, or more often as necessary, and make administrative changes if there are discrepancies. This annual access review is essential to ensure that users maintain only the access needed to do their jobs. In addition, every ITAC Supervisor must annually review their team members' demographic information and update it as necessary (see DIS SOP 13-01, "ITAC System"). The ITAC Supervisor must:
- Validate user training compliance during the Annual Access Review, including ISSA training and any required role-based training.
- Consider whether the user has a continued need for access to Departmental resources and that system level privileges are appropriately assigned.
- Physical Access. Physical access to controlled areas must be restricted to authorized personnel and monitored for unauthorized personnel. This includes necessary log-keeping, authorized escort, and security controls like cameras, signage and locks.
- Requests for Escalated User Access Privileges. Requests for Enterprise Administrator and Domain Administrator (Tier 3) access must be reviewed and approved through internal Enterprise Technology Services (ETS) Change Control. Once approved, only ETS can create the accounts. Requests for Area/Facility escalated privileges (Tier 1 & 2) access must be reviewed and approved by the respective Area ISSO. Once approved, Area/Facility administrators can create the accounts.
- Enterprise and Domain Administrator Accounts.
- Enterprise and Domain level administrator accounts must not be named in a manner that would identify them as privileged accounts (e.g., Administrator01).
- Settings for Enterprise and Domain level administrator accounts enforce a 15-character minimum password length and a 15-minute lockout duration.
- Enterprise and domain level administrator accounts must be assigned to a single user with appropriately identified user attribution contained within the Active Directory by designated personnel.
- Enterprise and Domain level administrator accounts will follow the standards found in the DITO SOP 13-04, "IHS Active Directory Object Policy."
- Domain level administrator accounts must be set to expire at least once per year and reviewed for reactivation by the IHS CISO or designee.
- Separation of Duties. All procedures developed at the local level must ensure the separation of duties. Each facility and site manager must ensure there are no conflicting roles when granting access to IHS Federally-controlled information systems. For more information on separation of duties, refer to DIS SOP 09-25, "Separation of Duties." Where possible, no single individual should have total control of more than one of the following critical IT functions:
- System Administrator
- Information Systems Security Officer
- Database Administrator
- Developer (Programmer)
- Analyst
- Verifier (Software Certifier)
- Web Application Developer (Programmer/Analyst)
- Passwords. Logical password controls must be implemented and enforced for all IHS systems and networks. User passwords must adhere to IHS standards for complexity and periodic updating. Passwords are to remain confidential, and users must protect their usernames and passwords in accordance with the IHS RoB. The procedures outlined in the DIS SOP 06-11a, "General User Security Handbook," contain information on IHS password procedures, including guidance for proper management and protection of passwords, PIV cards, and PIV card PIN.
- Personal Identity Verification Cards. The IHS is currently implementing the use of PIV smart cards for authentication to Federal systems in order to comply with Homeland Security Presidential Directive-12.
- Virtual Private Network Access. The "DITO Technical Note – How to Request VPN Access" describes the requirements for and limitations to individual VPN access, including two-factor authentication and account deactivation or termination. The Office of Information Technology staff provides technical support for personally owned equipment using the IHS VPN.
- Non-use Deactivation. All inactive user accounts, including remote access accounts, showing no activity for 60 days will be disabled. User accounts showing no activity for 90 days will be deleted, as stated in the DIS SOP 06-11a, "General User Security Handbook."
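As an added example (not part of this policy or of any IHS tooling), the following Python review applies the 60-day disable and 90-day delete thresholds stated here and in the System Administrator duties above, together with the 60-day forced password expiration, to constructed account records. The Account fields, the fixed review date, and the rule that a never-used account is measured from its creation date are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds taken from the policy text.
DISABLE_AFTER_DAYS = 60      # inactive accounts are disabled after 60 days of nonuse
DELETE_AFTER_DAYS = 90       # and deleted after 90 days of inactivity
PASSWORD_MAX_AGE_DAYS = 60   # forced password expiration every 60 days


@dataclass
class Account:
    """Minimal account record (constructed shape, not an IHS schema)."""
    name: str
    created: date
    last_logon: Optional[date]   # None means the account has never been used
    pwd_last_set: date
    enabled: bool


def days_inactive(acct: Account, today: date) -> int:
    # Assumption: an account that has never logged on is measured from its
    # creation date, so a provisioned-but-unused account still ages out.
    reference = acct.last_logon if acct.last_logon is not None else acct.created
    return (today - reference).days


def review_action(acct: Account, today: date) -> str:
    """Return the action the inactivity rule calls for on this account."""
    idle = days_inactive(acct, today)
    if idle >= DELETE_AFTER_DAYS:
        return "delete"                      # 90+ days: remove the account
    if idle >= DISABLE_AFTER_DAYS:
        return "disable" if acct.enabled else "already-disabled"
    return "ok"


def password_overdue(acct: Account, today: date) -> bool:
    """True when the password is older than the forced-expiration period."""
    return (today - acct.pwd_last_set).days > PASSWORD_MAX_AGE_DAYS


def review_accounts(accounts, today: date) -> dict:
    """Map each account name to (inactivity action, password overdue?)."""
    return {a.name: (review_action(a, today), password_overdue(a, today))
            for a in accounts}


# Constructed sample records; the review date is fixed so results are stable.
REVIEW_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe",    date(2023, 1, 10), date(2024, 5, 20), date(2024, 4, 15), True),
    Account("asmith",  date(2023, 1, 10), date(2024, 3, 15), date(2024, 2, 1),  True),
    Account("bjones",  date(2023, 1, 10), date(2024, 1, 5),  date(2023, 12, 1), False),
    Account("newhire", date(2024, 3, 20), None,              date(2024, 3, 20), True),
    Account("ctemp",   date(2024, 4, 1),  date(2024, 4, 1),  date(2024, 4, 1),  False),
]

if __name__ == "__main__":
    for name, (action, pwd_old) in review_accounts(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{name:8} inactivity={action:17} password_overdue={pwd_old}")
```

The report is the audit trail a system administrator or ISSO would compare against ITAC before disabling or deleting anything; the script itself changes no accounts.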
- Account Termination. All departing employees, including contractors, must have their user accounts disabled as soon as possible, but no longer than one business day after the employee's departure.
- A departing employee's Federal ITAC Supervisor must assist the employee with the clearance process. This assistance includes completing the IHS Clearance Checklist (Circular Exhibit 2011-02-A), ensuring all government property the employee is responsible for is returned and his or her system access is deactivated.
- System administrators must act immediately to disable accounts upon notification of an employee's separation.
- Supervisors who have employees separating from the IHS must ensure the employees' access to IHS information systems, i.e., the Resource and Patient Management System (RPMS) modules; the Unified Financial Management System; the Purchase Request Information System Management; and the IHS network is disabled as close as possible to their official departure date, and that their ITAC profiles are archived in the ITAC system.
- All ITAC Supervisors are responsible for submitting "Remove User" requests for team members who have left or are going to leave the IHS, as per the DIS SOP 13-01, "ITAC System." It is possible in ITAC to select a future date on which the team member's access should be disabled, but the default date is the current date.
- Access Revocation. The IHS has established management controls to ensure IHS IT resources are used appropriately. Management officials are responsible for terminating an individual's access to IT resources if they abuse their access privileges. Some examples of abuse include:
- Using government systems as a staging ground or platform to gain unauthorized access to other systems.
- Violating the terms of limited personal use. (See 8-6 IHM, "Limited Personal Use of Information Technology Resources.")
- Neglecting to exercise the principle of least privilege. (See 8-19 IHM, "Least Privilege.")
- Accessing sensitive information without a business need to do so.