Att 7 - Rules of Behavior - System Administrators

The “Rules and Behavior for Hepatitis Testing and Linkage to Care Monitoring and Evaluation Syrem (HEPTLC) Agency System Administrators” document specifies the formal rules of behavior which the CDC expects of HEPTLC local Agency System Administrators and communicates policies and procedures to be followed. We will receive formal acknowledgement from you, in the form of a signature, which denotes that you have read, understand and intend to comply with these rules. In addition, you should have read the Security Summary.

You will also be responsible for ensuring that all of your agency’s users sign a Rules of Behavior for Grantee Users; and that your agency obtains signatures on the same or a similar document from its directly funded users.

The information presented within the Rules of Behavior document for HEPTLC Agency System Administrators addresses:

 The scope, boundaries, and applicability of the system rules

 The governing law and policy applicable to the system

 Statements of policy related to expected user behaviors and responsibilities

 The range of consequences possible for policy violation

 Statements regarding any HEPTLC system-specific prohibited actions

 The process for obtaining HEPTLC system help and a listing of additional resources

 The process for publishing and acknowledging revisions

 A formal acknowledgement and signature mechanism

1.2 Legal, Regulatory, and Policy Requirements

HEPTLC is a part of the CDC System Enterprise Architecture and is held to a high standard of performance with regard to security. The following standards were applied to HEPTLC:

Standards Required by Law for Federal Systems

Clinger Cohen Act of 1996 (Public Law 104-106)
OMB Budget Circular A-130
Federal Information Security Management Act (FISMA)
HHS Information Security Program Policy
Executive Orders, Directives, Regulations, Publications, Guidance(s)
National Institute of Standards and Technology Special Publications 800 Series

With respect to these laws and regulations, prohibited uses include:

Access or using information inappropriately which is protected by the Privacy Act or other federally mandated confidentiality provisions and/or by OMB Circular A-130, Management of Federal Information Resources.
Violating copyrights or software licensing agreements.

References

45 CFR 5, Freedom of Information Regulations
45 CFR 5b, Privacy Act Regulations
OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources

1.3 Statement of System Policy

Each system administrator is responsible for preventing unauthorized use of and access to, HEPTLC system resources. This duty includes complying with all stated policy requirements, taking due care and reasonable precautions when handling system data or using system resources, and in the management and protection of system authentication controls (passwords, certificates, etc.). When in doubt, administrators are strongly encouraged to contact the HEPTLC Service Support Center for assistance.

1.4 No Expectation of Privacy

CDC or local agency system administrators may periodically monitor both the system and user activities for purposes including, but not limited to, troubleshooting, performance assessment, usage patterns, indications of attack or misuse, and the investigation of a complaint or suspected incident. Users are provided system access for the purpose of facilitating Federal, state, local, and agency public health missions only.

1.5 Penalties for Non-Compliance

System administrators who do not comply with the prescribed Rules of Behavior are subject to penalties that can be imposed under existing policy and regulation including reprimands, suspension of system privileges, suspension from duty, termination, and criminal prosecution.

2. System Administrator Responsibilities

2.1 Ethical Conduct

HEPTLC Agency System Administrators should be held accountable for their use of the HEPTLC system and the data. Users of the HEPTLC are only able to access: the data that they enter, the data that belongs to their individual organization and specific data to which they have been given rights. Using system resources to copy, release, or view data without authorization is prohibited. Altering data improperly or otherwise tampering with the system is prohibited. System administrators have access to client-level data and are therefore responsible for the protection of confidential information and must report any breaches.

2.2 Authentication Management

Access to HEPTLC files and software must be restricted to authorized users. Agency System Administrators will establish user accounts, limiting activities within the system, and terminating access when employees leave, change jobs, or breach agency policies. Users who share the same computer must have separate logins and SDN digital certificates.

2.2.1 Granting Access

The agency system administrator grants access to staff requiring use of HEPTLC software or data. The steps in this process for HEPTLC grantees are as follows:

application for SDN Digital Certificate
include letter from agency (refer to HEPTLC Security Summary)

This is done in writing through the user’s supervisor and should include a description of the user’s duties related to HEPTLC. Once a certificate is granted, the Agency System Administrator establishes an account with levels of access and permissions for that user which should only be necessary to perform their required duties. Users are assigned a user ID and a means of authenticating who they are, such as a password. An Agency System Administrator’s responsibility also includes restricting access to parts of HEPTLC according to the role of the user, modifying access within the system when a user’s duties change, and terminating access when employees leave, change jobs, or breach agency policies.

Users of HEPTLC who have access to confidential data or secured areas should sign binding, non-disclosure agreements (Rules of Behavior and Memorandum of Understanding and Assurance of Confidentiality) before being given access to HEPTLC. Other trainings in the policy and procedures concerning security and confidentiality are also recommended.

2.2.2 Levels of Access

The Agency System Administrator is responsible for restricting access to parts of HEPTLC according to the role of the user and modifying access within the system when a user’s duties change. All users do not need access to all parts of the system. Access to the various parts of HEPTLC should be restricted based upon the role of the user. For example, typical roles include data entry, generating reports, system administration, and viewing information. Some staff may need to read information about clients but not enter data. Others may need to analyze aggregated data but not view case-specific information. The Agency System Administrator assigns the roles for users of HEPTLC. Please refer to Chapter 2, Section 5 of the Security Summary.

2.2.3 Terminating Access

The system administrator will modify or terminate a user’s access as soon as it becomes known that the individual is changing duties within the agency, leaving the agency or breach agency policies The job-transition protocol of the agency should include immediate notification to the HEPTLC system administrator of any change in employee status so that the proper actions can be taken to protect the system and its data.

2.2.4 Use of Passwords

Passwords must be used to confirm the user identity. Passwords should be changed periodically (at least every 90 days) and not shared among staff. Separate passwords may also be used to protect specific data sets or applications within the system. For example, a user may need to enter their individual password to get access to the system, but then may need to enter a second, different password in order to get access to information about a certain set of clients. The HEPTLC password policy is that the passwords should be at least 8 characters long, contain a mix of at least three of the four types of keyboard elements (upper case letters, lower case letters, numerals, and punctuation marks), and can not be the individuals name (refer to Chapter 2, Section 4 and Chapter “Security Recommendations for Your Grantee Agency” Security Summary). Suggestions are to use the first letters from a phrase or abbreviations of a series of words and intersperse or replace letters with associated symbols or numerals in order to make the password easily remembered. The grantee agency should establish policies for passwords that incorporate the HEPTLC minimum requirements above, they then can also make more stringent password policies. Passwords should be required by the system to be changed periodically (at least every 90 days) and staff should be trained not to divulge passwords. The number of attempts to gain access to the HEPTLC system is limited, locking the user out after three unsuccessful attempts to log-in to HEPTLC. System administrators can reset passwords if users forget their password.

2.2.5 Proxies

HEPTLC will have the ability to identify and assign proxies, i.e., the ability to assign one person’s permissions to someone else. Although multiple users can be granted proxies for an individual, only one user can log in at a time as a proxy user of another user. Only Agency System Administrators have permission to grant and delete a proxy. Rules should be developed at the site level to determine how long proxies may last and how they should be administered. The Agency System Administrator should see that all users comply with the rules of proxy administration. Only users who have signed a Rules of Behavior for HEPTLC Agency Users may be given a proxy.

2.3 Information Management and Document Handling

At the local level data collection for hepatitis testing and linkage to care variables may not only exist on the HEPTLC servers. Data may also be on data collection forms or counselor notes, client files, CD-ROMS, personal digital assistants (PDAs), or other information storage media. Since all of these types of media may contain confidential information, the agency must develop policies and procedures for the use, storage, and disposal of data for each medium used to record or store local data.

The computers (desktop and laptop), PDAs, servers, and other electronic equipment used to collect, enter, copy, store, analyze, or report HEPTLC data should be under the control of the grantee. The use of equipment related to HEPTLC, including internet connections, e-mail, photocopiers, facsimile machine, and other equipment that might be used to copy, transmit, or process HEPTLC data should be regulated by written policies and procedures. The policies should require that computers have screensaver locks that automatically engage when the computer is not used for a set time period and should require that personnel electronically lock their computers when they leave their desk. (In Windows this is done by depressing the Ctrl, Alt, and Delete keys simultaneously, then depressing the Enter key).

2.3.1 Storage

Agencies should establish policies and procedures that outline when it is appropriate to export local data to storage media. All storage media should be clearly labeled. Removable media such as zip disks, CD-ROMS, etc., should be destroyed or sanitized with disk wiping tools before reuse or disposal. Storage media, whether removable or fixed, paper or electronic, containing HEPTLC data should be stored in a secured area. Data removed from secured areas for analysis should be de-identified first. Diskettes, laptops, thumb drives and other storage media that contain HEPTLC data should have only the minimum data necessary to perform a given task; should be encrypted or stored under lock and key when not in use; and (except for backups) be sanitized immediately following the task completion. Cleaning crews, maintenance staff, and other unauthorized personnel must be escorted into secured areas by designated staff. Encryption of data during storage is recommended.

2.3.2 Disposal

Many states have laws or regulations concerning how long client records must be stored, and when and how they must be destroyed. Agencies must develop policies and procedures that comply with these state regulations. When client records are to be destroyed, this should include not only paper records but also electronic records. Please note that “deleting” a file or record on the computer does not actually remove the information from the system. Even overwriting or formatting the media may not sanitize it; special sanitization programs or physical destruction of the storage media may be required. Agencies must be sure to sanitize or destroy hard drives of computers scheduled for disposal or transfer to staff not authorized to use HEPTLC.

2.3.3 Release of Data

Agencies must develop a written policy and procedure for releasing data. These policies should be periodically reviewed and modified to improve the protection of confidential information. Policies concerning the release of de-identified and aggregate data that prevent indirectly identifying clients through small denominators or cell sizes should also be established. Access to any data containing confidential information or case-specific data should be contingent on having a signed, current, binding non-disclosure agreement currently on file at the individual agency. These agreements must include discussion of possible ramifications and criminal and civil liabilities for unauthorized disclosure of information.

Reporting to the CDC:

Reporting to the CDC should be done according to the schedule specified by the CDC. While data may be entered into HEPTLC at any time, it is not reported to the CDC until the appropriate files are submitted to the CDC by the authorized personnel of each agency over the SDN. There should be policies and procedures developed to specify the data quality assurance process that will be implemented and the administrative approval process that should be followed prior to reporting/submitting data to the CDC.

Releasing Data to Partners:

In order to assist other agencies in tracking referrals or for other related purposes, agencies may enter into agreements with other agencies to share limited information about specific clients. Data sharing should be based upon written agreements and clients should understand how their confidential information will be treated/shared with other agency partners. Agencies must develop policies and procedures to comply with state regulations regarding release of data.

Releasing Data to the Public:

Except under conditions specified in writing and explained to clients, only authorized staff members who have signed a binding non-disclosure agreement (and who have a need to know) should be allowed access to sensitive client identifying data. Agencies should have a policy and protocol for releasing de-identified and aggregate data for use in analysis, grant applications, reporting and administrative functions. This policy should specify what data may be released, in what form, to whom the data may be released, and who may approve the release of data.

2.3.4 Encryption

HEPTLC data are sensitive, confidential information that may have legal and personal implications for clients; therefore, the data should be protected from unauthorized access. HEPTLC data should always be encrypted during transmission and often should be encrypted during storage, such as during collection in the field. Data transmitted to the CDC through the SDN is secured through the use of several security controls (See chapter 2 of Security Summary for detailed description of security controls). However, it is the responsibility of the grantee to assure security until the data are submitted to CDC.

If an organization decides to send data to anyone other than the CDC, the data should be encrypted. All HEPTLC data is encrypted using the Self Decrypting Archive function of PGP (Encryption sofeware). An encrypted SDA file is generated and sent to CDC over the SDN. The data remains encrypted until it enters the CDC network and reaches the validation team at which time it is decrypted PGP meets the Federal Information Processing Standards 140-2 (FIPS 140-2) requirements and the CDC central key requirement for CDC.

In addition to HEPTLC data being encrypted with a Secure Socket Layer (SSL) during transit, some information remains encrypted within the database, visible only to the agency that entered it. The system encrypts all sensitive, client-identifying variables and includes (in the online help) an encryption indicator for each variable. The online help also includes a warning to users that information entered in specific fields will not be encrypted. The following is a list of client variables that will be encrypted in HEPTLC R3.1:

EVALUATION (HEPTLC) DATA VARIABLES

Data Element:	Comments:
Test Site Information
Name of test site
Type of test site	(IDU, CHC, Other)
Contact information of test site	Address, Phone #, Fax #
Demographic Information
Patient ID
Patient's state of residence
Country of origin/county of birth
Age	Age (month, year)
Gender (Current Gender Identity)	Male, Female, Transgender
Race	AA, W, Asn, NH/PI, AI/AN, Oth
Ethnicity	Hsp, Non-Hsp, Oth
Vaccination History
Hep A vaccine	Ever, # of dose
Hep B vaccine	Ever, # of dose
Lab Information
Lab Name (The lab that performed the test)
Patient ID
Date of test
Test Technology
Test Results
Hep C
Hepatitis C antibody (HCV Ab)	Date, Positive, Negative, Indeterminate, Invalid
Hepatitis C RNA (HCV-RNA)	Date, Positive, Negative, Indeterminate, Invalid
Quantitative HCV RNA	Result, Date (Category B - ECHO option)
HCV Genotype	Result, Date (Category B - ECHO option)
Hep B
Hepatitis B core antibody	Data, Positive, Negative, Indeterminate, Invalid
Hepatitis B surface antigen	Data, Positive, Negative, Indeterminate, Invalid
Diagnosis	Chronic HBV, Chronic HCV

Post-Test Follow -Up
Test results provided	yes, no. If yes, date. If no, why?
post-test counseling provided	yes, no. If yes, date. If no, why?
Linkage to care	yes, no, date*
Antiviral Therapy (AVT)	Regimen, Date (Category B - ECHO option)
Reported to surveillance	yes, no, date*
Risk Factors
Hep C
Persons Who Inject Drugs (PWIDs) and persons who use non-injection drugs
Persons born from 1945 through 1965
HIV-positive [Self-Report Positive (SRP)]
Hep B
Persons born in countries with intermediate or high prevalence of HBV infection
Other at-risk populations, including PWID and MSM
Contacts of hepatitis B positive person
HIV-positive (SRP)
If female, is client pregnant?	yes, no, don't know, declined, not asked

*NOTE*
All personal identifying information, such as Name (FN, LN, MN), SSN, Address at Diagnosis and/or Current Address, Phone # should NOT be submitted to CDC

2.3.5 Backing up data

CDC regularly backs up all HEPTLC data stored on CDC database servers. HEPTLC data that are not yet transmitted, either because they have not yet been entered in the system or because the data are not being stored on CDC servers (HEPTLC) must be backed up periodically by the grantee. Frequency of backup should depend upon how often the data changes and how significant those changes are, but should be done based on a fixed schedule that is part of the normal maintenance of the system. Backup copies should be tested to make sure they are actually usable and stored under lock and key in a secure area and a separate copy of data kept at a secure off-site location if possible.

2.4 System Access and Usage

As a System Administrator, you will review all grantee accounts yearly to make sure they are appropriate and current.

As a System Administrator you agree to only access the system when authorized.

As a System Administrator you have the authority to create and manage all administrators for all of you directly funded agencies.

As a System Administrator, you have the ability to manage permissions to all modules and sub-modules, both Administrative and Non-Administrative for your users.

2.4.1 Portable Equipment

While the use of portable computers has its advantages, it also creates additional security risks, such as loss or theft of the portable computer and data it stores. If computers are used outside the office, agencies should establish policies regarding physical security (the computer should be locked to an immovable object), and digital security (the computer should be protected with a unique username, complex password, and sensitive data should be encrypted). Laptop computers and other portable hardware that contain HEPTLC data should store those data in encrypted formats. Laptops should employ whole disk encryption in order to protect any sensitive data that may be stored on the hard drive.

2.4.2 Physical Security of Equipment

HEPTLC Agency System Administrators should maintain an inventory of all system hardware and software provided to system users, and periodic audits should be conducted to account for all assets. Visitors or unauthorized personnel should not be allowed access to areas containing computers holding HEPTLC data without an escort. All computer equipment should be protected by surge suppressors and emergency battery power to prevent data loss in case of fluctuations in the power supply. All computers and other equipment used for HEPTLC should be housed or stored in secure areas and physically attached to an immovable object, if possible. All rooms where HEPTLC data are stored, either on paper, computer or other storage media should be locked at all times when not in use and it should be known with whom the keys reside.

2.4.3 Offsite Access

The grantee must develop a policy regarding dial-up or other external access to their work location computer system for the purposes of accessing HEPTLC data, when working outside of the office. Since the HEPTLC system contains sensitive, confidential information, dial-up or other access to the system from outside is strongly discouraged as this creates more opportunities for unauthorized intrusion into the system. If offsite access is permitted, it should be restricted to the fewest persons possible and additional security measures should be taken to ensure identification and authentication to obtain access in addition to restricting access to as few as possible.

2.4.4 Locking Workstations

All users should secure their workstations before leaving them. Automatic screen saver locks should also be set to engage whenever the system is left idle (15 minutes of inactivity). In order to unlock the screensaver, the system should require entry of the user’s ID and password.

2.4.5 Disable Browser Password Caching

All HEPTLC users will be accessing the application through a web browser (i.e. Internet Explorer) and should disable the ability of their web browser to cache (save) their passwords. This will prohibit others who use your computer to have access to passwords and other personal information that the web browser has cached for you. To disable this option, open a new Web browser, and select Internet Options from the Tools menu. password caching.

2.5 Incident Reporting

2.5.1 Breaches of Confidentiality

A breach of confidentiality is any failure to follow confidentiality protocols, whether or not information is actually released. This includes a security infraction that results in the release of private information, with or without harm to one or more individuals. All suspected breaches of confidentiality or security (e.g., possible viruses, hackers, password divulgence, lost or misplaced storage media) should be reported immediately to the HEPTLC Agency System Administrator. This administrator will determine the cause, develop and implement process improvements and/or determine if the incident should be reported to the HEPTLC Security Coordinator via the HEPTLC Service Support Center.

At the local level, sanctions for violations of confidentiality protocols should be established in writing, as part of the organizational policies and should be consistently enforced.

2.5.2 Unauthorized Intrusions

Any computer attached to the Internet, such as a HEPTLC system computer is subject to unauthorized intrusions, such as hackers, computer viruses, and worms. In addition, authorized users may attempt to access parts of the system for which they do not have access authority. Grantees must take all reasonable precautions to protect their systems from these types of unauthorized penetrations. A plan must be developed and implemented to prevent and, if necessary, recover from changes to the system caused by unauthorized penetrations of the computer system. Typical precautions include using effective passwords, installing firewalls (HEPTLC) and anti-virus software, making backup copies of software (HEPTLC), saving data at regular intervals so that the system can be restored to a previous state (HEPTLC), and training staff in basic computer security (such as keeping passwords secret and not downloading materials from the Internet or other unauthorized software onto computers that have HEPTLC access).

2.6 Training and Awareness

All agency staff dealing with HEPTLC system should be trained on policies and procedures established by the agency, the legal aspects of data collection, and the ethics of their responsibility to the clients. Training should cover state regulations and the agency’s policies concerning confidentiality, computer security, and legal obligations under non-disclosure agreements. Grantee staff should be aware of common threats to confidentiality and security, contingency plans for breaches of confidentiality and security, and the penalties associated with breaches of confidentiality and security. Each agency staff member with access to HEPTLC data should receive HEPTLC training including security updates.

Personnel are as much a part of a data collection and reporting system as computer hardware and collection forms. People are usually the weakest link in any security system. All personnel dealing with HEPTLC data should be trained on the policies and procedures established by the agency, the legal aspects of the data collection, and the ethics of their responsibility to the clients. Furthermore, they should also be aware of the penalties associated with breaches of confidentiality or security. Each agency should have a policy on confidentiality and security. The confidentiality and security policy must make clear that authorized users are responsible for knowing the confidentiality and security policies and procedures, challenging unauthorized users, reporting possible breaches, and protecting equipment and data. Staff should be required to sign a statement acknowledging that they have been made aware of the confidentiality and security requirements for the agency. The signed statement should be kept in the employee’s file.

2.7 HEPTLC Security Agreements

In an effort to provide maximum protection of the data that is entered into HEPTLC, in addition to the physical and system security measures explained in this document, there will also be a Rules of Behavior for HEPTLC Agency Users regarding appropriate and allowed use of HEPTLC. CDC also will execute a Memorandum of Understanding (MOU) with each directly funded grantee organization. The process for completion of security agreements is described in the Technical Guidance for Hepatitis Testing and Linkage to Care Monitoring and Evaluation System (HEPTLC) Grantee Security Guidelines.

3. User Assistance and Additional Resources

For assistance in using HEPTLC, contact your local HEPTLC administrator, the HEPTLC Service Center through the CCID Informatics Customer Support Help Desk via e-mail at [email protected] or via telephone at 877-000-000.

4. Revisions and Renewal

Revisions to this document will be released as needed. Notifications of the availability of the revised documents will be made through the HEPTLC announcement function and other established communication channels. Unless notified otherwise, it will be assumed that all grantees using HEPTLC accept the revisions. Comments and concerns should be sent to the HEPTLC Service Center via the CCID Informatics Customer Support Help Desk at [email protected].

5. Acknowledgement and Agreement of Rules of Behavior for HEPTLC Agency System Administrators

I have read and agree to comply with the terms and conditions governing the appropriate and allowed use of HEPTLC as defined by this document, applicable agency policy, and state and Federal law. I understand that infractions of these rules will be considered violations of CDC and agency standards of conduct and may result in disciplinary action including the possibility of supervisory notification, official reprimand, suspension of system privileges, suspension from duty, termination, and/or criminal and civil prosecution.

I certify that all HEPTLC system users at our agency have signed the Rules of Behavior for HEPTLC Agency Users.

I certify that I have read the Security Summary and my agency’s Memorandum of Understanding with the CDC and I agree to abide by the procedures stated in these documents.

_______________________________

(Signature / Date)

_______________________________

(Printed Name)

_______________________________

(Title) HEPTLC System Administrator

_______________________________

(Agency Name)

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	Bonds, Constance (CDC/OID/NCHHSTP)
File Modified	0000-00-00
File Created	2021-01-30