
2/31

EXECUTIVE SUMMARYThe Leon County Health Center IT team has defined a policy which assigns responsibility

for the design, deployment, management, coordination, and operation of the facility'sfuture

reliable network infrastructure on the grounds of the Center. We are aware of the criticalnature of our organization, so we have optimized for 99.99% uptime, and aim for 100% uptime!

The Written Description describes the network in detail and references the diagrams in

the Appendix A & B of our network layouts, and includes all hardware & software information.

The Network Policies remind everyone that operation of these systems is a privilege, which can

be taken away at any point, and are designed to protect employees and clients from illegal or

damaging actions while using the network system. It basically outlines what you can and cannot

look at or perform while using our network, and the repercussions for violating this agreement.

It includes everything on the network, not just the Internet access, ranging from printing and

email usage to protocol standards and patches to the operating systems.

We are committed to respecting all patients and clinical research subjects rights to

maintain the privacy of their health information. Our standards are based on those of the

federal law known as the Health Insurance Portability and Accountability Act (HIPAA).

Therefore, the Security Policy does just that, and touches base on systems security as well asphysical security of the center. It provides a procedure for handling security violations as well.

Our Disaster Recovery Policy describes in detail the procedures and policies in event

that a "disaster" occurs. This includes how we plan to backup our servers, manage viruses in the

systems, disk/fault tolerance, power failure, and how we plan to bring all things to a "normal"

working order after an event happens. Our Budget spreadsheet outlines the costs relating to

our proposal, including all the hardware and software of the infrastructure.

Appendix A is a physical network diagram which lays out the location of every proposed

network device and their endpoints (workstations, servers, etc). Appendix B is the logical

diagram, and shows how our network will function, and how the information would flow with

all services provided.


3/31


4/31

WRITTEN DESCRIPTION

Looking at the Appendix A: Physical Network Diagram, it displays the actual layout of the

network. We designed the network very similarly to how the layout of the office within themedical facility looks like (from the inside). We took the managing and head roles of the facility

(the Director, Chief Medical Officer, and 3 rotating Doctors), and combined them to share the

same printer labeled as Management. The Medical Supplies and Medical Records are also

sharing a printer. All of the other departments get their own printers (Human Resources, Billing

& Accounting, Public Outreach, Receptionist, Counseling, Officer Manager, and a general

mobile printer). This also includes the IT department of course (we get our own printer too!). As

far as the other 200 mobile users that need Wi-Fi, we designed and created a wireless accesspoint for them, and simulated the 200 users.

With the IT department, we decided to separate them from the medical facilities'

building. In the diagram, we included all the servers, the patch panel, and the PBX. The cabling

standard that was used was 100 Base T - Cat 5 UTP Ethernet, as labeled in the diagram. As far as

the part of the directions that says "The buildings are separated by a two lane paved street. The

city will not grant a permit to dig under the street to run cabling, we simulated the IT

department to be able to use the WPA for internet connectivity (as seen in the diagram with

the yellow bolts).

In regards with the Appendix B: Logical Network Diagram, we decided to dedicate the

instructed address range to the servers (instructions asked for the 5 external IP addresses to be:

90.44.22.5 - 90.44.22.9). We have the servers connected to a switch. We decided on a switch

because they are more "intelligent" than a hub and faster in speed. Note that we didn't use a

hub also because they route data to all devices at one time, which would only slow our networkdown. Also, we have the outside service router attached to a simulated Pix Firewall. This is

designed to keep the network as secure as possible. The firewall can check packets against an

access control list, flap packets, etc. Beyond the firewall, it is connected to the gateway router,

which directs traffic to the Internet. We are assuming that not everybody understands this


5/31

process, but this is the way a team member saw it done in the Military and it worked. It is more

designed for a mobile setup, but it can be used stationery as well.

For the internal network, the inside service router is using Network Address Translation

(NAT) to translate the private IP addressed to public IP addresses. We chose the private class C

address for the subnetting. Specifically, we used the IP address 192.168.1.0 /24 and broke it

down for what we needed. We implemented switches to group the users in different broadcast

domains as the instructions wanted it that way. Those different broadcast domains are Virtual

Local Area Networks (VLANs).

For the cabling, router-to-router used a cross-over cable. For router-to-switch, we used

straight-through cables. From PC-to-router, we used roll-over cables. Also, on the outside

network, we simulated some IP addresses for the firewall, gateway router, outside service

router, and outside switch.

For the different departments, we decided to put the Director, Chief, Medical Officer,

and the 3 rotating Doctors all on the same VLAN, and labeled them Management. All of the

other different departments got their own separate and respective VLANs. Doing this keeps the

different departments in their own broadcast domain. Keeping the different departments in

different broadcast domains also improves the traffic flow and makes it go faster. If they were

in the same domain, we would have one big collision domain which would make the network

very slow and cause more errors to occur.


6/31

NETWORK POLICIES

PURPOSE:

This policy is designed to protect employees and clients from illegal or damaging actions byindividuals, either knowingly or unknowingly.

The Leon County Health Center provides a communication network capable of offering

electronic mail (e-mail), Internet access, printing, where applicable, but not limited to computer

equipment, software, operating systems, storage media, and network accounts for employees

to assist in and make possible legitimate business communications. The Health Care Centers

network and systems should be dedicated to providing service to its patients and used primarily

for medical business.

Operation of these systems is a privilege. Employees should never put information on or accesse-mail or Internet services unless they feel comfortable accessing or putting the same

information in a widely distributed office memo. By using the Leon County Health Centers

network systems (including e-mail and Internet), employees agree that they are aware of,

understand and will comply with the provisions of the policy.

1.0.1 USE OF CENTERS SYSTEMS:

The Centers computer system is provided to assist employees to perform their jobs, store

confidential files, and communicate with each other internally and with outside individuals and

organizations, where applicable. The Centers computer system should primarily be used formedical business purposes. Inappropriate use exposes The Leon County Health Center to risks

including virus attacks, compromise of network systems and services, and legal issues.

1.0.1.1 INAPPROPRIATE USE:

A. Use of the Centers computer systems is to engage in communication which violates federal,state, or local laws, codes and regulations, Centers policies and procedures is strictly

prohibited at all times.

B. In addition, the following uses of the Centers systems are inappropriate and are prohibitedat all times unless there is legitimate business need. The need must be conveyed to and the

use authorized by the employees department director prior to such use. Inappropriate uses

of the Centers system include, but are not limited to:

1. Personal commercial use;


7/31

2. Usage for any type of harassment or illegal discrimination including transmission ofobscene or harassing messages to any other individual;

3. Gambling;4. Access of pornographic, sexually explicit or offensive materials including materials of

lewd, risqu or course nature, or any other offensive or morally questionable materials;5. Usage for recreational gain including the use of social networks;6. Unauthorized copying of copyrighted/ confidential material;7. Usage for any unethical activity that could adversely affect the Leon County Health

Center;

8. Usage which violates software license agreements;9. Attempting to make unauthorized entry to other Centers systems or to other networks;

or

10.Transmission of sensitive or proprietary information to unauthorized person ororganizations;

11.Usage which precludes or hampers the Centers network performance;12.Downloading games or software that is illegal or is not licensed to the Center.

C. Due to the adverse effect that instant messaging has on the network performance,employees may not access instant messaging software. No personal access to instant

messaging will be allowed at any time.

1.0.2.2 APPROPRIATE USE:

A.

The Centers computer systems may be used by employees for business purposes.

1.0.3 WEB BROWSING:

A. The Internet is a great storehouse of information and contains resources that are invaluableand can greatly enhance our ability to deliver cost-effective services to our patients. The

Center encourages exploration of the Internet for legitimate business-related or

professional activities.

B. During the employees normal work hours, the only use of the Centers Internet accountshould be legitimate Center business. Employees who work within the publics visual siteshould be cognizant of public perception and should use care and discretion in providing an

appropriate image of the Leon County Health Center.

1.0.4 COMPUTER STORAGE ALLOCATION:

Information Technology Services would be responsible for setting parameters and allocating


8/31

maximum disk space for all computer system users. Employees who can demonstrate

legitimate business needs for more disk space than which is allocated shall make a request to

increase their disk space. Such requests shall be evaluated and approved on a case-by-case

basis.

1.0.5 E-MAIL OR SYSTEM CORRUPTION:

Employees e-mail may become corrupt for a number of reasons. If the corruption is a direct

result of a significant technical failure or natural disaster, the Information Technology Services

will assist in rebuilding the mailboxes and recover lost files.

1.0.6 COMPUTER SYSTEM ACCESS:

The Center treats all information transmitted through or stored in the system, including e-mail

messages, as business information. An employee or anyone else using the Centers computer

has no expectation of privacy in use of that computer.

1.0.7 RECORDS RETENTION:

The Leon County Health Center has the obligation to maintain all electronic files and records in

the same manner in which paper records are to be maintained in accordance with the State,

Federal, and Local archivist records retention schedule.

1.0.8 RECORD PRINTING:

All records should be printed solely for the use of a patient or business manner. In the event

that a file is printed and is no longer needed it should be properly discarded and shredded to

ensure our patients confidentiality.

1.0.9 WORKSTATION CONFIGURATION:

The purpose of the workstation configuration is to establish standards for the Centers base

configuration of workstation computers that are authorized to operate within the Leon County

Health Center. Since data that is created, manipulated and stored on these systems may be

proprietary, sensitive or legally protected, it is essential that the computer systems and

computer network, as well as the data that is stores, be operated and maintaine4d in a secure

environment and in a responsible manner.

1.0.9.1 GENERAL CONFIGURATION REQUIREMENTS:


9/31

1. Operating systems configuration should in accordance with the industry standards andHIPAA guidelines. Operating systems no longer supported by the vendor should be

upgraded or decommissioned.

2. Account and application passwords much comply with the Password Protection Policy.3.

All workstations must be kept up to date with the most recent patches and updates for theworkstations, the only exception being when immediate application would interfere with

business requirements.

4. All workstations much have antivirus protection software installed to prevent a virus.5. Workstations may not connect to any other network.6. Workstations that have access to sensitive information must be configured sot that

information cannot be viewed or copied by unauthorized users. Such workstations should

have appropriate tools such as password protected screen savers, data encryption, or

application which will automatically log off where practical.

1.0.9.2 PERSONALLY OWNED COMPUTERS:

1. No personal computers should be connected to the network2. No sensitive information is to be stored or transmitted on personal computers.1.0.10 USER ADMINISTRATION:

Leon County Health Center is committed to providing employees with reliable technology in a

stable operating condition while appropriately addressing the Centers needs and maintaining

the medical systems integrity and data security.

1.0.10.1 LEVELS OF ACCESS:

There are two security access levels at the Leon County Health Center: General and

Administrator.

1. The General access level allows most administrative power with some restrictions.Installation of software or hardware would require the assistance of the IT department.

2. The Administrator access allows the employee to have complete and unrestricted access tothe computer. The ability to install hardware or software, edit the registry.

3. However, at a need to basis an employees access level might be changed to help facilitatethat job responsibilities.

4. Each employee will receive a username.

1.0.11 NAMING CONVENTIONS:


10/31

All Leon County Health Center owned computers on the centers network should be using the

following standard naming convention so that the computers can be located quickly in

emergencies, and to assist the work of Information Technology staff.

1. Computer names should begin with the departmental abbreviation (e.g. HR).2. Computers used primarily by one person, the name should end with a hyphen and that

persons username (e.g. HR-1254). If a person has more than one computer it should be

used (e.g. HR-1254-2).

3. Only alphanumeric characters and hyphens should be used.4. The computer name will normally stay the same for each staff members, so when they get a

new machine it will be set up with the same name as the old one.

5. All computers will be placed on the Active Directory.1.0.12 NETWORK PROTOCOLS:The purpose of the standards on the Leon County Health Center is to improve the durability and

efficiency of the network.

1. The Leon County Health Center has a multiple computer communication protocols on itnetwork. TCP/IP is the only protocol that is capable of communication across the Internet

and the only one that will be supported by all computers.

2. The routers will be placed strategically on the network to partition the traffic into sections(LANs) and to direct traffic between the LANs as needed.

3. Any unregistered device on the network is subject to disconnection from the Leon CountyHealth Center network, without notice, whether or not they are disrupting network service.

The management of the network protocol shall be performed by information systems

administrators and network administrators to assure the efficiency, availability, and security of

the common resources, in accordance with the governing Leon County Health Center

Acceptable Use Policy.

1. Simple Mail Transfer Protocol (SMTP):i. All email protocol traffic shall utilize the centralized mail gateways. Inbound mail traffic

with destination addressed for servers other than other operated by IT Services shall

utilize a DNS MX to relay that traffic through the centralized mail gateways.

2. Dynamic Host Configuration Protocol (DHCP):i. All hosts on the network shall either obtain and use a static IP address or use the

Centers DHCP server to obtain an assigned IP address.

3. Banned Protocols:


11/31

i. IT Services keeps a list of banned protocols which have shown to interfere with thearchitecture and management of the Centers network environment.

1.0.13 NETWORK DEVICE PLACEMENT:

All the network devices (routers, hubs, etc.) should use the following policy:

1. The devices must be inventoried. By inventoried it is meant to be entered into the databasewith the domain name service.

2. If a password is needed to access the device for querying its configuration, understandingits operation or setting parameters in the device, then the passwords to all the devices need

to be in the database.

3. All storage servers must be kept offsite at a remote location to ensure security parameters.1.0.14 POWER AND APPLYING PATCHES:

Each device on the network must have the recent and updated patches as long as they do not

have any immediate interface with the software.

Devices must be left on to ensure that the network can have a constant maintenance and up to

date software for the network.

1.0.15 POLICY COMPLIACE:

Use of the Leon County Health Centers systems including e-mail, Internet services, and printingis a privilege. Inappropriate use or violations of this policy may result in disciplinary action, up

to and including termination.

If in the course of their normal duties, department directors, managers, supervisors, employees

and Information Technology Services staff have any reason(s) to believe that an employee is

misusing the Centers computer systems, they shall report the inappropriate use to the

observers Department Director.

All reports of alleged policy violations or inappropriate use of Centers systems received by any

Department Director shall be reported to the Information Technology Manager to coordinatean investigation or to recommend an appropriate course of action.

If, as a result of the investigation, sufficient facts are gathered to support the allegations, it is

the responsibility of the Department Director to administer any disciplinary action(s) necessary

after consultation with the Leon County Health Center HR.


12/31

1.0.16 CHANGES TO THIS POLICY:

This policy may be temporarily changed by IT Services Manager for any reason, but typically in

response to new types of threats or risks. Notice of the change in the policy will be distributed

to all Leon County Health Center and departmental computer support divisions. Temporary

changes normally will not be extended over six (6) months without being submitted and

approved formally through policy change process.


13/31

SECURITY POLICY

The Leon County Health Center is committed in providing the highest quality health

care, which includes respecting patients and clinical research subjects rights to maintain the

privacy of their health information. The standards for protecting patient health information are

described in the federal law known as the Health Insurance Portability and Accountability Act

(HIPAA). The Leon County Health Centers HIPAA policies are designed to ensure the

appropriate security of all patient health information across the County, in compliance with the

law. Our HIPAA privacy and security compliance policies are available at

www.leonhealthcenter.orgfor a more in-depth viewing.

OUR HIPAA SECURITY RULE OVERVIEW:

The focus of the security rule is to maintain the confidentiality, integrity, and availability of

electronic protected health information (ePHI) that the Leon County Health Center covered

components creates, accesses, transmits or receives.

ePHI is any Protected Health Information (PHI) which is stored, accessed, transmitted orreceived electronically. Hence, the e at the beginning of ePHI.

Confidentiality is the assurance that ePHI data is shared only among authorized personsor organizations.

Integrity is the assurance that ePHI data is not changed unless an alteration is known,required, documented, validated and authoritatively approved. Most important to

HIPAA, data integrity ensures that we can rely on data in making medical decisions. It is

an assurance that the information is authentic and complete, and that the information

can be relied upon to be sufficiently accurate for its purpose.

Availability is the assurance that systems responsible for delivering, storing andprocessing critical ePHI data are accessible when needed, by those who need them

under both routine and emergency circumstances.
http://www.leonhealthcenter.org/http://www.leonhealthcenter.org/http://www.leonhealthcenter.org/


14/31

PRIVACY VS SECURITY:

HIPAA regulations cover both security and privacy. Security and privacy are distinct, but related.

The Privacy rule pertains to the right of an individual to control the use of his or her personalinformation. Protected health information (PHI) should not be divulged or used by others

without their consent. The Privacy rule covers the confidentiality of PHI in all formats

including electronic, paper and oral. Confidentiality is an assurance that the information will

be safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an

element of the Privacy rule.

The Security rule focuses on administrative, technical and physical safeguards specifically asthey relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access,

whether external or internal, stored or in transit.

POLICIES AND PROCEDURES RELATED TO HIPAA SECURITY:

5100 HIPAA Security Anchor Policy: ePHI Security Compliance

5111 PHYSICAL SECURITY POLICY

5111 PR.1 procedure: Physical Facility Security Plan for Leon County Health Center and ITS Data

Centers

The Center is responsible for maintaining a Physical Facility Security Plan for Leon

County Health Center and ITS-Med Data Centers. The Health Centers Physical Facility Security

Plan ensures that PHI (Protected Health Information) in any format (electronic, paper, audio

tapes, transcripts, videotapes, etc.) that is housed in Center and ITS-Med data center locations

meets HIPAA requirements for physical security at a level that is consistent with the criticality

and risk of the PHI.

5111 PR.2 procedure: Physical Access and Environmental Supports to Protected Health

Information


15/31

The current recommendations are to use alarm keypad systems (change key codes

often) or ID key card swipes for labs, hospital rooms or areas accessed by multiple individuals.

Keep current documentation of who can authorize access to the area and individuals who

currently have access and status at the Center.

Electronic storage devices (diskettes, CDs/DVDs, zip drives, external drives, video/audio

tapes, USB drives, etc) and non-electronic PHI (images, medical records, lab results, paper files,

etc.) should be kept in secure locations when not in use. Locked cabinets, closets and offices

can provide this protection.

PHYSICAL SECURITY OF PORTABLE DEVICES:

Portable electronic devices used to create, access, transmit or receive Protected Health

Information (PHI) are subject to special requirements designed to minimize the risk of

inappropriate disclosure of PHI through theft or accidental loss. Portable devices include, but

are not limited to, laptop, notebook and sub-notebook computers, hand-held computers,

palmtops, Personal Digital Assistants (PDAs), and smart phones.

Physical security is the responsibility of the device owner, who is also responsible for

appropriate disposition of the device when it is retired from use (see Policy 1609: MediaControl).

You must implement current security standards for smart phones & PDAs that store,

access or transmit ePHI, whether Leon-issued or personal, including:

Password protection Limitation of the email stored on the device to 250 messages or 7 days Subscription to a service that allows for remote purging of messages stored on the

device

Completion of a Security Design Review for smart phone applications that might accessor receive


16/31

You may never store ePHI on thumb drives of other removable media devices unlessthey comply with Leon County Health Center ITS standards to protect ePHI with

encryption.

For technical securitycompliance issues see Policies 1610 (Systems and NetworkSecurity); 1607 PR1 (Encryption); and 5100) Electronic Protected Health Information

(ePHI) Security Compliance.

5123 ELECTRONIC COMMUNICATION OF HEALTH RELATED INFORMATION

(Email, Voice Mail and other Electronic Messaging Systems)

5123 PR.1 procedure: Communication of PHI via Electronic Messaging

General Guidelines:

Electronic Mail Communication of PHI -- 5123 PR.1 04

1. Email systems used by Leon County Health Center personnel must be configured to

require SSL/TLS encryption when transmitting an email message to the SMTP server

AND when retrieving messages from an IMAP or POP server.

2. Except where PHI relates specifically to treatment, any PHI transmitted by email should

be limited to the minimum necessary to meet the recipients needs.3. Email messages containing PHI must not be forwarded to non-Leon County Health Center

email addresseseither individually or by an automated forwarding mechanism unless an

approved Secure Electronic Messaging option is employed (end-to-end encryption).

4. Instant Messaging (IM) software should not be installed or used for electronic messaging

until an approved secure Instant Messaging (IM) option is available.

Approved Secure Electronic Messaging Options(end-to-end encryption):

1) POL: Patient Online is a secure, Web-based application allowing patients or research

subjects to view portions of their medical record and electronically communicate with their

clinicians.


17/31

2) Leon County Health Center File Transfer Facility - File transfer facility utilizes a secure

web-based method for the actual data transfer, but retains the flexibility of email for the

communications. This facility uses https: all transactions are encrypted. This encryption

ensures that the data cannot be intercepted in transit. Retrieval of the file(s) to the

intended individual should be restricted by providing a username/password pair that the

recipient must know in order to retrieve the data:

Do not send the password via File Transfer facility.

Call the recipient to communicate the password.

Use a clue that only the recipient would know, such as the password is the color of the

scarf you wore last night.

5142 INFORMATION SYSTEM ACTIVITY REVIEW

5142 PR.1 procedure: Information Systems Activity Review Procedure

Configuration Compliance and Activity Review:

Information Security office (ISO) will utilize the data in the Above-Threshold ePHI

Systems Inventory Database to identify Above-Threshold systems that may need remediation to

meet HIPAA requirements. Those systems will be prioritized according to data criticality and theapparent extent of deviation from Centers standards for HIPAA Security compliance. ISO will

assist System Owners to carry out a detailed risk analysis to determine possible steps to

eliminate deviation from Centers standards.

ISO will pay particular attention to optimizing system logging activities and the

development of procedures for the review of system logs.

Log and audit standards for Above-Threshold systems:Log and Audit messages must contain at a minimum:

Unique timestamp

System name

User or daemon where applicable


18/31

Resulting message

For Basic Systems, periodic sampling, or spot checks will be used to review system logs and

access reports.

Review of Security Incident Response Reports

ISO will review Security Incident Response reports and link incident reports to corresponding

system records in the Above-Threshold ePHI Systems Inventory Database. ISO will provide

summary reports to the HIPAA Privacy Officer and to the Centers CIO.

User-Level System Access, Activity, and Transaction Logs

ISO and/or Internal Audit will carry out spot checks of user-level access, activity and transaction

and exception logs.

5143 IT SECURITY INCIDENT RESPONSE POLICY

5143.1 Identification of Incidents

5143.2 Establishment of an IT Security Incident Response Team

5143.3 Risk Assessment Classification Matrix5143.4 Documentation and Communication of Incidents

5143.5 Subordinate Procedures

1601 Information Access and Security

1601 PR.3 procedure: Access Control for Protect Health Information (ePHI)

Review User Access ProfilesData owners and system administrators must periodically review user access to ensure that

each persons access privileges are appropriate.

Monitor Employee Status and Duties


19/31

A system activity review shall be conducted by the System Owners, Systems Administrators or

their designees to evaluate who has access and whether access is still required and appropriate.

Monitor the following types of events within the organizations to determine if individual user

access needs to be modified or deleted:

termination of employment or student status

1607 INFORMATION TECHNOLOGY APPROPRIATE USE POLICY

1607 PR.1 procedure: Centers Endorsed Encryption Implementations

ENCRYPTION OF DATA

Users are encouraged to encrypt files, documents, and messages for protection againstinadvertent or unauthorized disclosure while in storage or in transit over data networks. The

Center makes available software and protocols endorsed by the Information Security Office

that provide robust encryption, as well as the capability for properly designated Centers

officials to decrypt the information, when required and authorized under this policy. Users

encrypting information are encouraged to use only the given software and protocols. Users

who elect not to use the specified encryption software and protocols on IT Systems are

expected to decrypt information upon official, authorized request.

1609 MEDIA CONTROL

1609 PR.1 procedure: Disposal of Media Containing Confidential or Protected Health

Information

1610 SYSTEMS AND NETWORK SECURITY POLICY

1610 PR.1 procedure: Systems and Network Security Procedure

SPECIAL PROVISIONS FOR SYSTEMS WITH EPHI

The IT security procedures described herein are mandatory for network connected computing

devices that create, access, transmit or receive electronic Protected Health Information (ePHI).
http://www.yale.edu/ppdev/Procedures/its/endorsedencryption/EndorsedEncryptionImplementation.pdfhttp://www.yale.edu/ppdev/Procedures/its/endorsedencryption/EndorsedEncryptionImplementation.pdfhttp://www.yale.edu/ppdev/Procedures/its/endorsedencryption/EndorsedEncryptionImplementation.pdfhttp://www.yale.edu/ppdev/Procedures/its/endorsedencryption/EndorsedEncryptionImplementation.pdf


20/31


21/31

HIPAA Training: This pertains to those using computing or communications systems

during the course of work at Leon County Health Center. This includes systems use on

remote locations, such as home, hotels and other offcenter locations.

Based on your role, please overlook the following courses:

HIPAA Security TrainingIf you are a faculty member, student or staff member in the Center AND you

store, access, transmit or receive electronic protected health information

(ePHI) or have oversight responsibilities of staff who do.

OR

You are an IT support provider for one or more people in the Center.

HIPAA Security Training for Business ManagersIf you are a business manager in the Center.

2. General Security TrainingIf you use email or other networked resources, as a faculty member, student or staff

member in the Center, you DO NOT store, access, transmit or receive electronicprotected health information (ePHI) without the general security training. You DO NOT

have oversight responsibilities or provide IT support for staff who do.

HIPAA ePHI Security Compliance Policy

1. Everyone must use strong passwords (8 14 characters, with 2 letters and 2non-letters) for computer and application access, and comply with ITS password

security standards.

ITS Password Security Standards Guide 16102. Everyone must immediately report all incidents that may involve a potential

breach of ePHI such as a loss or theft of a computer, smart phone, or thumb

drive that might contain ePHI to the HIPAA Security Officer hotline.
http://www.yale.edu/ppdev/policy/5100/5100.pdfhttp://www.yale.edu/ppdev/policy/5100/5100.pdf


22/31

3. You must secure paper records that include protected health information:You must immediately report all incidents that may involve the loss or theft of

any such paper records.

All faculty, staff, trainees, students and others who store, access, transmit or receive Protected

Health Information on paper (PHI) or electronically (ePHI) must comply with the following

policies:

1. All Leon County Health Center laptop and desktop computers used tostore, access, transmit or receive ePHI must follow these current secure

configuration standards, including:

Whole Disk Encryption Automatic distribution of security and other patches via central

computer management software

Installation and update of anti-virus /anti-spyware software Automatic locking and password protection of desktops after 15

minutes of inactivity

Registration in the ITS Backup serviceo Protection via proxy servers or removal of administrative

privileges

o Removal of applications that increase the vulnerability ofcomputers such as Peer to Peer (P2P) file sharing

o A locking cable or equivalent device for physical securityo All new desktop and laptop computers must be purchased

from Leon County Health Center

o Other safeguards as they become technically feasible.


23/31

2. You must implement current security standards for smart phones andother devices that store, access, transmit or receive ePHI, whether Leon

County Health Center-issued or personal, including:

Password protection Encryption Limitation of the email stored on the device to 250 messages or 7

days

Subscription to a service that allows for remote purging ofmessages stored on the device


24/31

DISASTER RECOVERY POLICIES

PURPOSE:

The Disaster Recovery Plan is intended to provide a framework for reconstructing vital

operations to ensure the safety of employees and the resumption of time-sensitive operations

and services in the event of an emergency. At the same time, it is intended to be a guide and

not a series of defined instructions void of flexibility. The nature of the interruption should

determine how a business continuation plan is used.

BACKUP PROCEDURES:

Restore OS and application systems software to workstations Restore off-the-shelf software on local workstations Restore access rights Physicians will work from available pooled workstations daily. Employees involved in recovery will have access to recovery site 24/7. Work with the Technical Recovery Team members in establishing connectivity to

servers (network connectivity)


25/31

Ensure all team leaders/alternates involved with recovery are aware of the RecoveryTime Objectives as well as the Recovery Point Objective

Problems associated with workstation recovery should be directed through amember of the Crisis Management Team.

VIRUS MANAGEMENT:

While logging may show you after the fact that a virus has been found, you probably

want to know as soon as possible when a virus hits

This task includes ensuring that we have effective virus protection running on our

network. Just having virus protection software on your workstations isnt enough. We will also

run virus protection software on your server. While logging may show you after the fact that a

virus has been found, you probably want to know as soon as possible when a virus hits. To

counter the virus threats, we have file servers is to provide a central location for storing and

accessing files. Run virus scanners constantly on your workstations. Since there is a specific

amount of clients on the network, visit each workstation on the network to update the virus

signature files. Deduce running workstation-based virus scanning to detect files loading from

the network can potentially slow down processing at the workstation level. Server-side

scanners will be used to log the virus scanning activity for both your servers and your

workstations in a central location, which allows you to keep tabs on what the software is doing

and what it has detected.

Server-side virus protection software immediately notifies you of a virus with e-mail,

pager alerts, or network broadcasts.

DISK/FAULT TOLERANCE:

There are several different ways to achieve disk fault tolerance. The most common

implementation is known as RAID, or Redundant Array of Independent (or Inexpensive) Disks.

Multiple disks can be configured in a number of different ways to create a fault-tolerant array.

Data can simply be mirrored from one disk to another, or parity information can be stored that

will enable the regeneration of lost data. RAID can be implemented either as a hardware or


26/31

software solution. There are many different levels? Of RAID: 0, 1, 2, 3, 4, 5, 6, 7, 10, 0+1, and

53 are the most common.

Windows Server 2003 has built-in support for three levels of software-implemented

RAID:

level 0 (disk striping, no parity) level 1 (disk mirroring) level 5 (striping with parity)

The biggest advantage of hardware RAID is performance; disk access is faster because

you dont have the operating system overhead (the RAID disks appear as one to the operating

system). The big advantage of software RAID is cost; you dont have to buy extra expensive

RAID controllers or other additional hardware to use it.

POWER FAILURE:

Electricity:

To analyze the power outage risk, it is important to study the frequency of power

outage and the duration of each outage. It is also useful to determine how many powers feeds

operate within the facility and if necessary make the power system redundant.

Telephones:

Telephones are a particularly crucial service during a disaster. A key factor in evaluating

risks associated with telephone systems is to study the telephone architecture and determine if

any additional infrastructure is required to mitigate the risk of losing the entire

telecommunication service during a disaster.

Water:

There are certain disaster scenarios where water outages must be considered very

seriously, for instance the impact of a water cutoff on computer cooling systems.


27/31

BUDGET

Product Type Estimated Price

Patch Panel $388TalkSwitch PBX Phone Systems $695100 Base T - Cat 5 UTP Ethernet Cable $59Switches $140Cisco PIX Firewall Bundle $1395Internet (Wi-Fi WPA) $24/monthGateway Router $100Other Routers $200Servers (Email, HTTP, DNS, File & Print, Databases) $3,100VLANs $800Printers $2,519Cross-Over Cables $200Straight-Through Cables $150Roll-Over Cables $250Computer Workstations $32,000Security Software (Personal Anti-Virus Protection &Server-side Virus Protection) $3,000Backup/Storage/Archive Software $1,300OS/Application Systems Software $2,000Backup Power Generators $5,385Other $1,319

Total Estimated Budget $55,000 + $24/month

The above spreadsheet simply outlines estimated costs related to our proposal. The

company does not already have an asset, so any of these may be eliminated. All estimated

prices were researched on Google for the best and lowest prices for a small business.

The following items that we will be justifying costs for are needed to hook up the

network together. The patch panel was found to be $388 for the cheapest price. The switches

and routers estimated together as $440. A bundle of the 100 Base T - Cat 5 UTP Ethernet Cable

was $59 for more than we would need in length. The servers needed to be online with the cost

of setting up VLANs across the facility estimated as $3,900. Cross-Over Cables, Straight-Through


28/31

Cables, and Roll-Over Cables are all needed to connect the routers, switches, and PCs together

and total to an estimated $600 for more than needed so we would have extra in case we need

to replace some cables.

Black-and-white laser inkjet printers were found to be around $229, and we would need

at least 11 (one for each department as shown in the Physical Diagram), which brings the total

to $2,519. The TalkSwitch PBX Phone Systems are $695 for everything (phones, setup, and the

PBX), and connects to up to 64 phones, which is more than enough for our Health Center. The

Cisco PIX Firewall Bundle, which we would need to keep intruders and unwanted guests out of

our network systems, was found to be $1,395. Our computer workstations cost $32,000 as we

calculated for about 64 workstations, each costing $500 for the computers and accessories. We

assume this would be enough workstations for the users coming in and out to access records

and did not bring their laptops.

Security Software, which includes personal Anti-Virus Protection & Server-side Virus

Protection for each workstation and computer, would cost about $3,000 for a business bundle.

This would ensure each computer is protected against the simplest viruses and malware that

happen to penetrate the systems firewall security. Backup/Storage/Archive Software costs

about $1,300, and would include the programs to backup computers that have for some reason

crashed or just to allocate more storage room for records and files. OS/Application SystemsSoftware costs $2,000 to keep all computers up-to-date on all applications and running the

same operating system. Finally, the Internet (Wi-Fi-WPA preferred) would be $24 a month to

keep it up and running.

We put in the backup Power Generators for $5,385 in the case a power failure were to

occur and we needed to access medical records. The remaining $1,319 not accounted for in the

total so far that we have listed under as Other is allocated for anything that we have looked

over and missed that we would need for the setup or maintaining of our proposed networkinfrastructure. Everything else that we have listed totals to $53,681 ($55,000 with the $1,319),

and then the $24 a month for the Internet Wi-Fi. Our team will look over and re-evaluate

anything deemed unreasonable or unnecessary.


29/31

APPENDIX A: PHYSICAL NETWORK DIAGRAM

See attached diagrams in the back.


30/31

APPENDIX B: LOGICAL NETWORK DIAGRAM

See attached diagrams in the back.


31/31

MEMBER CONTRIBUTION

Each of the members contributed to the final product. The amounts varied due to time constraints and

schedules as well as reliability. Members are listed in order by last name alphabetically.

How we ended up dividing the parts of the project up:

Jana Giordani She volunteered to work on Security Policy.

Marlene Marte She volunteered to work on the Network Policies.

Anthony McClurkin He volunteered to work on the Disaster Recovery Policies.

Kwanhaun Belinda Ng She volunteered to work on the Executive Summary, compose theBudget spreadsheet , and help with the Written Description. She also did the final editing for producing

the final product.

Roosevelt Woodley He volunteered to work on both of the diagrams (Appendix B: LogicalNetwork Diagram and Appendix A: Physical Network Diagram). He also helped compose most of the

Written Description since he was in charge of designing the diagrams.

Network Med

Documents

Transcript of Network Med