Prepared by Abt Associates for the U.S. Department of Housing and Urban Development Homeless Management Information System (HMIS) Data and Technical Standards: Comply with the Security Requirements in the Final Notice

HMIS Data and Technical Standards Training

• This is training module 4 of a 4-part series addressing the following components of the Final HMIS Data and Technical Standards:

– Training 1: Overview

– Training 2: Participation and Data Collection Requirements

– Training 3: Privacy Standards

– Training 4: Security and Technical Standards

• Other training modules are available at: www.hmis.info

Companion Training Materials

• This training module features an accompanying set of training materials that includes:

– Data Standards Compliance Checklist for Agencies

– CoC/Implementing Jurisdictions Data Standards Compliance Assessment Checklist

– System Monitoring Guidelines

Overview

• Security standards for HMIS users

• Security standards for HMIS computers

• System/Server level security standards

• Monitoring security at the system level

Defining Security

• Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification.

Security Standards Framework

• Two-tiered: required baseline standards and additional recommended protocols

• Provide for technical controls to protect client data

• Require covered homeless organizations (CHO) to assess their current technical infrastructure and make changes as needed

Applicability

• All workstations, desktops, laptops, and servers that connect to the CHO network or access the HMIS through a Virtual Private Network (VPN) must comply with the baseline security requirements.

• Handout: Agency Data Standards Checklist

What is a Virtual Private Network (VPN)?

• A private communications network that uses a public network to connect remote sites or users

• VPN allows an employee to access his/her agency’s local network from an off-site location using the Internet.

• VPN users typically have software that allows them to access their network through the internet using a secure site

• Learn more about VPNs: http://computer.howstuffworks.com/vpn.htm

Baseline HMIS Agency Security Requirements

• HMIS users

– Unique username and password

– Signed receipt of privacy notice

• HMIS computers and networks

– Secure location

– Workstation username and password

– Virus protection with automatic update

– Locking, password-protected screen saver

– Individual or network firewall

– Public Key Infrastructure (PKI) to prevent unauthorized access

Baseline HMIS User and HMIS Computer Requirements

HMIS Computer Requirements

• Computers in public areas used to collect and store HMIS data must be staffed at all times

• Password-protected screen savers must be automatically enabled when the workstation is not in use

• CHOs may decide to automatically log users off the system after a period of inactivity

HMIS Computer Requirements

• Virus protection

– Must automatically scan files; and

– User must regularly update software to detect new viruses.

– Free virus protection is available at:

• www.free-av.com

• www.nonprofit-tech.org

• Individual or network firewall:

– Network firewall = baseline requirement if internet is accessed through central server; and

– Individual firewall needed if internet is accessed through a modem.

• Additional anti-spyware software is strongly recommended

User Training (Strongly Recommended)

• Although not a baseline requirement, all users should participate in:

– Data and Technical Standards Training

• Participation and Data Collection Requirements; and

• Privacy and Security Protocols to Protect Client Data.

– Software training

• How to enter, edit, change, and delete data; and

• User and computer security requirements.

– Ethics and privacy training

• Consent protocol and privacy protocols; and

• How to interview clients in a sensitive manner.

– User groups are strongly encouraged to develop peer support opportunities

Baseline HMIS System / Server Requirements

• Authentication;

• Multiple Access;

• Virus Protection with Auto Update;

• Firewalls - Individual workstations or network;

• Encrypted transmission;

• Public Access – PKI – Public Key Infrastructure;

• Location Control;

• Back Up and Disaster Recovery;

• System Monitoring; and

• Secure Disposal.

Web Security Model

User Authentication

• Every user accessing the HMIS system must have a unique username and password.

• Passwords must:

– Include at least one number and one letter;

– Be at least 8 characters long;

– Not be based on user’s name, organization, or software; and

– Not be based on common words.

• Good: [Na$car#39]

• Bad: bobclark99

• Terrible: hmis
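
The password rules on this slide written as a checker and run against the slide's three sample passwords. This is an added example, not part of the original training material; the word list, the user name Bob Clark and the organization terms are constructed assumptions.

```python
import re

# Constructed sample list; a real deployment would load a full dictionary file.
COMMON_WORDS = {"password", "welcome", "shelter", "letmein", "qwerty", "spring"}


def _based_on(letters, terms, min_len=3):
    """True if any term (ignoring case) appears inside the password's letters."""
    return any(len(t) >= min_len and t.lower() in letters for t in terms)


def violations(password, user_names=(), org_terms=(), software_terms=("hmis",)):
    """Return the slide's password rules that `password` breaks (empty = OK)."""
    found = []
    if len(password) < 8:
        found.append("shorter than 8 characters")
    if not re.search(r"[0-9]", password):
        found.append("no number")
    if not re.search(r"[A-Za-z]", password):
        found.append("no letter")
    # Reduce to lowercase letters so "Bob.Clark99" still matches "bobclark".
    letters = re.sub(r"[^a-z]", "", password.lower())
    if _based_on(letters, user_names):
        found.append("based on the user's name")
    if _based_on(letters, org_terms):
        found.append("based on the organization's name")
    if _based_on(letters, software_terms):
        found.append("based on the software name")
    if _based_on(letters, COMMON_WORDS, min_len=4):
        found.append("based on a common word")
    return found


if __name__ == "__main__":
    # The three passwords from the slide, for a hypothetical user Bob Clark
    # at a hypothetical organization called Example Shelter.
    for pw in ("Na$car#39", "bobclark99", "hmis"):
        broken = violations(pw, ("bob", "clark"), ("example", "shelter"))
        print(pw, "->", broken or "acceptable")
```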

User Authentication (cont.)

• Both the workstation and the software used to access HMIS data should require user authentication (e.g., username/passwords).

• Logging on to the HMIS computer alone is not sufficient.

• Written information pertaining to user access should not be stored or displayed in any publicly accessible location.

Multiple Access

• An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time.

• An individual user must NOT be allowed to log onto the local network from more than one location at a time.
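
One way to check session records for violations of the multiple-access rule: flag any user who logs in at a second workstation while a session elsewhere is still open. This is an added example, not part of the original training material; the log format, user names and workstation names are constructed assumptions.

```python
from datetime import datetime

# Constructed sample session events: ISO timestamp, user, workstation, action.
SAMPLE_LOG = """\
2005-03-01T09:00:12 jdoe WS-01 LOGIN
2005-03-01T09:05:40 asmith WS-02 LOGIN
2005-03-01T09:30:03 jdoe WS-07 LOGIN
2005-03-01T09:45:00 jdoe WS-01 LOGOUT
2005-03-01T10:00:00 asmith WS-02 LOGOUT
2005-03-01T10:02:10 asmith WS-05 LOGIN
"""


def parse_events(log_text):
    """Return (time, user, workstation, action) tuples in chronological order."""
    events = []
    for raw in log_text.splitlines():
        parts = raw.split()
        if len(parts) != 4 or parts[3] not in ("LOGIN", "LOGOUT"):
            continue  # skip blank or malformed lines
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unreadable timestamp
        events.append((when, parts[1], parts[2], parts[3]))
    return sorted(events)


def concurrent_logins(log_text):
    """Return (user, open_workstation, new_workstation, time) for each overlap."""
    open_sessions = {}  # user -> set of workstations with an open session
    findings = []
    for when, user, station, action in parse_events(log_text):
        active = open_sessions.setdefault(user, set())
        if action == "LOGIN":
            # Any session still open on a different workstation is a violation.
            for other in sorted(active - {station}):
                findings.append((user, other, station, when))
            active.add(station)
        else:
            active.discard(station)
    return findings


if __name__ == "__main__":
    for user, first, second, when in concurrent_logins(SAMPLE_LOG):
        print(f"{when.isoformat()} {user}: {second} login while {first} is open")
```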

System Level Virus Protection

• All systems on the network (including remote and VPN users) must have anti-virus software installed that automatically scans files and is updated regularly.

Old Anti-Virus Software = No Anti-Virus Software

Firewalls

• All machines accessing HMIS must have firewall protection from public networks (i.e., the Internet), typically via hardware.

• Any machines accessing the Internet via dial-up modem must have a personal firewall.

• Individual or network firewall:

– If you use Windows XP you can install a firewall using Windows XP Service Pack 2; and

– Free or low cost firewall software can be downloaded at:

• www.zonelabs.com

• www.techsoup.org

Firewall Behind a Network

Image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925

Encryption

• A CHO must encrypt all HMIS data that are electronically transmitted over the internet

• Encryption is the conversion of plain text into encrypted data (code)

• Encryption is used to protect a client’s sensitive personal information from unauthorized viewing

Data Transmission Encryption

• Two options

– 128-bit encryption over the wire; and

• Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet.

– Secure direct connections.

• Virtual Private Network (VPN)

Public Access

• HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering.

• Translation: Any Web-based HMIS accessed over the Internet needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.

IP Addresses

• Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address;

• The internet uses IP addresses to move information from one place to another;

• An IP address looks like this: 10.141.215.223; and

• Firewalls block suspicious IP addresses from accessing your computer.

What is Public Key Infrastructure?

• Each user is issued a private key to encrypt messages and a public key to decode messages;

• Private key is kept secret and known only to user;

• Public key uses a digital certificate to authenticate the identity of the user;

• Digital certificates must be issued by a recognized Certificate Authority; and

• Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.

PKI: Public Key Infrastructure

• Options for implementing PKI:

– Self-issued certificate authority. Example: Microsoft Certification Authority;

– Third-party certificate authority. Example: Verisign or Thawte;

– Seattle USB token; or

• Alternative to PKI: Limiting access to HMIS through IP filtering. Community examples:

– Los Angeles: filtering by IP address.

Certificate Template

Physical Access/Location

• Access to workstations must be controlled and monitored.

– Options: locked offices, privacy screens, etc.

• Access to servers must be controlled to a greater degree.

– Options: locked cabinet or cage; secure facilities.

Backup and Disaster Recovery

• All HMIS data must be regularly backed up and stored in a secure off-site location:

– Backup your data and applications;

– Save them to tape;

– Test the tapes;

– A backup tape lying next to a server won’t help if the server room catches fire!; and

– Alternatively, consider secure network-based offsite backup solutions.

Secure Disposal

• Tapes, disks and hard drives must be properly formatted and erased before disposal.

– At least two erasure passes (three or more is recommended).

• Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.

System Monitoring

• Most security breaches are carried out by authorized users of client record systems.

• All systems including central servers must be monitored and “routinely” reviewed by staff.

• Monitoring decisions:

– Who monitors?;

– What is normal and what is abnormal usage and access?;

– How do I access the information?; and

– What variables to monitor?

• Handout: Security Monitoring

System Monitoring (cont.)

• What variables to monitor:

– Logon success/failure;

– Account management;

– Policy changes;

– Privilege use;

– Process tracking;

– System events; and

– Connection attempts (IP and port).

Additional security protocols

• Options:

– Designating a Chief Security Officer to supervise implementation;

– Applying a firewall to all HMIS workstations where a network firewall is installed; and

– Destroying HMIS media at a bonded vendor.

Key Security Points

• Applies to all machines on the CHO network or accessing the network through a VPN;

• All computers must have virus protection;

• All servers or computers directly accessing the internet must be protected by a firewall;

• Web-based HMIS must use PKI or IP filtering to limit public access to data;

• Physical access to computers and servers must be restricted;

• Regular back-up and storage of HMIS data; and

• Regular monitoring of HMIS at the system level.

Summary

• HMIS Data and Technical Standards set requirements for:

– Data Elements and Data Collection Requirements (Training 2);

– Privacy Standards (Training 3); and

– Security and Technical Standards (Training 4).

Security Resources

• National Institute of Standards and Technology Computer and Security Resource Center

– http://csrc.ncsl.nist.gov

• Carnegie Mellon/CERT: Connecting to the Internet

– http://www.cert.org/tech_tips/before_you_plug_in.html

• CERT Implementation Tips for Servers and Networks

– http://www.cert.org/tech_tips/

• National Institutes of Health Center for Information Technology Security Site

– http://www.alw.nih.gov/Security/security.html

• Forum of Incident Response and Security Reform

– http://first.org

Additional Resources

• Final Notice:

– http://www.hud.gov/offices/cpd/homeless/hmis/standards/index.cfm

• HMIS Related Info:

– http://www.hud.gov/offices/cpd/homeless/hmis/index.cfm

– www.hmis.info