Laserfiche WebLink
ATTACHMENT A <br />HIPAA AND DATA SECURITY REQUIREMENTS <br />g. When accessing the Data from within the Contractor's network (the Data stays within <br />the Contractor's network at all times), enforce password and logon requirements for <br />users within the Contractor's network, including: <br />(1) A minimum length of 8 characters, and containing at least three of the following <br />character classes: uppercase letters, lowercase letters, numerals, and special <br />characters such as an asterisk, ampersand, or exclamation point. <br />(2) That a password does not contain a user's name, logon ID, or any form of their full <br />name. <br />(3) That a password does not consist of a single dictionary word. A password may be <br />formed as a passphrase which consists of multiple dictionary words. <br />(4) That passwords are significantly different from the previous four passwords. <br />Passwords that increment by simply adding a number are not considered <br />significantly different. <br />h. When accessing Confidential Information from an external location (the Data will <br />traverse the Internet or otherwise travel outside the Contractor's network), mitigate risk <br />and enforce password and logon requirements for users by employing measures <br />including: <br />(1) Ensuring mitigations applied to the system don't allow end -user modification. <br />(2) Not allowing the use of dial -up connections. <br />(3) Using industry standard protocols and solutions for remote access. Examples <br />would include RADIUS and Citrix. <br />(4) Encrypting all remote access traffic from the external workstation to Trusted <br />Network or to a component within the Trusted Network networks (using key lengths <br />of 128 bits or greater) Algorithm modules validated by the National Institute of <br />Standards and Technology (NIST) Cryptographic Module Validation Program <br />C( MVP) are required. The traffic must be encrypted at all times while traversing <br />any network, including the Internet, which is not a Trusted Network. <br />(5) Ensuring that the remote access system prompts for re -authentication or performs <br />automated session termination after no more than 20 minutes of inactivity. <br />(6) Ensuring use of Multi -factor Authentication to connect from the external end point <br />to the internal end point. Authentication mechanisms must meet or exceed those <br />described in the most recent version of NIST SP 800-63 for information requiring <br />assurance level 3 or higher. One of the authentication factors should be provided <br />by a device separate from the computer gaining access. <br />(7) Ensuring all system and service accounts use Enterprise Active Directory or a <br />similar centralized authentication and authorization mechanism. If authentication <br />methods such as SQL authentication are required by the system, Contractor uses <br />credentials secured during transmission through encrypted sessions such as <br />TLS1.2 (or greater) or IPSec, and in storage using a secure hash method validated <br />Washington State K140VS Page 12 of I9 <br />Department of Corrections Attachment A 26RAD <br />