Laserfiche WebLink
ATTACHMENT A <br />HIPAA AND DATA SECURITY REQUIREMENTS <br />Authorized Users through the use of access control lists which will grant access only <br />after the Authorized User has authenticated to the network using a Unique User ID <br />and Hardened Password or other authentication mechanisms which provide equal or <br />greater security, such as biometrics or smart cards. Data on disks mounted to such <br />servers must be located in an area which is accessible only to authorized personnel, <br />with access controlled through use of a key, card key, combination lock, or comparable <br />mechanism. <br />For DOC Confidential Information stored on these disks, deleting unneeded Data is <br />sufficient as long as the disks remain in a Secure Area and otherwise meet the <br />requirements listed in the above paragraph. Destruction of the Data, as outlined below <br />in Section 8 Data Disposition, may be deferred until the disks are retired, replaced, or <br />otherwise taken out of the Secure Area. <br />c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data <br />provided by DOC on optical discs which will be used in local workstation optical disc <br />drives and which will not be transported out of a Secure Area. When not in use for the <br />contracted purpose, such discs must be Stored in a Secure Area. Workstations which <br />access DOC Data on optical discs must be located in an area which is accessible only <br />to authorized personnel, with access controlled through use of a key, card key, <br />combination lock, or comparable mechanism. <br />d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data <br />provided by DOC on optical discs which will be attached to network servers and which <br />will not be transported out of a Secure Area. Access to Data on these discs will be <br />restricted to Authorized Users through the use of access control lists which will grant <br />access only after the Authorized User has authenticated to the network using a Unique <br />User ID and Hardened Password or other authentication mechanisms which provide <br />equal or greater security, such as biometrics or smart cards. Data on discs attached <br />to such servers must be located in an area which is accessible only to authorized <br />personnel, with access controlled through use of a key, card key, combination lock, or <br />comparable mechanism. <br />e. Paper documents. Any paper records must be protected by storing the records in a <br />Secure Area which is only accessible to authorized personnel. When not in use, such <br />records must be stored in a Secure Area. <br />Remote Access. Access to and use of the Data over the State Governmental <br />Network (SGN) or Secure Access Washington (SAW) will be controlled by DOC staff <br />who will issue authentication credentials (e.g. a Unique User ID and Hardened <br />Password) to Authorized Users on Contractor's staff. Contractor will notify DOC staff <br />immediately whenever an Authorized User in possession of such credentials is <br />terminated or otherwise leaves the employ of the Contractor, and whenever an <br />Authorized User's duties change such that the Authorized User no longer requires <br />access to perform work for this Contract. <br />g. Data storage on portable devices or media. <br />(1) Except where otherwise specified herein, DOC Data shall not be stored by the <br />Contractor on portable devices or media unless specifically authorized within the <br />Washington State K14078 Page 14 of 19 <br />Department of Corrections Attachment A 26RAD <br />