HMIS Data and Technical Standards Training
Prepared by Abt Associates for the U.S. Department of Housing and Urban Development
Homeless Management Information System (HMIS) Data and Technical
Standards: Comply with the Security Requirements in the Final Notice
HMIS Data and Technical Standards Training
• This is training module 4 of a four-part series addressing the following components of the Final HMIS Data and Technical Standards:
– Training 1: Overview
– Training 2: Participation and Data Collection Requirements
– Training 3: Privacy Standards
– Training 4: Security and Technical Standards
• Other training modules are available at: www.hmis.info
Companion Training Materials
• This training module features an accompanying set of training materials that includes:
– Data Standards Compliance Checklist for Agencies
– CoC/Implementing Jurisdictions Data Standards Compliance Assessment Checklist
– System Monitoring Guidelines
Overview
• Security standards for HMIS users
• Security standards for HMIS computers
• System/Server level security standards
• Monitoring security at the system level
Defining Security
• Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification.
Security Standards Framework
• Two-tiered: required baseline standards and additional recommended protocols
• Provide for technical controls to protect client data
• Require covered homeless organizations (CHO) to assess their current technical infrastructure and make changes as needed
Applicability
• All workstations, desktops, laptops, and servers that connect to the CHO network or access the HMIS through a Virtual Private Network (VPN) must comply with the baseline security requirements.
• Handout: Agency Data Standards Checklist
What is a Virtual Private Network (VPN)?
• A private communications network that uses a public network to connect remote sites or users
• VPN allows an employee to access his/her agency’s local network from an off-site location using the Internet.
• VPN users typically have software that allows them to access their network through the internet using a secure site
• Learn more about VPNs: http://computer.howstuffworks.com/vpn.htm
Baseline HMIS Agency Security Requirements
• HMIS users
– Unique username and password
– Signed receipt of privacy notice
• HMIS computers and networks
– Secure location
– Workstation username and password
– Virus protection with automatic update
– Locking password protected screen saver
– Individual or network firewall
– Public Key Infrastructure (PKI) to prevent unauthorized access
Baseline HMIS User and HMIS Computer Requirements
HMIS Computer Requirements
• Computers in public areas used to collect and store HMIS data must be staffed at all times
• Password protected screen savers must be automatically enabled when workstation is not in use
• CHOs may decide to automatically log users off the system after a period of inactivity
HMIS Computer Requirements
• Virus protection
– Must automatically scan files; and
– User must regularly update software to detect new viruses.
– Free virus protection is available at:
• www.free-av.com
• www.nonprofit-tech.org
• Individual or network firewall:
– Network firewall = baseline requirement if internet is accessed through central server; and
– Individual firewall needed if internet is accessed through a modem.
• Additional anti-spyware software is strongly recommended
User Training (Strongly Recommended)
• Although not a baseline requirement, all users should participate in:
– Data and Technical Standards Training
• Participation and Data Collection Requirements; and
• Privacy and Security Protocols to Protect Client Data.
– Software training
• How to enter, edit, change, and delete data; and
• User and computer security requirements.
– Ethics and privacy training
• Consent protocol and privacy protocols; and
• How to interview clients in a sensitive manner.
– User groups are strongly encouraged to develop peer support opportunities
Baseline HMIS System / Server Requirements
• Authentication;
• Multiple Access;
• Virus Protection with Auto Update;
• Firewalls - Individual workstations or network;
• Encrypted transmission;
• Public Access – PKI – Public Key Infrastructure;
• Location Control;
• Back Up and Disaster Recovery;
• System Monitoring; and
• Secure Disposal.
Web Security Model
User Authentication
• Every user accessing the HMIS system must have a unique username and password.
• Passwords must:
– Include at least one number and one letter;
– Be at least 8 characters long;
– Not be based on user’s name, organization, or software; and
– Not be based on common words.
• Good: [Na$car#39]
• Bad: bobclark99
• Terrible: hmis
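The password rules above, written out as a checker and run against the slide's three sample passwords. This is an added example, not part of the original training; the word lists, the user name "Bob Clark" and the organization "Hope Shelter" are constructed for illustration.

```python
import re

# Constructed sample word list; a real deployment would load a full dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "winter"}
# Assumed product terms for the "not based on ... software" rule.
SOFTWARE_TERMS = {"hmis"}


def letters_only(text):
    """Lowercase and keep ASCII letters only, so 'Bob.Clark' matches 'bobclark99'."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_password(password, full_name, organization,
                   software_terms=SOFTWARE_TERMS, common_words=COMMON_WORDS):
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")

    core = letters_only(password)
    # Ignore name/organization tokens under 3 letters; they match by accident.
    name_tokens = [t for t in map(letters_only, full_name.split()) if len(t) >= 3]
    org_tokens = [t for t in map(letters_only, organization.split()) if len(t) >= 3]
    if any(t in core for t in name_tokens):
        problems.append("based on user's name")
    if any(t in core for t in org_tokens):
        problems.append("based on organization")
    if any(t in core for t in software_terms):
        problems.append("based on software")
    if any(w in core for w in common_words):
        problems.append("based on a common word")
    return problems
```

Run the check when a password is set or changed, before it is hashed, since the plain text is not available afterwards.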
User Authentication (cont.)
• Both the workstation and the software used to access HMIS data should require user authentication (e.g., username/passwords).
• Logging on to the HMIS computer alone is not sufficient.
• Written information pertaining to user access should not be stored or displayed in any publicly accessible location.
Multiple Access
• An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time.
• An individual user must NOT be allowed to log onto the local network from more than one location at a time.
System Level Virus Protection
• All systems on the network (including remote and VPN users) must have anti-virus software installed that automatically scans files and is updated regularly.
Old Anti-Virus Software = No Anti-Virus Software
Firewalls
• All machines accessing HMIS must have firewall protection from public networks (i.e., the Internet), typically via hardware.
• Any machines accessing the Internet via dial-up modem must have a personal firewall.
• Individual or network firewall:
– If you use Windows XP you can install a firewall using Windows XP Service Pack 2; and
– Free or low cost firewall software can be downloaded at:
• www.zonelabs.com
• www.techsoup.org
Firewall Behind a Network
Image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925
Encryption
• A CHO must encrypt all HMIS data that are electronically transmitted over the internet
• Encryption is the conversion of plain text into encrypted data (code)
• Encryption is used to protect a client’s sensitive personal information from unauthorized viewing
Data Transmission Encryption
• Two options
– 128 bit encryption over the wire; and
• Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet.
– Secure direct connections.
• Virtual Private Network (VPN)
Public Access
• HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering.
• Translation: Any Web-based HMIS accessed over the Internet needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.
IP Addresses
• Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address;
• The internet uses IP addresses to move information from one place to another;
• An IP address looks like this: 10.141.215.223; and
• Firewalls block suspicious IP addresses from accessing your computer.
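A sketch of the IP filtering option for a Web-based HMIS: the server admits a connection only if its source address falls inside an approved network. This is an added example, not part of the original training; the allowlisted ranges are constructed from reserved documentation address space.

```python
import ipaddress

# Constructed allowlist (documentation ranges); replace with each agency's
# real static addresses.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("192.0.2.0/28", "198.51.100.17/32", "2001:db8:10::/48")]


def is_allowed(client_ip, networks=ALLOWED_NETWORKS):
    """True only if client_ip parses and falls inside an allowlisted network.

    client_ip must be the peer address of the TCP connection. A value copied
    from a client-supplied header can be set by the sender and proves nothing.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False  # malformed input is denied, never passed through
    # An IPv4 client on a dual-stack listener appears as ::ffff:a.b.c.d;
    # unwrap it so it is compared against the IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)
```

Filtering by address only works for agencies with static addresses, and it identifies a network rather than a person, so the per-user username and password requirement still applies.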
What is Public Key Infrastructure?
• Each user is issued a private key to encrypt messages and a public key to decode messages;
• Private key is kept secret and known only to user;
• Public key uses a digital certificate to authenticate the identity of the user;
• Digital certificates must be issued by a recognized Certificate Authority; and
• Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.
PKI: Public Key Infrastructure
• Options for implementing PKI:
– Self-issued certificate authority. Example: Microsoft Certification Authority;
– Third-party certificate authority. Example: Verisign or Thawte;
– Seattle USB token; or
• Alternative to PKI: Limiting access to HMIS through IP filtering. Community examples:
– Los Angeles: filtering by IP address.
Certificate Template
Physical Access/Location
• Access to workstations must be controlled and monitored.
– Options: locked offices, privacy screens, etc.
• Access to servers must be controlled to a greater degree.
– Options: locked cabinet or cage; secure facilities.
Backup and Disaster Recovery
• All HMIS data must be regularly backed up and stored in a secure off-site location:
– Back up your data and applications;
– Save them to tape;
– Test the tapes;
– A backup tape lying next to a server won’t help if the server room catches fire!; and
– Alternatively, consider secure network-based offsite backup solutions.
Secure Disposal
• Tapes, disks and hard drives must be properly formatted and erased before disposal.
– At least two erasure passes (three or more is recommended).
• Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.
System Monitoring
• Most security breaches are carried out by authorized users of client record systems.
• All systems including central servers must be monitored and “routinely” reviewed by staff.
• Monitoring decisions:
– Who monitors?;
– What is normal and what is abnormal usage and access?;
– How do I access the information?; and
– What variables to monitor?
• Handout: Security Monitoring
System Monitoring (cont.)
• What variables to monitor:
– Logon success/failure;
– Account management;
– Policy changes;
– Privilege use;
– Process tracking;
– System events; and
– Connection attempts (IP and port).
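A routine log review covering two of the points above: the "logon success/failure" variable and the Multiple Access rule that one user must not be logged on from two workstations at once. This is an added example, not part of the original training; the log format, field names, and the threshold of three failures in five minutes are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines; the format and field names are assumptions.
SAMPLE_LOG = """\
2024-03-04T09:00:12 LOGON_OK user=asmith ws=INTAKE-1
2024-03-04T09:05:40 LOGON_FAIL user=bjones ws=INTAKE-2
2024-03-04T09:05:55 LOGON_FAIL user=bjones ws=INTAKE-2
2024-03-04T09:06:10 LOGON_FAIL user=bjones ws=INTAKE-2
2024-03-04T09:30:00 LOGON_OK user=asmith ws=OFFICE-3
2024-03-04T10:00:00 LOGOFF user=asmith ws=INTAKE-1
2024-03-04T10:15:00 LOGON_OK user=asmith ws=INTAKE-1
2024-03-04T10:20:00 LOGOFF user=asmith ws=OFFICE-3
"""


def parse(line):
    """Split one audit line into (timestamp, event, user, workstation)."""
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, rec["user"], rec["ws"]


def review(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return (concurrent, failure_bursts) found in a time-ordered log.

    concurrent: logons by a user who still has a session open elsewhere.
    failure_bursts: users reaching max_failures failed logons within window.
    """
    active = defaultdict(set)     # user -> workstations with an open session
    failures = defaultdict(list)  # user -> timestamps of recent failures
    concurrent, failure_bursts = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, event, user, ws = parse(line)
        if event == "LOGON_OK":
            others = active[user] - {ws}
            if others:  # already logged on at a different workstation
                concurrent.append((user, ws, sorted(others), ts.isoformat()))
            active[user].add(ws)
            failures[user].clear()
        elif event == "LOGOFF":
            active[user].discard(ws)
        elif event == "LOGON_FAIL":
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) == max_failures:  # report once, at the threshold
                failure_bursts.append((user, ws, ts.isoformat()))
    return concurrent, failure_bursts
```

A review like this only reports after the fact; enforcing the Multiple Access rule means the HMIS refuses the second logon while the first session is open.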
Additional security protocols
• Options:
– Designating a Chief Security Officer to supervise implementation;
– Applying a firewall to all HMIS workstations where a network firewall is installed; and
– Destroying HMIS media at a bonded vendor.
Key Security Points
• Applies to all machines on the CHO network or accessing the network through a VPN;
• All computers must have virus protection;
• All servers or computers directly accessing the internet must be protected by a firewall;
• Web-based HMIS must use PKI or IP filtering to limit public access to data;
• Physical access to computers and servers must be restricted;
• Regular back-up and storage of HMIS data; and
• Regular monitoring of HMIS at the system level.
Summary
• HMIS Data and Technical Standards set requirements for:
– Data Elements and Data Collection Requirements (Training 2);
– Privacy Standards (Training 3); and
– Security and Technical Standards (Training 4).
Security Resources
• National Institute of Standards and Technology Computer and Security Resource Center
– http://csrc.ncsl.nist.gov
• Carnegie Mellon/CERT: Connecting to the Internet
– http://www.cert.org/tech_tips/before_you_plug_in.html
• CERT Implementation Tips for Servers and Networks
– http://www.cert.org/tech_tips/
• National Institutes of Health Center for Information Technology Security Site
– http://www.alw.nih.gov/Security/security.html
• Forum of Incident Response and Security Reform
– http://first.org
Additional Resources
• Final Notice:
– http://www.hud.gov/offices/cpd/homeless/hmis/standards/index.cfm
• HMIS Related Info:
– http://www.hud.gov/offices/cpd/homeless/hmis/index.cfm
– www.hmis.info