Proposed Account Management Procedures
These procedures address the following HIPAA procedural requirements: workforce security 308.a.3.ii. A, B, C; information access management 308.a.4.ii.B, C; security awareness training 308.a.5.ii.A, D.
Access to UCSF application systems and electronic information should be based on current need and controlled by verifying the identity of the user or application system. Every user should be uniquely identified based on the userID, and every userID should have an associated user.
Objective of the account management procedures:
- To ensure that only authorized UCSF users access appropriate UCSF systems;
- To ensure that authorized UCSF users are held accountable for all access made through their personal UserID and password.
2. DEFINITION OF TERMS
UCSF Users. UCSF students, faculty, staff, and others affiliated with the University (including those in program, contract, or license relationships with the University) may, as authorized by the Chancellor, be eligible to use University electronic communications resources and services for purposes in accordance with The Electronic Communications Policy, Sections III.D, Allowable Use.
Public Users. Persons and organizations that are not UCSF Users may only access UCSF electronic communications resources or services under programs sponsored by UCSF, as authorized by the Chancellor, or for the Office of the President, the Senior Vice President, Business and Finance, for purposes of such public access in accordance with Section III.D, Allowable Use.
Transient Users. Users whose electronic communications merely traverse the UCSF network. These users are not considered "Users" for the purposes of this Policy.
User Account. The actual login account assigned to a user that allows access to UCSF electronic communications resources. There are several types of user accounts:
Student. these accounts are issued to UCSF students and automatically expire in August of the year that the student graduates.
Faculty. these accounts are issued to UCSF faculty and do not expire until the individual leaves UCSF.
Staff. these accounts are issued to UCSF staff and do not expire until the individual is no longer in the employ of UCSF.
Contractor. these accounts are issued to non-UCSF individuals who are performing a service at UCSF. In general, contractor accounts should be set to expire on the expiration date of the contract. For open-ended contracts, these accounts should be set to expire every 6 months at which time a review of the account should be performed, and where appropriate, the expiration date would be extended for another 6 months.
Consultant. these accounts are issued to non-UCSF staff who are providing consulting services at UCSF. In general, consultant accounts should be set to expire on the date of the contract. For open-ended contracts, these accounts should be set to expire every 6 months at which time a review of the account should be performed, and where appropriate, the expiration date would be extended for another 6 months.
Temporary. there are occasio ns where a department may need to provide a individual with an account for a very brief period of time (for example, to access certain records for research purposes). Because it is not always possible to create these accounts on the spot, temporary accounts can be established in advance and then "lent" to the individual for that brief period of time. When the temporary account is given to an individual, it should be logged for access accountability purposes. When use of the temporary account is complete, the password for that account must be changed immediately (to prevent continued use by the individual who was given the temporary account).
3. ACCOUNT MANAGEMENT PROCEDURE
Scope of Procedure
The UCSF Account Management Procedure applies to all systems within UCSF with the exception of existing systems that cannot be upgraded for technical reasons. Administrators for systems that cannot meet this requirement should document this caveat within their own system documentation for future reference.
A. UserID Authorization
A documented process should be in place for authorizing users to UCSF computer systems and computerized information. A process will need to be developed to address the following activities:
- assigning a new user account
- revoking a user account
- reviewing access authorization to systems and/or information
- review of issued accounts
For each of the activities listed above, appropriate documentation of actions taken must be maintained. For assistance with documentation requirements, contact ITS Information Security Services (email@example.com or 415-514-4100).
I. Selecting a password
The password is the most important mechanism available to protect systems. Passwords should:
- be a minimum of six positions in length
- contain a combination of letters, numbers, or other displayable special characters (such as #, @)
- be changed, at a minimum, once a year
- not be found in the dictionary
- not contain more than three consecutive characters in any position from the previous password
- not contain the userID as part of the password
II. Changing a Password
Changing passwords on a scheduled basis should be commensurate with the sensitivity of the information. For example, accounts that are used to access clinical patient information may need to be changed every 30 - 60 days; accounts that are used for Internet access only may need to be changed only once a year. Document the schedule for changing passwords.
lll. Invalid Password Attempts
When a user cannot enter the password correctly within three (3) attempts, the account should be suspended until the system administrator can talk with the user. In general, there are three main reasons why an individual would have difficulty entering the password correctly within three tries:
- The user cannot remember the password that s/he selected originally;
- The user is not familiar with the process for logging on to the system;
- A hacker is trying to guess an authorized user's password to gain unauthorized access to the system.
By suspending the account, the system administrator has the opportunity to ascertain the reason for the invalid logon attempts and can address the real issue. Depending on the sensitivity of the information contained within the system, a password reset policy should be established that documents whether a password can be res et automatically by the sy stem or must require some type of human intervention. For example, accounts that are used to access clinical patient information should never have passwords reset automatically and should require human review of the situation before the account can be used again, however, for accounts that are used for Internet access only it may be appropriate to reset the accounts automatically after ten minutes with an alert sent to the system administrator for follow-up at a later time. Whatever the reset policy is, it must be documented and communicated to the users of that system.
IV. Passwords Assigned on the User's Behalf
As stated in the UCSF Account Management Policy, when a password is assigned for the user (either because it is a new userID or a password had to be reset), the first time that the user logs on s/he should be prompted to change the password immediately. This helps to ensure that the user will remember the password (since s/he selected it personally) and also ensures that whoever assigned the original password will no longer know the valid password used for authorized access.
C. Awareness Training Regarding the Use of Accounts
At a minimum, on an annual basis, the system owner providing accounts to users for access will send out "reminders" to their user community regarding the user's responsibilities for protecting their accounts. The reminder will include such areas as changing passwords, not sharing accounts, and individual responsibilities for any access made with an account.