U.S. Department of Health and Human Services
Indian Health Service: The Federal Health Program for American Indians and Alaska Natives
 
California Area Indian Health Service

 
 
  FAQs for Information Resource Management  
 
RPMS
Interconnection Security Agreement
Miscellaneous
 
RPMS FAQs
 
Who can I call for Resource & Patient Management System (RPMS) & Network assistance?
 

An end user at a Tribal or Urban health program should always contact their local IT support center / RPMS Site Manager first. If more assistance is needed, the local IT staff or Site Manager should then contact the IT Staff at the California Area IHS (CAIHS) at (916) 930-3981 Ext. 353. If support is needed beyond what the California IT staff can provide, they will submit a trouble ticket with the Albuquerque OIT (Office of Information Technology) helpdesk.

When requesting assistance via email, please provide as much information as possible:

If RPMS related:

  • which option(s) you were using when the problem occurred
  • name of user having the problem and their contact information
  • brief description of the problem you're having
  • screen shot of the problem

If WEB related:

  • inaccessible web site URL (aka Internet address) and section
  • brief description of the problem you're having
 
Who at my healthcare organization should be doing the monthly RPMS exports on our database?
 

It is the health program's responsibility to complete any RPMS exports by the 25th of every month. The person responsible for performing this task varies from organization to organization. Some sites assign the export of each RPMS package's data to the party responsible for that package. The Site Manager would coordinate this effort on a monthly basis.

For example: The Immunization coordinator will export the data from the Immunization package; the Data Entry clerk or supervisor will export the data from the Patient Care Component (PCC) package; the Behavioral Health professional will export their own data from the Behavioral Health package; the Contract Health Service (CHS) coordinator will export the data from the CHS package; and the Dental Assistant will export data from the Dental Package.

Another possibility is to assign one person to export ALL RPMS data at the same time. This one person could be the RPMS Site Manager, the Clinic Manager, IT personnel or another health professional who is capable and willing to take on this responsibility.

In the event the healthcare organization does not have someone who can perform this task, the health program staff should let our office know that there is no one at the site who can perform these tasks and that they'd like our IRM staff to perform the exports until someone from the health program can be assigned this responsibility.

 
When are the monthly RPMS exports due to the California Area office?
 
Each health program should complete all their RPMS exports on or before the 25th of every month.
 
How do we set up a network printer to be utilized within the RPMS system?
 

First, set up the printer on your local area network (LAN). Once it is set up on your LAN and you can send a test print job from a networked PC, send an email message to the CAO Helpdesk with the following information:

  • IP Address of the printer
  • Printer make & model

  •      Generally includes the facility's 3-letter abbreviation at the beginning of this name,
         Example: CAO3PB for California Area Office Third Party Billing
  • Whether the printer has its own network port directly on the printer or the printer hooks up to a print server via parallel cable

Our IT staff will create a queue on the RPMS server and a DEVICE in the RPMS database with the information provided in this email message. Once this is completed, our staff will inform the requesting person that the print queue & DEVICE have been created and are ready for use.
 
We have a new employee in our organization that requires training in the RPMS system. Where can I find a schedule of RPMS training events?
 

The California Area Office provides training on RPMS packages about 6 to 20 times a year. A schedule of these classes can be found on our Training page:

The IHS National Programs provide a number of RPMS-related training sessions throughout the United States in different formats: onsite, Webex, or a combination of the two. They post their schedules online:

http://www.ihs.gov/cio/rpms/index.cfm?module=home&option=OITTrainingLinks

 
 
Interconnection Security Agreement (ISA) FAQs
 
Are we required to have an Information Systems Security Officer?
 

Yes, someone in your organization must have this title. It is not required that this be a separate position. For instance, someone in the IT department might be designated for this role, in addition to other duties. We require that you schedule security training for that individual, and document a daily security task list (review event logs, patch servers, etc.).

 
Why the ISA at this time?
 

The Interconnection Security Agreement is federally mandated for any system, contractor, or agency that touches the federal network. This is a component of the Security Certification and Accreditation process, which is also federally mandated.

 
What is the background check? We have done a drug and background check for all tribal employees. Is this all we need to do?
 

IT personnel should have a Public Trust, Level 5 background check. Below are guidelines for determining the sensitivity levels for various personnel:

Position Sensitivity Designations/Access Codes

Position Category              Sensitivity Level
Non-Sensitive Positions        Level 1 - Non-Sensitive
National Security Positions    Level 2 - Non-critical Sensitive
National Security Positions    Level 3 - Critical Sensitive
National Security Positions    Level 4 - Special Sensitive
Public Trust Positions         Level 5 - Moderate Risk
Public Trust Positions         Level 6 - High Risk

The level of sensitivity of a position should be determined using the position description and the types of data and systems accessed by the employee in the performance of his/her duties. Ultimately, the determination of position sensitivity from an IT perspective is based on the type and degree of harm the individual could cause through misuse of the system. This potential for harm increases as the level of access to sensitive, financial, and/or classified information increases.

 
What are the "IHS training and awareness requirements?"
 

Security Awareness Training can be taken at this site:

http://www.isa.ihs.gov/

It is required annually, and must be taken within 60 days of employment.

Training ISSOs.
The training for ISSOs should include in-depth coverage of the threats and vulnerabilities related to their systems, techniques for detecting and reacting to incidents, and techniques for implementing Part 8, Chapter 12, "IT Security," Indian Health Service Manual in their environment. The IHS Manual can be found here:
http://www.ihs.gov/PublicInfo/Publications/IHSManual/Part8/pt8chapt12/pageone.htm

 
Who are the "IHS SECURITY POC" and what are the contact paths?
 

Your IHS California Area Security Points of Contact (POCs) are:

Robert Gemmell, ISSO
Phone: (916) 930-3927 x326
Email: Robert.Gemmell@ihs.gov

Kelly Stephenson, Alternate ISSO
Phone: (916) 930-3927 x330
Email: kelly.stephenson@ihs.gov

 
Can we get a site specific explanation of the "interconnect" with IHS?
 

All sites are defined as having an "interconnect" because site users access highly sensitive data across a federal network.

 
Are any data services offered by IHS such as off line backup or use auditing as required in the "Interconnection Security Agreement"?
 

Backup and auditing of the patient databases at the Sacramento location is conducted by IHS personnel. Backup and auditing at the sites is the responsibility of the site, but there are excellent Windows operating system tools and open source utilities available.

 
Is there an explanation for all of the sections of the "Interconnection Security Agreement"?
 

The National Institute of Standards and Technology (NIST) Special Publication 800-47, Appendix A, discusses ISAs. The entire NIST 800 series can be found here:

http://csrc.nist.gov/publications/nistpubs/

 
We have a backup and recovery system - is this good enough or is there some specific standard needed to comply with the ISA?
 

Contingency planning is addressed in the NIST document 800-34, which can be found here:

http://csrc.nist.gov/publications/nistpubs/

 
What is the time frame to implement each of the requirements of the "ISA"?
 

As soon as possible. That having been said, the California Area Office will be doing annual testing in August 2007 and risk assessment in September 2007. That would probably be a good target to aim for.

 
Define the type of encryption, or cryptographic modules we should use and where we get them.
 

We're not able to discuss the specifics of IHS encryption in an FAQ, but all router-to-router packets are encrypted. Beyond that, we recommend that file system encryption be implemented at all sites. Excellent open source tools that are compliant with Federal Information Processing Standards (FIPS) are available to accomplish this.

 
How do you suggest we audit/monitor our users? What software should we use and who pays for the software?
 

Systems Administrators at the sites should take advantage of the built in auditing and monitoring capabilities of the Windows server environment. The principle of "least access" should be implemented so that users are only able to access resources that are required for their work assignments.

Network monitoring at the router level is performed by IHS personnel. Deployment of proprietary monitoring software for the site LAN (your side of the router) is up to the site manager.

 
Where do we find the awareness training site? How is it used? Is this a web site? Is it a paper test?
 

Security Awareness Training can be taken at this site:

http://www.isa.ihs.gov/ (If the site is down, there is a paper test.)

 
What do you suggest we do to comply with the 24/7 requirement?
 

It's recommended that a best effort be made to assure that 24/7 contact is possible in the event of a security incident. Remote sites without cell tower coverage should make the home phone numbers of responsible individuals known to the CAO IT staff.

An alternate to the System Administrator should be known to the CAO IT staff in the event that the System Administrator is not available. However, it is recommended that the System Administrator develop some method to access the system remotely.

 
What is a "persistent connection"?
 

A persistent connection is defined as an uninterrupted stream of IP packets between the site router and the IHS network.

 
Do you have examples of the disaster recovery plan or the security plan so we have some idea what it should look like?
 

The NIST 800-34 document provides guidance for Contingency Plans. The NIST 800-18 addresses Security Plans. These documents can be found here:

http://csrc.nist.gov/publications/nistpubs/

 
Where can the recommended Standard Operating Procedures (SOP's) be found?
 

http://home.ihs.gov/ITSC-CIO/security/ (Intranet)

 
Where can we find Non-Disclosure Agreements?
 

Templates can be found readily on-line.

 
Our site hosts our own RPMS database - do we still need to sign an Interconnection Security Agreement?
 

If your site is on the federal network (in the 161.223.x.x IP range), or you have federal accounts for email or VPN, or you access restricted federal resources in any other way, yes.

 
Where can we get the definition of a "security incident"?
 

The NIST 800-61 provides guidance with defining security incidents. It can be found here:

http://csrc.nist.gov/publications/nistpubs/

 
Do you want us to provide the CAO with a detailed Network Diagram?
 

Beyond our requirement that network diagrams be created and made available, it's a good "best practice" for your organization to have this in place, anyway.

 
What about wireless?
 

Wireless security is addressed in NIST 800-48 - it can be found here:

http://csrc.nist.gov/publications/nistpubs/

 
Where can I learn more about the certification and accreditation process?
 

All federal agencies are now in a perpetual Security Certification and Accreditation (C&A) process. This effort is mandated by the Federal Information Systems Management Act (FISMA), HIPAA, OMB Circular A-130, and other policy drivers.

Congress also mandated that interpretation and structure be given to their mandate by the National Institute of Standards and Technology (NIST).

These NIST documents are collectively known as the "800 series". They cover everything from secure wireless to post-security incident forensics and evidence "chain-of-custody" issues.

Among the most important 800 publications are:

800-53   Security Controls
800-100  Information Security Handbook: A Guide for Managers
800-37   Guide for the Security Certification and Accreditation of Federal Information Systems

Site Managers and security personnel can use this link to view all the instructional documentation that informs the various components of a C&A package:

http://csrc.nist.gov/publications/nistpubs/

 
 
Miscellaneous
 
Our facility is moving into another building or adding a new satellite facility. What do we need to do to move our telecommunications equipment and IHS circuit or order a new circuit?
 

Call the Telecommunications Liaison in our office at (916) 930-3981 x330 to help you coordinate the move of your circuit from the old building to the new one or to order a new circuit. Please keep in mind that Verizon requires, at a minimum, 41 business days to complete either request.

 
 
 

Indian Health Service (HQ) - The Reyes Building, 801 Thompson Avenue, Ste. 400 - Rockville, MD 20852