|
|
|
An end user at a Tribal or Urban health program should always contact their local IT support center / RPMS Site Manager first. Then, if more assistance is needed, the local IT staff or Site Manager should contact the IT Staff at the California Area IHS (CAIHS) at (916) 930-3981 Ext. 353. If support is needed beyond what the California IT staff can provide, they will submit a trouble ticket with the Albuquerque OIT (Office of Information Technology) helpdesk.
When requesting assistance via email, please provide as much information as possible:
If RPMS related:
- which option(s) you were using when the problem occurred
- name of user having the problem and their contact information
- brief description of the problem you're having
- screen shot of the problem
If WEB related:
- Inaccessible web site URL (aka Internet address) and section
- brief description of the problem you're having
|
|
|
It is the health program's responsibility to complete any RPMS exports by the 25th of every month. The person responsible for this task varies from organization to organization. Some sites assign the task of exporting data to the party responsible for each RPMS package. The Site Manager would coordinate this effort on a monthly basis.
For example: The Immunization coordinator will export the data from the Immunization package; the Data Entry clerk or supervisor will export the data from the Patient Care Component (PCC) package; the Behavioral Health professional will export their own data from the Behavioral Health package; the Contract Health Service (CHS) coordinator will export the data from the CHS package; and the Dental Assistant will export data from the Dental Package.
Another possibility is to assign this task to one person to export ALL RPMS data at the same time. This one person could be the RPMS Site Manager, the Clinic Manager, IT personnel or other health professional that's capable and willing to take on this responsibility.
In the event the healthcare organization does not have someone who can perform this task, the health program staff should let our office know that there is no one at the site who can perform these tasks and that they'd like our IRM staff to perform the exports until someone from the health program can be assigned this responsibility.
|
|
|
Each health program should complete all their RPMS exports on or before the 25th of every month.
|
|
|
First, set up the printer on your local area network (LAN). Once that is set up on your LAN and you can send a test print job from a networked PC, send an email message to the CAO Helpdesk with the following information:
- IP Address of the printer
- Printer make & model
Generally includes the facility's 3-letter abbreviation at the beginning of this name. Example: CAO3PB for California Area Office Third Party Billing
- Whether the printer has its own network port directly on the printer or the printer hooks up to a print server via parallel cable
Our IT staff will create a queue on the RPMS server as well as create a DEVICE in the RPMS database with the information provided in this email message. Once completed, our staff will inform the requesting person that the print queue and DEVICE have been created and are ready for use.
|
|
|
The California Area Office provides training on RPMS packages about 6 to 20 times a year. A schedule of these classes can be found on our Training page:
The IHS National Programs provide a number of RPMS-related training sessions throughout the United States in different formats: Onsite, Webex, or a combination of the two. They post their schedules online:
http://www.ihs.gov/cio/rpms/index.cfm?module=home&option=OITTrainingLinks
|
|
|
Yes, someone in your organization must have this title. It is not required that this be a separate position. For instance, someone in the IT department might be designated for this role, in addition to other duties. We require that you schedule security training for that individual, and document a daily security task list (review event logs, patch servers, etc.).
|
|
|
The Interconnection Security Agreement is federally mandated for any system, contractor, or agency that touches the federal network. This is a component of the Security Certification and Accreditation process, which is also federally mandated.
|
|
|
IT personnel should have a Public Trust, Level 5 background check. Below are guidelines for determining the sensitivity levels for various personnel:
Position Sensitivity Designations/Access Codes:
- Non-Sensitive Positions
- National Security Positions
- Public Trust Positions
Sensitivity Levels:
- Level 1 Non-Sensitive
- Level 2 Non-critical Sensitive
- Level 3 Critical Sensitive
- Level 4 Special Sensitive
- Level 5 Moderate Risk
- Level 6 High Risk
The level of sensitivity of a position should be determined using the position description and the types of data and systems accessed by the employee in the performance of his/her duties. Ultimately, the determination of position sensitivity from an IT perspective is based on the type and degree of harm the individual could cause through misuse of the system. This potential for harm increases as the level of access to sensitive, financial, and/or classified information increases.
|
|
|
Security Awareness Training can be taken at this site:
http://www.isa.ihs.gov/
It is required annually, and must be taken within 60 days of employment.
Training ISSOs.
The training for ISSOs should include in-depth coverage of the threats and vulnerabilities related to their systems, techniques for detecting and reacting to incidents, and techniques for implementing Part 8, Chapter 12, "IT Security," Indian Health Service Manual in their environment. The IHS Manual can be found here:
http://www.ihs.gov/PublicInfo/Publications/IHSManual/Part8/pt8chapt12/pageone.htm
|
|
|
Your IHS California Area Security Points of Contact (POCs) are:
Robert Gemmell, ISSO
Phone: (916) 930-3927 x326
Email: Robert.Gemmell@ihs.gov
Kelly Stephenson, Alternate ISSO
Phone: (916) 930-3927 x330
Email: kelly.stephenson@ihs.gov
|
|
|
All sites are defined as having an "interconnect" because site users access highly sensitive data across a federal network.
|
|
|
Backup and auditing of the patient databases at the Sacramento location is conducted by IHS personnel. Backup and auditing at the sites is the responsibility of the site, but there are excellent Windows operating system tools and open source utilities available.
|
|
|
The National Institute of Standards and Technology (NIST) Special Publication 800-47, Appendix A, discusses ISAs. The entire NIST 800 series can be found here:
http://csrc.nist.gov/publications/nistpubs/
|
|
|
Contingency planning is addressed in the NIST document 800-34, which can be found here:
http://csrc.nist.gov/publications/nistpubs/
|
|
|
As soon as possible. That having been said, the California Area Office will be doing annual testing in August, 2007 and risk assessment in September, 2007. That would probably be a good target to aim for.
|
|
|
We're not able to discuss the specifics of IHS encryption in an FAQ, but all router-to-router packets are encrypted. Beyond that, we recommend that file system encryption be implemented at all sites. There are excellent open source tools available to accomplish this that are Federal Information Processing Standards (FIPS) compliant.
|
|
|
Systems Administrators at the sites should take advantage of the built-in auditing and monitoring capabilities of the Windows server environment. The principle of "least access" should be implemented so that users are only able to access resources that are required for their work assignments.
Network monitoring at the router level is performed by IHS personnel. Deployment of proprietary monitoring software for the site LAN (your side of the router) is up to the site manager.
|
|
|
Security Awareness Training can be taken at this site:
http://www.isa.ihs.gov/ (If the site is down, there is a paper test.)
|
|
|
It's recommended that a best effort be made to assure that 24/7 contact is possible in the event of a security event. Remote sites without cell tower coverage should make the home phone numbers of responsible individuals known to the CAO IT staff.
An alternate to the System Administrator should be known to the CAO IT staff in the event that the System Administrator is not available. However, it is recommended that the System Administrator develop some method to access the system remotely.
|
|
|
A persistent connection is defined as an uninterrupted stream of IP packets between the site router and the IHS network.
|
|
|
The NIST 800-34 document provides guidance for Contingency Plans. The NIST 800-18 addresses Security Plans. These documents can be found here:
http://csrc.nist.gov/publications/nistpubs/
|
|
|
http://home.ihs.gov/ITSC-CIO/security/ (Intranet)
|
|
|
Templates can be found readily on-line.
|
|
|
If your site is on the federal network (in the 161.223.x.x IP range), or you have federal accounts for email or VPN, or in any other way access restricted federal resources, yes.
|
|
|
The NIST 800-61 provides guidance with defining security incidents. It can be found here:
http://csrc.nist.gov/publications/nistpubs/
|
|
|
Beyond our requirement that network diagrams be created and made available, it's a good "best practice" for your organization to have this in place anyway.
|
|
|
Wireless security is addressed in NIST 800-48. It can be found here:
http://csrc.nist.gov/publications/nistpubs/
|
|
|
All federal agencies are now in a perpetual Security Certification and Accreditation (C&A) process. This effort is mandated by the Federal Information Systems Management Act (FISMA), HIPAA, OMB Circular A-130, and other policy drivers.
Congress also mandated that interpretation and structure be given to their mandate by the National Institute of Standards and Technology (NIST).
These NIST documents are collectively known as the "800 series". They cover everything from secure wireless to post-security incident forensics and evidence "chain-of-custody" issues.
Among the most important 800 publications are:
- 800-53 Security Controls
- 800-100 Information Security Handbook: A Guide for Managers
- 800-37 Guide for the Security Certification and Accreditation of Federal Information Systems
Site Managers and security personnel can use this link to view all the instructional documentation that informs the various components of a C&A package:
http://csrc.nist.gov/publications/nistpubs/
|
|
|
Call the Telecommunications Liaison in our office at (916) 930-3981 x330 to help you coordinate the move of your circuit from the old building to the new one or to order a new circuit. Please keep in mind that Verizon requires, at a minimum, 41 business days to complete either request.
|
|
|