Health Information and Technology (HIT) maintains a Secure Clinical Subnet (SCSN) to aid the Medical Center in complying with regulatory requirements such as those mandated by HIPAA, HITECH and PCI DSS. The Secure Clinical Subnet offers better connectivity behind a firewall to protect Electronic Patient Health Information (EPHI) while providing a more reliable and secure network for the staff. Devices attached to the Secure Clinical Subnet must be configured in a way that minimizes the risk of network intrusion or compromise of data. Therefore, the following elements are required of any machine connecting to this network.
To define the requirements for connection to the Secure Clinical Subnet (SCSN).
This standard applies to all devices connected to the SCSN.
The Health Insurance Portability and Accountability Act (HIPAA) 164.312(c)(1) states, "protecting the integrity of EPHI is a primary goal of the security rule. EPHI that is improperly altered or destroyed can result in clinical quality problems for a covered entity, including patient safety issues."
I. Requirements for connection to the SCSN
A. Desktop PC’s, Laptops, Tablets
- Must be built with the HIT image (For a list of HIT supported models see Desktop Computing Standards).
- Must be running an approved and supported operating system (for a list see Desktop Computing Standards).
- Must be maintained by System Center Configuration Manager (SCCM).
- Must be running standard HIT login scripts.
- Must be running standard HIT anti-virus software.
- Must be running Dell Data Protection Encryption (DDPE) software.
- Must not have local admin accounts other than the primary account provided by the operating system.
- Devices with wireless network capability must be set to use the WPA2 wireless encryption standard.
B. Network devices
Network devices such as switches, hubs, routers, and Wireless Access Points are prohibited from the SCSN unless they are installed and managed by HIT.
- Must be from a supported manufacturer and model line.
- Must be manageable through the Simple Network Management Protocol (SNMP).
- Must have an administrative password to prevent unauthorized console access. The SNMP Community String must be changed from the manufacturer supplied default.
- Unless needed for a specific application, the following protocols must be disabled: IPX/SPX, AppleTalk, Telnet, DLC, mDNS, and FTP.
- If the printer contains a hard drive, overwrite software must be used to cleanse the drive of data after each print job.
- If the printer is leased, the hard drive must be destroyed before it leaves the Health System.
- For the list of supported models as well as other information, see Network Printer Configuration Standards.
II. Allowable Exceptions
All exceptions must go through the security exception process, as detailed in section III.
A. Medical 510K devices
- Must use a static IP address.
- Must have very limited access to Internet.
- Will be placed on HIT FDA Network with controlled access to other devices.
- Must not be used to read email.
B. Other Network Appliances such as cameras, door controllers, video encoders, and etc
- Must use a static IP address.
- Network and Internet access requirements must be reviewed by the Security Exception Committee.
- If it is running the Windows operating system, the device must be manually updated monthly with operating system patches and must have active virus protection with current signature files.
C. Vendor Imaged PCs
Vendor (non HITS) imaged PCs will be allowed on an as-needed basis when circumstances dictate that the HIT image cannot be used and the appropriate security measures are followed.
- Must either have SCCM install or be manually updated with operating system patches on a monthly or more frequent basis.
- Must have active virus protection with current signature files.
III. Security Exception Process
A. Personal Computer
If the device is a personal computer, an asset record must be contained in the HIT Remedy database before the Exception Request is submitted.
The Security Exception form must be submitted before obtaining access to the UVa Medical Center network.
Please follow these steps to submit the Security Exception Form:
- Go to the following link and login in with your Network User ID and password:https://www.healthsystem.virginia.edu/auth/login.cfm?referringurl=/alive/Computing/forms/ServiceRequest/formSvcReq.cfm
- Hover your mouse over Asset Management menu on the left side of the screen
- Click on Security Exception
- Enter the required information:
- User ID
- Last Name
- First Name
- Email Address
- IP Address (if available)
- Serial Number (if available)
- Asset Category
- Exception Category
- Exception Option
- Description and Additional Details
- Party Responsible for Maintenance
- Exit Strategy
- File Name (The Security Exception request must have an attached, written security plan from vendor which includes a review date.)
B. Medical Device
If the request is for a Medical Device the Exception form must include the 510k FDA number as well as a detailed description of the device, its usage and a justification for the exception.
- FDA 510k Number
- FDA Device Name
- FDA Vendor
- FDA Device Classification
The exception request will be reviewed by the Security Exception Committee which consists of the HIT Technical Services Administrator, the HIT Security Director, the Desktop Services Director, and the Network Control Supervisor. The Security Exception Committee meets weekly to review each exception and approves or denies the security exception request based on information received.
Vulnerability scans must be scheduled with the HIT Security team to ensure critical vulnerabilities are not present on the system. This can be done by emailing MCCSecurity and requesting a vulnerability scan be run the system prior to deployment.