Annual HMIS security Training

ANNUAL HMIS SECURITY TRAINING
The Institute for Community Alliances
TRAINING OVERVIEW
1. Training Purpose
2. User Responsibilities
3. Security and Privacy Essentials
4. WISP System Security Features
5. WISP Policies
6. Data Visibility Explained
TRAINING PURPOSE
1. All users are required to attend annual security training to retain their WISP license (Page 7 of HMIS Policies and Procedures Manual updated 5/15/2014).
2. Training is based on privacy and security standards set forth in the HUD Data Standards and by the Wisconsin HMIS Advisory Board.
3. Forthcoming changes from HUD will be incorporated in the near future.
Resources:
WI Policies:
http://www.icalliances.org/index.php/data-andreports/pit/doc_download/559-hmispolicy-and-procedure-may-2014
HUD HMIS Data Standards/Data Dictionary:
https://www.onecpd.info/resources/documents/HMIS-Data-Dictionary.pdf
USER RESPONSIBILITIES
Take appropriate measures to prevent unauthorized data disclosure.
Report any security violations.
Comply with relevant policies and procedures.
Input required data fields in a current and timely manner.
Ensure a minimum standard of data quality by accurately answering all the HUD Universal Data Elements for every person entered into HMIS.
Inform clients about the agency’s use of HMIS.
Take responsibility for any actions undertaken with one’s username and password.
Complete required training.
Read the WISP News email newsletter.
SECURITY AND PRIVACY ESSENTIALS
NEVER share your username and password with anyone.
NEVER share your password with HMIS System Administrators.
NEVER rely on Post-It Note security.
Do not set your internet browser to save your WISP password.
Do not access WISP client data on a public computer (e.g. library).
Do not access WISP client data in a public setting (e.g. coffee shops).
Do not access WISP client data over unsecured public Wi-Fi (e.g. free city Wi-Fi).
Do not access WISP on computers that do not have locking screens.
WISP SYSTEM SECURITY FEATURES
User passwords are a minimum of 8 characters long, with a minimum of 2 numbers.
Strong passwords are important: https://howsecureismypassword.net
Passwords expire every 45 days.
Passwords can be alternated, meaning only two distinct passwords are necessary.
WISP System Admins do NOT know your passwords.
WISP is equipped with an audit trail tool that tracks all successful and unsuccessful log-in attempts, including user, IP address, date and time, and client data access (adds, deletes, views).
WISP is encrypted and secure:
WISP POLICIES
WISP Privacy and Security standards are set forth in Section 3 (pages 16-21) of Wisconsin Statewide HMIS Policies and Procedures Manual.
Key Items (not an inclusive list):
Client level data/personally identifiable information (PII) should be extracted from HMIS only in very limited and specific cases (3.1).
Hard copies of client data should be extremely rare and destroyed immediately after they have been used. Hard copies must never be left unattended or unsecured (3.1).
Electronic copies must be stored securely and accessible only via password protected means (3.1).
ICA does not generate ART reports with client names or SSNs and will not do so in the future (3.1, 3.2).
WISP POLICIES, CONTINUED
Only de-identified aggregate data will be released by ICA, with limited exceptions (3.2).
Grantors and funders are not granted automatic access to WISP. Access by funders is only allowed when agreed upon in writing by both parties and must be a voluntary agreement. That is, funding must not be contingent upon access to client level WISP data (3.3).
All persons subject to data collection in WISP must be able to access the Baseline Privacy Policy upon request (3.4).
All persons subject to data collection in WISP have the right to inspect their data in the system for accuracy and request changes where evidence is provided that data are inaccurate or incomplete (3.4).
WISP users found in violation of any security protocols will be sanctioned after a review of the violation (3.7).
WISP DATA VISIBILITY EXPLAINED
Access to client level data and information is determined by the structure of two primary system elements:
User Access Level
Provider Setup
WISP DATA VISIBILITY EXPLAINED - USERS
Your user access level will have an impact on what elements of the system you can see.
WISP DATA VISIBILITY EXPLAINED - PROVIDER
WISP DATA VISIBILITY RULES
1. The user can always see the data the parent provider has entered (i.e. a Level 3 provider can see data entered at the Level 2 provider).
2. The user can always see their own provider’s data (including data entered while using Enter Data As function).
3. An agency administrator can always see the provider data entered.
4. System Admin IIs (ICA staff) can see every provider’s data, even closed data.
5. Data visibility changes are not retroactive.
6. If the item has a lock icon attached, it has its own distinct security settings that can be set and adjusted.
7. Each data element has its own security setting, determined by its assessment security:
WISP DATA VISIBILITY – THE LOCKS
1. Open
Information is available/visible to all providers. Known also as “Global” sharing.
2. Open with Exceptions
Information is available/visible to all, EXCEPT those listed in the Deny Groups section of Provider Admin.
3. Closed with Exceptions
Information is not available/visible to anyone, EXCEPT those listed in the Visibility Groups section of Provider Admin.
4. Closed
Information is not available to anyone outside that specific provider.
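The four lock settings above, together with visibility rules 2 and 4, written as a decision function that can be used to review which outside providers can see each item. This is an added example, not WISP's own code: the Record model, the provider names and the treatment of Deny Groups and Visibility Groups as plain sets of provider names are assumptions, and parent-provider visibility (rule 1) and agency administrators (rule 3) are left out.

```python
from dataclasses import dataclass, field
from enum import Enum


class Lock(Enum):
    OPEN = "Open"
    OPEN_WITH_EXCEPTIONS = "Open with Exceptions"
    CLOSED_WITH_EXCEPTIONS = "Closed with Exceptions"
    CLOSED = "Closed"


@dataclass
class Record:
    """One data element entered by a provider (hypothetical model, not WISP's schema)."""
    owner: str                                           # provider that entered the data
    lock: Lock
    deny_groups: set = field(default_factory=set)        # consulted for OPEN_WITH_EXCEPTIONS
    visibility_groups: set = field(default_factory=set)  # consulted for CLOSED_WITH_EXCEPTIONS


def can_view(record, viewer_provider, is_system_admin_ii=False):
    # Rule 4: System Admin IIs can see every provider's data, even closed data.
    if is_system_admin_ii:
        return True
    # Rule 2: a user can always see their own provider's data.
    if viewer_provider == record.owner:
        return True
    if record.lock is Lock.OPEN:
        return True
    if record.lock is Lock.OPEN_WITH_EXCEPTIONS:
        return viewer_provider not in record.deny_groups
    if record.lock is Lock.CLOSED_WITH_EXCEPTIONS:
        return viewer_provider in record.visibility_groups
    return False  # Lock.CLOSED: nobody outside the owning provider


def outside_viewers(records, providers):
    """List (record index, provider) pairs where a non-owning provider can see the record."""
    return [(i, p) for i, r in enumerate(records) for p in providers
            if p != r.owner and can_view(r, p)]


# Constructed sample data: three made-up providers and one record per lock setting.
PROVIDERS = ["Shelter A", "Clinic B", "Pantry C"]
RECORDS = [
    Record("Shelter A", Lock.OPEN),
    Record("Shelter A", Lock.OPEN_WITH_EXCEPTIONS, deny_groups={"Pantry C"}),
    Record("Clinic B", Lock.CLOSED_WITH_EXCEPTIONS, visibility_groups={"Shelter A"}),
    Record("Clinic B", Lock.CLOSED),
]
```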
WISP DATA VISIBILITY – CHANGING THE LOCKS
Client data visibility can be changed on a client by client basis.
Changes can be made from the default to another desired setting.
Changes made at a client level do NOT alter or change the Provider visibility setting defaults.
WISP DATA VISIBILITY – GREEN OR RED?
Common* Green Lock/Open Items
Common* Red Lock/Closed Items
Profile
Case Notes
Household
File attachments
Demographics
Case Plans/Goals
Universal Data Elements
Program/Agency Specific Data Elements
Shelter Stays
Services
Referrals
Program Entry/Exit**
*Denotes the typical settings; will vary by agency and program type
QUESTIONS?
General Help Desk: [email protected]
Northeast Region Coordinator: [email protected]
Northwest Region Coordinator: [email protected]
Southern Region Coordinator: [email protected]
Milwaukee CoC: [email protected]
Racine CoC: [email protected]
www.icalliances.org/wisconsin