&lt;number&gt; This translates to: Any single computer or network on which a computer can access the HMIS or any PPI must meet baseline requirements.
&lt;number&gt; Unique username and password Must be alphanumeric Should not be stored in public place– no sticky notes on monitors or under keyboards Password must be: At least 8 characters long Alphanumeric Not found in dictionary forwards or backwards Signed receipt of privacy notice All HMIS users must commit to all processes described in the agencies privacy notice This may include: client notification procedures; disclosures of information; procedures for data collection; etc. Page 45931, column 2
&lt;number&gt; Users should also receive training on the HMIS system. Computer requirements apply to any computer accessing the HMIS within a CHO (Covered Homeless Organizations). Each of these requirements will be discussed in detail. Transmission encryption must be at least 128 bit.
&lt;number&gt; This model shows utilization of a Certificate server to meet the baseline PKI requirement- this would represent a Verisign model. Organizations may instead limit access to the HMIS through filtering by IP address to meet the PKI requirement.
&lt;number&gt; The most simple violation to security of any system is a user who writes his username and password on a sticky note and sticks it to his monitor– this reminder should be given in every training session that is conducted on HMIS.
&lt;number&gt; Users should not be allowed to log onto an HMIS system from multiple locations simultaneously. Page 45931, 4.3.1 & 4.3.2
&lt;number&gt; All computers accessing the HMIS should have up to date virus protection. This is not only a technical solution but it requires procedures to accompany it. How many of you have ignored that little pop-up in the right hand corner of your screen to update your virus protection? Updating virus protection is essential to protecting your machine. By virus protection, I don’t just mean scanning your computer for viruses, I mean protecting your computer from spy attacks. You would be amazed how many computers have spy software running behind the scenes usually capturing key stroke information that you would never know of unless you are updating your virus protection and scanning your computer on a regular basis. Protecting computers is just good practice and procedures should be applied to all computers in your agency, not just those accessing the HMIS.
&lt;number&gt; Conversion of plain text into encrypted data by scrambling it using a code that masks the meaning of the data to any unauthorized viewer. Computers encrypt data by using algorithms or formulas. Encrypted data are not readable unless they are converted back into plain text via decryption.
&lt;number&gt; Note: many implementations of Citrix or terminal services utilize only 40 bit encryption which is not sufficient for baseline standards
&lt;number&gt; As many HMIS applications are accessed via the Internet, HUD felt strongly about the need to require the implementation of access controls. What this means? Any HMIS that is accessed via the Internet (i.e. www.hmis.com) must be secured through use of digital certificates or IP filtering that limits HMIS access to approved computers. That is, only computers that have registered certificates or approved IP addresses can actually get to the primary HMIS logon screen and thus use the system. Filtering by IP is usually not a viable option for communities who have providers that use dial-up Internet accounts such as AOL or EarthLink or cable modems which typically use DHCP (Dynamic Host Configuration Protocol) utilizing dynamic IP addresses.
&lt;number&gt; Use Firewalls to protect outsiders from accessing your networks, usernames, passwords, etc. Most installations of Windows have individual firewalls that can be turned on. For agencies that have all computers networked together, the network should be protected by a firewall to protect from outside intrusion. For individual workstations accessing the HMIS via a direct Internet connection, a personal firewall can be used such as Zone Alarm, Norton Firewall, or the Microsoft built in personal firewall.
&lt;number&gt; Verisign model: A system administrator would administer a third party trust certificate authority, push out over the Internet certificates for verified users. Once the certificate has been downloaded to the local computer, the user then is verified through the Verisign site before being redirected to the HMIS logon page. Seattle: User has to get signed notarized document stating who they are, submitted two proofs of identify, mailed to service provider, verify that person is who they claimed they are—the token and software is mailed to person’s home address, software is installed on local computer by user- before the user opens the browser they have to plug in the USB token to identify themselves- asks for username and password associated with token- goes to Transact Washington that verifies users- the user then gets redirected to HMIS logon. The system administrator is responsible for creating and revoking user access. Los Angeles: Each provider agency participating in the HMIS has to purchase a static (stable) IP address from their local ISP. The system administrator limits access to the HMIS to only those agencies whose IP address has been assigned and verified.
&lt;number&gt; Shelter or homeless service organizations are busy environments, especially at times with clients awaiting appointments or waiting for beds. A case manager can frequently be called away from their desk or PC to deal with an emergency potentially leaving sensitive client data on their screen.
&lt;number&gt; Refer further questions to Security Monitoring handout.
&lt;number&gt; This list is not exhaustive nor is it all applicable. If communities host their own systems, additional details may need to be logged. Differences in hardware, software, HMIS product, and operating platform would all affect the way a system is monitored.
&lt;number&gt; As this broadcast today only detailed the baseline requirements for compliance with the final notice, it should be noted that there are additional privacy and security protocols recommended throughout the notice to further protect the system. Communities are encouraged to meet and discuss whether any of these additional protocols as listed are an additional protections the community should implement.
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing and Urban Development
Homeless Management Information
System (HMIS) Data and Technical
Standards: Comply with the Security
Requirements in the Final Notice
Prepared by Abt Associates for the U.S. Department of Housing and2
HMIS Data and Technical Standards Training
• This is training module 4 of a 4 part series addressing the
following components of the Final HMIS Data and
– Training 1: Overview
– Training 2: Participation and Data Collection Requirements
– Training 3: Privacy Standards
– Training 4: Security and Technical Standards
• Other training modules are available at: www.hmis.info
Prepared by Abt Associates for the U.S. Department of Housing and3
Companion Training Materials
• This training module features an accompanying set of
training materials that includes:
– Data Standards Compliance Checklist for Agencies
– CoC/Implementing Jurisdictions Data Standards
Compliance Assessment Checklist
– System Monitoring Guidelines
Prepared by Abt Associates for the U.S. Department of Housing and4
• Security standards for HMIS users
• Security standards for HMIS computers
• System/Server level security standards
• Monitoring security at the system level
Prepared by Abt Associates for the U.S. Department of Housing and5
• Security refers to the protection of client personal
protected information and sensitive program information
from unauthorized access, use or modification.
Prepared by Abt Associates for the U.S. Department of Housing and6
Security Standards Framework
• Two-tiered: required baseline standards and additional
• Provide for technical controls to protect client data
• Require covered homeless organizations (CHO) to assess
their current technical infrastructure and make changes as
Prepared by Abt Associates for the U.S. Department of Housing and7
• All workstations, desktops, laptops, and servers that
connect to the CHO network or access the HMIS through
a Virtual Private Network (VPN) must comply with the
baseline security requirements.
• Handout: Agency Data Standards Checklist
Prepared by Abt Associates for the U.S. Department of Housing and8
What is a Virtual Private Network (VPN)?
• A private communications network that uses a public
network to connect remote sites or users
• VPN allows an employee to access his/her agency’s local
network from an off-site location using the Internet.
• VPN users typically have software that allows them to
access their network through the internet using a secure
• Learn more about VPNs:
Prepared by Abt Associates for the U.S. Department of Housing and9
Baseline HMIS Agency Security Requirements
• HMIS users
– Unique username and password
– Signed receipt of privacy notice
• HMIS computers and networks
– Secure location
– Workstation username and password
– Virus protection with automatic update
– Locking password protected screen saver
– Individual or network firewall
– Public Key Infrastructure (PKI) to prevent unauthorized
Prepared by Abt Associates for the U.S. Department of Housing and10
Baseline HMIS User and HMIS Computer
Prepared by Abt Associates for the U.S. Department of Housing and11
HMIS Computer Requirements
• Computers in public areas used to collect and store HMIS
data must be staffed at all times
• Password protected screen savers must be automatically
enabled when workstation is not in use
• CHOs may decide to automatically log users off the
system after a period of inactivity
Prepared by Abt Associates for the U.S. Department of Housing and12
HMIS Computer Requirements
• Virus protection
– Must automatically scan files; and
– User must regularly update software to detect new viruses.
– Free virus protection is available at:
• Individual or network firewall:
– Network firewall = baseline requirement if internet is accessed
through central server; and
– Individual firewall needed if internet is accessed through a
• Additional spyware software is strongly recommended
Prepared by Abt Associates for the U.S. Department of Housing and13
User Training (Strongly Recommended)
• Although not a baseline requirement, all users should participate in:
– Data and Technical Standards Training
• Participation and Data Collection Requirements; and
• Privacy and Security Protocols to Protect Client Data.
– Software training
• How to enter, edit, change, and delete data; and
• User and computer security requirements.
– Ethics and privacy training
• Consent protocol and privacy protocols; and
• How to interview clients in a sensitive manner.
– User groups are strongly encouraged to develop peer support
Prepared by Abt Associates for the U.S. Department of Housing and14
Baseline HMIS System / Server Requirements
• Multiple Access;
• Virus Protection with Auto Update;
• Firewalls - Individual workstations or network;
• Encryption transmission;
• Public Access – PKI – Public Key Infrastructure;
• Location Control;
• Back Up and Disaster Recovery;
• System Monitoring; and
• Secure Disposal.
Prepared by Abt Associates for the U.S. Department of Housing and15
Web Security Model
Prepared by Abt Associates for the U.S. Department of Housing and16
• Every user accessing the HMIS system must have a
unique username and password.
• Passwords must:
– Include at least one number and one letter;
– Be at least 8 characters long;
– Not be based on user’s name, organization, or software;
– Not be based on common words.
• Good: [Na$car#39]
• Bad: bobclark99
• Terrible: hmis
Prepared by Abt Associates for the U.S. Department of Housing and17
User Authentication (cont.)
• Both the workstation and the software used to access
HMIS data should require user authentication (e.g.,
• Logging on to the HMIS computer alone is not sufficient.
• Written information pertaining to user access should not
be stored or displayed in any publicly accessible location.
Prepared by Abt Associates for the U.S. Department of Housing and18
• An individual user must NOT be allowed access to the
HMIS from multiple workstations on the network at the
• An individual user must NOT be allowed to log onto the
local network from more than one location at a time.
Prepared by Abt Associates for the U.S. Department of Housing and19
System Level Virus Protection
• All systems on the network (including remote and VPN
users) must have anti-virus software installed and updated
regularly that automatically scans files.
Old Anti-Virus Software = No Anti-Virus Software
Prepared by Abt Associates for the U.S. Department of Housing and20
• All machines accessing HMIS must have firewall
protection from public networks (i.e., the Internet), typically
• Any machines accessing the Internet via dial-up modem
must have a personal firewall.
• Individual or network firewall:
– If you use Windows XP you can install a firewall using
Windows XP Service Pack 2; and
– Free or low cost firewall software can be downloaded at:
Prepared by Abt Associates for the U.S. Department of Housing and21
Firewall Behind a Network
Image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925
Prepared by Abt Associates for the U.S. Department of Housing and22
• A CHO must encrypt all HMIS data that are electrically
transmitted over the internet
• Encryption is the conversion of plain text into encrypted
• Encryption is used to protect a client’s sensitive personal
information from unauthorized viewing
Prepared by Abt Associates for the U.S. Department of Housing and23
Data Transmission Encryption
• Two options
– 128 bit encryption over the wire; and
• Secure Socket Layer (SSL): A communications protocol used
to secure all sensitive data. SSL is normally described as
wrapping an encrypted envelope around message
transmissions over the Internet.
– Secure direct connections.
• Virtual Private Network (VPN)
Prepared by Abt Associates for the U.S. Department of Housing and24
• HMIS that use public forums for data collection/reporting
must have additional security to limit access using Public
Key Infrastructure (PKI) or through IP filtering.
• Translation: Any Web-based HMIS accessed over the
Internet, needs digital certificates installed on all browsers
on all computers accessing the HMIS (PKI) or an extranet
to limit access based on IP address.
Prepared by Abt Associates for the U.S. Department of Housing and25
• Everything on the internet (servers, desktops,
blackberries) is assigned an internet protocol (IP) address;
• The internet uses IP addresses to move information from
one place to another;
• An IP address looks like this: 10.141.215.223; and
• Firewalls block suspicious IP addresses from accessing
Prepared by Abt Associates for the U.S. Department of Housing and26
What is Public Key Infrastructure?
• Each user is issued a private key to encrypt messages
and a public key to decode messages;
• Private key is kept secret and known only to user;
• Public key uses a digital certificate to authenticate the
identity of the user;
• Digital certificates must be issued by a recognized
Certificate Authority; and
• Secure socket layer “SSL” encryption does not meet the
baseline PKI requirements.
Prepared by Abt Associates for the U.S. Department of Housing and27
PKI: Public Key Infrastructure
• Options for implementing PKI:
– Self issued certificate authority-Example: Microsoft
– Third party certificate authority Example: Verisign or
– Seattle USB token; or
• Alternative to PKI: Limiting access to HMIS through IP
filtering. Community examples:
– Los Angeles-filtering by IP address.
Prepared by Abt Associates for the U.S. Department of Housing and28
• Access to workstations must be controlled and monitored.
– Options: locked offices, privacy screens, etc.
• Access to servers must be controlled to a greater degree.
– Options: locked cabinet or cage; secure facilities.
Prepared by Abt Associates for the U.S. Department of Housing and29
Backup and Disaster Recovery
• All HMIS data must be regularly backed up and stored in a
secure off-site location:
– Backup your data and applications;
– Save them to tape;
– Test the tapes;
– A Backup tape laying next to a server won’t help if the
server room catches fire!; and
– Alternatively, consider secure network-based offsite
Prepared by Abt Associates for the U.S. Department of Housing and30
• Tapes, disks and hard drives must be properly formatted
and erased before disposal.
– At least two erasure passes (three or more is
• Free and commercial software is available to prepare old
workstation hard drives, tapes, and floppies before
Prepared by Abt Associates for the U.S. Department of Housing and31
• Most security breaches are carried out by authorized
users of client record systems.
• All systems including central servers must be monitored
and “routinely” reviewed by staff.
• Monitoring decisions:
– Who monitors?;
– What is normal and what is abnormal usage and access?;
– How do I access the information?; and
– What variables to monitor?
• Handout: Security Monitoring
Prepared by Abt Associates for the U.S. Department of Housing and32
System Monitoring (cont.)
• What variables to monitor:
– Logon success/failure;
– Account management;
– Policy changes;
– Privilege use;
– Process tracking;
– System events; and
– Connection attempts (IP and port).
Prepared by Abt Associates for the U.S. Department of Housing and33
Additional security protocols
– Designating a Chief Security Officer to supervise
– Applying a firewall to all HMIS workstations where a
network firewall is installed; and
– Destroying HMIS media at a bonded vendor.
Prepared by Abt Associates for the U.S. Department of Housing and34
Key Security Points
• Applies to all machines on the CHO network or accessing
the network through a VPN;
• All computers must have virus protection;
• All servers or computers directly accessing the internet
must be protected by a firewall;
• Web-based HMIS must use PKI or IP filtering to limit
public access to data;
• Physical access to computers and servers must be
• Regular back-up and storage of HMIS data; and
• Regular monitoring of HMIS at the system level.
Prepared by Abt Associates for the U.S. Department of Housing and35
• HMIS Data and Technical Standards set requirements for:
– Data Elements and Data Collection Requirements (Training
– Privacy Standards (Training 3); and
– Security and Technical Standards (Training 4).
Prepared by Abt Associates for the U.S. Department of Housing and36
• National Institute of Standards and Technology Computer
and Security Resource Center
• Carnegie Mellon/CERT: Connecting to the Internet
• CERT Implementation Tips for Servers and Networks
• National Institutes of Health Center for Information
Technology Security Site
• Forum of Incident Response and Security Reform
Prepared by Abt Associates for the U.S. Department of Housing and37
• Final Notice:
• HMIS Related Info: