Medical Facility Network Design

For

[The Leon County Health Center]

LIS4482 – 01: Managing Networks and Telecommunication
December 09, 2010

Team 12:
Jana Giordani
Marlene Marte
Anthony McClurkin
Kwanhaun Belinda Ng
Roosevelt Woodley
EXECUTIVE SUMMARY
The Leon County Health Center IT team has defined a policy which assigns responsibility
for the design, deployment, management, coordination, and operation of the facility's future
reliable network infrastructure on the grounds of the Center. We are aware of the critical
nature of our organization, so we have optimized for 99.99% uptime, and aim for 100% uptime!

The Written Description describes the network in detail and references the diagrams in
the Appendix A & B of our network layouts, and includes all hardware & software information.
The Network Policies remind everyone that operation of these systems is a privilege, which can
be taken away at any point, and are designed to protect employees and clients from illegal or
damaging actions while using the network system. It basically outlines what you can and cannot
look at or perform while using our network, and the repercussions for violating this agreement.
It includes everything on the network, not just the Internet access, ranging from printing and
email usage to protocol standards and patches to the operating systems.

We are committed to respecting all patients’ and clinical research subjects’ rights to
maintain the privacy of their health information. Our standards are based on those of the
federal law known as the Health Insurance Portability and Accountability Act (HIPAA).
Therefore, the Security Policy does just that, and touches base on systems security as well as
physical security of the center. It provides a procedure for handling security violations as well.

Our Disaster Recovery Policy describes in detail the procedures and policies in event
that a "disaster" occurs. This includes how we plan to backup our servers, manage viruses in the
systems, disk/fault tolerance, power failure, and how we plan to bring all things to a "normal"
working order after an event happens. Our Budget spreadsheet outlines the costs relating to
our proposal, including all the hardware and software of the infrastructure.

Appendix A is a physical network diagram which lays out the location of every proposed
network device and their endpoints (workstations, servers, etc). Appendix B is the logical
diagram, and shows how our network will function, and how the information would flow with
all services provided.
WRITTEN DESCRIPTION

Looking at the Appendix A: Physical Network Diagram, it displays the actual layout of the
network. We designed the network very similarly to how the layout of the office within the
medical facility looks like (from the inside). We took the managing and head roles of the facility
(the Director, Chief Medical Officer, and 3 rotating Doctors), and combined them to share the
same printer labeled as “Management.” The Medical Supplies and Medical Records are also
sharing a printer. All of the other departments get their own printers (Human Resources, Billing
& Accounting, Public Outreach, Receptionist, Counseling, Officer Manager, and a general
mobile printer). This also includes the IT department of course (we get our own printer too!). As
far as the other 200 mobile users that need Wi-Fi, we designed and created a wireless access
point for them, and simulated the 200 users.

With the IT department, we decided to separate them from the medical facilities'
building. In the diagram, we included all the servers, the patch panel, and the PBX. The cabling
standard that was used was 100 Base T - Cat 5 UTP Ethernet, as labeled in the diagram. As far as
the part of the directions that says "The buildings are separated by a two lane paved street. The
city will not grant a permit to dig under the street to run cabling,” we simulated the IT
department to be able to use the WPA for internet connectivity (as seen in the diagram with
the yellow bolts).

In regards with the Appendix B: Logical Network Diagram, we decided to dedicate the
instructed address range to the servers (instructions asked for the 5 external IP addresses to be:
90.44.22.5 - 90.44.22.9). We have the servers connected to a switch. We decided on a switch
because they are more "intelligent" than a hub and faster in speed. Note that we didn't use a
hub also because they route data to all devices at one time, which would only slow our network
down. Also, we have the outside service router attached to a simulated Pix Firewall. This is
designed to keep the network as secure as possible. The firewall can check packets against an
access control list, flap packets, etc. Beyond the firewall, it is connected to the gateway router,
which directs traffic to the Internet. We are assuming that not everybody understands this
process, but this is the way a team member saw it done in the Military and it worked. It is more
designed for a mobile setup, but it can be used stationery as well.

For the internal network, the inside service router is using Network Address Translation
(NAT) to translate the private IP addressed to public IP addresses. We chose the private class C
address for the subnetting. Specifically, we used the IP address 192.168.1.0 /24 and broke it
down for what we needed. We implemented switches to group the users in different broadcast
domains as the instructions wanted it that way. Those different broadcast domains are Virtual
Local Area Networks (VLANs).

For the cabling, router-to-router used a cross-over cable. For router-to-switch, we used
straight-through cables. From PC-to-router, we used roll-over cables. Also, on the outside
network, we simulated some IP addresses for the firewall, gateway router, outside service
router, and outside switch.

For the different departments, we decided to put the Director, Chief, Medical Officer,
and the 3 rotating Doctors all on the same VLAN, and labeled them Management. All of the
other different departments got their own separate and respective VLANs. Doing this keeps the
different departments in their own broadcast domain. Keeping the different departments in
different broadcast domains also improves the traffic flow and makes it go faster. If they were
in the same domain, we would have one big collision domain which would make the network
very slow and cause more errors to occur.
NETWORK POLICIES
PURPOSE:

This policy is designed to protect employees and clients from illegal or damaging actions by
individuals, either knowingly or unknowingly.

The Leon County Health Center provides a communication network capable of offering
electronic mail (e-mail), Internet access, printing, where applicable, but not limited to computer
equipment, software, operating systems, storage media, and network accounts for employees
to assist in and make possible legitimate business communications. The Health Care Center’s
network and systems should be dedicated to providing service to its patients and used primarily
for medical business.

Operation of these systems is a privilege. Employees should never put information on or access
e-mail or Internet services unless they feel comfortable accessing or putting the same
information in a widely distributed office memo. By using the Leon County Health Center’s
network systems (including e-mail and Internet), employees agree that they are aware of,
understand and will comply with the provisions of the policy.

1.0.1 USE OF CENTER’S SYSTEMS:

The Center’s computer system is provided to assist employees to perform their jobs, store
confidential files, and communicate with each other internally and with outside individuals and
organizations, where applicable. The Center’s computer system should primarily be used for
medical business purposes. Inappropriate use exposes The Leon County Health Center to risks
including virus attacks, compromise of network systems and services, and legal issues.

1.0.1.1 INAPPROPRIATE USE:

A. Use of the Center’s computer systems is to engage in communication which violates federal,
state, or local laws, codes and regulations, Center’s policies and procedures is strictly
prohibited at all times.

B. In addition, the following uses of the Center’s systems are inappropriate and are prohibited
at all times unless there is legitimate business need. The need must be conveyed to and the
use authorized by the employee’s department director prior to such use. Inappropriate uses
of the Center’s system include, but are not limited to:

1. Personal commercial use;

 2. Usage for any type of harassment or illegal discrimination including transmission of
obscene or harassing messages to any other individual;
3. Gambling;
4. Access of pornographic, sexually explicit or offensive materials including materials of
lewd, risqué or course nature, or any other offensive or morally questionable materials;
5. Usage for recreational gain including the use of social networks;
6. Unauthorized copying of copyrighted/ confidential material;
7. Usage for any unethical activity that could adversely affect the Leon County Health
Center;
8. Usage which violates software license agreements;
9. Attempting to make unauthorized entry to other Center’s systems or to other networks;
or
10. Transmission of sensitive or proprietary information to unauthorized person or
organizations;
11. Usage which precludes or hampers the Center’s network performance;
12. Downloading games or software that is illegal or is not licensed to the Center.

C. Due to the adverse effect that instant messaging has on the network performance,
employees may not access instant messaging software. No personal access to instant
messaging will be allowed at any time.

1.0.2.2 APPROPRIATE USE:

A. The Center’s computer systems may be used by employees for business purposes.

1.0.3 WEB BROWSING:

A. The Internet is a great storehouse of information and contains resources that are invaluable
and can greatly enhance our ability to deliver cost-effective services to our patients. The
Center encourages exploration of the Internet for legitimate business-related or
professional activities.

B. During the employee’s normal work hours, the only use of the Center’s Internet account
should be legitimate Center business. Employees who work within the public’s visual site
should be cognizant of public perception and should use care and discretion in providing an
appropriate image of the Leon County Health Center.

1.0.4 COMPUTER STORAGE ALLOCATION:

Information Technology Services would be responsible for setting parameters and allocating
maximum disk space for all computer system users. Employees who can demonstrate
legitimate business needs for more disk space than which is allocated shall make a request to
increase their disk space. Such requests shall be evaluated and approved on a case-by-case
basis.

1.0.5 E-MAIL OR SYSTEM CORRUPTION:

Employees’ e-mail may become corrupt for a number of reasons. If the corruption is a direct
result of a significant technical failure or natural disaster, the Information Technology Services
will assist in rebuilding the mailboxes and recover lost files.

1.0.6 COMPUTER SYSTEM ACCESS:

The Center treats all information transmitted through or stored in the system, including e-mail
messages, as business information. An employee or anyone else using the Center’s computer
has no expectation of privacy in use of that computer.

1.0.7 RECORDS RETENTION:

The Leon County Health Center has the obligation to maintain all electronic files and records in
the same manner in which paper records are to be maintained in accordance with the State,
Federal, and Local archivist records retention schedule.

1.0.8 RECORD PRINTING:

All records should be printed solely for the use of a patient or business manner. In the event
that a file is printed and is no longer needed it should be properly discarded and shredded to
ensure our patients confidentiality.

1.0.9 WORKSTATION CONFIGURATION:

The purpose of the workstation configuration is to establish standards for the Center’s base
configuration of workstation computers that are authorized to operate within the Leon County
Health Center. Since data that is created, manipulated and stored on these systems may be
proprietary, sensitive or legally protected, it is essential that the computer systems and
computer network, as well as the data that is stores, be operated and maintaine4d in a secure
environment and in a responsible manner.

1.0.9.1 GENERAL CONFIGURATION REQUIREMENTS:

1. Operating systems configuration should in accordance with the industry standards and
HIPAA guidelines. Operating systems no longer supported by the vendor should be
upgraded or decommissioned.
2. Account and application passwords much comply with the Password Protection Policy.
3. All workstations must be kept up to date with the most recent patches and updates for the
workstations, the only exception being when immediate application would interfere with
business requirements.
4. All workstations much have antivirus protection software installed to prevent a virus.
5. Workstations may not connect to any other network.
6. Workstations that have access to sensitive information must be configured sot that
information cannot be viewed or copied by unauthorized users. Such workstations should
have appropriate tools such as password protected screen savers, data encryption, or
application which will automatically log off where practical.

1.0.9.2 PERSONALLY OWNED COMPUTERS:

1. No personal computers should be connected to the network

2. No sensitive information is to be stored or transmitted on personal computers.

1.0.10 USER ADMINISTRATION:

Leon County Health Center is committed to providing employees with reliable technology in a
stable operating condition while appropriately addressing the Center’s needs and maintaining
the medical system’s integrity and data security.

1.0.10.1 LEVELS OF ACCESS:

There are two security access levels at the Leon County Health Center: General and
Administrator.

1. The General access level allows most administrative power with some restrictions.
Installation of software or hardware would require the assistance of the IT department.
2. The Administrator access allows the employee to have complete and unrestricted access to
the computer. The ability to install hardware or software, edit the registry.
3. However, at a need to basis an employee’s access level might be changed to help facilitate
that job responsibilities.
4. Each employee will receive a username.

1.0.11 NAMING CONVENTIONS:

All Leon County Health Center owned computers on the center’s network should be using the
following standard naming convention so that the computers can be located quickly in
emergencies, and to assist the work of Information Technology staff.

1. Computer names should begin with the departmental abbreviation (e.g. HR).
2. Computers used primarily by one person, the name should end with a hyphen and that
person’s username (e.g. HR-1254). If a person has more than one computer it should be
used (e.g. HR-1254-2).
3. Only alphanumeric characters and hyphens should be used.
4. The computer name will normally stay the same for each staff members, so when they get a
new machine it will be set up with the same name as the old one.
5. All computers will be placed on the Active Directory.

1.0.12 NETWORK PROTOCOLS:

The purpose of the standards on the Leon County Health Center is to improve the durability and
efficiency of the network.

1. The Leon County Health Center has a multiple computer communication protocols on it
network. TCP/IP is the only protocol that is capable of communication across the Internet
and the only one that will be supported by all computers.
2. The routers will be placed strategically on the network to partition the traffic into sections
(LANs) and to direct traffic between the LANs as needed.
3. Any unregistered device on the network is subject to disconnection from the Leon County
Health Center network, without notice, whether or not they are disrupting network service.

The management of the network protocol shall be performed by information systems

administrators and network administrators to assure the efficiency, availability, and security of
the common resources, in accordance with the governing Leon County Health Center
Acceptable Use Policy.

1. Simple Mail Transfer Protocol (SMTP):

i. All email protocol traffic shall utilize the centralized mail gateways. Inbound mail traffic
with destination addressed for servers other than other operated by IT Services shall
utilize a DNS MX to relay that traffic through the centralized mail gateways.
2. Dynamic Host Configuration Protocol (DHCP):
i. All hosts on the network shall either obtain and use a static IP address or use the
Center’s DHCP server to obtain an assigned IP address.
3. Banned Protocols:
 i. IT Services keeps a list of banned protocols which have shown to interfere with the
architecture and management of the Center’s network environment.

1.0.13 NETWORK DEVICE PLACEMENT:

All the network devices (routers, hubs, etc.) should use the following policy:

1. The devices must be inventoried. By inventoried it is meant to be entered into the database
with the domain name service.
2. If a password is needed to access the device for querying its configuration, understanding
its operation or setting parameters in the device, then the passwords to all the devices need
to be in the database.
3. All storage servers must be kept offsite at a remote location to ensure security parameters.

1.0.14 POWER AND APPLYING PATCHES:

Each device on the network must have the recent and updated patches as long as they do not
have any immediate interface with the software.

Devices must be left on to ensure that the network can have a constant maintenance and up to
date software for the network.

1.0.15 POLICY COMPLIACE:

Use of the Leon County Health Center’s systems including e-mail, Internet services, and printing
is a privilege. Inappropriate use or violations of this policy may result in disciplinary action, up
to and including termination.

If in the course of their normal duties, department directors, managers, supervisors, employees
and Information Technology Services staff have any reason(s) to believe that an employee is
misusing the Center’s computer systems, they shall report the inappropriate use to the
observer’s Department Director.

All reports of alleged policy violations or inappropriate use of Center’s systems received by any
Department Director shall be reported to the Information Technology Manager to coordinate
an investigation or to recommend an appropriate course of action.

If, as a result of the investigation, sufficient facts are gathered to support the allegations, it is
the responsibility of the Department Director to administer any disciplinary action(s) necessary
after consultation with the Leon County Health Center HR.
1.0.16 CHANGES TO THIS POLICY:

This policy may be temporarily changed by IT Services Manager for any reason, but typically in
response to new types of threats or risks. Notice of the change in the policy will be distributed
to all Leon County Health Center and departmental computer support divisions. Temporary
changes normally will not be extended over six (6) months without being submitted and
approved formally through policy change process.
SECURITY POLICY

The Leon County Health Center is committed in providing the highest quality health
care, which includes respecting patients’ and clinical research subjects’ rights to maintain the
privacy of their health information. The standards for protecting patient health information are
described in the federal law known as the Health Insurance Portability and Accountability Act
(HIPAA). The Leon County Health Center’s HIPAA policies are designed to ensure the
appropriate security of all patient health information across the County, in compliance with the
law. Our HIPAA privacy and security compliance policies are available at
www.leonhealthcenter.org for a more in-depth viewing.

OUR HIPAA SECURITY RULE OVERVIEW:

The focus of the security rule is to maintain the confidentiality, integrity, and availability of
electronic protected health information (ePHI) that the Leon County Health Center covered
components creates, accesses, transmits or receives.
 ePHI is any Protected Health Information (PHI) which is stored, accessed, transmitted or
received electronically. Hence, the “e” at the beginning of ePHI.
 Confidentiality is the assurance that ePHI data is shared only among authorized persons
or organizations.
 Integrity is the assurance that ePHI data is not changed unless an alteration is known,
required, documented, validated and authoritatively approved. Most important to
HIPAA, data integrity ensures that we can rely on data in making medical decisions. It is
an assurance that the information is authentic and complete, and that the information
can be relied upon to be sufficiently accurate for its purpose.
 Availability is the assurance that systems responsible for delivering, storing and
processing critical ePHI data are accessible when needed, by those who need them
under both routine and emergency circumstances.
PRIVACY VS SECURITY:
HIPAA regulations cover both security and privacy. Security and privacy are distinct, but related.
 The Privacy rule pertains to the right of an individual to control the use of his or her personal
information. Protected health information (PHI) should not be divulged or used by others
without their consent. The Privacy rule covers the confidentiality of PHI in all formats
including electronic, paper and oral. Confidentiality is an assurance that the information will
be safeguarded from unauthorized disclosure. The physical security of PHI in all formats is an
element of the Privacy rule.
 The Security rule focuses on administrative, technical and physical safeguards specifically as
they relate to electronic PHI (ePHI). Protection of ePHI data from unauthorized access,
whether external or internal, stored or in transit.

POLICIES AND PROCEDURES RELATED TO HIPAA SECURITY:

5100 HIPAA Security Anchor Policy: ePHI Security Compliance

5111 PHYSICAL SECURITY POLICY

5111 PR.1 procedure: Physical Facility Security Plan for Leon County Health Center and ITS Data
Centers

The Center is responsible for maintaining a Physical Facility Security Plan for Leon
County Health Center and ITS-Med Data Centers. The Health Center’s Physical Facility Security
Plan ensures that PHI (Protected Health Information) in any format (electronic, paper, audio
tapes, transcripts, videotapes, etc.) that is housed in Center and ITS-Med data center locations
meets HIPAA requirements for physical security at a level that is consistent with the criticality
and risk of the PHI.

5111 PR.2 procedure: Physical Access and Environmental Supports to Protected Health
Information
 The current recommendations are to use alarm keypad systems (change key codes
often) or ID key card swipes for labs, hospital rooms or areas accessed by multiple individuals.
Keep current documentation of who can authorize access to the area and individuals who
currently have access and status at the Center.

Electronic storage devices (diskettes, CDs/DVDs, zip drives, external drives, video/audio
tapes, USB drives, etc) and non-electronic PHI (images, medical records, lab results, paper files,
etc.) should be kept in secure locations when not in use. Locked cabinets, closets and offices
can provide this protection.

PHYSICAL SECURITY OF PORTABLE DEVICES:

Portable electronic devices used to create, access, transmit or receive Protected Health
Information (PHI) are subject to special requirements designed to minimize the risk of
inappropriate disclosure of PHI through theft or accidental loss. Portable devices include, but
are not limited to, laptop, notebook and sub-notebook computers, hand-held computers,
palmtops, Personal Digital Assistants (PDAs), and smart phones.
Physical security is the responsibility of the device owner, who is also responsible for
appropriate disposition of the device when it is retired from use (see Policy 1609: Media
Control).
You must implement current security standards for smart phones & PDAs that store,
access or transmit ePHI, whether Leon-issued or personal, including:
 Password protection
 Limitation of the email stored on the device to 250 messages or 7 days
 Subscription to a service that allows for remote purging of messages stored on the
device
 Completion of a Security Design Review for smart phone applications that might access
or receive
  You may never store ePHI on thumb drives of other removable media devices unless
they comply with Leon County Health Center ITS standards to protect ePHI with
encryption.
 For technical security compliance issues see Policies 1610 (Systems and Network
Security); 1607 PR1 (Encryption); and 5100) Electronic Protected Health Information
(ePHI) Security Compliance.

5123 ELECTRONIC COMMUNICATION OF HEALTH RELATED INFORMATION

(Email, Voice Mail and other Electronic Messaging Systems)
5123 PR.1 procedure: Communication of PHI via Electronic Messaging

General Guidelines:
Electronic Mail Communication of PHI -- 5123 PR.1 04
1. Email systems used by Leon County Health Center personnel must be configured to
require SSL/TLS encryption when transmitting an email message to the SMTP server
AND when retrieving messages from an IMAP or POP server.
2. Except where PHI relates specifically to treatment, any PHI transmitted by email should
be limited to the minimum necessary to meet the recipient’s needs.
3. Email messages containing PHI must not be forwarded to non-Leon County Health Center
email addresses either individually or by an automated forwarding mechanism unless an
approved Secure Electronic Messaging option is employed (end-to-end encryption).
4. Instant Messaging (IM) software should not be installed or used for electronic messaging
until an approved secure Instant Messaging (IM) option is available.

Approved Secure Electronic Messaging Options (end-to-end encryption):

1) POL: Patient Online® is a secure, Web-based application allowing patients or research
subjects to view portions of their medical record and electronically communicate with their
clinicians.
 2) Leon County Health Center File Transfer Facility - File transfer facility utilizes a secure
web-based method for the actual data transfer, but retains the flexibility of email for the
communications. This facility uses https: all transactions are encrypted. This encryption
ensures that the data cannot be intercepted in transit. Retrieval of the file(s) to the
intended individual should be restricted by providing a username/password pair that the
recipient must know in order to retrieve the data:
Do not send the password via File Transfer facility.
• Call the recipient to communicate the password.
• Use a clue that only the recipient would know, such as “the password is the color of the
scarf you wore last night.”

5142 INFORMATION SYSTEM ACTIVITY REVIEW

5142 PR.1 procedure: Information Systems Activity Review Procedure

Configuration Compliance and Activity Review:

Information Security office (ISO) will utilize the data in the Above-Threshold ePHI
Systems Inventory Database to identify Above-Threshold systems that may need remediation to
meet HIPAA requirements. Those systems will be prioritized according to data criticality and the
apparent extent of deviation from Center’s standards for HIPAA Security compliance. ISO will
assist System Owners to carry out a detailed risk analysis to determine possible steps to
eliminate deviation from Center’s standards.
ISO will pay particular attention to optimizing system logging activities and the
development of procedures for the review of system logs.

Log and audit standards for Above-Threshold systems:

Log and Audit messages must contain at a minimum:
• Unique timestamp
• System name
• User or daemon where applicable
 • Resulting message

For Basic Systems, periodic sampling, or spot checks will be used to review system logs and
access reports.

Review of Security Incident Response Reports

ISO will review Security Incident Response reports and link incident reports to corresponding
system records in the Above-Threshold ePHI Systems Inventory Database. ISO will provide
summary reports to the HIPAA Privacy Officer and to the Center’s CIO.

User-Level System Access, Activity, and Transaction Logs

ISO and/or Internal Audit will carry out spot checks of user-level access, activity and transaction
and exception logs.

5143 IT SECURITY INCIDENT RESPONSE POLICY

5143.1 Identification of Incidents
5143.2 Establishment of an IT Security Incident Response Team
5143.3 Risk Assessment Classification Matrix
5143.4 Documentation and Communication of Incidents
5143.5 Subordinate Procedures

1601 Information Access and Security

1601 PR.3 procedure: Access Control for Protect Health Information (ePHI)

Review User Access Profiles

Data owners and system administrators must periodically review user access to ensure that
each person’s access privileges are appropriate.

Monitor Employee Status and Duties

A system activity review shall be conducted by the System Owners, Systems Administrators or
their designees to evaluate who has access and whether access is still required and appropriate.
Monitor the following types of events within the organizations to determine if individual user
access needs to be modified or deleted:
 termination of employment or student status

1607 INFORMATION TECHNOLOGY APPROPRIATE USE POLICY

1607 PR.1 procedure: Center’s Endorsed Encryption Implementations

ENCRYPTION OF DATA
Users are encouraged to encrypt files, documents, and messages for protection against
inadvertent or unauthorized disclosure while in storage or in transit over data networks. The
Center makes available software and protocols endorsed by the Information Security Office
that provide robust encryption, as well as the capability for properly designated Center’s
officials to decrypt the information, when required and authorized under this policy. Users
encrypting information are encouraged to use only the given software and protocols. Users
who elect not to use the specified encryption software and protocols on IT Systems are
expected to decrypt information upon official, authorized request.

1609 MEDIA CONTROL

1609 PR.1 procedure: Disposal of Media Containing Confidential or Protected Health
Information

1610 SYSTEMS AND NETWORK SECURITY POLICY

1610 PR.1 procedure: Systems and Network Security Procedure

SPECIAL PROVISIONS FOR SYSTEMS WITH EPHI

The IT security procedures described herein are mandatory for network connected computing
devices that create, access, transmit or receive electronic Protected Health Information (ePHI).
SPECIFIC PROCEDURES FOR COMPUTING DEVICE SECURITY
Note that the following procedures apply to every individual who uses a computing device for
Center’s business. Some of the technical provisions may be impracticable for computers not
connected to a network. However, even in that situation, the procedures should be
implemented to the extent possible, especially if there is any possibility that the device may be
connected to a network in the future.

1610 PR.2 procedure: Disposal of Obsolete Computers and Peripheral

Used or broken electronics such as desktop, laptop computers and computer peripherals are
now considered Leon County Health Center’s Waste and are banned from normal trash
dumpsters. These items are now required to be collected and sent to a licensed disposal facility.

DATA REMOVAL PRIOR TO DISPOSAL

Prior to redeployment, donation, selling, or recycling of any computer, the data must be
removed. Desktop Support Providers can help clients navigate the data removal process. In
addition, the Computing Center offers a free hard drive data erasure service as well as a
CD/DVD and floppy disk shredding.

All staff, trainees, students and others in Leon County Health Care Center HIPAA Covered
Components must comply with the following policies:
1. Everyone must complete HIPAA Privacy and HIPAA Security Training and thoroughly
understand the HIPAA Electronic Protected Health Information Security Compliance
Policy. Voluntary staff who do not access, store, transmit or receive Leon County Health
Center ePHI as part of the duties associated with their appointment at Leon County
Health Center are exempted from HIPAA Security training.
 HIPAA Training: This pertains to those using computing or communications systems
during the course of work at Leon County Health Center. This includes systems use on
remote locations, such as home, hotels and other off–center locations.

Based on your role, please overlook the following courses:

 HIPAA Security Training
If you are a faculty member, student or staff member in the Center AND you
store, access, transmit or receive electronic protected health information
(ePHI) or have oversight responsibilities of staff who do.
OR
You are an IT support provider for one or more people in the Center.

 HIPAA Security Training for Business Managers

If you are a business manager in the Center.

2. General Security Training

If you use email or other networked resources, as a faculty member, student or staff
member in the Center, you DO NOT store, access, transmit or receive electronic
protected health information (ePHI) without the general security training. You DO NOT
have oversight responsibilities or provide IT support for staff who do.

HIPAA ePHI Security Compliance Policy

1. Everyone must use “strong” passwords (8 – 14 characters, with 2 letters and 2
non-letters) for computer and application access, and comply with ITS password
security standards.
 ITS Password Security Standards Guide 1610
2. Everyone must immediately report all incidents that may involve a potential
breach of ePHI such as a loss or theft of a computer, smart phone, or thumb
drive that might contain ePHI to the HIPAA Security Officer hotline.
 3. You must secure paper records that include protected health information:
You must immediately report all incidents that may involve the loss or theft of
any such paper records.

All faculty, staff, trainees, students and others who store, access, transmit or receive Protected
Health Information on paper (PHI) or electronically (ePHI) must comply with the following
policies:

1. All Leon County Health Center laptop and desktop computers used to
store, access, transmit or receive ePHI must follow these current secure
configuration standards, including:
 Whole Disk Encryption
 Automatic distribution of security and other patches via central
computer management software
 Installation and update of anti-virus /anti-spyware software
 Automatic locking and password protection of desktops after 15
minutes of inactivity
 Registration in the ITS Backup service
o Protection via proxy servers or removal of administrative
privileges
o Removal of applications that increase the vulnerability of
computers such as Peer to Peer (P2P) file sharing
o A locking cable or equivalent device for physical security
o All new desktop and laptop computers must be purchased
from Leon County Health Center
o Other safeguards as they become technically feasible.
2. You must implement current security standards for smart phones and
other devices that store, access, transmit or receive ePHI, whether Leon
County Health Center-issued or personal, including:
 Password protection
 Encryption
 Limitation of the email stored on the device to 250 messages or 7
days
 Subscription to a service that allows for remote purging of
messages stored on the device
DISASTER RECOVERY POLICIES

PURPOSE:

The Disaster Recovery Plan is intended to provide a framework for reconstructing vital
operations to ensure the safety of employees and the resumption of time-sensitive operations
and services in the event of an emergency. At the same time, it is intended to be a guide and
not a series of defined instructions void of flexibility. The nature of the interruption should
determine how a business continuation plan is used.

BACKUP PROCEDURES:

 Restore OS and application systems software to workstations

 Restore “off-the-shelf” software on local workstations
 Restore access rights
 Physicians will work from available pooled workstations daily.
 Employees involved in recovery will have access to recovery site 24/7.
 Work with the Technical Recovery Team members in establishing connectivity to
servers (network connectivity)
  Ensure all team leaders/alternates involved with recovery are aware of the Recovery
Time Objectives as well as the Recovery Point Objective
 Problems associated with workstation recovery should be directed through a
member of the Crisis Management Team.

VIRUS MANAGEMENT:

While logging may show you after the fact that a virus has been found, you probably
want to know as soon as possible when a virus hits

This task includes ensuring that we have effective virus protection running on our
network. Just having virus protection software on your workstations isn’t enough. We will also
run virus protection software on your server. While logging may show you after the fact that a
virus has been found, you probably want to know as soon as possible when a virus hits. To
counter the virus threats, we have file servers is to provide a central location for storing and
accessing files. Run virus scanners constantly on your workstations. Since there is a specific
amount of clients on the network, visit each workstation on the network to update the virus
signature files. Deduce running workstation-based virus scanning to detect files loading from
the network can potentially slow down processing at the workstation level. Server-side
scanners will be used to log the virus scanning activity for both your servers and your
workstations in a central location, which allows you to keep tabs on what the software is doing
and what it has detected.

Server-side virus protection software immediately notifies you of a virus with e-mail,
pager alerts, or network broadcasts.

DISK/FAULT TOLERANCE:

There are several different ways to achieve disk fault tolerance. The most common
implementation is known as RAID, or Redundant Array of Independent (or Inexpensive) Disks.
Multiple disks can be configured in a number of different ways to create a fault-tolerant array.
Data can simply be mirrored from one disk to another, or parity information can be stored that
will enable the regeneration of lost data. RAID can be implemented either as a hardware or
software solution. There are many different “levels? Of RAID: 0, 1, 2, 3, 4, 5, 6, 7, 10, 0+1, and
53 are the most common.

Windows Server 2003 has built-in support for three levels of software-implemented
RAID:

 level 0 (disk striping, no parity)

 level 1 (disk mirroring)

 level 5 (striping with parity)

The biggest advantage of hardware RAID is performance; disk access is faster because
you don’t have the operating system overhead (the RAID disks appear as one to the operating
system). The big advantage of software RAID is cost; you don’t have to buy extra expensive
RAID controllers or other additional hardware to use it.

POWER FAILURE:

Electricity:

To analyze the power outage risk, it is important to study the frequency of power
outage and the duration of each outage. It is also useful to determine how many powers feeds
operate within the facility and if necessary make the power system redundant.

Telephones:

Telephones are a particularly crucial service during a disaster. A key factor in evaluating
risks associated with telephone systems is to study the telephone architecture and determine if
any additional infrastructure is required to mitigate the risk of losing the entire
telecommunication service during a disaster.

Water:

There are certain disaster scenarios where water outages must be considered very
seriously, for instance the impact of a water cutoff on computer cooling systems.
BUDGET
Product Type Estimated Price
Patch Panel $388
TalkSwitch PBX Phone Systems $695
100 Base T - Cat 5 UTP Ethernet Cable $59
Switches $140
Cisco PIX Firewall Bundle $1395
Internet (Wi-Fi WPA) $24/month
Gateway Router $100
Other Routers $200
Servers (Email, HTTP, DNS, File & Print, Databases) $3,100
VLANs $800
Printers $2,519

Cross-Over Cables $200

Straight-Through Cables $150
Roll-Over Cables $250

Computer Workstations $32,000

Security Software (Personal Anti-Virus Protection & $3,000
Server-side Virus Protection)
Backup/Storage/Archive Software $1,300
OS/Application Systems Software $2,000
Backup Power Generators $5,385

Other $1,319
Total Estimated Budget $55,000 + $24/month

The above spreadsheet simply outlines estimated costs related to our proposal. The
company does not already have an asset, so any of these may be eliminated. All estimated
prices were researched on Google for the best and lowest prices for a small business.
The following items that we will be justifying costs for are needed to hook up the
network together. The patch panel was found to be $388 for the cheapest price. The switches
and routers estimated together as $440. A bundle of the 100 Base T - Cat 5 UTP Ethernet Cable
was $59 for more than we would need in length. The servers needed to be online with the cost
of setting up VLANs across the facility estimated as $3,900. Cross-Over Cables, Straight-Through
Cables, and Roll-Over Cables are all needed to connect the routers, switches, and PCs together
and total to an estimated $600 for more than needed so we would have extra in case we need
to replace some cables.
Black-and-white laser inkjet printers were found to be around $229, and we would need
at least 11 (one for each department as shown in the Physical Diagram), which brings the total
to $2,519. The TalkSwitch PBX Phone Systems are $695 for everything (phones, setup, and the
PBX), and connects to up to 64 phones, which is more than enough for our Health Center. The
Cisco PIX Firewall Bundle, which we would need to keep intruders and unwanted guests out of
our network systems, was found to be $1,395. Our computer workstations cost $32,000 as we
calculated for about 64 workstations, each costing $500 for the computers and accessories. We
assume this would be enough workstations for the users coming in and out to access records
and did not bring their laptops.
Security Software, which includes personal Anti-Virus Protection & Server-side Virus
Protection for each workstation and computer, would cost about $3,000 for a business bundle.
This would ensure each computer is protected against the simplest viruses and malware that
happen to penetrate the system’s firewall security. Backup/Storage/Archive Software costs
about $1,300, and would include the programs to backup computers that have for some reason
crashed or just to allocate more storage room for records and files. OS/Application Systems
Software costs $2,000 to keep all computers up-to-date on all applications and running the
same operating system. Finally, the Internet (Wi-Fi-WPA preferred) would be $24 a month to
keep it up and running.
We put in the backup Power Generators for $5,385 in the case a power failure were to
occur and we needed to access medical records. The remaining $1,319 not accounted for in the
total so far that we have listed under as “Other” is allocated for anything that we have looked
over and missed that we would need for the setup or maintaining of our proposed network
infrastructure. Everything else that we have listed totals to $53,681 ($55,000 with the $1,319),
and then the $24 a month for the Internet Wi-Fi. Our team will look over and re-evaluate
anything deemed unreasonable or unnecessary.
APPENDIX A: PHYSICAL NETWORK DIAGRAM
See attached diagrams in the back.
APPENDIX B: LOGICAL NETWORK DIAGRAM
See attached diagrams in the back.
MEMBER CONTRIBUTION
Each of the members contributed to the final product. The amounts varied due to time constraints and
schedules as well as reliability. Members are listed in order by last name alphabetically.

How we ended up dividing the parts of the project up:

Jana Giordani – She volunteered to work on Security Policy.

Marlene Marte – She volunteered to work on the Network Policies.

Anthony McClurkin – He volunteered to work on the Disaster Recovery Policies.

Kwanhaun Belinda Ng – She volunteered to work on the Executive Summary, compose the
Budget spreadsheet , and help with the Written Description. She also did the final editing for producing
the final product.

Roosevelt Woodley – He volunteered to work on both of the diagrams (Appendix B: Logical

Network Diagram and Appendix A: Physical Network Diagram). He also helped compose most of the
Written Description since he was in charge of designing the diagrams.