RESOLUTION
RE: APPROVE BUSINESS-TO-BUSINESS VPN / SITE-TO-SITE ACCESS REQUEST
FORM AND AUTHORIZE CHAIR TO SIGN - BANNER HEALTH
WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to
Colorado statute and the Weld County Home Rule Charter, is vested with the authority of
administering the affairs of Weld County, Colorado, and
WHEREAS, the Board has been presented with a Business to Business VPN/Site-to-
Site Access Request Form between the County of Weld, State of Colorado, by and through the
Board of County Commissioners of Weld County, and Banner Health, commencing upon full
execution, with further terms and conditions being as stated in said Request Form, and
WHEREAS, after review, the Board deems it advisable to approve said Request Form, a
copy of which is attached hereto and incorporated herein by reference.
NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of
Weld County, Colorado, that the Business to Business VPN/Site-to-Site Access Request Form
between the County of Weld, State of Colorado, by and through the Board of County
Commissioners of Weld County, and Banner Health be, and hereby is, approved.
BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized
to sign said Request Form.
The above and foregoing Resolution was, on motion duly made and seconded, adopted
by the following vote on the 25th day of July, A.D., 2012.
BOARD OF COUNTY COMMISSIONERS
WELD COUNTY, COLORADO
ATTEST:
Weld County Clerk to the Board
BY: Deputy Clerk to the Board
APPROVED AS TO FORM:
County Attorney
Date of signature: [illegible]
Sean P. Conway, Chair
William Garcia, Pro-Tem
Kirkmeyer
E. Long
Douglas Rademacher
2012-1957
BC0043
Banner Health
Confidential. Information Security Department
Business-to-Business VPN / Site-to-Site Access Request Form
Created 6/11/2012
Version 5.06112012; Ken Bruder
Purpose:
1) Used to complete a risk assessment of any requested business-to-business VPN\Site-to-Site access
between Banner and non-Banner entities.
2) Used to document and archive information about business-to-business VPN\Site-to-Site access between
Banner and non-Banner entities.
Instructions:
1) Review and complete the form.
a. Sections 1 and 2 - To be completed by a Banner Health employee.
b. Section 3 - To be completed by the Business Partner with the assistance of a Banner Health employee.
c. Section 4 - Needs to be signed by the business partner's Vice President or higher, with some exceptions
granted.
2) Submit signed and completed form to Banner Health I/T Security:
a. Preferred: scanned version attached to the Request Center request assigned to Banner Health I/T
Security
b. Alternatives:
i. Email to messase@bannerhealth.com;
ii. Fax to 602.747.4406 with "Attention: IT Security Department" on the cover page.
Notes:
• It takes approximately 14 calendar days to set up and test a business-to-business\Site-to-Site VPN after the
Banner Health I\T Security receives the initial and signed copy of this form.
• Banner does not set up NATs on B2B connection.
• A Business Associate Agreement is not required if PHI is not being accessed, or PHI is being used for
treatment (HIPAA 45 CFR 164.502(e)(1)).
• A Business Associate Agreement (optional: Data Transfer Agreement, or Data Transmission Agreement)
must be signed prior to any data being transferred, viewed, or transmitted to a business partner or third
party (i.e., an entity contracted or hired by a Banner business partner to perform a service for them). Blank
versions of these forms are located at http://intranet.bannerhealth.com/infosec. Please email
David.Jahne@bannerhealth.com or Robert.Rost@bannerhealth.com with any questions.
Approval, VPN Setup, and Maintenance Process:
a) A Banner Health director (or higher) is required to sponsor a site-to-site VPN.
b) A Banner Health I/T representative (such as an I/T Project Manager or I/T Facility Liaison) downloads the
latest version of the "B2B and S2S VPN Request Access Form" from HERE.
c) The Banner Health I/T representative and business partner complete the "Site-to-Site Access Request
Form" with the assistance of Banner Health I/T Security, as needed, via email or phone conference.
d) A Banner Health I/T representative submits a Request Center ticket to Banner Health I/T Security by
selecting the Request Center "Site-to-Site VPN" template from the "Information Security" team area.
Note: As of 2012/06/11, I/T Request Center does not have a dedicated template for a Site-to-Site VPN.
You can utilize the general task template or email the form to informationsecurity@bannerhealth.com.
e) Banner Health I/T Security will complete a risk assessment of the requested site-to-site VPN connection and
schedule conference calls as needed to resolve any outstanding issues.
f) If approved, I/T Security will create and submit a subtask to Banner Health I/T Network Planning and
Integration to create the site-to-site VPN tunnel. The completed and signed documents are indexed and
stored in Banner's imaging system.
g) Banner Health I/T Network Planning and Integration contacts the technical contact at our business partner to
share information and create the tunnel.
1. The business partner is expected to complete any required network address translation statement. Banner
Health typically does not configure NAT statements for site-to-site VPN connections.
2. Each tunnel configuration entry will include comments, including: date, request number, the name of the
director sponsoring the site-to-site VPN, and the name of the employee setting up the tunnel.
3. The B2B Tunnel Configuration and Contact Information spreadsheet is updated with appropriate
information.
h) If needed, a Banner Health I/T representative will submit a separate request to I/T Network Planning and
Integration to have additional hosts added to an existing tunnel.
i) It takes approximately 14 calendar days to set up a site-to-site VPN after Banner Health I/T Security
receives the initial and signed copy of the site-to-site access request form.
Section 1: To be completed by a Banner Health employee only.
Table 1a: Banner Health Employee Contact Information:
Name of Banner employee completing this section: Dave Roberts
Who is the Banner owner/sponsor of this VPN connection? (This must be a Director or higher): Steve Rains
Date: 7/19/2012
Table 1b: Administrative Information:
What is the name of this vendor/contractor?: Weld County
What is the purpose for dedicated B2B connection?: Transition of Weld County Paramedic Services to Banner
Connection request type: (New, Revalidating, Modifying): New
Section 2: To be completed by a Banner Health employee only.
Table 2a: List the applications and computers that will initiate communication FROM the vendor's/
contractor's\Business Partner's network TO the Banner network:
Application | Transport and destination port | 3rd Party/business partner's hosts/subnet | Banner's hosts
(example) FTP | (example) TCP 20, 21 | (example) 150.2.0.0/16 | (example) 10.64.1.4
(example) Remote Desktop | (example) TCP 3389 | (example) 150.2.0.0/16 | (example) 10.64.1.5
Zoll-DB | Any | 10.100.11.105/32 | Any
Zoll-Web | Any | 10.100.11.110/32 | Any
Zoll-Bill | Any | 10.100.14.40/32 | Any
Zoll-FaxSrvr | Any | 10.100.11.109/32 | Any
Arbitrator | Any | 10.100.16.93/32 | Any
Telestaff | Any | 10.100.10.40/32 | Any
Telestaff2 | Any | 10.100.?.?/32 | Any
1. Do any of the hosts listed in Table 2a store confidential or Protected Health Information (PHI) on them?
If so, which ones?
Yes; Zoll-DB, Zoll-Bill, Telestaff
2. Will the non-Banner entity\Vendor\Contractor\Business partner or a Banner employee be transmitting
confidential or PHI info to or from the host(s) listed in Table 2a to a 3rd Party business partner or entity?
Yes. Banner PFS and IT Staff will be working with the data hosted on the Weld County Paramedic
Services servers until they are moved to the Banner Data Centers.
a. If yes, will the patient's private information always be de-identified*? No
* De-identification ensures that any anticipated or unanticipated recipient of the patient information CANNOT
identify an individual AND ensures that all of the following identifiers have been REMOVED:
1) Names.
2) Geographic designations smaller than a State, including street address, city, county, precinct, and zip code.
3) Dates directly related to an Individual, including birth date, admission date, discharge date, date of death,
and for all ages over 89. (All elements of date including year indicative of such age, except that such ages
may be aggregated into a single category of age 90 or older.)
4) Telephone numbers and Fax numbers.
5) Email addresses.
6) Social Security numbers.
7) Medical record numbers (Facility Identifiers).
8) Health plan beneficiary numbers.
9) Account numbers (Facility Identifiers).
10) Certificate/license numbers.
11) Vehicle identifiers, serial numbers, and license plate numbers.
12) Device identifiers and serial numbers.
13) Web URLs (Universal Resource Locators).
14) Internet Protocol (IP) addresses.
15) Biometric identifiers, such as fingerprints, full-face photographs and any comparable images.
16) Any other unique identifying number, characteristic, or code. (Refer to Banner Health Policy:
Identifying and De-Identifying Protected Health Information (PHI) and Creation of a Limited Data Set,
Policy 2873.3.)
Section 3: To be completed by our contracted Business Partner with the
assistance of a Banner employee.
Table 3a: Business Partner Contact Information: The people listed in this section are responsible for ensuring
all the information in this section is up to date and will be the contact points Banner will communicate
with regarding any changes to the VPN connection. At least two contacts are required.
Name of business partner employee that is completing this section: Monica Mika
Date: 7/19/2012
Phone number(s): (970)356-4000
Email address: mmika@co.weld.co.us
Mailing address: Weld County Colorado, PO Box 758, Greeley, CO 80632
Alternate contact name: Aleksei Churyk
Phone number(s): (970)304-6570 x.2555
Email address: achuryk@co.weld.co.us
Mailing address: Weld County Colorado, PO Box 758, Greeley, CO 80632
Table 3b: List the applications and computers that will initiate communication from the Banner network TO
the 3rd Party\Business Partner network.
Application | Transport & Destination Port | Banner Hosts | 3rd Party\Business Partner Hosts/Subnet
(example) ICMP | (example) Echo & echo reply | (example) 10.64.1.4 | (example) 150.2.0.0/16
(example) X Windows | (example) TCP 6000-6200 | (example) 10.64.1.5 | (example) 150.2.0.0/16
Any | Unknown | 10.x.x.x | 10.100.11.105/32
Any | Unknown | 10.x.x.x | 10.100.11.110/32
Any | Unknown | 10.x.x.x | 10.100.14.40/32
Any | Unknown | 10.x.x.x | 10.100.11.109/32
Any | Unknown | 10.x.x.x | 10.100.16.93/32
Any | Unknown | 10.x.x.x | 10.100.10.40/32
Any | Unknown | 10.x.x.x | 10.100.?.?/32
Table 3c: IPSEC Parameters to Configure Business-to-Business VPN: (This section is to be
completed by the business partner. Please fill out all values except for the pre-shared key parameter.)
3rd Party\Business Partner VPN Device:
3rd Party\Business Partner IPsec Peer IP address:
Purpose of connection:
3rd Party\Business Partner Encryption Domain:
Pre-share secret key (provide out-of-band):
Key Algorithm:
ISAKMP Auth Mode:
ISAKMP Hash:
ISAKMP Encryption:
ISAKMP Diffie-Hellman:
ISAKMP Key Lifetime:
ISAKMP Key Mode:
Perfect Forward Secrecy:
IPSec Encapsulation:
IPSec Protocol Type:
IPSec Cipher Algorithm:
IPSec Authentication:
IPSec Lifetime:
Question n/a—not accessing Banner equipment YES NO
Does the 3rd Party\Business Partner regularly monitor audit logs to verify which Banner equipment x
is accessed, who accessed it, why, and what data is/was transferred from the Banner network to the
3rd Party\Business Partner?
1. Does the 3rd Party\Business Partner regularly monitor audit logs to verify which Banner equipment is accessed,
who accessed it, why, and what data is transferred from the Banner to the 3rd Party\Business Partner?
YES: NO:x
Banner will be accessing the Weld County Paramedic Services servers—this is temporary access until the
servers are moved to the Banner data centers
2. Will the 3rd Party\Business Partner alert Banner about security issues with equipment?
YES:x NO:
3. Will the 3rd Party\Business Partner alert Banner about security incidents involving their network?
YES:x NO:
4. How will the remote support affect network performance? Please describe the bandwidth requirements for a
typical session (KB/sec and KB)? How are larger files such as software upgrades and patches handled?
n/a
5. Has a member of Banner's WAN team reviewed the 3rd Party\Business Partner's network connectivity diagram
(see Appendix A for template)?
YES:x NO:
6. Please describe the facilities hosting the 3rd Party\Business Partner's VPN equipment and hosts listed in Tables
2 and 3 (e.g., monitoring 24x7, 365 days a year, set up in a separate, securely locked room that only authorized
personnel can enter).
Meets all the requirements listed above.
7. Please describe the login authentication process for 3rd Party\Business Partner personnel to access Banner's
equipment. (E.g., three-tiered process? (1) Authenticate to 3rd Party\business partner network? (2)
Authenticate when establishing a connection between business partner and Banner? Authenticate to business
partner's application or host at Banner?)
n/a—Banner is accessing Weld County Paramedic Services equipment, not vice versa.
8. Does the 3rd Party\Business Partner have automated programs managing computer virus scanning?
YES:x NO:
9. What is the 3rd Party\Business Partner's security patching policy?
Matches Banner's monthly patch procedure.
Section 4: (REQUIRED) Needs to be signed by a Vice President or higher at
the business partner, with some exceptions granted.
The below signature represents the stated business partner's:
• Commitment to comply with all applicable policy and procedures,
• Understanding that the signer is responsible for all actions of the assigned tunnel,
• Understanding of service agreements and compliance with support requirements.
Business Partner Name: Weld County
Phone number: (970)356-4000
Signature:
Title of Person Signing: Sean P. Conway, Chair, Board of County Commissioners
E-mail Address: sconway@co.weld.co.us
Date: 7/19/2012 (date stamp: JUL 25 2012)