RESOLUTION RE: APPROVE BUSINESS-TO-BUSINESS VPN / SITE-TO-SITE ACCESS REQUEST FORM AND AUTHORIZE CHAIR TO SIGN - BANNER HEALTH

WHEREAS, the Board of County Commissioners of Weld County, Colorado, pursuant to Colorado statute and the Weld County Home Rule Charter, is vested with the authority of administering the affairs of Weld County, Colorado, and

WHEREAS, the Board has been presented with a Business-to-Business VPN / Site-to-Site Access Request Form between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, and Banner Health, commencing upon full execution, with further terms and conditions being as stated in said Request Form, and

WHEREAS, after review, the Board deems it advisable to approve said Request Form, a copy of which is attached hereto and incorporated herein by reference.

NOW, THEREFORE, BE IT RESOLVED by the Board of County Commissioners of Weld County, Colorado, that the Business-to-Business VPN / Site-to-Site Access Request Form between the County of Weld, State of Colorado, by and through the Board of County Commissioners of Weld County, and Banner Health be, and hereby is, approved.

BE IT FURTHER RESOLVED by the Board that the Chair be, and hereby is, authorized to sign said Request Form.

The above and foregoing Resolution was, on motion duly made and seconded, adopted by the following vote on the 25th day of July, A.D., 2012.

BOARD OF COUNTY COMMISSIONERS, WELD COUNTY, COLORADO
Sean P. Conway, Chair
William Garcia, Pro-Tem
Kirkmeyer
Douglas Rademacher

ATTEST: Weld County Clerk to the Board, by Deputy Clerk to the Board

APPROVED AS TO FORM: E. Long, County Attorney

Date of signature: (illegible in the scanned copy)
Resolution 2012-1957

Banner Health Confidential.
Information Security Department
Business-to-Business VPN / Site-to-Site Access Request Form
Created 6/11/2012, Version 5.06112012; Ken Bruder

Purpose:
1) Used to complete a risk assessment of any requested business-to-business VPN / site-to-site access between Banner and non-Banner entities.
2) Used to document and archive information about business-to-business VPN / site-to-site access between Banner and non-Banner entities.

Instructions:
1) Review and complete the form.
   a. Sections 1 and 2 are to be completed by a Banner Health employee.
   b. Section 3 is to be completed by the business partner with the assistance of a Banner Health employee.
   c. Section 4 needs to be signed by the business partner's Vice President or higher, with some exceptions granted.
2) Submit the signed and completed form to Banner Health I/T Security:
   a. Preferred: a scanned version attached to a Request Center request assigned to Banner Health I/T Security.
   b. Alternatives:
      i. Email to messase@bannerhealth.com;
      ii. Fax to 602.747.4406 with "Attention: IT Security Department" on the cover page.

Notes:
• It takes approximately 14 calendar days to set up and test a business-to-business / site-to-site VPN after Banner Health I/T Security receives the initial signed copy of this form.
• Banner does not set up NATs on B2B connections.
• A Business Associate Agreement is not required if PHI is not being accessed, or PHI is being used for treatment (HIPAA, 45 CFR 164.502(e)(1)).
• A Business Associate Agreement (optionally a Data Transfer Agreement or Data Transmission Agreement) must be signed prior to any data being transferred, viewed, or transmitted to a business partner or third party (i.e., an entity contracted or hired by a Banner business partner to perform a service for them). Blank versions of these forms are located at http://intranet.bannerhealth.com/infosec.

Please email David.Jahne@bannerhealth.com or Robert.Rost@bannerhealth.com with any questions.
Approval, VPN Setup, and Maintenance Process:
a) A Banner Health director (or higher) is required to sponsor a site-to-site VPN.
b) A Banner Health I/T representative (such as an I/T Project Manager or I/T Facility Liaison) downloads the latest version of the "B2B and S2S VPN Request Access Form" from HERE.
c) The Banner Health I/T representative and business partner complete the "Site-to-Site Access Request Form" with the as-needed assistance of Banner Health I/T Security via email or phone conference.
d) A Banner Health I/T representative submits a Request Center ticket to Banner Health I/T Security by selecting the Request Center "Site-to-Site VPN" template from the "Information Security" team area.
   Note: As of 2012/06/11, the I/T Request Center does not have a dedicated template for a Site-to-Site VPN. You can utilize the general task template or email the form to informationsecurity@bannerhealth.com.
e) Banner Health I/T Security will complete a risk assessment of the requested site-to-site VPN connection and schedule as-needed conference calls to resolve any outstanding issues.
f) If approved, I/T Security will create and submit a subtask to Banner Health I/T Network Planning and Integration to create the site-to-site VPN tunnel. The completed and signed documents are indexed and stored in Banner's imaging system.
g) Banner Health I/T Network Planning and Integration contacts the technical contact at our business partner to share information and create the tunnel.
   1. The business partner is expected to complete any required network address translation statement. Banner Health typically does not configure NAT statements for site-to-site VPN connections.
   2. Each tunnel configuration entry will include comments, including: date, request number, name of the director sponsoring the site-to-site VPN, and name of the employee setting up the tunnel.
   3. The B2B Tunnel Configuration and Contact Information spreadsheet is updated with the appropriate information.
h) If needed, a Banner Health I/T representative will submit a separate request to I/T Network Planning and Integration to have additional hosts added to an existing tunnel.
i) It takes approximately 14 calendar days to set up a site-to-site VPN after Banner Health I/T Security receives the initial signed copy of the site-to-site access request form.

Section 1: To be completed by a Banner Health employee only.

Table 1a: Banner Health Employee Contact Information:
Name of Banner employee completing this section: Dave Roberts
Banner owner/sponsor of this VPN connection (must be a Director or higher): Steve Rains
Date: 7/19/2012

Table 1b: Administrative Information:
Name of this vendor/contractor: Weld County
Purpose for dedicated B2B connection: Transition of Weld County Paramedic Services to Banner
Connection request type (New, Revalidating, Modifying): New

Section 2: To be completed by a Banner Health employee only.

Table 2a: Applications and computers that will initiate communication FROM the vendor's/contractor's/business partner's network TO the Banner network:

Application | Transport and destination port | 3rd party / business partner's hosts/subnet | Banner's hosts
(example) FTP | (example) TCP 20, 21 | (example) 150.2.0.0/16 | (example) 10.64.1.4
(example) Remote Desktop | (example) TCP 3389 | (example) 150.2.0.0/16 | (example) 10.64.1.5
Zoll-DB | Any | 10.100.11.105/32 | Any
Zoll-Web | Any | 10.100.11.110/32 | Any
Zoll-Bill | Any | 10.100.14.40/32 | Any
Zoll-FaxSrvr | Any | 10.100.11.109/32 | Any
Arbitrator | Any | 10.100.16.93/32 | Any
Telestaff | Any | 10.100.10.40/32 | Any
Telestaff2 | Any | 10.100.?.?/32 | Any

1. Do any of the hosts listed in Table 2a store confidential or Protected Health Information (PHI) on them? If so, which ones?
   Yes; Zoll-DB, Zoll-Bill, Telestaff

2. Will the non-Banner entity/vendor/contractor/business partner or a Banner employee be transmitting confidential or PHI information to or from the host(s) listed in Table 2a to a 3rd party business partner or entity?
   Yes. Banner PFS and IT staff will be working with the data hosted on the Weld County Paramedic Services servers until they are moved to the Banner data centers.
   a. If yes, will the patient's private information always be de-identified*? No

* De-identification ensures that any anticipated or unanticipated recipient of the patient information CANNOT identify an individual AND ensures that all of the following identifiers have been REMOVED:
1) Names.
2) Geographic designations smaller than a State, including street address, city, county, precinct, and zip code.
3) Dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 (all elements of date, including year, indicative of such age, except that such ages may be aggregated into a single category of age 90 or older).
4) Telephone numbers and fax numbers.
5) Email addresses.
6) Social Security numbers.
7) Medical record numbers (facility identifiers).
8) Health plan beneficiary numbers.
9) Account numbers (facility identifiers).
10) Certificate/license numbers.
11) Vehicle identifiers, serial numbers, and license plate numbers.
12) Device identifiers and serial numbers.
13) Web URLs (Universal Resource Locators).
14) Internet Protocol (IP) addresses.
15) Biometric identifiers, such as fingerprints, full-face photographs, and any comparable images.
16) Any other unique identifying number, characteristic, or code.
(Refer to Banner Health Policy - Identifying and De-Identifying Protected Health Information (PHI) and Creation of a Limited Data Set, Policy 2873.3.)

Section 3: To be completed by our contracted Business Partner with the assistance of a Banner employee.
Table 3a: Business Partner Contact Information:
The people listed in this section are responsible for ensuring all the information in this section is up to date and will be the contact points Banner will communicate with regarding any changes to the VPN connection. At least two contacts are required.

Name of business partner employee completing this section: Monica Mika
Date: 7/19/2012
Phone number(s): (970) 356-4000
Email address: mmika@co.weld.co.us
Mailing address: Weld County Colorado, PO Box 758, Greeley, CO 80632

Alternate contact name: Aleksei Churyk
Phone number(s): (970) 304-6570 x2555
Email address: achuryk@co.weld.co.us
Mailing address: Weld County Colorado, PO Box 758, Greeley, CO 80632

Table 3b: Applications and computers that will initiate communication from the Banner network TO the 3rd party / business partner network:

Application | Transport & destination port | Banner hosts | 3rd party / business partner hosts/subnet
(example) ICMP | (example) Echo & echo reply | (example) 10.64.1.4 | (example) 150.2.0.0/16
(example) X Windows | (example) TCP 6000-6200 | (example) 10.64.1.5 | (example) 150.2.0.0/16
(blank) | Any | Unknown 10.x.x.x | 10.100.11.105/32
(blank) | Any | Unknown 10.x.x.x | 10.100.11.110/32
(blank) | Any | Unknown 10.x.x.x | 10.100.14.40/32
(blank) | Any | Unknown 10.x.x.x | 10.100.11.109/32
(blank) | Any | Unknown 10.x.x.x | 10.100.16.93/32
(blank) | Any | Unknown 10.x.x.x | 10.100.10.40/32
(blank) | Any | Unknown 10.x.x.x | 10.100.?.?/32

Table 3c: IPsec Parameters to Configure Business-to-Business VPN:
(This section is to be completed by the business partner. Please fill out all values except for the pre-shared key parameter. All values below are left blank on the submitted copy.)
3rd party / business partner VPN device:
3rd party / business partner IPsec peer IP address:
Purpose of connection:
3rd party / business partner encryption domain:
Pre-shared secret key (provide out-of-band):
Key algorithm:
ISAKMP auth mode:
ISAKMP hash:
ISAKMP encryption:
ISAKMP Diffie-Hellman:
ISAKMP key lifetime:
ISAKMP key mode:
Perfect Forward Secrecy:
IPsec encapsulation:
IPsec protocol type:
IPsec cipher algorithm:
IPsec authentication:
IPsec lifetime:

Question | n/a (not accessing Banner equipment) | YES | NO
1. Does the 3rd party / business partner regularly monitor audit logs to verify which Banner equipment is accessed, who accessed it, why, and what data is/was transferred from the Banner network to the 3rd party / business partner?
   n/a (not accessing Banner equipment): x   YES:   NO: x
   Banner will be accessing the Weld County Paramedic Services servers; this is temporary access until the servers are moved to the Banner data centers.
2. Will the 3rd party / business partner alert Banner about security issues with equipment? YES: x   NO:
3. Will the 3rd party / business partner alert Banner about security incidents involving their network? YES: x   NO:
4. How will the remote support affect network performance? Please describe the bandwidth requirements for a typical session (KB/sec and KB). How are larger files such as software upgrades and patches handled?
   n/a
5. Has a member of Banner's WAN team reviewed the 3rd party / business partner's network connectivity diagram (see Appendix A for template)? YES: x   NO:
6. Please describe the facilities hosting the 3rd party / business partner's VPN equipment and hosts listed in Tables 2 and 3 (e.g., monitoring 24x7, 365 days a year; set up in a separate, securely locked room that only authorized personnel can enter).
   Meets all the requirements listed above.
7. Please describe the login authentication process for 3rd party / business partner personnel to access Banner's equipment. (E.g., a three-tiered process: (1) authenticate to the 3rd party / business partner network; (2) authenticate when establishing a connection between the business partner and Banner; (3) authenticate to the business partner's application or host at Banner.)
   n/a; Banner is accessing Weld County Paramedic Services equipment, not vice versa.
8. Does the 3rd party / business partner have automated programs managing computer virus scanning? YES: x   NO:
9. What is the 3rd party / business partner's security patching policy?
   Matches Banner's monthly patch procedure.

Section 4: (REQUIRED) Needs to be signed by a Vice President or higher at the business partner, with some exceptions granted.
The below signature represents the stated business partner's:
• Commitment to comply with all applicable policy and procedures,
• Understanding that the signer is responsible for all actions of the assigned tunnel,
• Understanding of service agreements and compliance with support requirements.

Business Partner Name: Weld County
Phone number: (970) 356-4000
Signature:
Title of Person Signing: Sean P. Conway, Chair, Board of County Commissioners
E-mail Address: sconway@co.weld.co.us
Date: 7/19/2012 (stamped JUL 25 2012)

Appendix A: network connectivity diagram (not legible in the scanned copy).
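Read together with the risk-assessment step (e) of the process above, Tables 2a and 3b show what the reviewer has to work with: every row lists "Any" for transport, the Banner-side hosts are "Any" in Table 2a and "Unknown 10.x.x.x" in Table 3b, and one Weld County host is still the placeholder 10.100.?.?/32. An IPsec encryption domain built straight from those rows would carry any protocol between the named Weld County servers and the whole Banner side. The script below is an added example, not part of the form and not Banner Health's or Weld County's tooling: it parses rows written in the form's own notation ("TCP 20, 21", "TCP 6000-6200", "ICMP Echo & echo reply", "Any") and reports the rows a reviewer would send back before a crypto ACL is written. The Table 2a rows are transcribed from the form; the two thresholds (a range wider than 64 ports, a prefix shorter than /24) are assumptions chosen for illustration.

```python
"""Review checks for a B2B site-to-site VPN access request (added example)."""
import ipaddress
import re
from dataclasses import dataclass

WIDE_PORT_RANGE = 64  # assumed threshold for "wide port range" findings
BROAD_PREFIX = 24     # assumed threshold: prefixes shorter than /24 are "broad"


@dataclass(frozen=True)
class Rule:
    app: str        # application name as written on the form
    transport: str  # "TCP 20, 21", "TCP 6000-6200", "ICMP Echo & echo reply", "Any"
    src: str        # host/subnet that initiates the connection
    dst: str        # host/subnet that receives it


def parse_transport(spec):
    """Return (protocol, frozenset of ports or None) for a transport cell."""
    s = spec.strip()
    if s.lower() == "any":
        return "any", None
    m = re.match(r"(tcp|udp|icmp)\b(.*)$", s, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised transport {spec!r}")
    proto = m.group(1).lower()
    if proto == "icmp":
        return "icmp", None  # ICMP types such as echo/echo reply carry no ports
    ports = set()
    for part in re.split(r"[,\s]+", m.group(2).strip()):
        if not part:
            continue
        lo, _, hi = part.partition("-")  # "6000-6200" or a single port "3389"
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port {part!r} in {spec!r}")
        ports.update(range(lo_i, hi_i + 1))
    if not ports:
        raise ValueError(f"{spec!r} names a protocol but no port")
    return proto, frozenset(ports)


def check_address(field):
    """Return (network, None) for a usable host/subnet cell, else (None, finding)."""
    f = field.strip()
    if f.lower() == "any":
        return None, "unrestricted host field 'Any'"
    if "?" in f or "x" in f.lower():  # placeholders such as 10.100.?.?/32, Unknown 10.x.x.x
        return None, f"incomplete address {f!r}"
    try:
        return ipaddress.ip_network(f, strict=False), None  # a bare host becomes /32
    except ValueError:
        return None, f"unparseable address {f!r}"


def audit_rule(rule):
    """Findings for one row in transport/source/destination order; [] means acceptable."""
    findings = []
    try:
        proto, ports = parse_transport(rule.transport)
    except ValueError as exc:
        findings.append(f"transport: {exc}")
    else:
        if proto == "any":
            findings.append("transport: any protocol and any port")
        elif ports is not None and len(ports) > WIDE_PORT_RANGE:
            findings.append(f"transport: wide port range ({len(ports)} ports)")
    for label, field in (("source", rule.src), ("destination", rule.dst)):
        net, problem = check_address(field)
        if problem:
            findings.append(f"{label}: {problem}")
        elif net.prefixlen < BROAD_PREFIX:
            findings.append(f"{label}: broad subnet {net}")
    return findings


def audit_request(rules):
    """Map application name -> findings for every row that has at least one."""
    report = {}
    for r in rules:
        findings = audit_rule(r)
        if findings:
            report[r.app] = findings
    return report


# Rows transcribed from the form's Table 2a (Weld County hosts initiating to Banner).
TABLE_2A = [
    Rule("Zoll-DB", "Any", "10.100.11.105/32", "Any"),
    Rule("Zoll-Web", "Any", "10.100.11.110/32", "Any"),
    Rule("Zoll-Bill", "Any", "10.100.14.40/32", "Any"),
    Rule("Zoll-FaxSrvr", "Any", "10.100.11.109/32", "Any"),
    Rule("Arbitrator", "Any", "10.100.16.93/32", "Any"),
    Rule("Telestaff", "Any", "10.100.10.40/32", "Any"),
    Rule("Telestaff2", "Any", "10.100.?.?/32", "Any"),
]

# The form's own example rows, for comparison: complete, but the /16 sides are still broad.
FORM_EXAMPLES = [
    Rule("FTP", "TCP 20, 21", "150.2.0.0/16", "10.64.1.4"),
    Rule("Remote Desktop", "TCP 3389", "150.2.0.0/16", "10.64.1.5"),
    Rule("X Windows", "TCP 6000-6200", "10.64.1.5", "150.2.0.0/16"),
]

if __name__ == "__main__":
    for name, rows in (("Table 2a", TABLE_2A), ("form examples", FORM_EXAMPLES)):
        print(f"== {name}")
        for app, findings in audit_request(rows).items():
            print(f"  {app}: " + "; ".join(findings))
```

Run as a script it prints one line per flagged row; every Table 2a row is reported, since each one has an unrestricted transport and an unrestricted Banner-side host, and Telestaff2 is additionally reported for its incomplete address. The same incomplete-address check catches the "Unknown 10.x.x.x" Banner hosts of Table 3b. The point of the thresholds is review triage, not policy: a reviewer still decides, for example, whether a /16 encryption domain is acceptable for a particular partner.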