Following these measures will greatly reduce the likelihood of security attacks and loss of data.
Physical Safeguards
Place computers (especially laptops and mobile devices) in a location where only authorized users have access. For example, never leave a laptop unattended and visible in a car.
Position the screen so it is difficult for others to see. This is particularly important when viewing/editing screens that contain PII (Personal Identifiable Information, such as social security numbers, birth dates, medical records, etc.).
Access
Cincinnati/Hamilton County CoC's policy is that Two-Factor Authentication (2FA) is mandatory for use on all Clarity HMIS devices (desktop computers, laptops, mobile devices). 2FA is a method of confirming the identity of a Clarity user. Strategies to End Homelessness provides an article with more information about setting up and using 2FA: https://steh.freshdesk.com/support/solutions/articles/43000507239-using-two-factor-authentication-2fa-
Under no circumstances should any HMIS user access Clarity HMIS through any publicly available computer, such as at a library, hotel lobby, community center, etc.
Passwords
Do not write down your username or password. However, if you must write down this information, make sure you keep it in a secure location, such as a locked drawer. We are stewards of our clients' data.
Do not share your login information with anyone, including site or system administrators. If you have trouble logging into Clarity, contact HMISsupport@end-homelessness.org or call 513-263-2790 (9 a.m. - 5 p.m. Monday through Friday, excluding holidays). Sharing usernames or passwords is a severe violation of the HMIS User Agreement, and you will be held responsible for any activity that occurred under your login.
When Away from Your Computer
When you're away from your computer, even for a short time, either log out of Clarity HMIS or lock down your workstation (CTRL-ALT-DELETE). Clarity is enabled with a timeout feature which automatically logs you out after approximately one hour of inactivity with a 5-minute warning. However, for maximum security, lock or shut down your workstation before leaving it unattended.
Time Outs
Agency personnel in charge of workstations should make sure all equipment times out and automatically turns on a password-protected screen saver when the terminal is not in use.
Virus Protection
Agencies are responsible for protecting all devices which access Clarity HMIS by using commercially available virus protection software. This protection must include automated file scanning, and must be updated regularly.
Firewall
Agencies must implement a firewall to protect systems from malicious attacks. It is not necessary to install a firewall for every workstation, but there must be a firewall between all workstations and the agency's systems, including the internet and outside computer networks.
Disaster Protection and Recovery
Clarity HMIS is cloud-based (available over the internet). Support and maintenance are provided by the vendor, Bitfocus. If you have questions, problems, or issues with Clarity HMIS, contact HMIS Support at HMISsupport@end-homelessness.org or call 513-263-2790 (9-5 M-F excluding holidays).
Disaster Recovery Plan
While Bitfocus and HMIS Support handle Clarity HMIS, agencies also have locally used applications, such as Word, Excel, etc. stored on hard drives, and in some cases, their own servers.
As a result, it's recommended that each agency have their own disaster recovery plan in place. Every agency is different, so there are no hard and fast rules, but here are some suggestions:
- Create a plan and document it. Store it in a place where all staff members can reference it.
- Compile an inventory of hardware (desktop computers, laptops, mobile devices). Keep track of the inventory and update as necessary.
- Identify critical software applications and the appropriate hardware to run them. Upgrade both software and hardware as necessary to stay up-to-date. The more recent the version, the more likely it is to be secure.
- Schedule regular data backups.
- Make sure you have copies of software in case re-installation is necessary.
- All agency staff (not just IT) should know how to take the precautions listed in this article.
- All staff members should know how to securely save a file. This can be password protecting a Word document, saving a file to a secured network drive only accessible by authorized agency personnel, or encrypting data.
Hard Copy Protection
Any paper or other hard copy generated by HMIS that contains PII must be protected. When staff are not present, hard copies must be secured in areas not accessible by the general public or unauthorized personnel. Suggestions for safeguarding documents containing PII include, but are not limited to:
- Keeping documents out of view and out of reach of unauthorized personnel when handling them.
- Making sure all doors and windows in offices and records storage areas have strong locks.
- Keeping filing cabinets and other records storage areas locked at all times when not in use.
- Labeling all files, folders, and boxes clearly with descriptions of their contents.
- Limiting access to record storage areas to qualified personnel.
- Inspecting record storage areas regularly to make sure documents are secure.
- Shredding any unneeded documents. DO NOT THROW PII IN THE TRASH!
Contact Information
If you need help, or wish to offer suggestions or feedback, please contact the Cincinnati/Hamilton County HMIS Support Team at HMISsupport@end-homelessness.org or by calling 513-263-2790, 9 a.m. - 3 p.m. Monday-Friday, excluding holidays.
When contacting HMIS Support, please do not include any Personal Identifiable Information such as social security numbers, birth dates, etc. Acceptable information is first name and last 4 digits of SSN, or Clarity Unique Identifier found on the Clarity client's profile page.