Section 4: Security Plan

Introduction to the Homeless Management Information System Security Plan

Homeless Management Information System (HMIS) security standards are established to ensure the confidentiality, integrity, and availability of all HMIS information. The security standards are designed to protect against any reasonably anticipated threats or hazards to security and must be enforced by system administrators, agency administrators as well as end users. This section is written to comply with section 4.3 of the 2004 Homeless Management Information Systems (HMIS) Data and Technical Standards Final Notice (69 Federal Register 45888) as well as local legislation pertaining to maintaining an individual’s personal information.

Meeting the minimum standards in this Security Plan is required for participation in the HMIS. Any agency may exceed the minimum standards described in this plan and are encouraged to do so. All Agency Data Administrators are responsible for understanding this policy and effectively communicating the Security Plan to individuals responsible for security at their agency.

Security Plan Applicability

The HMIS and all agencies must apply the security standards addressed in this Security Plan to all the systems where personal protected information is stored or accessed. Additionally, all security standards must be applied to all networked devices. This includes, but is not limited to, an agency’s networks, desktops, laptops, mobile devices, mainframes, and servers.

All agencies, including the HMIS Lead, will be monitored by the HMIS System Administrators annually to ensure compliance with the Security Plan. Agencies that do not adhere to the security plan will be given a reasonable amount of time to address any concerns. Egregious violations of the security plan may result in immediate termination of an agency or user’s access to the HMIS as determined by the HMIS Lead.

System Security

User Authentication

Agency Data Administrators and System Administrators shall limit access to those who meet each of the following requirements:

• Access is required for the purpose of data assessment, entry, or reporting
• New User Training has been completed including the Standard Operating Procedures, Agency Privacy Policies, the Standard Workflow, and the overall HMIS software orientation.
• User is covered by the agency privacy notice
• User has signed and agreed to the HMIS End User Policy and Code of Ethics.
• Have an agency email address to ensure HMIS access is granted to active employees only. Publicly available domain names are not appropriate (gmail.com, Hotmail.com, etc.) unless the agency uses these domain names as their agency standard.

It is the responsibility of Agency Data Administrators to provide 24-hour notice to the System Administrators when the person leaves or is scheduled to leave the agency or no longer requires access to the HMIS.  Users who have not successfully logged into HMIS for 30 or more days may be inactivated by the System Administrator to further assure that access is only granted to those who require it.

The HMIS System only permits users to be logged into HMIS from one workstation or device at any given time.

UseraccessanduseraccesslevelswillbedeterminedbytheSystemAdministratorinconsultationwiththeAgencyDataAdministrator to ensure the correct level of access is provided for the user to complete their required tasks in the system.

Each user must have a unique user ID and password.  The User ID and a default password will be set up by the System Administrator upon completion of training.  The user will then use the “Forgot Password” feature in HMIS to establish a new password at initial log-in.

Passwords are the individual’s responsibility and must meet minimum system requirements, be kept secure, and be difficult to guess.  Users are prohibited from sharing user IDs or passwords.  If a user forgets their password or is locked out after multiple failed attempts, they may use the ‘forgot password’ feature in HMIS or contact the HMIS Help Desk for support, nilhmis.cayzu.com.

Passwords will expire every 45 days and users will be prompted upon log-in to reset their password.  If a user has not logged into the system for more than 30 days, their account will be inactivated, and they will need to contact the HMIS Help Desk for support, nilhmis.cayzu.com.

Virus Protection

Industry-compliant virus protection software must be installed on all devices directly accessing the HMIS or accessing the HMIS via a network. The virus protection software must also include anti-spyware functionality.

Virus definitions must be set to be updated and applied automatically and virus scans must be completed weekly, at minimum.

Operating Systems

Operating Systems must be supported by their vendors and must have updates or patches checked for, and applied, monthly, at minimum.  Monthly computer restarts of system are recommended to ensure that any pending updates are applied.

Firewalls

An agency must protect the HMIS and client data from malicious intrusion behind a secure and up-to-date firewall.  Each individual device does not need its own firewall if there is a firewall between that device and any systems, including the Internet and other computer networks, located outside of the organization.  For example, a device that accesses the Internet through a modem, Wi-Fi or cellular data network would need its own firewall.  A device that accesses the Internet through a central server would not need a firewall if the server has a firewall. Firewalls are commonly included with all new operating systems.

Physical Access

All computers and devices must be controlled through physical security measures and/or a password.

Users must logoff from the HMIS and their device if they leave their workstation.   The HMIS System automatically logs users off after 30 minutes of inactivity.  When devices are not in use, a password protected screensaver or lock screen should automatically turn on within 15 minutes of inactivity. Users on mobile devices or working in outreach locations in addition to system administrators are encouraged to decrease this time to 5 minutes.

Users should be trained on how to quickly lock their computer or device if they need to step away. On windows workstations, this is achieved by typing the command “Windows Key + L.” Different operating systems have different locking mechanisms.

If users are going to be away from the computer or device for an extended period of time, they are encouraged to shut down the computer or device. Users should follow their agency’s “shut-down procedures” to ensure proper device, network, and virus updates.

Disposal

Agency policies, consistent with applicable state and federal laws, should be established regarding appropriate locations for storage, transmission, use and disposal of HMIS generated hardcopy or digital data. Reasonable care should be used, and media should be secured when left unattended. Magnetic media containing HMIS data which is released and/or disposed of from the participating organization and central server should first be processed to destroy any data residing on that media. Degaussing and overwriting are acceptable methods of destroying data.  On request, DuPage County IT may also be able to destroy hard drives or SSDs that have been used to access HMIS data.

System Monitoring

The HMIS maintains an audit trail that tracks user log-in attempts and modifications to client records. Each audit entry reflects the user that created the entry and the date and name of the user that made the most recent modification.

These user logs will be checked routinely according to best practices established by the HMIS Lead Agency. Possible mechanisms the HMIS Lead may utilize are comparing the volume of search records accessed compared to the size of the agency, looking for multiple user logins from multiple locations, client searches occurring without record adjustment, users logging into the system at strange times and looking at the frequency of user password reset and lockout.

Hard Copy Data

Printed versions (hardcopy) of confidential data should not be left unattended and open to compromise.  Media containing HMIS client identified data may not be shared with any person or agency other than the owner of the data for any reason not disclosed within the agency’s Privacy Notice.

HMIS information in hardcopy format should be disposed of properly.  This may include shredding finely enough to ensure that the information is unrecoverable.

Data Purge

Annually, Client records without any activity (program entries, needs, calls, case notes, etc.) for 7 or more years will be removed from HMIS by the software vendor.

Software Application Security

Disaster Recovery

The Northern Illinois (NIL) HMIS Technical Lead Agency is responsible for ensuring that its vendors meet all regulated Disaster Protection and Recovery requirements. NIL HMIS is covered under WellSky’s “Basic Disaster Recovery Plan.”

Electronic Data Transmission

The NIL HMIS Technical Lead Agency is responsible for ensuring that its vendors meet all regulated Electronic Data Transmission requirements.

Electronic Data Storage

TheNIL HMIS TechnicalLeadAgencyisresponsibleforensuringthatitsvendorsmeetallregulatedElectronicDataStoragerequirements.

Workstation Minimum Requirements

Any computer that interfaces with the HMIS must meet the minimum specifications or functionality cannot be guaranteed. Three main factors that can impact system performance are data transfer efficiency, memory management, and machine speed.  Currently, the requirements are as follows:

• Operating System – Windows 11 (Windows 10 will reach End-Of-Support on Oct 14, 2025)
• Memory – 2GB RAM minimum, 4GB recommended
• Monitor – Screen Display – 1024 x 768 (XGA)
• Processor – Dual-Core processor
• Internet Connection – Broadband
• Internet Browsers: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari.

There may be additional requirements for report creation.

Computer Crime

Computer crimes violate state and federal law. They include but are not limited to: unauthorized disclosure, modification or destruction of data, programs or hardware; theft of computer services; illegal copying of software; invasion of privacy; theft of hardware, software, peripherals, data or printouts; misuse of communication networks; promulgation of malicious software such as viruses; and breach of contract. Perpetrators may be prosecuted under state or federal law, held civilly liable for their actions, or both. The System Administrator and users must comply with license agreements for copyrighted software and documentation. Licensed software must not be copied unless the license agreement specifically provides for it. Copyrighted software must not be loaded or used on systems for which it is not licensed. All users agree to this upon logging into the system for the first time and accepting the software’s End User License Agreement.

Illinois Personal Information Protection Act

As discussed in Section 1 of this standard operating procedure, all agencies and users are bound to follow state and federal law and following those laws precede following this standard operating procedure. The steps outlined here are requirements of HMIS System Participation and should not be considered legal advice.

The Illinois Personal Information Protection Act (815 ILCS 530/5)^[1] requires that data collectors who maintain Social Security numbers take sufficient measures to ensure the security of the data and to notify Illinois Residents if a data breach occurs. The collection of Social Security numbers is a mandatory requirement of HUD’s minimum data collection requirements and thus both individual agencies as well as the HMIS are “Data Collectors” and are bound to the law. A client may be notified multiple times by each level of ‘data holding’ (HMIS Vendor, HMIS Lead, and individual agencies).

If a Breach Occurs at the Individual Agency

Upon detection of a breach of the security of the agency’s data, the agency’s Executive Director or Agency Data Administrator, must take the following actions:

1. Notification will be made to all Continuum of Care Contacts as listed on the Alliance to End Homelessness website, https://suburbancook.org/hmis.
2. Notification will be made to individual agency clients in one of the following ways
   1. Written notice
   2. Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures for notices legally required to be in writing as set forth in section 7001 of title 15 of the united states code^[2]; or
   3. Substitute notice, if the data collector demonstrates that the cost of providing notice would exceed $250,000 or that the affected class of subject persons to be notified exceeds $500,000, or the data collector does not have sufficient contact information. Substitute notice shall consist of all the following:
      • Email notice if the data collector has an email address for the subject persons;
      • Conspicuous posting of the notice on the data collector’s web site page if the data collector maintains one; and
      • Notification to major statewide media

If Breach Occurs at a System Level

Upon detection of a breach of the security of the system data, the HMIS Lead must take the following actions:

1. Notification will be made to all Continuum of Care Contacts as listed on the Alliance to End Homelessness website, https://suburbancook.org/hmis.
2. Notify each participating agency’s Agency Data Administrator and Executive Director
3. The HMIS does not maintain adequate records for individual notification if a breach occurs (current address, phone number or email address). Provide a substitute notification by completing all the following:
   1. Email Notice when an email address is available
   2. Conspicuous Posting to be added to the HMIS website
   3. Press Release to major statewide media

In either situation, the notice(s) must contain the following information:

1. The actual or approximate date of the security breach
2. The nature of the breach
3. A description of the steps that have or will be taken to address the breach
4. Toll-free number and address for each major consumer reporting agency and the Federal Trade Commission
5. Include a statement informing the individual that they can obtain information from each of the consumer reporting agencies about fraud alerts and security

[1] http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67

[2] http://www.gpo.gov/fdsys/pkg/USCODE-2011-title15/pdf/USCODE-2011-title15-chap96-subchapI-sec7001.pdf

Last Reviewed 4/9/2025