Skip to site content

Chapter 22 - Monitoring Information Technology Data and Resource Use by Individual Users

Part 8 - Information Resources Management

Title Section
Introduction 8-22-1
    Purpose 8-22.1A
    Background 8-22.1B
    Scope 8-22.1C
    Applicability 8-22.1D
    Policy 8-22.1E
    Applicable Laws, Rules, and Guidance 8-22.1F
    Acronyms 8-22.1G
    Definitions 8-22.1H
Responsibilities 8-22.2
    Director, IHS 8-22.2A
    Chief Medical Officer 8-22.2B
    Chief Information Officer 8-22.2C
    Chief Information Security Officer 8-22.2D
    Managers and Supervisors 8-22.2E
Employee Procedures 8-22.3
    Employee Warning Screen 8-22.3A
    Warnings Banner 8-22.3B
Management Procedures - Focused Monitoring 8-22.4
    Request for Focused Monitoring 8-22.4A
    Focused Monitoring Requested by External Law Enforcement Authorities 8-22.4B
    Written Authorization 8-22.4C
    Limiting the Time, Scope, and Invasiveness of Monitoring 8-22.4D
    Sensitive Communications 8-22.4E
    Legal Review 8-22.4F
    Periodic Review of Monitoring 8-22.4G
    Special Circumstances 8-22.4H
Exhibit Description
Manual Exhibit 8-22-A Indian Health Service Division of Information Security Form F06-11m

8-21.1  INTRODUCTION

  1. Purpose.  The purpose of this chapter is to establish Indian Health Service (IHS) requirements for requesting, authorizing, documenting, analyzing, and managing special requests for monitoring information technology (IT) data and/or IT resource use by individual users.
  2. Background.  Indian Health Service management recognized the need to effectively document, analyze, authorize, and manage requests for individual IHS computer monitoring, per the Department of Health and Human Services (HHS) policy, for focused, targeted monitoring.
  3. Scope.  This chapter applies to non-routine monitoring of an individual's use of IHS IT systems, including both retrospective retrieval of data and information about use as well as prospective monitoring.  This chapter does not apply to routine passive system and network monitoring relating to national security, the Federal Information Security Management Act (FISMA) of 2002, or to examinations of computers for malware or vulnerabilities.
  4. Applicability.  This chapter:
    1. Applies to the use of all IHS IT systems, regardless of the mode of access, including direct network connections, virtual private network connections, or through mobile applications or internet browsers.
    2. Applies to all individuals of all IHS organizational components who access IHS IT resources, including Federal employees, United States Public Health Service (USPHS) Commissioned Corps Officers, Tribal users, contracted personnel, interns, and any other users accessing IHS IT systems.
    3. Covers real-time observation, prospective monitoring (for example, using monitoring software), and retrospective review and analysis (for example, after-the-fact review of email sent or received or of computer hard drive contents) targeting an individual.  It excludes review and analysis requested by the individual being monitored.
    4. Applies to retrospective searches for documents in response to valid information requests in the context of litigation, Congressional oversight, Freedom of Information Act requests, and investigations by the Government Accountability Office and the Office of Special Counsel.
    5. Does not apply to passive monitoring (computer incident response monitoring) of systems relating to national security or FISMA that performs general system and network monitoring, or examinations of computers for malware.
    6. Does not supersede any other applicable law or higher level Agency directive, or existing labor management agreement in place as of this policy's effective date.
  5. Policy.  It is IHS policy to carry out focused monitoring by using a method that protects individual interests and ensures that the need for monitoring has been thoroughly vetted and documented.  Except in special circumstances involving outside law enforcement authorities or the Office of Inspector General (OIG), all requests for IT system user monitoring must be made by a supervisor or manager.  Focused monitoring must be:
    1. Warranted under the requirements of this policy.
    2. Authorized in writing in advance by the Director, IHS, or the IHS Chief Information Officer (CIO).
    3. Limited in scope as much as possible to a specific date range, purpose, activity, or system.
    4. Authorized at the CIO level and may not be delegated below the IHS CIO. Prior to approving a monitoring request, the IHS CIO must consider alternative approaches to achieving the intended purpose and may consult with the HHS Office of the General Counsel (OGC).
    5. Initiated only with advanced written authorization. No agency official may initiate focused monitoring without advance written authorization by the Director, IHS, or the CIO. The requestor must complete a "User Data Request Form" to document and initiate the request for focused monitoring.  (See IHM Exhibit 8-22-A)
  6. Applicable Laws, Rules, and Guidance.
    1. Department of Health and Human Services policies:
      1. HHS Policy for Information Systems Security and Privacy - 2014 Edition, July 30, 2014
      2. HHS Policy for Monitoring Employee Use of IT Resources, June 26, 2013
    2. Executive Order 12731, "Principles of Ethical Conduct for Government Officers and Employees," October 17, 1990
    3. Federal Information Processing Standards Publications (FIPS PUB):
      1. FIPS PUB 199, "Standards for Security Categorization of Federal Information and Information Systems"
      2. FIPS PUB 200, "Minimum Security Requirements for Federal Information and Information Systems"
    4. Federal Information Security Management Act of 2002, Public Law (Pub. L.) 107-347, Title III
    5. Freedom of Information Act, 5 United States Code (U.S.C.) § 552 as amended by Pub. L. 110-175, 121 Stat. 2524
    6. Inspector General Act of 1978 (5 U.S.C. Appendix 3)
    7. Indian Health Service directives:
      1. IHS Rules of Behavior for Use of IT Resources
      2. Part 8, Chapter 6, "Limited Personal Use of IT Resources," Indian Health Manual (IHM)
      3. Indian Health Service Division of Information Security Standard Operating Procedure for User Data Requests
    8. National Institute of Standards and Technology Special Publication 800-53 Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations"
    9. Privacy Act of 1974, Pub. L. 93-579, 5 U.S.C. § 552a
    10. Security and Privacy, Title 45 Code of Federal Regulations (CFR) Part 164
    11. Standards of Ethical Conduct for Employees of the Executive Branch, 5 CFR 2635
    12. Whistleblower Protection Act of 1989, Pub. L. 101-12, April 10, 1989
    13. Whistleblower Protection Enhancement Act of 2012, Pub. L. 112-199, November 27, 2012
  7. Acronyms.
    1. CIO   Chief Information Officer
    2. CISO   Chief Information Security Officer
    3. CFR   Code of Federal Regulations
    4. FIPS PUB   Federal Information Processing Standards Publication
    5. FISMA   Federal Information Security Management Act
    6. HHS   Department of Health and Human Services
    7. HIPAA   Health Insurance Portability and Accountability Act
    8. IHM   Indian Health Manual
    9. IHS   Indian Health Service
    10. IT   Information Technology
    11. MOU   Memorandum of Understanding
    12. OGC   Office of the General Counsel
    13. OIG   Office of Inspector General
    14. Pub. L.   Public Law
    15. U.S.C.   United States Code
  8. Definitions.
    1. Computer Monitoring.  Computer Monitoring is the electronic tracking (focused observation) of an individual employee's internet activities and/or email messages, either sent or received.  The focused observation process includes real-time observation, prospective monitoring, and retrospective review and analysis.  For example, using monitoring software and retrospective review and analysis; using after-the-fact review of email that was sent or received; or a review and analysis of the individual's computer hard drive contents.
    2. Information Technology Resources.  Information Technology resources are any equipment or interconnected system or subsystem of equipment used by the Agency in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or receipt of data or information.  Information technology includes computers, ancillary equipment, software, firmware and similar products, services (including support services), and related resources.  It also includes contractor equipment connected to the IHS network.  It does not include devices owned by individual users unless the Agency has specifically authorized their use for official duties through the IHS Security Waiver process.
    3. Information Technology System.  The IT system is an interconnected set of information resources under the same direct management control that shares common functionality.  A system normally includes hardware, software, information, data, applications, communications, and people.
    4. Information Technology Systems User.  This term includes all individuals who access IHS IT resources:  Federal employees, contractors, U.S. Public Health Service Commissioned Corps Officers, interns, volunteers, and Tribal employee users.
    5. Intrusion.  Intrusion is an unauthorized act of bypassing the IT security mechanisms of an IHS system.
    6. Law Enforcement Authority.  Law enforcement authority includes local, Tribal, State, and Federal law enforcement personnel, as well as national security and intelligence agencies of the U.S. Government.
    7. Malware.  Malware is a program inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the target's data, applications, or operating system or otherwise annoying or disrupting the victim.
    8. Memorandum of Understanding.  An MOU is established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission.
    9. Unauthorized Disclosure.  Unauthorized disclosure occurs when information is communicated to an individual or entity who does not have authorization to receive it or a business need to know.
    10. Warning Banner.  A warning banner appears on the opening screen to inform users of the security implications of accessing a computer resource.

8-22.2  RESPONSIBILITIES

  1. Director, IHS.  The Director, IHS, is responsible for:
    1. Establishing policy and procedures to strengthen the ability to effectively document, analyze, authorize, and manage requests for IHS computer monitoring.
    2. Providing authorization for focused monitoring.
  2. Chief Medical Officer.  If a user data request is denied by the CIO and appealed, the IHS Chief Medical Officer is responsible for performing a review of the facts and making a recommendation to the IHS Director.
  3. Chief Information Officer.  The IHS CIO is responsible for:
    1. Consulting with the OGC prior to approving a monitoring request.
    2. Documenting the justification for approving or disapproving IT use monitoring requests.
    3. Developing an MOU with outside law enforcement authorities as a precondition for approving IT use monitoring requests from these organizations.
    4. Authorizing computer monitoring that is appropriately narrow in scope and time-limited and takes the least invasive approach to accomplish monitoring objectives.
    5. Protecting and controlling information collected during computer monitoring.
    6. Limiting distribution of information collected from computer monitoring to individuals identified in the monitoring request and other individuals with a specific need-to-know.
    7. Reviewing all ongoing computer monitoring on a monthly basis and, in consultation with the party who requested the monitoring and the OGC, assessing whether it remains justified or should be discontinued.  All decisions to continue monitoring must be documented in writing.
    8. Reporting at least monthly to the Director, IHS, regarding the status of any ongoing IT use monitoring that continues longer than one month.
    9. Maintaining a record of all monitoring requests, search terms, and techniques utilized.
  4. Chief Information Security Officer.  The IHS CISO is responsible for:
    1. Reviewing requests to determine whether appropriate justification and a specific date range, purpose, activity, and system(s) have been provided to support the request.  If the necessary information has not been provided the request will be returned.
    2. Considering alternative information-gathering methods IHS can use to address the request in lieu of monitoring.
    3. Providing a recommendation to the CIO to either approve or deny the request.
  5. Managers and Supervisors.  Managers and supervisors are responsible for:
    1. Obtaining advance written authorization by the IHS CIO before initiating computer monitoring.
    2. Describing in detail the factual basis justifying a request for computer monitoring and the proposed scope of the request, using the IHS "User Data Request Form" (Manual Exhibit 8-22-A).
    3. Describing in detail how the information collected during monitoring will be controlled and protected.
    4. Collaborating with Area Information Systems Coordinators, Area Information Systems Security Officers, and Privacy Officers, as needed.
    5. Notifying the IHS CIO when computer monitoring is no longer needed.

8-22.3  EMPLOYEE PROCEDURES

  1. Employee Warning Screen.  When an employee turns on his or her work computer, a warning screen prompts the employee to press the CTRL, ALT, and Delete keys.  After pressing the 3 keys, a logon message appears, with a warning banner that states (in part), "There is no right of privacy in the use of this system."
  2. Warning Banner.  A warning banner is displayed prior to system login.  The warning banner states that by accessing the IHS IT system, the user acknowledges having no reasonable expectation of privacy regarding any communication or data transmitted or stored on that system.  Although the warning banner gives the IHS the authority to monitor use of its IT resources, the IHS must carry out focused monitoring in a fashion that protects the user and ensures thorough vetting and a documented need for it.

8-22.4  MANAGEMENT PROCEDURES - FOCUSED MONITORING

  1. Requests for Focused Monitoring.  Requests for focused monitoring may originate from the IT system user's internal chain of command or may come from external law enforcement authorities (for example the Federal Bureau of Investigation or the Department of Homeland Security) or the HHS OIG.  Focused monitoring may be authorized only for the following reasons:
    1. There are reasonable grounds to believe that the individual to be monitored may have violated an applicable law or regulation, an HHS or IHS policy or procedure, or the Rules of Behavior.
    2. There are reasonable grounds to conclude that the individual to be monitored may be responsible for an unauthorized disclosure of legally protected information, e.g., "Personally Identifiable Information" or "Protected Health Information."
    3. Note that routine IT equipment examinations are permissible when malware searches are involved.  Any unintended discoveries of problematic content and resulting follow-up actions are not subject to this policy, although follow-up actions that involve focused monitoring are subject to this policy.
  2. Focused Monitoring Requested by External Law Enforcement Authorities.  Requests for focused monitoring may originate from external law enforcement authorities (for example the Federal Bureau of Investigation or the Department of Homeland Security) or the HHS OIG.  All requests from external law enforcement authorities must be coordinated through the HHS OIG, except for requests relating to national security or noncriminal insider threat matters, which must be coordinated with the HHS Office of Security and Strategic Information and/or its Directorate of Intelligence and Counterintelligence.  Such external requests for computer monitoring are subject to different standards, partly because they are covered by the internal controls of the requesting agency or judicial process.  The following procedures must be followed to ensure appropriate measures are taken when monitoring information resource activities:
    1. Special Requests from the OIG.  In circumstances where the HHS OIG requests focused monitoring for an OIG investigation, or where OIG requires assistance in conducting focused monitoring, the HHS OIG will provide IHS information or notification consistent with its responsibilities, duties, and obligations under the Inspector General Act of 1978.
    2. Special Requests from Outside Law Enforcement.  In concert with the HHS OGC, IHS will develop a Memorandum of Understanding (MOU) or similar written agreement with outside law enforcement authorities as a precondition for approving focused monitoring requests from these organizations.  The MOU must include:
      1. The title and organizational component of the person(s) authorized to make focused monitoring requests on behalf of the law enforcement agency.
      2. Documentation of the source of the official request, demonstrating approval by an official of the governmental entity that has the authority to request the initiation of such monitoring, such as a subpoena (administrative or grand jury), warrant, national security letter, or other acceptable documented request (e.g. a written law enforcement administrative request that meets Privacy Act and/or the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requirements for certain disclosures to law enforcement agencies).
      3. Any restrictions applicable to the handling and disclosure of confidential information that may be produced by monitoring.
      4. Other items consistent with this policy, including the handling of sensitive communications, as described in section 8-22.3E below.
  3. Written Authorization.  The written authorization for focused monitoring must describe the reason for the monitoring.  If the focused monitoring is initiated at the request of outside law enforcement authorities, the authorization must document official approval as listed above in Section 8-22.4B(2).
    1. Except for focused monitoring initiated at the request of the HHS OIG or an outside law enforcement authority, the party requesting the monitoring must document the factual basis that justifies the request and its proposed scope. Requests for focused monitoring must include:
      1. An explanation of how the monitoring will be conducted.
      2. The means of controlling and protecting the information collected during monitoring.
      3. A list of individuals who will have access to the resultant monitoring information.
    2. A record of all requests for monitoring must be maintained by the IHS CIO or his or her designee, along with any other summary results or documentation produced during the period of monitoring.  The record also must reflect the scope of the monitoring by documenting search terms and techniques.  All information collected during focused monitoring must be controlled and protected, with distribution limited to the individuals identified in the request for monitoring, and other individuals specifically designated by the IHS CIO as having a specific need to know such information.
  4. Limiting the Time, Scope, and Invasiveness of Monitoring.  The Director, IHS or the CIO will authorize focused monitoring that is appropriately narrow in scope, time-limited, and takes the least invasive approach to accomplish monitoring objectives.  The Director, IHS or the IHS CIO, in reviewing requests for focused monitoring, must also consider alternative information-gathering methods that the IHS can use to address the concern in lieu of monitoring.  When the focused monitoring request originates from the HHS OIG or outside law enforcement authority, the Director, IHS or the IHS CIO will grant appropriate deference to a request made in accordance with this policy.
  5. Sensitive Communications.  No focused monitoring may target communications with law enforcement entities, the Office of Special Counsel, members of Congress or their staff, employee union officials, or private attorneys.  If such communications are inadvertently collected or inadvertently identified from more general searches, they may not be shared with a non-law enforcement party who requested the monitoring, or anyone else, without express written authorization from OGC and other appropriate IHS officials.
  6. Legal Review.  When a request for focused monitoring is made by a party other than an outside law enforcement authority or the OIG, the IHS CIO shall consult with the OGC, and other parties, as to whether the monitoring is consistent with all applicable legal requirements, including the Whistleblower Protection Act, the Privacy Act, and the HIPAA Privacy and Security Rules, and consider whether there should be any additional limits.  In addition, except for monitoring initiated at the request of outside law enforcement authority or the OIG, parties who receive information derived from monitoring must consult with the OGC regarding potential restrictions on the use of such information under applicable law.
  7. Periodic Review of Monitoring.  The IHS CIO must review all focused monitoring on a monthly basis and, in consultation with the party who requested it, assess whether it remains justified or must be discontinued.  The IHS CIO should consider whether the decision for ongoing monitoring should be reviewed by the OGC.  The IHS CIO must explain and document in writing a decision to continue monitoring, and must report at least monthly to the Director, IHS regarding the status of any ongoing monitoring.
  8. Special Circumstances.  The IHS CIO and the OGC may recommend to the Director, IHS additional procedures for addressing specific circumstances not addressed in this policy.  However, policies and procedures that deviate from the elements of this policy may not be implemented without the written concurrence of the IHS CIO, in consultation with the OGC.