Medi-Cal Minimum Computer Security Requirements

It is the responsibility of every California Medicaid (Medi-Cal) medical provider to comply with these minimum requirements. We, at The Tech Info Group, have a great deal of experience ensuring that you are in continuous compliance with these and other medical computer-related data and network security requirements.

Are your records safe and protected from hacking, internal theft, accidental loss and/or disclosure? Are your MDS and data always in compliance and ready for an audit? We make sure that the answer to both of these questions is "YES."

The following requirements are being provided to all Medi-Cal users in an ongoing effort to assist all users in understanding the importance of the protection of Protected Health Information (PHI) and how it relates to computer security measures.

Any computer accessing the Medi-Cal Web site is required to abide by all applicable State and Federal laws enacted today or in the future.

All provider computers that access Medi-Cal data must meet the following requirements, in addition to any State and Federal required administrative, technical, physical and organizational safeguards:

  1. Anti-virus software. All workstations, laptops and other systems that access the Medi-Cal Web site or process and/or store Medi-Cal PHI must install and actively use a comprehensive anti-virus software solution with automatic updates scheduled at least daily.
  2. Patch Management. All workstations, laptops and other systems that access the Medi-Cal Web site or process and/or store Medi-Cal PHI must have critical security patches applied, with system reboot if necessary. There must be a documented patch management process, which determines installation timeframe based on risk assessment and vendor recommendations. At a maximum, all applicable patches must be installed within 30 days of vendor release.
  3. System Timeout. The systems that access the Medi-Cal Web site or process and/or store Medi-Cal PHI must provide an automatic timeout, requiring re-authentication of the user session. It is recommended that the automatic timeout be after no more than 20 minutes of inactivity.
  4. User Name and Password Controls. The systems that access the Medi-Cal Web site or process and/or store Medi-Cal PHI should be accessed using a unique user name. The user name must be promptly disabled, deleted, or the password changed upon the transfer or termination of an employee with knowledge of the password. Passwords are not to be shared.

    Passwords must:
    • Be at least eight characters
    • Be a non-dictionary word
    • Not be stored in readable format on the computer
    • Be changed every 90 days, preferably 60 days
    • Be changed if revealed or compromised, and
    • Be composed of characters from at least three of the following four groups from the standard keyboard:
      • Uppercase letters (A-Z)
      • Lowercase letters (a-z)
      • Arabic numerals (0-9)
      • Non-alphanumeric characters (punctuation symbols)
  5. Workstation/Laptop Encryption. All workstations and laptops that access the Medi-Cal Web site or process and/or store Medi-Cal PHI are recommended to be encrypted using a FIPS 140-2 certified algorithm, which is 128-bit or higher, such as Advanced Encryption Standard (AES); full disk encryption is recommended.
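
The password rules in item 4, expressed as a checker. This is an added example, not part of the original requirements text. The function names, the small constructed wordlist, and the choice to treat a dictionary word padded with digits or punctuation as still a dictionary word are assumptions.

```python
import string
from datetime import date

# Constructed stand-in wordlist; a real deployment would load a full dictionary file.
SAMPLE_DICTIONARY = {"password", "medicine", "hospital", "sunshine", "welcome"}

MIN_LENGTH = 8      # "Be at least eight characters"
MIN_GROUPS = 3      # "at least three of the following four groups"
MAX_AGE_DAYS = 90   # "Be changed every 90 days"


def character_groups(password):
    """Return which of the four listed character groups appear in the password."""
    groups = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            groups.add("upper")
        elif ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.digits:
            groups.add("digit")
        elif ch in string.punctuation:
            groups.add("symbol")
    return groups


def is_dictionary_word(password, dictionary):
    """Assumption: strip leading/trailing digits and punctuation and ignore case,
    so that 'Hospital1!' is still recognised as the word 'hospital'."""
    core = password.strip(string.digits + string.punctuation).lower()
    return core in dictionary


def check_password(password, last_changed, today, dictionary=SAMPLE_DICTIONARY):
    """Return the list of rules violated (empty list means compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if len(character_groups(password)) < MIN_GROUPS:
        violations.append("groups")
    if is_dictionary_word(password, dictionary):
        violations.append("dictionary")
    if (today - last_changed).days > MAX_AGE_DAYS:
        violations.append("age")
    return violations
```

A password such as `Hospital1!` passes the length and character-group rules yet fails the non-dictionary rule, which is why the checks are evaluated independently rather than stopping at the first pass.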

Note: Fines for non-compliance may be imposed under Sections 130200 – 130205 of the California Health and Safety Code and Section 13410(d) of the Federal Health Information Technology for Economic and Clinical Health (HITECH) Act.

 