DocuSign Envelope ID: 97738D07-CEE8-4951-9CF0-C611FAF71ECB

Contract No. 21C4457

Signed for and on behalf of

COUNTY

Jim Hart, Sheriff-Coroner, Santa Cruz County

Date: 9/9/2020

Approved as to Insurance:

By: County of Santa Cruz Risk Management

Date:

As to Form:

Ryan Thompson, Assistant County Counsel

Date:

THE REGENTS OF THE UNIVERSITY OF CALIFORNIA, ON BEHALF OF ITS SANTA CRUZ CAMPUS

Scott Brandt, Vice Chancellor for Research, The University of California, Santa Cruz

Date: 9/4/2020

UCSC and Partner Cybersecurity Plan for Provider Portal/LIMS

v1.2, last updated 8/26/2020

1.0 UCSC Provider Portal

2.0 UCSC Cybersecurity Controls

2.1 Account Management and Access Control

2.2 Network Controls

2.3 Encryption

2.4 Endpoint Controls

2.5 Logging and Monitoring

2.6 Vulnerability Management

2.7 Change Management

2.8 Incident Response

2.9 Training

2.10 Risk Assessment

2.11 Disaster Recovery

3.0 Cybersecurity Controls for Partner Access

3.1 Mandatory Controls

3.2 Temporary Exception to Mandatory Control

3.2.1 Risk of Temporary Exception

3.3 Remote Clinician

4.0 More Information

1.0 UCSC Provider Portal

UCSC provides the IT Resource called "Provider Portal", which a Partner[1] uses in conjunction with Covid-19 testing.

Partner medical staff ("clinicians") log into the Provider Portal and enter patient data associated with the particular UCSC-provided barcode on a patient's test sample. The test samples are sent to the UCSC Molecular Diagnostic Lab (MDL).

MDL staff perform the testing and enter the barcode and test results into the backend database, LockBox LIMS ("LIMS"); the barcode is used to associate the test results with the patient information[2].

The clinician can see the test results within the Provider Portal, or may obtain them from SCHIO via login or HL7 interface[3] (UCSC provides result information to SCHIO as well as to CalREDIE).

[1] A "Partner" is a Hospital, Medical Clinic, Health Center or other institution that enters into an agreement with UCSC.

[2] The Provider Portal is a web frontend designed to interact with LIMS.

[3] UCSC may provide additional software that supports an HL7 interface with partner information systems, which automates information exchange between UCSC and partners, as well as with the County and State.

2.0 UCSC Cybersecurity Controls

Cybersecurity controls are defined by the UC Information Security Policy and Standards, IS-3, which maps to HIPAA regulation.

UCSC strives to maintain a reasonable and continuous process for implementing, reviewing, improving, and documenting the security and privacy of the Provider Portal, and recognizes that this is a never-ending process: given the speed and frequency of change in cybersecurity threats, perfection is impossible.

IS-3 defines the variety of cybersecurity controls used to manage threats to the Provider Portal and LIMS, including (but not limited to) those described in the following sub-sections.

2.1 Account Management and Access Control

Accounts for the Provider Portal and LIMS are managed by the MDL staff.

Authentication to the Provider Portal is distinct from authentication to LIMS (i.e., Provider Portal credentials do not grant access to LIMS, and vice versa):

● Partner clinicians authenticate to the Provider Portal to enter patient information and view test results

● MDL staff authenticate to LIMS to upload test results

Two-factor authentication (2FA) is required at login: the account holder must enter their unique user ID and password, plus a one-time passcode presented by the required smartphone app.

2.2 Network Controls

Network VLANs have been configured for all MDL lab endpoints and instruments, and their inbound and outbound traffic is monitored. Firewall rules limit inbound and outbound traffic to specific sources and destinations.

MDL staff use the UCSC Virtual Private Network (VPN), which is required for remote access to UCSC systems and prompts for 2FA at login.

2.3 Encryption

Encryption in transit is accomplished using SSL/TLS (e.g., HTTPS).

Encryption at rest:

● Provider Portal / LIMS uses 256-bit Advanced Encryption Standard (AES)

● UCSC endpoints use Full Disk Encryption (FDE)

2.4 Endpoint Controls

All computers ("endpoints") used by UCSC staff to access the Provider Portal and LIMS are UCSC-owned and -managed computers, which are configured to reduce vulnerabilities and prevent compromise from internal and external threats. For example, but not limited to:

● Physical controls

● Monitoring for changes

● Logging access and use

● Anti-virus and anti-malware

● Updates and patches to operating system and software

● Secure disposal

2.5 Logging and Monitoring

All access to the Provider Portal and LIMS is logged. We are working towards establishing alerts for anomalous logins, which will be sent to MDL staff, who may disable access until it is confirmed that the account, system, or endpoint is not compromised.

2.6 Vulnerability Management

Vulnerability scans of the Provider Portal and LIMS occur on a regular basis. UCSC uses commercially acceptable efforts to remediate any vulnerability rated High or Critical (CVSS severity).

2.7 Change Management

Changes to the Provider Portal and LIMS are tracked from inception to completion.

If a change may affect a Partner's access to or use of the Provider Portal, or may delay the upload of test results, UCSC will notify the Partner before the change is implemented in production.

2.8 Incident Response

An incident report is to be submitted to the UCSC CISO:

● when a Partner suspects or detects a breach of its clinician accounts or Partner systems, or of the Provider Portal

● when MDL staff suspect or detect a breach of accounts or systems

The UCSC CISO will initiate an investigation and coordinate communications and remediation activities with MDL and affected Partners.

2.9 Training

All UCSC staff supporting the MDL are required to complete HIPAA training before being granted access to the Provider Portal and LIMS, or to the UCSC lab locations, devices and instruments used as part of the testing process.

2.10 Risk Assessment

Risk assessments are performed on a periodic basis: prior to implementation and generally every three years thereafter (frequency may vary depending on the significance of changes).

2.11 Disaster Recovery

The Provider Portal and LIMS are mirrored in real time, with automatic failover should the primary fail.

Secure alternative methods for delivery of test results may be used should the Provider Portal or LIMS be unavailable for an extended period of time.

3.0 Cybersecurity Controls for Partner Access

3.1 Mandatory Controls

1. Partner ensures that its clinicians and IT resources meet HIPAA requirements.

2. Partner provides MDL staff with names and contact information for the clinicians who will have access to the Provider Portal.

3. MDL staff create accounts in the Provider Portal and configure two-factor authentication (2FA) for each account.

4. Partner must notify MDL when a clinician no longer requires access to the Provider Portal (for example, on a change in responsibility or departure from the Partner's workforce), or when the Partner terminates the testing agreement[4].

[4] See agreement for terms.

3.2 Temporary Exception to Mandatory Control

UCSC recognizes that a Partner may not allow the use of cell phones within a patient room or in contaminated areas. If a clinician requires access to the Provider Portal but cannot use a cell phone for 2FA, a temporary exception may be available[5] pending review by the UCSC CISO of the following additional controls:

1. Partner provides an IP address that is protected by a Virtual Private Network (VPN), which will be placed on an allow list at the Provider Portal.

2. Partner ensures that the computers it uses to access the Provider Portal are not reachable from outside the allowed IP address, and are managed such that appropriate security controls[6] reduce vulnerabilities and prevent tampering or compromise from internal and external threats.

3. Clinician must use 2FA to log in to the Partner's VPN.

4. Clinician must use 2FA to log in to the Partner's computer used to access the Provider Portal.

3.2.1 Risk of Temporary Exception

Allowing a Partner's IP address in lieu of 2FA for authentication to the Provider Portal introduces additional security risk to the portal: from the Partner's network, the allow-listed address stands in for the second factor, so a clinician's user ID and password alone are sufficient to log in. The Partner accepts this risk as part of the testing agreement.

In the event of a breach, suspected or otherwise, UCSC will remove the Partner's IP address from the allow list and disable the Partner's accounts, which will result in loss of access to the Provider Portal while an investigation and remediation are in progress[7].

3.3 Remote Clinician

Clinicians working outside of their Partner's location (for example, from home or while travelling) must use 2FA to log in to the Provider Portal:

● The IP-address exception is not available for a remote clinician's IP address.

● Partner ensures that the remote clinician's computer used to access the Provider Portal is protected by appropriate security controls[6] that reduce vulnerabilities and prevent theft or compromise from internal and external threats.
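As an added illustration, not part of the plan and not UCSC's own portal code, the following Python sketch implements the login rule that sections 3.1 through 3.3 describe and the breach response of 3.2.1: a password-only login is accepted only while the Partner's exception is in force and the request arrives from the allow-listed VPN address; every other login needs the one-time passcode; a suspected breach clears the Partner's allow list and disables its accounts, so even a valid passcode no longer gets in. Password-only attempts from outside the allow list are also collected as the kind of anomalous login that 2.5 says MDL staff should be alerted to. The partner names, user IDs, IP addresses (RFC 5737 documentation ranges) and all class and function names are assumptions made for the example; the plan does not say how the portal implements its allow list.

```python
"""Login decision for the Provider Portal's IP-allowlist exception (added example).

Assumptions, not taken from the plan: the partner names, user IDs, IP addresses
(RFC 5737 documentation ranges) and every class/function name here are invented
for illustration; the plan does not say how the portal implements its allow list.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Partner:
    name: str
    # VPN egress address(es) the Partner supplied, allow-listed at the portal (3.2 item 1).
    allowlist: set = field(default_factory=set)
    # True while the CISO-approved temporary exception is in force (3.2, footnote 5).
    exception_active: bool = False


@dataclass
class Account:
    user_id: str
    partner: str
    enabled: bool = True


@dataclass
class LoginAttempt:
    user_id: str
    source_ip: str
    otp_verified: bool  # True when the smartphone-app one-time passcode was validated (2.1)


class ProviderPortalAuthz:
    """Decides whether a password-authenticated session may proceed."""

    def __init__(self, partners, accounts):
        self.partners = {p.name: p for p in partners}
        self.accounts = {a.user_id: a for a in accounts}
        self.alerts = []  # anomalous logins to raise to MDL staff (2.5)

    def decide(self, attempt):
        acct = self.accounts.get(attempt.user_id)
        if acct is None or not acct.enabled:
            return ("deny", "account unknown or disabled")
        if attempt.otp_verified:
            return ("allow", "2fa")  # the normal path (3.1 item 3)
        partner = self.partners[acct.partner]
        ip = ipaddress.ip_address(attempt.source_ip)
        if partner.exception_active and any(ip in net for net in partner.allowlist):
            return ("allow", "ip-allowlist exception")  # 3.2: VPN address stands in for 2FA
        # Password-only login from outside the allow list: a remote clinician (3.3)
        # or someone holding a stolen password. Deny it and surface it to MDL staff.
        self.alerts.append(
            f"{attempt.user_id} from {attempt.source_ip}: password-only login outside allow list"
        )
        return ("deny", "2fa required")

    def handle_suspected_breach(self, partner_name):
        """3.2.1: drop the Partner's address from the allow list and disable its accounts."""
        partner = self.partners[partner_name]
        partner.allowlist.clear()
        partner.exception_active = False
        for acct in self.accounts.values():
            if acct.partner == partner_name:
                acct.enabled = False


def run_demo():
    """Walks through the cases in 3.2, 3.2.1 and 3.3 on constructed data."""
    partners = [
        # clinic-a holds an approved exception for its VPN egress address.
        Partner("clinic-a", {ipaddress.ip_network("203.0.113.7")}, exception_active=True),
        # clinic-b has no exception, so 2FA is always required.
        Partner("clinic-b"),
    ]
    accounts = [Account("dr.a1", "clinic-a"), Account("dr.b1", "clinic-b")]
    portal = ProviderPortalAuthz(partners, accounts)

    results = {}
    results["a_vpn_no_otp"] = portal.decide(LoginAttempt("dr.a1", "203.0.113.7", False))
    results["a_home_no_otp"] = portal.decide(LoginAttempt("dr.a1", "198.51.100.23", False))
    results["a_home_otp"] = portal.decide(LoginAttempt("dr.a1", "198.51.100.23", True))
    results["b_no_otp"] = portal.decide(LoginAttempt("dr.b1", "203.0.113.9", False))

    portal.handle_suspected_breach("clinic-a")
    results["a_vpn_after_breach"] = portal.decide(LoginAttempt("dr.a1", "203.0.113.7", False))
    results["a_otp_after_breach"] = portal.decide(LoginAttempt("dr.a1", "203.0.113.7", True))
    results["alerts"] = list(portal.alerts)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The allow list holds networks rather than bare addresses, so the plan's single Partner IP becomes a /32 and the same check also covers a Partner that egresses from a small VPN range; that generalization is the example's, not the plan's. Note that the breach handler disables the accounts outright rather than merely removing the exception, which is what 3.2.1 requires and why the post-breach login with a valid passcode is still refused.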

4.0 More Information

For more information about UCSC cybersecurity controls, to report an incident, or to request help, please email [email protected]

[5] UCSC may, at its discretion and at any time, remove the exception and require use of 2FA for login to the Provider Portal. Unless a breach occurs (suspected or otherwise), UCSC will assist the Partner in establishing a 2FA method that is both secure and supportable by all parties before the exception is removed.

[6] For example, but not limited to: monitoring, logging, anti-virus, anti-malware, vulnerability scans, updates and patches to operating system and software, change control, and 2FA.

[7] Completion of an investigation and remediation of a breach does not imply that a Partner will regain access to the Provider Portal.

Certificate of Completion

Envelope Id: 97738D07CEE849519CF0C611FAF71ECB
Status: Completed
Subject: Please DocuSign: UCSC SC County Agreement Sheriff-coroner for COVID testing 8.27.20 FINAL 4820-...
Source Envelope:
Document Pages: 10
Supplemental Document Pages: 5
Certificate Pages: 5
Signatures: 2
Initials: 0
AutoNav: Enabled
EnvelopeId Stamping: Enabled
Time Zone: (UTC-08:00) Pacific Time (US & Canada)

Envelope Originator: Michele Chamberlin
1156 High Street, Santa Cruz, CA 95064
[email protected]
IP Address: 128.114.225.216

Record Tracking
Status: Original, 9/4/2020 11:51:00 AM
Holder: Michele Chamberlin, [email protected]
Location: DocuSign

Signer Events

Scott Brandt, [email protected]
Vice Chancellor, Research, University of California, Santa Cruz
Security Level: Email, Account Authentication (Optional)
Signature Adoption: Pre-selected Style
Using IP Address: 67.180.133.1
Sent: 9/4/2020 11:56:48 AM
Viewed: 9/4/2020 11:58:12 AM
Signed: 9/4/2020 11:58:31 AM
Electronic Record and Signature Disclosure: Accepted 4/19/2020 7:29:40 AM, ID: f7a408a5-7632-43f4-9b78-2ff0130d8982

Jim Hart, [email protected]
Security Level: Email, Account Authentication (Optional)
Signature Adoption: Pre-selected Style
Using IP Address: 63.194.190.100
Sent: 9/4/2020 11:58:32 AM
Viewed: 9/9/2020 1:29:13 PM
Signed: 9/9/2020 1:29:55 PM
Electronic Record and Signature Disclosure: Accepted 9/9/2020 1:29:13 PM, ID: f6450a38-6f19-4cee-9239-2bdd8060a08f

In Person Signer, Editor Delivery, Agent Delivery, Intermediary Delivery, Certified Delivery, Carbon Copy, Witness, Notary and Payment Events: none recorded.

Envelope Summary Events (Status, Timestamp)
Envelope Sent: Hashed/Encrypted, 9/4/2020 11:58:32 AM
Certified Delivered: Security Checked, 9/9/2020 1:29:13 PM
Signing Complete: Security Checked, 9/9/2020 1:29:55 PM
Completed: Security Checked, 9/9/2020 1:29:55 PM

Electronic Record and Signature Disclosure

DOCUSIGN ELECTRONIC RECORD AND SIGNATURE DISCLOSURE

From time to time, the Regents of the University of California, on behalf of its Santa Cruz campus (we, us, UCSC, or the University) may provide to you certain written forms, notices, or disclosures. Described below are the terms and conditions for providing to you such notices and disclosures electronically through the DocuSign system. Please read the information below carefully and thoroughly, and if you can access this information electronically to your satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please confirm your agreement by selecting the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE' within the DocuSign system.

Getting paper copies

At any time, you may request from us a paper copy of any record provided or made available electronically to you by us. You will have the ability to download and print documents we send to you through the DocuSign system during and immediately after the signing session and, if you elect to create a DocuSign account, you may access the documents for a limited period of time (usually 30 days) after such documents are first sent to you. After such time, if you wish for us to send you paper copies of any such documents from our office to you, you will be charged a reasonable per-page fee. You may request delivery of such paper copies from us by following the procedure described below.

Withdrawing your consent

If you decide to receive forms, notices and disclosures from us electronically, you may at any time change your mind and tell us that thereafter you want to receive required notices and disclosures only in paper format. How you must inform us of your decision to receive future forms, notices, and disclosures in paper format and withdraw your consent to receive forms, notices, and disclosures electronically is described below.

Consequences of changing your mind

If you elect to receive and/or return required forms, notices, and disclosures only in paper format, it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices or disclosures or your completed forms. Further, you will no longer be able to use the DocuSign system to receive required forms, notices and consents electronically from us or to sign electronically documents from us.

Forms, Notices, and Disclosures may be sent to you electronically

Unless you tell us otherwise in accordance with the procedures described herein, we may provide electronically to you through the DocuSign system forms, notices, disclosures, authorizations, acknowledgments, and other documents that are required to be provided or made available to you during the course of our relationship with you. If you do not agree to receive a certain form, notice or disclosure electronically, please let us know as described below. Please also see the paragraph immediately above that describes the consequences of your electing not to receive delivery of the notices and disclosures electronically from us or return completed forms electronically to us.

Electronic Record and Signature Disclosure created on: 10/28/2019 5:14:57 PM. Parties agreed to: Scott Brandt, Jim Hart

How to contact us

You may contact us to let us know of your changes as to how we may contact you electronically, to request paper copies of certain information from us, and to withdraw your prior consent to receive notices and disclosures electronically as follows:

To advise us of your new email address for DocuSign usage: To let us know of a change in your email address where we should send certain forms, notices, and disclosures electronically to you, you must send an email message to your primary contact with the University of California, Santa Cruz regarding the documents at issue, and in the body of such email request you must state your previous email address and your new email address. If you created a DocuSign account, you may update it with your new email address through your account preferences.

To request paper copies of documents previously provided to you electronically through this DocuSign account from the University of California, Santa Cruz for routine business and operational transactions: To request delivery from us of paper copies of the notices and disclosures previously provided by us to you electronically, send an email to your primary contact with the University of California, Santa Cruz regarding the documents or transactions at issue and in the body of such request you must state your email address, full name, mailing address, and telephone number. You may be charged a reasonable per-page fee as well as any applicable postage. Note that to request any documents or copies of any documents other than documents previously provided to you through this DocuSign account for routine business and operational transactions, including requests made pursuant to the California Public Records Act (CPRA) and/or the California Information Practices Act (IPA), submit the appropriate Request for Records through the UCSC Information Practices Office, available at https://infopractices.ucsc.edu/

To withdraw your consent

To inform us that you no longer wish to receive certain forms, notices, and disclosures in electronic format you may:

i. Decline to sign a document from within your signing session, and on the subsequent page, select the check-box indicating you wish to withdraw your consent; OR

ii. Send an email to your primary contact with the University of California, Santa Cruz regarding the documents or transactions at issue, and in the body of such request you must state your email, full name, mailing address, and telephone number.

Note that if you withdraw your consent to receive documents from us electronically it will slow the speed at which we can complete certain steps in transactions with you and delivering services to you because we will need first to send the required forms, notices or disclosures to you in paper format, and then wait until we receive back from you your acknowledgment of your receipt of such paper notices, disclosures, and/or completed forms.

Required hardware and software

The minimum system requirements for using the DocuSign system may change over time. The current system requirements are found here: https://support.docusign.com/guides/signer-guide-signing-system-requirements

Acknowledging your access and consent to receive and sign documents electronically

To confirm to us that you can access this information electronically, which will be similar to other electronic forms, notices, and disclosures that we will provide to you, please confirm that you have read this ERSD, and (i) that you are able to print on paper or electronically save this ERSD for your future reference and access; or (ii) that you are able to email this ERSD to an email address where you will be able to print on paper or save it for your future reference and access. Further, if you consent to receiving and returning forms, notices, and disclosures in electronic format as described herein, then select the check-box next to 'I agree to use electronic records and signatures' before clicking 'CONTINUE' within the DocuSign system. By selecting the check-box next to 'I agree to use electronic records and signatures', you confirm that:

● You can access and read this Electronic Record and Signature Disclosure; and

● You can print on paper this Electronic Record and Signature Disclosure, or save or send this Electronic Record and Disclosure to a location where you can print it, for future reference and access; and

● Until or unless you notify The University of California, Santa Cruz as described above, you consent to receive through electronic means forms, notices, disclosures, authorizations, acknowledgments, and other documents that are required to be provided or made available to you by us during the course of your relationship with The University of California, Santa Cruz.