Contract No. 21c4457
TRANSCRIPT
Signed for and on behalf of
COUNTY
Date:
Jim Hart, Sheriff-Coroner, Santa Cruz County
Approved as to Insurance:
By: County of Santa Cruz Risk Management
Date:
As to Form:
Ryan Thompson, Assistant County Counsel
Date:
THE REGENTS OF THE UNIVERSITY OF CALIFORNIA,ON BEHALF OF ITS SANTA CRUZ CAMPUS
Date:
Scott Brandt, Vice Chancellor for Research, The University of California, Santa Cruz
DocuSign Envelope ID: 97738D07-CEE8-4951-9CF0-C611FAF71ECB
9/4/2020
9/9/2020
UCSC and Partner Cybersecurity Plan for
Provider Portal/LIMS
v1.2 Last updated: 8/26/2020 Page 1 of 5
1.0 UCSC Provider Portal
2.0 UCSC Cybersecurity Controls
2.1 Account Management and Access Control
2.2 Network Controls
2.3 Encryption
2.4 Endpoint Controls
2.5 Logging and Monitoring
2.6 Vulnerability Management
2.7 Change Management
2.8 Incident Response
2.9 Training
2.10 Risk Assessment
2.11 Disaster Recovery
3.0 Cybersecurity Controls for Partner Access
3.1 Mandatory Controls
3.2 Temporary Exception to Mandatory Control
3.2.1 Risk of Temporary Exception
3.3 Remote Clinician
4.0 More Information
1.0 UCSC Provider Portal
UCSC provides the IT Resource called “Provider Portal”, which a Partner1 will use in conjunction with
Covid-19 testing.
Partner medical staff (“clinician”) can log into the Provider Portal and enter patient data associated with
the particular UCSC-provided barcode on a patient’s test sample. The test samples are sent to the UCSC
Molecular Diagnostic Lab (MDL).
MDL staff perform the testing and enter the barcode and test results into the backend database, LockBox
LIMS (“LIMS”); the barcode is used to associate the test results with the patient information2.
The clinician can see the test results within the Provider Portal, or they may obtain test results from
SCHIO via login or HL7 interface3 (UCSC provides result information to SCHIO as well as CalREDIE).
1 A “Partner” is a Hospital, Medical Clinic, Health Center or other institution that enters into an agreement with UCSC.
2 The Provider Portal is a web frontend designed to interact with LIMS.
3 UCSC may provide additional software that supports an HL7 interface with partner information systems, which automates
information exchange between UCSC and partners, as well as with the County and State.
2.0 UCSC Cybersecurity Controls
Cybersecurity controls are defined by the UC Information Security Policy and Standards, IS-3, which
maps to HIPAA regulation.
UCSC strives to maintain a reasonable and continuous process for implementing, reviewing, improving,
and documenting the security and privacy of the Provider Portal, and recognizes that this is a never-ending
process: given the speed and frequency of change in cybersecurity threats, perfection is impossible.
IS-3 defines the variety of cybersecurity controls we use to manage threats to the Provider Portal and
LIMS, including (but not limited to) those described in the following sub-sections.
2.1 Account Management and Access Control
Accounts to the Provider Portal and LIMS are managed by the MDL staff.
Authentication to the Provider Portal is distinct from authentication to LIMS (e.g., the Provider Portal
authentication will not allow access to LIMS, and vice versa):
● Partner clinicians authenticate to the Provider Portal to enter patient information and view test
results
● MDL staff authenticate to LIMS to upload test results
Two-factor authentication (2FA) is required upon login: the account holder must enter their unique user ID
and password, and a 2FA one-time passcode presented via the required smartphone app.
2.2 Network Controls
Network VLANs have been configured for all MDL lab endpoints and instruments, and are monitored for
in and outbound traffic. Firewall rules limit in and outbound traffic to specific sources and destinations.
MDL staff use the UCSC Virtual Private Network (VPN), which is required for remote access to UCSC
systems and prompts for 2FA upon login.
2.3 Encryption
Encryption in-transit is accomplished using SSL/TLS (e.g., HTTPS).
Encryption at-rest:
● Provider Portal / LIMS use 256-bit Advanced Encryption Standard (AES)
● UCSC Endpoints use Full Disk Encryption (FDE)
2.4 Endpoint Controls
All computers (“endpoints”) used by UCSC staff to access the Provider Portal and LIMS are UCSC owned
and managed computers, which are configured to reduce vulnerabilities and prevent compromise from
internal and external threats. For example, but not limited to:
● Physical controls
● Monitoring for changes
● Logging access and use
● Anti-virus and anti-malware
● Updates and patches to operating system and software
● Secure disposal
2.5 Logging and Monitoring
All access to the Provider Portal and LIMS is logged. We are working towards establishing alerts for
anomalous login, which will be sent to MDL staff who may disable access until confirmation that an
account, system, or endpoint is not compromised.
2.6 Vulnerability Management
Vulnerability scans of the Provider Portal and LIMS occur on a regular basis. UCSC uses commercially
acceptable efforts to remediate any vulnerability rated as CVE High or Critical.
2.7 Change Management
Changes to the Provider Portal and LIMS will be tracked from inception to completion.
If changes may affect a Partner’s access, use of the Provider Portal, or delay in the upload of test results,
UCSC will notify the Partner before changes are implemented in production.
2.8 Incident Response
An incident report is to be submitted to the UCSC CISO:
● In the event a Partner suspects or detects a breach to their clinician accounts or Partner systems,
or to the Provider Portal
● In the event MDL staff suspect or detect a breach to accounts or systems
The UCSC CISO will initiate an investigation, and coordinate communications and remediation activities
with MDL and affected Partners.
2.9 Training
All UCSC staff supporting the MDL are required to complete HIPAA training before access is granted to
the Provider Portal and LIMS, as well as UCSC lab locations, devices and instruments used as part of the
testing process.
2.10 Risk Assessment
Risk Assessments are performed on a periodic basis, prior to implementation and generally every three
years thereafter (frequency may vary depending on significance of changes).
2.11 Disaster Recovery
The Provider Portal and LIMS are mirrored in real time, with automatic failover should the primary fail.
Secure alternative methods for delivery of test results may be used should the Provider Portal or LIMS be
unavailable for an extended period of time.
3.0 Cybersecurity Controls for Partner Access
3.1 Mandatory Controls
1. Partner ensures their clinicians and IT resources meet HIPAA requirements.
2. Partner provides names and contact information for clinicians who will have access to the
Provider Portal to MDL staff.
3. MDL staff create accounts in the Provider Portal and configure two-factor authentication (2FA) for
each account.
4. Partner must notify MDL when a Clinician no longer requires access to the Provider Portal (for
example, change in responsibility or departure from Partner workforce), or when the Partner
terminates the testing agreement4.
3.2 Temporary Exception to Mandatory Control
UCSC recognizes that a Partner may not allow the use of cell phones within a patient room nor in
contaminated areas. If a Clinician requires access to the Provider Portal but cannot use a cell phone for
2FA, a temporary exception may be available5 pending review by the UCSC CISO of the following
additional controls:
1. Partner provides an IP address that is protected by a Virtual Private Network (VPN), which will be
placed on an allow list at the Provider Portal.
2. Partner ensures that its computers used to access the Provider Portal are not accessible outside
of the allowed IP address, and are managed such that appropriate security controls6 reduce
vulnerabilities and prevent tampering or compromise from internal and external threats.
3. Clinician must use 2FA for login to the Partner’s VPN.
4. Clinician must use 2FA for login to the Partner’s computer used to access the Provider Portal.
3.2.1 Risk of Temporary Exception
Allowing a Partner’s IP address in lieu of 2FA for authentication to the Provider Portal introduces
additional security risk to the portal. The Partner accepts this risk as part of the testing agreement.
In the event of a breach, suspected or otherwise, UCSC will remove the Partner’s IP address from the
allow list and disable Partner accounts, which will result in their loss of access to the Provider Portal while
an investigation and remediation is in progress7.
3.3 Remote Clinician
Clinicians working outside of their Partner’s location (for example, from home or while on travel) must use
2FA for login to the Provider Portal:
● Exception for remote clinician IP address is not allowed.
● Partner ensures that the remote clinician’s computer used to access the Provider Portal is
protected by appropriate security controls6 that reduce vulnerabilities and prevent theft or
compromise from internal and external threats.
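The login rules in sections 2.1, 3.1, 3.2, 3.2.1 and 3.3 can be read as a small access-decision policy: the password is always required, the 2FA one-time passcode is the default second factor, an allow-listed Partner VPN address may stand in for the passcode only after CISO review, a remote clinician's address is never eligible for that exception, and a breach removes the allow list and disables the Partner's accounts. The following is an added example that models those rules in Python; it is not Provider Portal or LockBox LIMS code, and every name, data structure and sample address (RFC 5737 documentation ranges) in it is constructed for illustration.

```python
# Added example (not part of the UCSC plan): a policy model of the Provider
# Portal login rules in sections 2.1, 3.1, 3.2, 3.2.1 and 3.3.  All names,
# data structures and sample values are constructed; this is not the code of
# the Provider Portal or of LockBox LIMS.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Partner:
    name: str
    # Clinician accounts created by MDL staff (3.1 item 3): user id -> enabled?
    accounts: dict = field(default_factory=dict)
    # Partner VPN addresses granted the temporary exception (3.2), each one
    # recorded only after CISO review.
    allow_list: list = field(default_factory=list)


@dataclass
class LoginRequest:
    user_id: str
    source_ip: str
    password_ok: bool   # unique user id + password verified
    otp_ok: bool        # 2FA one-time passcode from the smartphone app verified


def add_exception(partner, network, vpn_protected, ciso_approved):
    """Place a Partner address on the allow list (3.2).  Refused unless the
    address is behind the Partner's VPN and the CISO has reviewed it; a remote
    clinician's home address is therefore never eligible (3.3)."""
    if not (vpn_protected and ciso_approved):
        return False
    partner.allow_list.append(ip_network(network))
    return True


def authorize(partner, req):
    """Return (allowed, reason).  2FA is the default; the allow list only
    substitutes for the one-time passcode, never for the password."""
    if not partner.accounts.get(req.user_id):
        return False, "account missing or disabled"
    if not req.password_ok:
        return False, "bad password"
    if req.otp_ok:
        return True, "2fa"
    ip = ip_address(req.source_ip)
    if any(ip in net for net in partner.allow_list):
        return True, "temporary exception (allow-listed Partner VPN address)"
    return False, "2fa required"


def deprovision(partner, user_id):
    """3.1 item 4: Partner notifies MDL that a clinician no longer needs access."""
    partner.accounts.pop(user_id, None)


def handle_breach(partner):
    """3.2.1: on a suspected or confirmed breach, remove the Partner's
    allow-listed addresses and disable all Partner accounts while the
    investigation and remediation are in progress."""
    partner.allow_list.clear()
    for user_id in partner.accounts:
        partner.accounts[user_id] = False


def demo():
    """Walk through the policy with a constructed Partner and return the
    outcome of each scenario keyed by name."""
    p = Partner("Example Clinic", accounts={"dr.lee": True})
    # Partner's VPN egress address, reviewed by the CISO -> allow-listed.
    add_exception(p, "203.0.113.10/32", vpn_protected=True, ciso_approved=True)
    results = {
        # Passcode presented: allowed from any address.
        "2fa_anywhere": authorize(p, LoginRequest("dr.lee", "198.51.100.7", True, True))[0],
        # No passcode, but source is the allow-listed Partner VPN address.
        "exception_from_vpn": authorize(p, LoginRequest("dr.lee", "203.0.113.10", True, False))[0],
        # No passcode from a home address: denied (3.3).
        "no_2fa_from_home": authorize(p, LoginRequest("dr.lee", "198.51.100.7", True, False))[0],
        # A remote clinician's home address cannot be added to the allow list.
        "home_ip_exception_refused": not add_exception(p, "198.51.100.7/32",
                                                       vpn_protected=False, ciso_approved=True),
    }
    handle_breach(p)
    # Even a correct password and passcode are refused once accounts are disabled.
    results["after_breach"] = authorize(p, LoginRequest("dr.lee", "203.0.113.10", True, True))[0]
    return results


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
```

The allow-list check sits after the password check on purpose: the exception in 3.2 replaces only the one-time passcode, so a stolen password from inside the Partner's VPN still has to pass the Partner's own VPN and workstation 2FA (3.2 items 3 and 4), which this model leaves to the Partner's systems.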
4.0 More Information
For more information about UCSC cybersecurity controls, to report an incident, or to request help, please
email [email protected]
4 See agreement for terms.
5 UCSC may, at its discretion and at any time, remove the exception, and require use of 2FA for login to the Provider Portal. Unless
a breach occurs (suspected or otherwise), UCSC will assist the Partner in establishing a 2FA method that is both secure and supportable by all parties before the exception is removed.
6 For example, but not limited to, monitoring, logging, anti-virus, anti-malware, vulnerability scans, updates and patches to operating
system and software, change control, and 2FA.
7 Completion of an investigation and remediation of a breach does not imply that a Partner will regain access to the Provider Portal.
Certificate Of Completion
Envelope Id: 97738D07CEE849519CF0C611FAF71ECB Status: Completed
Subject: Please DocuSign: UCSC SC County Agreement Sheriff-coroner for COVID testing 8.27.20 FINAL 4820-...
Source Envelope:
Document Pages: 10 Signatures: 2 Envelope Originator:
Supplemental Document Pages: 5 Initials: 0 Michele Chamberlin
Certificate Pages: 5
AutoNav: Enabled
EnvelopeId Stamping: Enabled
Time Zone: (UTC-08:00) Pacific Time (US & Canada)
1156 High Street
Santa Cruz, CA 95064
IP Address: 128.114.225.216
Record Tracking
Status: Original
9/4/2020 11:51:00 AM
Holder: Michele Chamberlin
Location: DocuSign
Signer Events / Signature / Timestamp
Scott Brandt
Vice Chancellor, Research
University of California, Santa Cruz
Security Level: Email, Account Authentication (Optional)
Signature Adoption: Pre-selected Style
Using IP Address: 67.180.133.1
Sent: 9/4/2020 11:56:48 AM
Viewed: 9/4/2020 11:58:12 AM
Signed: 9/4/2020 11:58:31 AM
Electronic Record and Signature Disclosure: Accepted: 4/19/2020 7:29:40 AM ID: f7a408a5-7632-43f4-9b78-2ff0130d8982
Jim Hart
Security Level: Email, Account Authentication (Optional)
Signature Adoption: Pre-selected Style
Using IP Address: 63.194.190.100
Sent: 9/4/2020 11:58:32 AM
Viewed: 9/9/2020 1:29:13 PM
Signed: 9/9/2020 1:29:55 PM
Electronic Record and Signature Disclosure: Accepted: 9/9/2020 1:29:13 PM ID: f6450a38-6f19-4cee-9239-2bdd8060a08f
Envelope Summary Events / Status / Timestamps
Envelope Sent Hashed/Encrypted 9/4/2020 11:58:32 AM
Certified Delivered Security Checked 9/9/2020 1:29:13 PM
Signing Complete Security Checked 9/9/2020 1:29:55 PM
Completed Security Checked 9/9/2020 1:29:55 PM
Electronic Record and Signature Disclosure
DOCUSIGN ELECTRONIC RECORD AND SIGNATURE DISCLOSURE
From time to time, the Regents of the University of California, on behalf of its Santa Cruz
campus (we, us, UCSC, or the University) may provide to you certain written forms, notices, or
disclosures. Described below are the terms and conditions for providing to you such notices and
disclosures electronically through the DocuSign system. Please read the information below
carefully and thoroughly, and if you can access this information electronically to your
satisfaction and agree to this Electronic Record and Signature Disclosure (ERSD), please
confirm your agreement by selecting the check-box next to ‘I agree to use electronic records and
signatures’ before clicking ‘CONTINUE’ within the DocuSign system.
Getting paper copies
At any time, you may request from us a paper copy of any record provided or made available
electronically to you by us. You will have the ability to download and print documents we send
to you through the DocuSign system during and immediately after the signing session and, if you
elect to create a DocuSign account, you may access the documents for a limited period of time
(usually 30 days) after such documents are first sent to you. After such time, if you wish for us to
send you paper copies of any such documents from our office to you, you will be charged a
reasonable per-page fee. You may request delivery of such paper copies from us by following the
procedure described below.
Withdrawing your consent
If you decide to receive forms, notices and disclosures from us electronically, you may at any
time change your mind and tell us that thereafter you want to receive required notices and
disclosures only in paper format. How you must inform us of your decision to receive future
forms, notices, and disclosure in paper format and withdraw your consent to receive forms,
notices, and disclosures electronically is described below.
Consequences of changing your mind
If you elect to receive and/or return required forms, notices, and disclosures only in paper format,
it will slow the speed at which we can complete certain steps in transactions with you and
delivering services to you because we will need first to send the required notices or disclosures to
you in paper format, and then wait until we receive back from you your acknowledgment of your
receipt of such paper notices or disclosures or your completed forms. Further, you will no longer
be able to use the DocuSign system to receive required forms, notices and consents electronically
from us or to sign electronically documents from us.
Forms, Notices, and Disclosures may be sent to you electronically
Unless you tell us otherwise in accordance with the procedures
described herein, we may provide electronically to you through the DocuSign system forms,
notices, disclosures, authorizations, acknowledgments, and other documents that are required to
be provided or made available to you during the course of our relationship with you. If you do
not agree to receive a certain form, notice or disclosure electronically, please let us know as
described below. Please also see the paragraph immediately above that describes the
consequences of your electing not to receive delivery of the notices and disclosures
electronically from us or return completed forms electronically to us.
Electronic Record and Signature Disclosure created on: 10/28/2019 5:14:57 PM. Parties agreed to: Scott Brandt, Jim Hart
How to contact us
You may contact us to let us know of your changes as to how we may contact you electronically,
to request paper copies of certain information from us, and to withdraw your prior consent to
receive notices and disclosures electronically as follows:
To advise us of your new email address for DocuSign Usage: To let us know of a change in your email address where we should send
certain forms, notices, and disclosures electronically to you, you must send an email message to
your primary contact with the University of California, Santa Cruz regarding the documents at
issue, and in the body of such email request you must state: your previous email address, your
new email address. If you created a DocuSign account, you may update it with your new email
address through your account preferences. To request paper copies of documents previously
provided to you electronically through this DocuSign account from the University of California,
Santa Cruz for routine business and operational transactions: To request delivery from us of
paper copies of the notices and disclosures previously provided by us to you electronically, send
an email to your primary contact with the University of California, Santa Cruz regarding the
documents or transactions at issue and in the body of such request you must state your email
address, full name, mailing address, and telephone number. You may be charged a reasonable
per-page fee as well as any applicable postage. Note that to request any documents or copies of
any documents other than documents previously provided to you through this DocuSign account
for routine business and operational transactions, including requests made pursuant to the
California Public Records Act (CPRA) and/or the California Information Practices Act (IPA),
submit the appropriate Request for Records through the UCSC Information Practices Office,
available at https://infopractices.ucsc.edu/
To withdraw your consent
To inform us that you no longer wish to receive certain forms, notices, and disclosures in
electronic format you may: i. Decline to sign a document from within your signing session, and
on the subsequent page, select the check-box indicating you wish to withdraw your consent;
OR
Send an email to your primary contact with the University of California, Santa Cruz regarding
the documents or transactions at issue, and in the body of such request you must state your email,
full name, mailing address, and telephone number. Note that if you withdraw your consent to
receive documents from us electronically it will slow the speed at which we can complete certain
steps in transactions with you and delivering services to you because we will need first to send
the required forms, notices or disclosures to you in paper format, and then wait until we receive
back from you your acknowledgment of your receipt of such paper notices, disclosures, and/or
completed forms.
Required hardware and software
The minimum system requirements for using the DocuSign system may change over time. The
current system requirements are found here: https://support.docusign.com/guides/signer-guide-signingsystem-requirements.
Acknowledging your access and consent to receive and sign documents electronically
To confirm to us that you can access this information electronically, which will be similar to
other electronic forms, notices, and disclosures that we will provide to you, please confirm that
you have read this ERSD, and (i) that you are able to print on paper or electronically save this
ERSD for your future reference and access; or (ii) that you are able to email this ERSD to an
email address where you will be able to print on paper or save it for your future reference and
access. Further, if you consent to receiving and returning forms, notices, and disclosures in
electronic format as described herein, then select the check-box next to ‘I agree to use electronic
records and signatures’ before clicking ‘CONTINUE’ within the DocuSign system. By selecting
the check-box next to ‘I agree to use electronic records and signatures’, you confirm that:
● You can access and read this Electronic Record and Signature Disclosure; and
● You can print on paper this Electronic Record and Signature Disclosure, or save or send
this Electronic Record and Disclosure to a location where you can print it, for future
reference and access; and
● Until or unless you notify The University of California, Santa Cruz as described above,
you consent to receive through electronic means forms, notices, disclosures,
authorizations, acknowledgments, and other documents that are required to be provided
or made available to you by us during the course of your relationship with The University
of California, Santa Cruz.