The Management Information System (MIS) for all Maternal and Child Health Programs is Cornerstone. All MCH staff must follow the Cornerstone User Manual expectations for entering and utilizing data to ensure proper service delivery.
Local agencies must adhere to the following system security requirements according to the Cornerstone System Security Plan in the Cornerstone User Manual pdf.
1.9.1 - Management Controls
Each program should have a designated security coordinator. The security coordinator's duties are to:
- Coordinate with the Department on system access for staff and appropriate access levels.
- Ensure MCH employees receive security training via the Cornerstone system, both prior to being granted system access and as annual refresher training for all staff.
- Ensure that State-owned equipment and resources are secure, and that equipment is accounted for by conducting an annual inventory.
- Conduct yearly audits of active IDs in Cornerstone and terminate any employees no longer working in the program.
- Report security incidents to the Department immediately.
- Ensure continued operations during system disruption.
1.9.2 - Operation Controls
- Personnel Security (see HB 901): All personnel responsible for the management, maintenance, operations, or use of system resources and access to sensitive information should have the appropriate management approval. Personnel security also includes establishing and maintaining procedures for enforcing personnel controls.
- The Department must:
  - Issue and revoke user IDs and passwords.
  - Determine appropriate staff access levels.
  - Ensure separation of duties so as to not compromise system data or undermine technical controls.
1.9.3 - Physical Controls
Physical Controls are measures designed to prevent unauthorized physical access to equipment, facilities, material, information, and documents. Physical resources include, but are not limited to: desktop computers, portable computers, personal information devices, and printers. Rooms containing system hardware and software, such as local area network rooms or telephone closets, should be secured to ensure that they are accessible to authorized personnel only. The Local Agency Grant Agreement identifies specific guidance local agencies must follow to address physical security.
1.9.4 - Continuity of Operations
- Local agency information must be updated in Cornerstone, including:
  - Location information
  - Holiday schedules
  - Hours of operation
  - Services provided
  - Site contact information
1.9.5 - System Disruptions
- In the case of a brief (<24 hours) system disruption, such as an interruption of communication and/or connectivity, the local agency must:
  - Advise the Department.
  - Determine if clients will be rescheduled or if paper data collection and documentation processes will be initiated.
- When services are disrupted for more than a day by disasters or security failures, essential operations will continue.
1.9.6 - Incident Reporting
All actual or suspected instances of information asset misuse, theft, or abuse, as well as potential threats (e.g. hackers, computer viruses) or obvious weaknesses affecting security, must be reported to your immediate supervisor.
- All serious infractions including, but not limited to, pornography or violence, must be immediately reported to the appropriate supervisor.
- Any actual or suspected security breach, including any lost or broken Cornerstone equipment, must be immediately reported to the appropriate supervisor.
- Local agency security coordinators are responsible for reporting such incidents. Within 24 hours of the report of the incident, the security coordinator is to submit a brief report of the incident that includes the type of breach, the individual responsible for the breach, and that individual's Cornerstone identification number. The report is to be addressed to the BMCH Bureau Chief at the Department of Human Services.
1.9.7 - Security Awareness, Training, and Education
MCH employees who manage, operate, program, maintain, or use Cornerstone should be aware of their security responsibilities.
- Security training must be provided before system users are allowed access to the system.
- Periodic refresher (e.g. annual) security training is required for continued access to the system.
- Security training is designed to help system users become familiar with using Cornerstone's security features. Security training also ensures that users understand their responsibilities and security procedures for protecting any sensitive information they manage. Security training includes:
  - The importance of protecting client privacy and data confidentiality.
  - How to identify a security incident.
  - Secure use of user IDs and passwords.
- Security training will be available through Cornerstone, and authorized user access is dependent on successful completion of the course.
1.9.8 - Cornerstone Annual Access Report Reconciliation
To comply with state policies, local agencies are expected to monitor the IDHS HSPR1118 Cornerstone Active Employee report annually to ensure only those staff currently working for the agency have Cornerstone access and are assigned to only those programs in which they currently work. Bureau of Maternal and Child Health Program staff will send each local agency the HSPR1118 report annually (N.B. Agencies providing multiple services will receive the report more than once and will need to respond to each program as requested).
Local agencies are responsible for:
- Ensuring only active staff currently working for the agency are on the report. This includes those with no Citrix access.
- Terminating any staff appearing on the report that are not current employees.
- Correcting program access for staff who have changed positions (e.g. left WIC but now work in Case Management).
The following steps should be taken once agencies have received the HSPR1118 report from the Department.
1. Does the staff person work for the agency?
   - Yes
     - Move on to step 2.
   - No
     - In the Cornerstone AD15 Employee Information Screen, terminate any staff appearing on the report that are not current employees.
     - Document by writing on the HSPR1118 report any terminations that were made.
2. Is the staff person assigned to the correct program(s)?
   - Yes
     - Move on to step 3.
   - No
     - In the Cornerstone AD15 Employee Information Screen, terminate staff from programs they no longer work in and/or add new programs they should be assigned to.
     - Document by writing on the HSPR1118 report any changes that were made.
3. Sign and date the HSPR1118 report and return it by email to DHS.BMCHEDF@illinois.gov.