Chapter 9: WIC Information System - HuBERT

CHAPTER 9
WIC INFORMATION SYSTEM - HuBERT
9.2-1
11/10
SECTION 9.1 INTRODUCTION
The WIC Information System is an essential and integral part of providing nutrition services and
benefits to WIC participants. This chapter describes policies necessary for the ongoing operation
of the WIC Information System.
• WIC Information System
• Data Security
• Equipment Inventory -- WIC Information System
SECTION 9.2
Subject: WIC Information System (IS)
References: MN Operations Manual, Sections 9.3, 9.4, 9.5, 9.6; Functional Requirements
Document (FReD) Version 2008 2.0; MN Data Practices Act
Policy: All Local Agencies are required to use and maintain the HuBERT (Health Benefits Real
Time) system, as well as State provided or State approved hardware and software. Local
Agencies must provide and support a secure and reliable network.
Purpose: To ensure consistency of the system, maximize operational efficiencies and maintain
data integrity.
Procedures:
Support
• Local Agencies must use the Help Desk as the first point of contact when in need of
assistance in operating the WIC IS. Local Agencies must contact the Help Desk in the
event of a hardware or software system failure, or when any error message is received.
• Local Agencies must provide technical support for initial set-up, maintenance and
support of the network including any ongoing connectivity issues. The support can be
from county or Local IT staff, contractors or Internet Service Providers. Wireless
connectivity options are only to be used when the wired communications cannot be
achieved.
Software/Hardware
• The State will provide all software and hardware needed to use the WIC Information
System. This includes computers, printers, scanners and signature pads.
• Local Agencies will receive computers with an operating system, HuBERT (the WIC
application), Office Suite, full disk encryption, and an anti-virus suite installed.
o The anti-virus software may be replaced with a Local standard, and must be
supported by the Local IT staff.
o Any Local applications needed for WIC staff can be installed but must be supported
Locally.
o Computers can be configured as needed to connect to the Local network.
• Local Agencies can install other software needed by WIC staff for WIC business.
• Local Agencies must contact their Program Consultant if there is a need for part-time
WIC staff to use the State owned computers for ongoing non-WIC business.
• Local Agencies may provide their own computers for using the WIC Information System
but must submit a request to the State and meet the following criteria:
o Provide adequate IT support that is available, responsive and effective
o Provide and maintain adequate inventory and replacement: replace within 24 hours
o Meet needs for new staff or if hardware fails
o Meet State security standards and specifications
o Provide specified Windows operating system (currently Windows XP) and Office
Suite
o Provide real-time/on-access anti-virus protection
o Provide regular updates of operating system and anti-virus software and virus
definitions
o Install the WIC HuBERT application only on computers designated for WIC business
o Install State provided full disk encryption software. Full disk encryption software
may be replaced by a Local standard if approved by the State
• Local Agencies must submit a request and receive approval from the State for
hardware/software additions or changes. A request can be submitted through the MDH
WIC website.
Data
Local Agency staff must enter only actual and accurate participant data.
Training
In partnership with the State Agency, Local Agencies must assure staff are adequately trained to
use the WIC Information System. See Guidance.
Additional information:
• HuBERT is a .NET based application designed to update and pull data from a centralized
database over the Internet. The system requires a connection to the web servers to
function and the client-side install serves only to send and retrieve the necessary data,
much like an Internet browser.
• HuBERT is a smart-client web based application. The application must be installed on
any computer that will need to use it and access the central database.
• HuBERT requires user authentication via the application. This is separate from any other
system authentications, e.g., Windows, Novell, or Active Directory.
• HuBERT uses encrypted (SSL) connections over the internet to connect to the web
servers which connect to the central database.
o “Security with regard to communications is achieved by using SSL to encrypt the
XML service payloads being exchanged. Application security is controlled by a
specialized application authentication and authorization model that leverages a
database driven user profile and role-based privilege model to control access to
various application features. Customized credentials are used to exchange tokenized
authentication during service invocations.”
Source: SPIRIT Detailed Technical Specifications Document PAT.
Guidance:
• Local Agency Coordinators should assure staff are trained on how to use the system.
The State will provide, via the MDH WIC website, pre-recorded on-demand training
sessions, training modules, step-by-step “how-to” guidance and structured exercises.
Agencies can request a computer with the HuBERT application installed to access the
HuBERT de-sensitized training database. If Agencies have their own test lab, the
HuBERT application can be provided for Local Agency installation on their test
computer(s).
• The HuBERT application has On-Line Help. The user can access On-Line Help by
clicking on Help in the menu bar or pressing the F1 key. The F1 key jumps directly to
the topic for the screen currently displayed in HuBERT or, if a field is highlighted, to
information about that particular field.
• The Get Started Planning for HuBERT: First Steps guide covers many of the initial
questions and concerns when setting up a clinic for the WIC IS application. The
documents, Minnesota WIC HuBERT Environment - State-Owned Computers and Use of
Locally Owned Computers with WIC HuBERT Environment provide guidance for Local
IT staff. These documents can be found on the MDH WIC Website.
SECTION 9.3
Subject: Security of WIC Information System: Networks, Data and Equipment
References: MN Data Practices Act; Functional Requirements Document (FReD) Version
2008 2.0; MDH Information Security Policy.
Policy: Local Agencies must ensure the security of WIC Information System networks, data
and computer equipment. Information obtained from individuals applying for, or participating in
the WIC Program is considered private and may not be disclosed to any unauthorized person(s).
(See the Data Privacy policy, MOM Section 1.7.)
Purpose: To prevent fraud, avoid theft, and ensure data privacy and integrity.
Procedures:
• Local Agencies must follow Local network and internet usage policies.
• Local Agencies must ensure that all computers use a firewall. This can be a software
firewall or a hardware device.
• Local Agencies must contact their network administrators to assist with any planning or
installation of any network device or functionality on their network.
• Each staff member must use her/his own username and password when accessing the system. The
system tracks all activities by username. Never use a computer without entering your
unique user name and password.
• It is recommended to create Local users’ Windows accounts with limited privileges.
• The system will require all users to change their password every 90 days.
• Local Agency coordinators must submit username and password request/change form via
the MDH WIC website for both new and departing staff.
• In case of an unplanned departure of staff, Local Agency Coordinators must call the Help
Desk to immediately deactivate the user name account.
• Local Agencies must secure WIC computer equipment and software at all times including
during transport and storage; storage facilities must be adequately secured.
• Local Agencies must secure any copies of the Minnesota WIC computer image.
• Local Agencies must maintain the inventory of WIC computer equipment received from
the Contractor. The Local Agency must verify its accuracy and work with the Contractor
to make corrections as needed. Refer to Section 9.4.
• If there is a breach of security such as stolen computer equipment or media with
participant data, Local Agencies must immediately contact:
o WIC Operations Unit Supervisor
o WIC Operations Information Technology Specialist
o WIC Program Unit Supervisor
o WIC Program Consultant
Provide the following information:
▪ List of missing equipment
▪ Agency name and number
▪ Location where loss/theft occurred
▪ Date and time loss/theft occurred (actual if known or estimated)
▪ Circumstances involved
▪ Provide a copy of the police report information if applicable
• Local Agencies should follow any additional or more stringent Local security policies.
Guidance:
Passwords
Create good (strong) passwords; most importantly, keep your passwords strong:
• Use eight or more characters
• Mix upper-case and lower-case letters with numbers and special characters
• No dictionary words, proper nouns, or foreign words
• Do not use a correctly spelled word in any language, because "dictionary attack" software
can crack these in minutes
• Do not use personal information such as your name (or the name of a relative or pet),
birthday or hobby, because these are easy to guess
• Choose a password that is difficult to guess or hack, but that you can remember without
having to write it down. For example:
o Choose the first letters of words in a title, song or poem. For example, Book One:
Harry Potter and the Sorcerer's Stone becomes b1HP&tss
o String several words together (the resulting password is also known as a
"passphrase") and insert numbers and special characters. For example, turn "go to
town" into go2^*ToWn
o Insert punctuation or numbers into a regular word. For example, turn "regular" into
rEgu!4lar
o Deliberately misspell a word (don't use a common misspelling). For example, turn
"common" into koM*7on
• Changing your password means to “significantly” change your password. Changing just a
letter or a number or two in your password is not considered “significantly” changing
your password. Your password should also be changed immediately if you think for any
reason it could have been compromised.
Protect your Password:
Your password is secret and confidential; be sure to keep it that way. Never divulge your
password to anyone, whether in person or over the phone -- no matter who asks, no matter why
they say they need it.
Intruders look for passwords posted on your computer, under your keyboard, inside your desk,
on your bulletin board and in every other area of your workspace. This is why it is best not to
write down your password at all. If you must write down your password, treat it like money and
keep it in your wallet or another secure location. If you take a laptop out of the office, please
ensure that the password is not written down on the laptop or in the computer bag. Use a
completely different password scheme at work and home. If the password you use at home were
compromised for any reason, we would not want that situation to cause your work computer
accounts to be put at additional risk of compromise.
Other Security Measures
Enable Screen Savers:
Enable screen savers with passwords on all computers. This protects the confidentiality of
participant data and protects the logged-in user from other staff entering data, making
modifications, or printing vouchers.
Lock Computers:
A workstation should also be locked when not in use or when left unattended. Press Ctrl + Alt +
Del and click the Lock Workstation button. The logged in user’s password will need to be
entered to unlock the computer. The Windows key + ‘L’ will also lock the computer.
Kensington Locks:
• Use Kensington Locks to secure all desktops and laptops to stationary objects.
• Kensington Locks come with two keys.
o The spare key should be stored in a secure location.
o The key used daily should be kept on your person while the lock is being used and
not stored in your desk drawer or bag.
Transportation of Equipment:
Computers, portable printers, scanners and signature pads should not be left in automobiles
overnight. Bring equipment inside to protect it from theft and extreme temperature changes.
Removable Storage:
• An acceptable use of removable storage is:
o Copying documents and screen shots from a WIC computer for printing on a non-HuBERT printer.
• Other Removable Storage Guidelines:
o Storage of data on removable media or devices is meant for short-term use only and
should be removed immediately after its use.
o All removable storage that contains ANY participant information should be protected
at the same level as other computer equipment.
o When not in use, store the removable storage media and devices in a locked location,
such as a locked desk or locked file cabinet.
o All removable storage media and devices should be treated as if they contain private
information even after they have been erased.
o WIC associated CD or DVD material, which contains participant data, should be
erased, broken, or shredded before disposal.
SECTION 9.4
Subject: Equipment Inventory -- WIC Information System
References: CFO 3016.32
Policy: Local Agencies must annually review and verify the WIC Information System
equipment inventory.
Purpose: To maintain an accurate inventory of specific major equipment needed for operation
of the WIC Information System.
Procedures:
Inventoried equipment includes: computers, printers, printer bags, monitors, networking
equipment, scanners, and signature pads.
• The Local Agency will receive annually from the State Agency a copy of its inventory as
well as guidance for inventory verification and follow-up.
• The Local Agency must use the inventory provided to verify the equipment at its site(s) is
accurately listed in the inventory. Discrepancies should be noted on the inventory when:
o A piece of equipment’s serial number or bar code number does not match the serial
number or bar code number listed on the inventory.
o A piece of equipment is not listed on the inventory.
o A piece of equipment listed on the inventory does not exist at the Local Agency.
• When the Local Agency has completed verification of the inventory, notify the State
Agency Hardware Specialist that the inventory review has been completed and
discrepancies noted.
• Local Agencies must ensure that non-inventoried peripheral items are maintained along
with inventoried equipment.
• Program Consultants will also verify the inventory as part of each management evaluation.
• The Local Agency may contact the Help Desk for a copy of its inventory at any time.
Guidance:
• Non-inventoried peripheral equipment: When reviewing the inventory, Local
Agencies should ensure the following peripheral equipment is maintained with the
appropriate piece of equipment.
o Items associated with Desktop Computers:
▪ Keyboard
▪ Mouse
▪ Power Cord
▪ Monitor with Power Cord
▪ Key Lock
▪ Network Cable
▪ Signature Pad
o Items associated with Laptop Computers:
▪ Mouse
▪ Power Cord & Power Adapter
▪ Key Lock
▪ Network Cable
▪ Signature Pad
o Items associated with Printers:
▪ Power Cord
▪ Network Cable
▪ Printer Cable
o Miscellaneous Equipment:
▪ Network Equipment
▪ Scanner with Power Cord & Power Adapter
If any of the above items are missing or damaged, the Local Agency should contact the
Help Desk for a replacement.
• The following items are disposable and should not be returned to the contractor when
they fail:
o Keyboards
o Mice
o Network Cables (Generally under 100 feet long)
• If the above items are in working condition, they should not be returned as single
items, but should be shipped in lots or with the corresponding computer or printer. For
example, when returning a computer that is no longer needed but in working condition
include the keyboard, mouse, and power cords used with the system.