An information security policy is a well-documented framework, backed by senior management, that is essential to a defense-in-depth strategy. Threats come both from within the organization and from external sources such as hackers, foreign governments and competitors. An information security policy covers privacy, confidentiality, access, accountability, availability, authentication, and the maintenance of information technology systems and networks. All of these components work together to form a comprehensive information security policy. Confidentiality refers to the medical center's need, obligation and desire to protect private, proprietary and other critical information from people who have neither the right nor the need to obtain it, including outsiders and competitors who may wish to harm the practice. This element must therefore be taken into account in order to secure the medical center.
Access refers to the privileges and rights granted to users and the means of protecting assets from unauthorized access or loss. Accountability refers to the responsibilities of users, operations staff and management. Authentication covers the development of password and authentication policies to safeguard information. Availability covers hours of operation, resource redundancy, recovery and maintenance (ISACA, 2006). Other essential elements of a security policy include the policy statement, scope, roles and responsibilities, security directives, an acceptable use policy (AUP), an incident response procedure and document control (Dhillon, 2007). An information security policy that contains all of the above elements is comprehensive and provides a sound basis for any organization. The CEO and physicians of this new medical practice must therefore pay attention to these elements in order to produce the best information security policy for their firm, because such a policy will fulfill the following purposes:
- Protect people and information
- Authorize security personnel to monitor, investigate and probe
- Set the standards of expected behavior for users, administrators, management and security personnel
- Define and authorize the consequences of violations
- Define the baseline stance on security for the health center, and
- Minimize risks
Considerations for Developing Information Security Policy
Before the health center establishes its information security policy, it must consider the following four essential issues (Lambo, 2006). The problem that many companies face when developing an information security policy is producing one that is both specific to the organization and implementable. The factors to consider are as follows.
- What purpose does management aim to serve by establishing a security policy? This identifies the risks that management is attempting to address through the information security policy
- What does management expect the individuals or employees who are responsible under the policy to do or achieve once it is in place? (This covers all employee activities, from the handling of drugs and the use of technology and equipment to day-to-day operations and meeting the needs of patients)
- What process does management intend to put in place to ensure conformance with the policy?
- What process does management require in order to understand the risk of non-compliance with the policy, and if compliance fails, what corrective action should management take? In other words, what mitigating measures would management prefer to have in place?
Taken together, the above four factors can assist the management of the medical practice in making critical decisions while formulating its information security policies (ISACA, 2006).
- Policy types
The main information security policy of the medical center that the CEO and the physicians intend to establish must cover the two main types of policy used in hospitals and healthcare centers: the governing policy and the technical policies.
- Governing Policy
This policy covers the concepts of information security at a high level, describes those concepts, states why they are essential, and details what the health center's position on them is. For example, the policy covers information about patients such as their HIV/AIDS status, their wishes when they are in critical condition, and their health in general. No patient wants an outsider to learn his or her status, especially when the outsider can do nothing with it except gossip. Managers and end users will read this policy and assess its importance, the protection it provides, and how it can be implemented. By default it will also be read by technical custodians (especially security technical custodians), since they are also end users. All of these groups will use the policy to gain a sense of the health center's overall policy philosophy. However, everyone in these groups apart from the 15 physicians will have to be appointed by the CEO or by the committee that includes the physicians. This policy needs to be closely aligned with the health center's existing and future human resources and other policies.
- Technical policies
The technical custodians will use these policies as they carry out their security responsibilities for the systems they work with. The technical policies will be far more detailed than the governing policy, as they address specific areas, such as an AS/400 technical policy or a technical physical security policy. They will also cover the equipment in the center, to ensure that it operates without failure and is secured. This equipment includes computers, networking equipment, printers, hard-copy materials, scanners and any other equipment that handles information. The technical policies also cover the guides that detail how a particular operating system or network device should be secured. Their focus, however, will be on computer security, because all the information concerning the administration and the patients will be stored on the computers. All of the health center's plans and strategies will be stored there as well, so if the information is handled carelessly, competitors could obtain it and use it against the practice. At the detailed level, the technical policies need to address the "what" (in detail), the "who", the "when" and the "where" of information security.
- General standards and Regulations to be established
The CEO and the physicians of the medical center need to establish information security standards and regulations, just as other organizations have done. The standards should be based on user consensus or on international adoption. For example, the ISO/IEC 17799 international standard (since renumbered ISO/IEC 27002) is based on the security requirements of BS 7799 Part 1, developed in the United Kingdom. Its main purpose is to provide recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization (Aceituno, 2005). Another is the Center for Internet Security (CIS), an emerging worldwide consortium that publishes consensus benchmarks against which an organization can check whether minimum standards of due care have been met.
These international standards are used by many organizations and can equally be used by the new health center. International health bodies such as the World Health Organization (WHO) are responsible for establishing health standards and regulations. However, there are other, smaller standards and regulations that have to be established locally by the CEO and the management of the health center; these must address specific areas such as administration, drugs, technological equipment, the handling of patients, financial matters, and the simple rules that patients must obey while in the hospital (ISACA, 2006).
- Policy development team and how responsibility should be assigned for implementing and administering policy
The overall composition of the policy development team will differ according to the policy document being established, but the following is a list of the people and groups who may be involved. It is divided into primary involvement and secondary involvement. Primary involvement comprises the information security team, which has overall responsibility for developing the policy documents. The CEO will control the effort, while the information security team will consist of the 15 physicians. Primary involvement also includes a technical writer, who may be an in-house writer or someone hired for the purpose, whose function is to help write the security policies (Lambo, 2006). Since the policies are intended to safeguard information in the new health center, the technical writer should be an in-house member of the committee, to avoid information leaking when the work is done by an outsider. Secondary involvement includes technical personnel, legal counsel, human resources, audit and compliance, and user groups. These parties perform supporting duties such as carrying out the information security work itself, maintaining technical equipment, and controlling field activities, among many other tasks.
Certification of the personnel employed for the functions described above must cover all the important areas related to medicine. Staff must hold certifications in medicine or nursing to be employed at this health center. This is where the CEO must be very careful, in order to assemble a well-rounded team that will ensure clients and patients are satisfied and will maintain a strong competitive advantage. All of these individuals should be thoroughly familiar with the information security policy and work towards meeting its requirements.