HB 174—2003

Information security management

This is a free 13 page sample. Access the full version online.

Implementation guide for the health sector

This is a free 13 page sample. Access the full version online.

This Handbook was prepared by Committee IT-014, Health Informatics. It was published on 10 March 2003.

The following are represented on Committee IT-014: Australian Association of Pathology Practices Inc Australian Health Insurance Association Australian Information Industry Association Australian Institute of Health and Welfare Australian Institute of Radiography Australian Medical Association Australian Private Hospitals Association Australian and New Zealand College of Anaesthetists Central Queensland University Commonwealth Department of Health and Ageing Consumers’ Federation of Australia Consumers’ Health Forum of Australia Department of Human Services, South Australia Department of Human Services, Victoria General Practice Computing Group Health Department of Western Australia Health Information Management Association of Australia Health Insurance Commission Health Professions Council of Australia Institution of Engineers Australia Medical Industry Association of Australia Inc Medical Software Industry Association New South Wales Health Department National Health Information Management Group Pharmaceutical Society of Australia Queensland Health Royal Australian College of Medical Administrators Royal College of Nursing, Australia Royal College of Pathologists of Australia Society of Hospital Pharmacists of Australia The Pharmacy Guild of Australia The Royal Australia and New Zealand College of Radiologists The University of Sydney .

HB 174—2003

This is a free 13 page sample. Access the full version online.

Handbook Information security management— Implementation guide for the health sector

First published as HB 174—2003.

COPYRIGHT © Standards Australia International All rights are reserved. No part of this work may be reproduced or copied in any form or by any means, electronic or mechanical, including photocopying, without the written permission of the publisher. Published by Standards Australia International Ltd GPO Box 5420, Sydney, NSW 2001, Australia ISBN 0 7337 4886 4

HB 174—2003

This is a free 13 page sample. Access the full version online.

Information Security Management

This page left intentionally blank

HB 174—2003 Information Security Management

Preface

This is a free 13 page sample. Access the full version online.

The purpose of these guidelines is to interpret AS/NZS 17799:2001— Information Technology—Code of Practice for Information Security Management, and apply this standard specifically to the interests and unique information security requirements of the Australian Health Sector. This handbook provides a set of detailed controls, which may be considered best practices in information security. These guidelines have been developed by Standards Australia/Standards New Zealand Committee on Health Informatics Privacy & Security (IT-01404) with assistance from various Australian health sector professionals. This handbook has been developed to address the special considerations that are required for the health sector, with particular emphasis on individuals and small to medium sized health practitioners. Overall, the AS/NZS 17799 standard provides an excellent information security management strategy, but as this standard has been designed to encompass a broad range of industries and organisations, and of all sizes, the standard alone cannot be targeted effectively or appropriately to the Health Sector. The protection and security of information is of prime importance to all individuals, government agencies and firms. For the Health Sector, there is added emphasis on the requirements for confidentiality, privacy, integrity and availability. Naturally, all organisations, regardless of size, must have stringent controls in place for the protection of information. It is therefore critical for an organisation to implement a suitable set of controls and procedures to address information security, and once implemented, the organisation must retain a pre-requisite level of security. With increasing electronic exchange of patient information between Health Providers, there is a clear benefit in adopting a common reference handbook for information security management. Not all of the controls described in this Standard will be relevant to every situation. This guide cannot take account of local, environmental and technological constraints, nor can it be presented in a form that is completely applicable to every Health Provider. Health Providers must apply the recommendations to each of their unique circumstances. In drafting this guide, we have assumed that a health service professional or a member of the supporting administration staff (and not necessarily an information security professional) will most likely undertake the execution of recommendations. For this reason, we have designed this guide such that it appeals to health professionals and non-computing professionals and we have ensured that the guide is clear, concise and easy to understand and interpret. The content is therefore not of a highly technical nature.

3

HB 174—2003 Information Security Management

Our guidelines shall serve two fundamental objectives, specifically: 1.

Guidance to ensure that patient privacy is maintained by securing paper and electronic based health records and ensuring the long term integrity and quality of this stored information.

2.

Assistance in establishing an appropriate level of health information security for your organisation as a whole.

By following these guidelines, in addition to undertaking an information security management best practice initiative, we aim to greatly assist your health organisation in compliance with the Privacy Amendment (Private Sector) Act 2000*, or your relevant state privacy legislation.

Application

This is a free 13 page sample. Access the full version online.

This handbook has been written for health professionals seeking to conform to the information security management specifications of the AS/NZS 17799 standard. Whilst these guidelines are specifically focussed on individuals and small to medium sized health organisations, larger businesses and government departments, who may have specialised information security or privacy personnel, will also find these guidelines of significant use and benefit. Our intended audience may include, but is not limited to: •

Health Consumers

•

Health Service Providers

•

Medical Centres

•

Public and Private Hospitals

•

Pharmacies

•

Information Repositories

•

Clinical Registries

•

Health Funders

•

Health Agencies

A glossary covering Computing, Security and Privacy terms and definitions has been included. We recommend that all readers of the handbook make themselves familiar with our definitions.

* More information about the Act can be obtained from the Federal Privacy Commission website. www.privacy.gov.au. You will find specific information about how the Privacy Act may affect your health business.

4

HB 174—2003 Information Security Management

For the purposes of this guide and in the context of the health sector, the Australian Bureau of Statistics has provided the following definitions covering small and medium businesses: A Small business—This may range from small groups of people through to businesses that operate with up to 20 staff members. Examples include pharmacies and general medical practices.

•

A Medium business—Those businesses with staff members of approximately 20-199 people. Examples include small private hospitals, medical facilities, and pathology practices.

This is a free 13 page sample. Access the full version online.

•

5

HB 174—2003 Information Security Management

Contents Introduction ................................................................................................... 8 1

Scope ................................................................................................. 11

2

Key Control 1: Information Security Policy ........................................ 12

This is a free 13 page sample. Access the full version online.

3

4

5

6

7

6

2.1

What should be included in an Information Security Policy?.... 12

2.2

The need for supporting policies and procedures ...................... 13

Key Control 2: Security Organisation.................................................. 15 3.1

Who should manage the Health Information Security in my business? .................................................................................. 15

3.2

Third party access to data ......................................................... 16

3.3

What if I outsource? ................................................................. 16

Key Control 3: Asset Classification and Control ................................. 18 4.1

What assets does a health business own? .................................. 18

4.2

Identification of custodians—the information caretaker! .......... 19

4.3

What is the value of information classification? ....................... 20

4.4

How do I classify information?................................................. 20

4.5

Labelling my information ......................................................... 23

4.6

Risks to Information ................................................................. 23

Key Control 4: Personnel Security ...................................................... 27 5.1

Informing staff of their security responsibilities ....................... 27

5.2

What considerations should I make when recruiting staff? ....... 27

5.3

Information security education, training and awareness............ 29

5.4

Responding to security incidents .............................................. 29

Key Control 5: Physical and Environmental Security .......................... 32 6.1

What is Physical Security? ....................................................... 32

6.2

How do I protect my premises? ................................................ 33

6.3

How do I protect my equipment?.............................................. 33

6.4

How do I protect my most critical equipment?.......................... 33

6.5

Environmental Security ............................................................ 36

Key Control 6: Communications and operations management............. 39 7.1

The Importance of maintaining data integrity ........................... 39

7.2

Controlling system and reference information changes ............. 39

7.3

What is Malicious Code?.......................................................... 40

7.4

The Back up of Information...................................................... 42

7.5

What is Network Management?................................................ 43

HB 174—2003 Information Security Management

8

This is a free 13 page sample. Access the full version online.

9

10

7.6

When and how should we exchange information? .................... 44

7.7

e-Health Security ...................................................................... 46

7.8

Security of electronic mail ........................................................ 47

Key Control 7: Access Control............................................................ 49 8.1

What is access control?............................................................. 49

8.2

What methods can I use to control access? ............................... 51

8.3

Controlling access to your PC or laptop.................................... 52

8.4

Controlling access to your network or mainframe..................... 52

8.5

Remote Access ......................................................................... 54

8.6

The need for a firewall.............................................................. 55

8.7

Cryptographic controls ............................................................. 56

Key Control 8: Business Continuity Management ............................... 59 9.1

What is Business Continuity Management? .............................. 59

9.2

What can go wrong? ................................................................. 59

9.3

The need for a plan!.................................................................. 60

9.4

What should be included in the plan? ....................................... 61

Key Control 9: Compliance ................................................................. 64 10.1

Compliance with legal requirements ......................................... 64

10.2

Professional Codes of Conduct ................................................. 68

APPENDICES A

Public Key Infrastructure: PKI ............................................................ 74

B

Outsourcing Contract Considerations .................................................. 76

C

Sample confidentiality agreement........................................................ 77

D

Risk Matrix Template.......................................................................... 80

E

Roles and Responsibilities................................................................... 81

F

References........................................................................................... 83

7

HB 174—2003 Information Security Management

Introduction What is Health Information Security? Health Information is an important asset for Health Providers, and this asset needs to be adequately protected. The primary focus of Health Information Security relates to the protection and safeguarding of patient information and the requirement to protect the privacy of patients. In addition, Health Providers must ensure that information is accurate and available whenever required.

This is a free 13 page sample. Access the full version online.

Information may exist in many forms. From the perspective of the Health Sector, information is not necessarily only words and numbers, but this may also extend to photographs, drawings, video footage, slides, and x-rays. Information can be printed or written, stored electronically, transmitted by post or using electronic means, shown on film or spoken as part of normal conversation. Whatever form the information takes, or means by which it is shared or stored, the information should always be appropriately protected. In essence, the protection of information involves the preservation of the following: •

Confidentiality—information should only be accessible and available to those authorised to have access.

•

Integrity—information should be stored, used, transferred and retrieved in manners such that there is confidence that the information has not been tampered with or modified other than as authorised.

•

Availability—ensures that information is accessible to authorised individuals when and where required.

It is important to note that there are differences between privacy and confidentiality. Privacy is concerned with information handling processes of personal and sensitive information. Privacy deals with ensuring that this information is not disclosed for any purpose other than for which it was collected, without appropriate consent.

How do I secure my health information? Information security is achieved by implementing a suitable set of controls. A control may constitute a policy, a practice, a set of procedures, or perhaps a software function. These controls need to be established in order to ensure that the specific security objectives of the organisation are met. Although at first this may appear daunting, this handbook will help you to understand what controls are available and how they may be implemented. By reading this handbook you will be in a position to better understand the information that you are protecting and then you will be able to select those controls appropriate for providing protection in your unique health environment.

8

HB 174—2003 Information Security Management

Information security is particularly important within the Health Sector because of the ramifications for patients and providers when security is breached. If information is disclosed, accessed incorrectly, tampered with or lost the consequences for a patient may be life threatening. Furthermore, unauthorised access to patient information may be illegal, may compromise patient confidence or may result in a loss of reputation for the health provider.

How do I use these Guidelines? What Controls Do I Need?

This is a free 13 page sample. Access the full version online.

An organisation cannot address information security concerns without possessing a basic understanding and awareness of the threats, risks and vulnerabilities. This may be a simple process, but no matter how small your organisation, you should perform a risk assessment. From this assessment, your security requirements may be identified and controls can be selected and implemented to ensure that risks are reduced to an acceptable level. It will be evident that there are many different ways of securing your health information and this handbook provides examples of common approaches that are applicable. However, it is necessary to recognise that some of the controls are not applicable to every information system or environment, and might not be practicable for all health professionals. This will be particularly evident if you are an individual or work in a small health practice. As there has been an increase in the amount of health information that is stored and transmitted in electronic format and the ease and speed of dissemination has increased, your organisation must implement adequate mechanisms to ensure the protection of information. Special care needs to be demonstrated in the area of email, which has become a common medium for the dissemination of health information. Email has inherent security risks. Unless you send an email in encrypted form, it is like sending a postcard. It is available to be read by anybody it passes through, or intercepts. The specific of this guide is to address the 10 key areas of information security controls of AS/NZS 17799 and to interpret these in a context that is applicable to Health Organisations. For each control addressed in the AS/NZS 17799 Standards there will be a corresponding sub-section recommending appropriate actions *. As appropriate, controls may therefore be selected from this handbook or new controls can be designed to meet the specific needs of your organisation. For some of the key controls there may be multiple controls that will be applicable. Users of this handbook will be able to read each key control chapter and decide on the applicability to their organisation. The 10 key controls of AS/NZS 17799 include: 1. Security Policy 2. Security Organisation 3. Asset Classification and Control 4. Personnel Security 5.

Physical and Environmental Security

* The key control system development and maintenance has not been given its own sub-section, it has been incorporated within the other key controls. 9

HB 174—2003 Information Security Management

6.

Communications and Operations Management

7.

Access Control

8.

System Development and Maintenance

9.

Business Continuity Management

This is a free 13 page sample. Access the full version online.

10. Compliance

10

HB 174—2003 Information Security Management

1

Scope These guidelines provide direction for all health service providers to undertake best practice strategies to secure information. The review and interpretation is based upon the Information Security Management standard AS/NZS 17799. The intention of this Handbook is that it is to be used as a document for the initiation, implementation and maintenance of information security measures within a health business.

This is a free 13 page sample. Access the full version online.

The focus of this handbook is aimed towards small to medium sized health care providers, and not Information Technology professionals. Therefore the AS/NZS 17799 key control area of Systems Development and Maintenance has not been given its own sub-section. Health care providers who are the custodians of confidential information must ensure that information is effectively protected against improper disclosure, modification and use. This guide outlines effective security management practices to provide confidence in inter-health organisational dealings.

 Standards Australia

11

This is a free preview. Purchase the entire publication at the link below:

This is a free 13 page sample. Access the full version online.

HB 174-2003 Information security management Implementation guide for the health sector

Looking for additional Standards? Visit SAI Global Infostore Subscribe to our Free Newsletters about Australian Standards® in Legislation; ISO, IEC, BSI and more Do you need to Manage Standards Collections Online? Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation Do you want to know when a Standard has changed? Want to become an SAI Global Standards Sales Affiliate? Learn about other SAI Global Services: LOGICOM Military Parts and Supplier Database Metals Infobase Database of Metal Grades, Standards and Manufacturers Materials Infobase Database of Materials, Standards and Suppliers Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us