Elements of Good Information Security Policy For Every Healthcare Organization.

1.0 INFORMATION SECURITY POLICY

1.1 An Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries over which the organization stretches its authority (Kostadinov, 2018).

1.1.1 A policy is guidance or instructions that an organization’s senior management implements to regulate the activities of the organization members who make decisions, take actions, and perform other duties. Policies are like laws in that they dictate acceptable and unacceptable behavior within the organization. Like laws, policies define what is right and what is wrong, what the penalties are for violating policies, and what the appeal process is. Standards, although they have the same compliance requirement as policies, are more detailed descriptions of what must be done to comply with policy. The standards may be informal or part of an organizational culture; these are referred to as de facto standards. Alternatively, standards may be published, scrutinized, and ratified by a group; these are referred to as de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy (Berra, n.d.).

1.1.2 The Importance of an Information Security Policy

Creating an effective security policy and taking steps to ensure compliance is a critical step in preventing and mitigating security breaches. To make your security policy truly effective, update it in response to changes in your company, new threats, conclusions drawn from previous breaches, and other changes to your security posture (Cassetto, 2019).

2.0 INTRODUCTION

The evolution of computer networks has made the sharing of information ever more prevalent. Information is now exchanged at the rate of trillions of bytes per millisecond, daily numbers that might extend beyond comprehension or available nomenclature. A proportion of that data is not intended for sharing beyond a limited group, and much data is protected by law or intellectual property. An information security policy endeavors to enact those protections and limit the distribution of data not in the public domain to authorized recipients (Techopedia, n.d.).

The current reliance on information systems is forcing healthcare organizations to consider two security management issues: information control and security policy (Clark & Lin, 1994).

Healthcare managers are becoming aware that information and information systems are critical organizational resources in the healthcare environment, considering that medical information has been documented as being more sensitive than most other information. Hence the need for healthcare organizations to develop and implement appropriate information security policies.

An Information Security Policy supports appropriate behavior among employees by giving clear instruction on their responsibilities and on the terms and conditions of such policies. Employees who properly follow the Information Security Policy are assets to organizational security. The Information Security Policy bridges the gap between the expectations of an organization and how people contribute to its proper implementation, so it should be very clear to understand and implement (Alqahtani, 2017).

2.1 Key elements of an information security policy.

According to Tunggal (2020), an information security policy can be as broad as you want it to be. It can cover IT security and/or physical security, as well as social media usage, lifecycle management and security training. Tunggal (2020) shares nine key elements that a security policy should have. They include:

2.1.1 Purpose

The organization should outline the purpose of its information security policy which could be to:

  • Create an organizational model for information security
  • Detect and preempt information security breaches caused by third-party vendors, misuse of networks, data, applications, computer systems and mobile devices.
  • Protect the organization's reputation
  • Uphold ethical, legal and regulatory requirements
  • Protect customer data and respond to inquiries and complaints about non-compliance with security requirements and data protection

2.1.2 Audience or Scope

Define who the information security policy applies to and who it does not apply to (Kostadinov, 2018). An information security policy should address all data, programs, systems, facilities, other technology infrastructure, users of technology and third parties in a given organization, without exception.

Third-party, fourth-party and vendor risks should be accounted for. Whether or not you have a legal or regulatory duty to protect your customers' data from third-party data breaches and data leaks is beside the point: customers may still blame your organization for breaches that were not in your total control, and the reputational damage can be huge.

2.1.3 Information security objectives

These are the goals management has agreed upon, as well as the strategies used to achieve them.

In the end, information security is concerned with the CIA triad:

  • Confidentiality: data and information are protected from unauthorized access
  • Integrity: data is intact, complete and accurate
  • Availability: IT systems are available when needed

Donn Parker, one of the pioneers in the field of IT security, expanded this threefold paradigm by suggesting that “authenticity” and “utility” should also be included among information security concerns (Kostadinov, 2018).

2.1.4 Authority and access control policy

This part is about deciding who has the authority to decide what data can be shared and what cannot. Remember, this may not always be up to your organization. For example, if you are the CSO at a hospital, you likely need to comply with HIPAA and its data protection requirements. If you store medical records, they cannot be shared with an unauthorized party, whether in person or online (Tunggal, 2020).

According to Cassetto (2019), an authority and access control policy can follow a hierarchical pattern: a senior manager may have the authority to decide what data can be shared and with whom. The security policy may have different terms for a senior manager vs. a junior employee. The policy should outline the level of authority over data and IT systems for each organizational role.

A network security policy states that users are only able to access company networks and servers via unique logins that demand authentication, including passwords, biometrics, ID cards, or tokens. You should monitor all systems and record all login attempts.

An access control policy can help outline the level of authority over data and IT systems for every level of your organization. It should outline how to handle sensitive data, who is responsible for security controls, what access control is in place and what security standards are acceptable.

It may also include a network security policy that outlines who can have access to company networks and servers, as well as what authentication requirements are needed, including strong password requirements, biometrics, ID cards and access tokens (Tunggal, 2020).

2.1.5 Data classification

Another information security policy element is data classification. Security policy must classify data into categories. A good way to classify the data is into five levels that dictate an increasing need for protection:

  1. Level 1: Public information
  2. Level 2: Information your organization has chosen to keep confidential, but whose disclosure would not cause material harm
  3. Level 3: Information with a risk of material harm to individuals or your organization if disclosed
  4. Level 4: Information with a high risk of causing serious harm to individuals or your organization if disclosed
  5. Level 5: Information that will cause severe harm to individuals or your organization if disclosed

In this classification, levels 2-5 would be classified as confidential information and would need some form of protection (Tunggal, 2020).

The objectives of data classification are to:

  • Ensure that sensitive data cannot be accessed by individuals with lower clearance levels.
  • Protect highly important data, and avoid needless security measures for unimportant data (Cassetto, 2019).

2.1.6 Data support and operations

Once data has been classified, you need to outline how data at each level will be handled. There are generally three components to this part of your information security policy:

  • Data protection regulations: personally identifiable information (PII) or sensitive data that an organization stores must be protected according to organizational standards, best practices, industry compliance standards and regulation
  • Data backup requirements: outlines how data is backed up, what level of encryption is used and what third-party service providers are used
  • Movement of data: outlines how data is communicated. Data deemed confidential under the data classification above should be communicated securely with encryption and not transmitted across public networks, to avoid man-in-the-middle attacks (Tunggal, 2020)
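The clearance rule in 2.1.4 and 2.1.5 (sensitive data cannot be accessed by individuals with lower clearance), the five classification levels in 2.1.5 and the movement-of-data rule in 2.1.6 (confidential data is encrypted in transit and never crosses a public network) can be expressed as policy-as-code so that every access or transfer request is checked the same way and leaves an audit record. The following is an added example written for this article, not code from any of the cited authors; the role names, their clearance levels and the sample requests are constructed for illustration, and a real policy would substitute its own roles.

```python
# Added example (not from the article): a small policy-as-code evaluator
# that encodes the five-level data classification, the clearance rule
# ("sensitive data cannot be accessed by individuals with lower clearance")
# and the movement-of-data rule (confidential data must be encrypted in
# transit and must not cross public networks). Role names, clearance
# values and the sample requests are constructed for illustration.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The five classification levels; numeric order matches the need for protection."""
    PUBLIC = 1      # Level 1: public information
    INTERNAL = 2    # Level 2: confidential, disclosure not materially harmful
    MODERATE = 3    # Level 3: risk of material harm if disclosed
    HIGH = 4        # Level 4: high risk of serious harm if disclosed
    SEVERE = 5      # Level 5: severe harm if disclosed


# Levels 2-5 are treated as confidential and require protection.
LOWEST_CONFIDENTIAL = Level.INTERNAL

# Hypothetical role-to-clearance mapping; a real policy would list its own roles.
ROLE_CLEARANCE = {
    "guest": Level.PUBLIC,
    "billing_clerk": Level.INTERNAL,
    "nurse": Level.HIGH,
    "attending_physician": Level.SEVERE,
    "ciso": Level.SEVERE,
}


@dataclass(frozen=True)
class Request:
    """One access or transfer request to be checked against the policy."""
    request_id: str
    role: str
    level: Level
    encrypted: bool        # is the data encrypted in transit?
    public_network: bool   # does the path cross a public network?


def is_confidential(level: Level) -> bool:
    return level >= LOWEST_CONFIDENTIAL


def evaluate(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Rules are applied in order and the first
    violated rule is reported, so the audit trail says why a request failed."""
    clearance = ROLE_CLEARANCE.get(req.role)
    if clearance is None:
        return False, "unknown role: no clearance assigned"
    if clearance < req.level:
        return False, f"clearance {clearance.name} below data level {req.level.name}"
    if not is_confidential(req.level):
        return True, "public information: no transport restriction"
    if req.public_network:
        return False, "confidential data must not be transmitted across public networks"
    if not req.encrypted:
        return False, "confidential data must be encrypted in transit"
    return True, "allowed"


def audit(requests: list[Request]) -> list[str]:
    """Produce one audit line per request, the record a policy owner reviews."""
    lines = []
    for req in requests:
        allowed, reason = evaluate(req)
        verdict = "ALLOW" if allowed else "DENY"
        lines.append(
            f"{req.request_id} {verdict} role={req.role} level={req.level.name} reason={reason}"
        )
    return lines


# Constructed sample requests covering each rule once.
SAMPLE_REQUESTS = [
    Request("r1", "guest", Level.PUBLIC, encrypted=False, public_network=True),
    Request("r2", "billing_clerk", Level.HIGH, encrypted=True, public_network=False),
    Request("r3", "nurse", Level.HIGH, encrypted=True, public_network=True),
    Request("r4", "nurse", Level.HIGH, encrypted=False, public_network=False),
    Request("r5", "attending_physician", Level.SEVERE, encrypted=True, public_network=False),
    Request("r6", "contractor", Level.INTERNAL, encrypted=True, public_network=False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_REQUESTS):
        print(line)
```

Running the block prints one ALLOW/DENY line per sample request; r1 and r5 are allowed, while r2 fails on clearance, r3 on the public-network rule, r4 on missing encryption and r6 because its role has no clearance assigned. The ordering of the checks matters: the clearance test comes first so that a denied request never reveals transport details to a requester who should not know the data exists.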

2.1.7 Security awareness training/behavior

According to Cassetto (2019), it is very important to share the IT security policies with the organization's employees. Conduct training sessions to inform employees of your security procedures and mechanisms, including data protection measures, access protection measures, and sensitive data classification.

  • Social engineering: place a special emphasis on the dangers of social engineering attacks (such as phishing emails). Make employees responsible for noticing, preventing and reporting such attacks.
  • Clean desk policy: secure laptops with a cable lock. Shred documents that are no longer needed. Keep printer areas clean so documents do not fall into the wrong hands.
  • Acceptable Internet usage policy: define how Internet use should be restricted. Do you allow YouTube, social media websites, etc.? Block unwanted websites using a proxy.

A perfect information security policy that no one follows is no better than having no policy at all. Employees need to be made to understand what is required of them. Training should be conducted to inform employees of security requirements, including data protection, data classification, access control and general cyber threats.

According to Tunggal (2020), security training should include:

  • Social engineering: training employees about phishing, spear phishing and other common social engineering cyber-attacks.
  • Clean desk policy: laptops should be taken home and documents should not be left on desks at the end of the work day.
  • Acceptable usage: what can employees use their work devices and Internet access for, and what is restricted?

2.1.8 Responsibilities, duties and rights of employees

According to Cassetto (2019), staff need to be appointed to carry out user access reviews, education, change management, incident management, implementation, and periodic updates of the security policy. Responsibilities should be clearly defined as part of the security policy.

This is where the information security policy is operationalized. This part of the information security policy needs to name the owners of the following areas of the security policy (Tunggal, 2020):

  • Security programs
  • Acceptable use policies
  • Network security
  • Physical security
  • Business continuity
  • Access management
  • Security awareness
  • Risk assessments
  • Incident response
  • Data security
  • Disaster recovery
  • Incident management

2.1.9 Other items an ISP (Information Security Policy) may include

Incident handling and response: specify what procedures to follow in the event of a security breach or incident. Include policies such as how to evaluate a security incident, how the incident should be reported, how the problem should be eradicated, and what key personnel your organization should engage in the process (Taylor, 2001).

Virus protection procedure, malware protection procedure, network intrusion detection procedure, remote work procedure, technical guidelines, consequences for non-compliance, physical security requirements, references to supporting documents, etc.

3.0 Requirements of Information Security Policy

Clear and practical Information Security Policies can help organizations improve their Information Security programmes. After designing and developing an Information Security Policy, an organization should frequently observe and address any variances that may arise in its Information Security assets. These intermittent observations can help organizations determine whether continual alteration in organizational structure or procedures influences the effectiveness of their Information Security Policies. Keeping organizational security objectives in mind, Information Security Policy compliance behavior should not hinder an organization in safeguarding data and information security (Alqahtani, 2017).

Documenting technical or administrative security processes requires scheduling the activities that together support the protection of business information. Designing such security processes involves two steps: first, identifying the processes the business needs, and second, mapping them onto existing business processes. This design work for new processes covers the specific security processes at the operational level; at the strategic and tactical levels, some general processes are required to govern and manage information security work. Some of these general processes, such as operational and risk management processes, have been discussed by Andersson et al. (2011), showing the transition from the strategic to the operational level (Dixit & Kumar, 2019).

4.0 Conclusion.

There is no single information security policy that fits all healthcare organizations. Each healthcare organization should develop its own information security policy, clearly defining its objectives and scope. Different levels of healthcare organization require different ISPs and, since this is entirely a management responsibility, the management of each healthcare organization should tailor an ISP that suits their organization.

Developing an ISP for a healthcare organization is the beginning of implementing control measures over access to patients’ information. It is important for healthcare organizations to remember that:

No healthcare organization can sustain its quality and reputation after losing patient trust. As such, the security of healthcare information systems should be a crucial concern to everyone within a healthcare organization.

5.0 REFERENCES

1. Alqahtani, F. H. (2017). Developing an information security policy: A case study approach. Procedia Computer Science, 124, 691-697. ISSN 1877-0509. https://doi.org/10.1016/j.procs.2017.12.206

2. Berra, Y. (n.d.). Security policies, standards and planning.

3. Cassetto, O. (2019). The 8 elements of an information security policy.

4. Clark, L., & Lin, B. (1994). Information control and security policy in health care information systems.

5. Dixit, R., & Kumar, P. (2019). Strategy for the development of information security policy document: A systematic literature review. Retrieved from https://www.iosrjen.org/Papers/Conf.19007-2019/Volume-1/6.%2021-28.pdf

6. Kostadinov, D. (2018). Key elements of an information security policy.

7. Taylor, L. (2001). Seven elements of highly effective security policies. Retrieved from https://www.zdnet.com/article/seven-elements-of-highly-effective-security-policies/

8. Techopedia. (n.d.). Information security policy.

9. Tunggal, A. T. (2020). What is an information security policy?


More articles by Millan Ochieng Otieno
