hb 174-2003 information security management - implementation guide for the health sector

7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector

1/14

1

Information security management

Implementation guide for the health sector


2/14

This Handbook was prepared by Committee IT-014, Health Informatics. It waspublished on 10 March 2003.

The following are represented on Committee IT-014:

Australian Association of Pathology Practices IncAustralian Health Insurance AssociationAustralian Information Industry AssociationAustralian Institute of Health and WelfareAustralian Institute of RadiographyAustralian Medical Association

Australian Private Hospitals AssociationAustralian and New Zealand College of Anaesthetists

Central Queensland UniversityCommonwealth Department of Health and AgeingConsumers Federation of AustraliaConsumers Health Forum of Australia

Department of Human Services, South AustraliaDepartment of Human Services, VictoriaGeneral Practice Computing GroupHealth Department of Western AustraliaHealth Information Management Association of AustraliaHealth Insurance Commission

Health Professions Council of AustraliaInstitution of Engineers AustraliaMedical Industry Association of Australia Inc

Medical Software Industry AssociationNew South Wales Health DepartmentNational Health Information Management Group

Pharmaceutical Society of AustraliaQueensland HealthRoyal Australian College of Medical AdministratorsRoyal College of Nursing, AustraliaRoyal College of Pathologists of AustraliaSociety of Hospital Pharmacists of Australia

The Pharmacy Guild of AustraliaThe Royal Australia and New Zealand College of RadiologistsThe University of Sydney

.


3/14

HB 1742003

Handbook

Information security managementImplementation guide for the healthsector

First published as HB 1742003.

COPYRIGHT

Standards Australia InternationalAll rights are reserved. No part of this work may be reproduced or copied in any form or by anymeans, electronic or mechanical, including photocopying, without the written permission of thepublisher.

Published by Standards Australia International LtdGPO Box 5420, Sydney, NSW 2001, Australia

ISBN 0 7337 4886 4


4/14

HB 1742003

Information Security Management

This page left intentionally blank


5/14

HB 1742003


3

Preface

The purpose of these guidelines is to interpret AS/NZS 17799:2001Information TechnologyCode of Practice for Information SecurityManagement, and apply this standard specifically to the interests and uniqueinformation security requirements of the Australian Health Sector. This

handbook provides a set of detailed controls, which may be considered

best practices in information security.

These guidelines have been developed by Standards Australia/StandardsNew Zealand Committee on Health Informatics Privacy & Security (IT-014-04) with assistance from various Australian health sector professionals. This

handbook has been developed to address the special considerations that arerequired for the health sector, with particular emphasis on individuals andsmall to medium sized health practitioners. Overall, the AS/NZS 17799

standard provides an excellent information security management strategy,but as this standard has been designed to encompass a broad range ofindustries and organisations, and of all sizes, the standard alone cannot be

targeted effectively or appropriately to the Health Sector.

The protection and security of information is of prime importance to allindividuals, government agencies and firms. For the Health Sector, there is

added emphasis on the requirements for confidentiality, privacy, integrityand availability. Naturally, all organisations, regardless of size, must havestringent controls in place for the protection of information. It is therefore

critical for an organisation to implement a suitable set of controls andprocedures to address information security, and once implemented, theorganisation must retain a pre-requisite level of security.

With increasing electronic exchange of patient information between HealthProviders, there is a clear benefit in adopting a common reference handbook

for information security management.

Not all of the controls described in this Standard will be relevant to everysituation. This guide cannot take account of local, environmental and

technological constraints, nor can it be presented in a form that iscompletely applicable to every Health Provider. Health Providers mustapply the recommendations to each of their unique circumstances.

In drafting this guide, we have assumed that a health service professional ora member of the supporting administration staff (and not necessarily an

information security professional) will most likely undertake the execution

of recommendations. For this reason, we have designed this guide such thatit appeals to health professionals and non-computing professionals and wehave ensured that the guide is clear, concise and easy to understand andinterpret. The content is therefore not of a highly technical nature.


6/14

HB 1742003


4

Our guidelines shall serve two fundamental objectives, specifically:

1. Guidance to ensure that patient privacy is maintained by securingpaper and electronic based health records and ensuring the long term

integrity and quality of this stored information.

2. Assistance in establishing an appropriate level of health information

security for your organisation as a whole.

By following these guidelines, in addition to undertaking an informationsecurity management best practice initiative, we aim to greatly assist yourhealth organisation in compliance with the Privacy Amendment (PrivateSector) Act 2000*, or your relevant state privacy legislation.

Application

This handbook has been written for health professionals seeking to conform

to the information security management specifications of the AS/NZS 17799standard. Whilst these guidelines are specifically focussed on individualsand small to medium sized health organisations, larger businesses andgovernment departments, who may have specialised information security orprivacy personnel, will also find these guidelines of significant use andbenefit.

Our intended audience may include, but is not limited to:

Health Consumers

Health Service Providers

Medical Centres

Public and Private Hospitals

Pharmacies

Information Repositories

Clinical Registries

Health Funders

Health Agencies

A glossary covering Computing, Security and Privacy terms and definitions

has been included. We recommend that all readers of the handbook makethemselves familiar with our definitions.

* More information about the Act can be obtained from the Federal Privacy Commission website.

www.privacy.gov.au. You will find specific information about how the Privacy Act may affect yourhealth business.


7/14

HB 1742003


5

For the purposes of this guide and in the context of the health sector, theAustralian Bureau of Statistics has provided the following definitionscovering small and medium businesses:

ASmallbusinessThis may range from small groups of people through

to businesses that operate with up to 20 staff members. Examples

include pharmacies and general medical practices.

A Medium businessThose businesses with staff members ofapproximately 20-199 people. Examples include small private hospitals,

medical facilities, and pathology practices.


8/14

HB 1742003


6

ContentsIntroduction ...................................................................................................8

1 Scope ................................................................................................. 11

2 Key Control 1: Information Security Policy ........................................ 12

2.1 What should be included in an Information Security Policy?.... 12

2.2 The need for supporting policies and procedures ...................... 13

3 Key Control 2: Security Organisation.................................................. 15

3.1 Who should manage the Health Information Security in mybusiness? .................................................................................. 15

3.2 Third party access to data ......................................................... 16

3.3 What if I outsource? ................................................................. 16

4 Key Control 3: Asset Classification and Control ................................. 18

4.1 What assets does a health business own? .................................. 18

4.2 Identification of custodiansthe information caretaker! .......... 19

4.3 What is the value of information classification? ....................... 20

4.4 How do I classify information?................................................. 20

4.5 Labelling my information ......................................................... 23

4.6 Risks to Information..................... ............................................ 23

5 Key Control 4: Personnel Security ...................................................... 27

5.1 Informing staff of their security responsibilities ....................... 27

5.2 What considerations should I make when recruiting staff? ....... 27

5.3 Information security education, training and awareness............ 29

5.4 Responding to security incidents .............................................. 29

6 Key Control 5: Physical and Environmental Security .......................... 32

6.1 What is Physical Security? ....................................................... 32

6.2 How do I protect my premises? ................................................ 336.3 How do I protect my equipment?.............................................. 33

6.4 How do I protect my most critical equipment?.......................... 33

6.5 Environmental Security ............................................................ 36

7 Key Control 6: Communications and operations management............. 39

7.1 The Importance of maintaining data integrity ........................... 39

7.2 Controlling system and reference information changes............. 39

7.3 What is Malicious Code?.......................................................... 40

7.4 The Back up of Information...................................................... 42

7.5 What is Network Management?................................................ 43


9/14

HB 1742003


7

7.6 When and how should we exchange information? .................... 44

7.7 e-Health Security...................................................................... 46

7.8 Security of electronic mail ........................................................ 47

8 Key Control 7: Access Control............................................................ 49

8.1 What is access control?............................................................. 49

8.2 What methods can I use to control access? ............................... 51

8.3 Controlling access to your PC or laptop....................................52

8.4 Controlling access to your network or mainframe..................... 52

8.5 Remote Access ......................................................................... 54

8.6 The need for a firewall.............................................................. 55

8.7 Cryptographic controls ............................................................. 56

9 Key Control 8: Business Continuity Management ............................... 59

9.1 What is Business Continuity Management?.............................. 59

9.2 What can go wrong?................................................................. 59

9.3 The need for a plan!.................................................................. 60

9.4 What should be included in the plan? ....................................... 61

10 Key Control 9: Compliance ................................................................. 64

10.1 Compliance with legal requirements......................................... 64

10.2 Professional Codes of Conduct................................................. 68

APPENDICES

A Public Key Infrastructure: PKI ............................................................ 74

B Outsourcing Contract Considerations .................................................. 76

C Sample confidentiality agreement........................................................ 77

D Risk Matrix Template.......................................................................... 80

E Roles and Responsibilities................................................................... 81

F References........................................................................................... 83


10/14

HB 1742003


8

Introduction

What is Health Information Security?

Health Information is an important asset for Health Providers, and this asset

needs to be adequately protected. The primary focus of Health InformationSecurity relates to the protection and safeguarding of patient informationand the requirement to protect the privacy of patients. In addition, HealthProviders must ensure that information is accurate and available wheneverrequired.

Information may exist in many forms. From the perspective of the Health

Sector, information is not necessarily only words and numbers, but this mayalso extend to photographs, drawings, video footage, slides, and x-rays.Information can be printed or written, stored electronically, transmitted bypost or using electronic means, shown on film or spoken as part of normalconversation. Whatever form the information takes, or means by which it isshared or stored, the information should always be appropriately protected.

In essence, the protection of information involves the preservation of thefollowing:

Confidentialityinformation should only be accessible and available tothose authorised to have access.

Integrityinformation should be stored, used, transferred and retrievedin manners such that there is confidence that the information has notbeen tampered with or modified other than as authorised.

Availabilityensures that information is accessible to authorisedindividuals when and where required.

It is important to note that there are differences between privacy and

confidentiality. Privacy is concerned with information handling processes ofpersonal and sensitive information. Privacy deals with ensuring that thisinformation is not disclosed for any purpose other than for which it was collected,

without appropriate consent.

How do I secure my health information?Information security is achieved by implementing a suitable set of controls.

A control may constitute a policy, a practice, a set of procedures, or perhapsa software function. These controls need to be established in order to ensurethat the specific security objectives of the organisation are met. Although at

first this may appear daunting, this handbook will help you to understandwhat controls are available and how they may be implemented. By readingthis handbook you will be in a position to better understand theinformation that you are protecting and then you will be able to selectthose controls appropriate for providing protection in your unique healthenvironment.


11/14

HB 1742003


9

Information security is particularly important within the Health Sectorbecause of the ramifications for patients and providers when security isbreached. If information is disclosed, accessed incorrectly, tampered with or

lost the consequences for a patient may be life threatening. Furthermore,unauthorised access to patient information may be illegal, may compromisepatient confidence or may result in a loss of reputation for the health

provider.

How do I use these Guidelines?

What Controls Do I Need?

An organisation cannot address information security concerns withoutpossessing a basic understanding and awareness of the threats, risks andvulnerabilities. This may be a simple process, but no matter how small yourorganisation, you should perform a risk assessment. From this assessment,

your security requirements may be identi fied and controls can be selected

and implemented to ensure that risks are reduced to an acceptable level.

It will be evident that there are many different ways of securing your healthinformation and this handbook provides examples of common approachesthat are applicable. However, it is necessary to recognise that some of thecontrols are not applicable to every information system or environment, and

might not be practicable for all health professionals. This will beparticularly evident if you are an individual or work in a small healthpractice.

As there has been an increase in the amount of health information that isstored and transmitted in electronic format and the ease and speed of

dissemination has increased, your organisation must implement adequatemechanisms to ensure the protection of information. Special care needs to bedemonstrated in the area of email, which has become a common medium for

the dissemination of health information. Email has inherent security risks.Unless you send an email in encrypted form, it is like sending a postcard. Itis available to be read by anybody it passes through, or intercepts.

The specific of this guide is to address the 10 key areas of informationsecurity controls of AS/NZS 17799 and to interpret these in a context that isapplicable to Health Organisations. For each control addressed in theAS/NZS 17799 Standards there will be a corresponding sub-sectionrecommending appropriate actions*. As appropriate, controls may therefore

be selected from this handbook or new controls can be designed to meet thespecific needs of your organisation. For some of the key controls there maybe multiple controls that will be applicable. Users of this handbook will be

able to read each key control chapter and decide on the applicability to theirorganisation. The 10 key controls of AS/NZS 17799 include:

1. Security Policy

2. Security Organisation

3. Asset Classification and Control

4. Personnel Security

5. Physical and Environmental Security

* The key control system development and maintenance has not been given its own sub-section, it has

been incorporated within the other key controls.


12/14

HB 1742003


10

6. Communications and Operations Management

7. Access Control

8. System Development and Maintenance

9. Business Continuity Management

10. Compliance


13/14

HB 1742003


Standards Australia 11

1 ScopeThese guidelines provide direction for all health service providers toundertake best practice strategies to secure information. The review andinterpretation is based upon the Information Security Management standardAS/NZS 17799. The intention of this Handbook is that it is to be used as a

document for the initiation, implementation and maintenance of informationsecurity measures within a health business.

The focus of this handbook is aimed towards small to medium sized healthcare providers, and not Information Technology professionals. Therefore the

AS/NZS 17799 key control area of Systems Development and Maintenancehas not been given its own sub-section.

Health care providers who are the custodians of confidential informationmust ensure that information is effectively protected against improper

disclosure, modification and use. This guide outlines effective securitymanagement practices to provide confidence in inter-health organisationaldealings.


14/14

This is a free preview. Purchase the entire publication at the link below:

Looking for additional Standards? Visit SAI Global Infostore

Subscribe to ourFree Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more

Do you need to Manage Standards Collections Online?

Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation

Do you want to know when a Standard has changed?

Want to become an SAI Global Standards Sales Affiliate?

Learn about other SAI Global Services:

LOGICOM Military Parts and Supplier DatabaseMetals Infobase Database of Metal Grades, Standards and Manufacturers

Materials Infobase Database of Materials, Standards and Suppliers

Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us

HB 174-2003, Information security management -Implementation guide for the health sector
http://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/Details.aspx?ProductId=568742&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSites

hb 174-2003 information security management - implementation guide for the health sector

Documents