hb 174-2003 information security management - implementation guide for the health sector
TRANSCRIPT
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
1/14
1
Information security management
Implementation guide for the health sector
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
2/14
This Handbook was prepared by Committee IT-014, Health Informatics. It waspublished on 10 March 2003.
The following are represented on Committee IT-014:
Australian Association of Pathology Practices IncAustralian Health Insurance AssociationAustralian Information Industry AssociationAustralian Institute of Health and WelfareAustralian Institute of RadiographyAustralian Medical Association
Australian Private Hospitals AssociationAustralian and New Zealand College of Anaesthetists
Central Queensland UniversityCommonwealth Department of Health and AgeingConsumers Federation of AustraliaConsumers Health Forum of Australia
Department of Human Services, South AustraliaDepartment of Human Services, VictoriaGeneral Practice Computing GroupHealth Department of Western AustraliaHealth Information Management Association of AustraliaHealth Insurance Commission
Health Professions Council of AustraliaInstitution of Engineers AustraliaMedical Industry Association of Australia Inc
Medical Software Industry AssociationNew South Wales Health DepartmentNational Health Information Management Group
Pharmaceutical Society of AustraliaQueensland HealthRoyal Australian College of Medical AdministratorsRoyal College of Nursing, AustraliaRoyal College of Pathologists of AustraliaSociety of Hospital Pharmacists of Australia
The Pharmacy Guild of AustraliaThe Royal Australia and New Zealand College of RadiologistsThe University of Sydney
.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
3/14
HB 1742003
Handbook
Information security managementImplementation guide for the healthsector
First published as HB 1742003.
COPYRIGHT
Standards Australia InternationalAll rights are reserved. No part of this work may be reproduced or copied in any form or by anymeans, electronic or mechanical, including photocopying, without the written permission of thepublisher.
Published by Standards Australia International LtdGPO Box 5420, Sydney, NSW 2001, Australia
ISBN 0 7337 4886 4
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
4/14
HB 1742003
Information Security Management
This page left intentionally blank
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
5/14
HB 1742003
Information Security Management
3
Preface
The purpose of these guidelines is to interpret AS/NZS 17799:2001Information TechnologyCode of Practice for Information SecurityManagement, and apply this standard specifically to the interests and uniqueinformation security requirements of the Australian Health Sector. This
handbook provides a set of detailed controls, which may be considered
best practices in information security.
These guidelines have been developed by Standards Australia/StandardsNew Zealand Committee on Health Informatics Privacy & Security (IT-014-04) with assistance from various Australian health sector professionals. This
handbook has been developed to address the special considerations that arerequired for the health sector, with particular emphasis on individuals andsmall to medium sized health practitioners. Overall, the AS/NZS 17799
standard provides an excellent information security management strategy,but as this standard has been designed to encompass a broad range ofindustries and organisations, and of all sizes, the standard alone cannot be
targeted effectively or appropriately to the Health Sector.
The protection and security of information is of prime importance to allindividuals, government agencies and firms. For the Health Sector, there is
added emphasis on the requirements for confidentiality, privacy, integrityand availability. Naturally, all organisations, regardless of size, must havestringent controls in place for the protection of information. It is therefore
critical for an organisation to implement a suitable set of controls andprocedures to address information security, and once implemented, theorganisation must retain a pre-requisite level of security.
With increasing electronic exchange of patient information between HealthProviders, there is a clear benefit in adopting a common reference handbook
for information security management.
Not all of the controls described in this Standard will be relevant to everysituation. This guide cannot take account of local, environmental and
technological constraints, nor can it be presented in a form that iscompletely applicable to every Health Provider. Health Providers mustapply the recommendations to each of their unique circumstances.
In drafting this guide, we have assumed that a health service professional ora member of the supporting administration staff (and not necessarily an
information security professional) will most likely undertake the execution
of recommendations. For this reason, we have designed this guide such thatit appeals to health professionals and non-computing professionals and wehave ensured that the guide is clear, concise and easy to understand andinterpret. The content is therefore not of a highly technical nature.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
6/14
HB 1742003
Information Security Management
4
Our guidelines shall serve two fundamental objectives, specifically:
1. Guidance to ensure that patient privacy is maintained by securingpaper and electronic based health records and ensuring the long term
integrity and quality of this stored information.
2. Assistance in establishing an appropriate level of health information
security for your organisation as a whole.
By following these guidelines, in addition to undertaking an informationsecurity management best practice initiative, we aim to greatly assist yourhealth organisation in compliance with the Privacy Amendment (PrivateSector) Act 2000*, or your relevant state privacy legislation.
Application
This handbook has been written for health professionals seeking to conform
to the information security management specifications of the AS/NZS 17799standard. Whilst these guidelines are specifically focussed on individualsand small to medium sized health organisations, larger businesses andgovernment departments, who may have specialised information security orprivacy personnel, will also find these guidelines of significant use andbenefit.
Our intended audience may include, but is not limited to:
Health Consumers
Health Service Providers
Medical Centres
Public and Private Hospitals
Pharmacies
Information Repositories
Clinical Registries
Health Funders
Health Agencies
A glossary covering Computing, Security and Privacy terms and definitions
has been included. We recommend that all readers of the handbook makethemselves familiar with our definitions.
* More information about the Act can be obtained from the Federal Privacy Commission website.
www.privacy.gov.au. You will find specific information about how the Privacy Act may affect yourhealth business.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
7/14
HB 1742003
Information Security Management
5
For the purposes of this guide and in the context of the health sector, theAustralian Bureau of Statistics has provided the following definitionscovering small and medium businesses:
ASmallbusinessThis may range from small groups of people through
to businesses that operate with up to 20 staff members. Examples
include pharmacies and general medical practices.
A Medium businessThose businesses with staff members ofapproximately 20-199 people. Examples include small private hospitals,
medical facilities, and pathology practices.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
8/14
HB 1742003
Information Security Management
6
ContentsIntroduction ...................................................................................................8
1 Scope ................................................................................................. 11
2 Key Control 1: Information Security Policy ........................................ 12
2.1 What should be included in an Information Security Policy?.... 12
2.2 The need for supporting policies and procedures ...................... 13
3 Key Control 2: Security Organisation.................................................. 15
3.1 Who should manage the Health Information Security in mybusiness? .................................................................................. 15
3.2 Third party access to data ......................................................... 16
3.3 What if I outsource? ................................................................. 16
4 Key Control 3: Asset Classification and Control ................................. 18
4.1 What assets does a health business own? .................................. 18
4.2 Identification of custodiansthe information caretaker! .......... 19
4.3 What is the value of information classification? ....................... 20
4.4 How do I classify information?................................................. 20
4.5 Labelling my information ......................................................... 23
4.6 Risks to Information..................... ............................................ 23
5 Key Control 4: Personnel Security ...................................................... 27
5.1 Informing staff of their security responsibilities ....................... 27
5.2 What considerations should I make when recruiting staff? ....... 27
5.3 Information security education, training and awareness............ 29
5.4 Responding to security incidents .............................................. 29
6 Key Control 5: Physical and Environmental Security .......................... 32
6.1 What is Physical Security? ....................................................... 32
6.2 How do I protect my premises? ................................................ 336.3 How do I protect my equipment?.............................................. 33
6.4 How do I protect my most critical equipment?.......................... 33
6.5 Environmental Security ............................................................ 36
7 Key Control 6: Communications and operations management............. 39
7.1 The Importance of maintaining data integrity ........................... 39
7.2 Controlling system and reference information changes............. 39
7.3 What is Malicious Code?.......................................................... 40
7.4 The Back up of Information...................................................... 42
7.5 What is Network Management?................................................ 43
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
9/14
HB 1742003
Information Security Management
7
7.6 When and how should we exchange information? .................... 44
7.7 e-Health Security...................................................................... 46
7.8 Security of electronic mail ........................................................ 47
8 Key Control 7: Access Control............................................................ 49
8.1 What is access control?............................................................. 49
8.2 What methods can I use to control access? ............................... 51
8.3 Controlling access to your PC or laptop....................................52
8.4 Controlling access to your network or mainframe..................... 52
8.5 Remote Access ......................................................................... 54
8.6 The need for a firewall.............................................................. 55
8.7 Cryptographic controls ............................................................. 56
9 Key Control 8: Business Continuity Management ............................... 59
9.1 What is Business Continuity Management?.............................. 59
9.2 What can go wrong?................................................................. 59
9.3 The need for a plan!.................................................................. 60
9.4 What should be included in the plan? ....................................... 61
10 Key Control 9: Compliance ................................................................. 64
10.1 Compliance with legal requirements......................................... 64
10.2 Professional Codes of Conduct................................................. 68
APPENDICES
A Public Key Infrastructure: PKI ............................................................ 74
B Outsourcing Contract Considerations .................................................. 76
C Sample confidentiality agreement........................................................ 77
D Risk Matrix Template.......................................................................... 80
E Roles and Responsibilities................................................................... 81
F References........................................................................................... 83
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
10/14
HB 1742003
Information Security Management
8
Introduction
What is Health Information Security?
Health Information is an important asset for Health Providers, and this asset
needs to be adequately protected. The primary focus of Health InformationSecurity relates to the protection and safeguarding of patient informationand the requirement to protect the privacy of patients. In addition, HealthProviders must ensure that information is accurate and available wheneverrequired.
Information may exist in many forms. From the perspective of the Health
Sector, information is not necessarily only words and numbers, but this mayalso extend to photographs, drawings, video footage, slides, and x-rays.Information can be printed or written, stored electronically, transmitted bypost or using electronic means, shown on film or spoken as part of normalconversation. Whatever form the information takes, or means by which it isshared or stored, the information should always be appropriately protected.
In essence, the protection of information involves the preservation of thefollowing:
Confidentialityinformation should only be accessible and available tothose authorised to have access.
Integrityinformation should be stored, used, transferred and retrievedin manners such that there is confidence that the information has notbeen tampered with or modified other than as authorised.
Availabilityensures that information is accessible to authorisedindividuals when and where required.
It is important to note that there are differences between privacy and
confidentiality. Privacy is concerned with information handling processes ofpersonal and sensitive information. Privacy deals with ensuring that thisinformation is not disclosed for any purpose other than for which it was collected,
without appropriate consent.
How do I secure my health information?Information security is achieved by implementing a suitable set of controls.
A control may constitute a policy, a practice, a set of procedures, or perhapsa software function. These controls need to be established in order to ensurethat the specific security objectives of the organisation are met. Although at
first this may appear daunting, this handbook will help you to understandwhat controls are available and how they may be implemented. By readingthis handbook you will be in a position to better understand theinformation that you are protecting and then you will be able to selectthose controls appropriate for providing protection in your unique healthenvironment.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
11/14
HB 1742003
Information Security Management
9
Information security is particularly important within the Health Sectorbecause of the ramifications for patients and providers when security isbreached. If information is disclosed, accessed incorrectly, tampered with or
lost the consequences for a patient may be life threatening. Furthermore,unauthorised access to patient information may be illegal, may compromisepatient confidence or may result in a loss of reputation for the health
provider.
How do I use these Guidelines?
What Controls Do I Need?
An organisation cannot address information security concerns withoutpossessing a basic understanding and awareness of the threats, risks andvulnerabilities. This may be a simple process, but no matter how small yourorganisation, you should perform a risk assessment. From this assessment,
your security requirements may be identi fied and controls can be selected
and implemented to ensure that risks are reduced to an acceptable level.
It will be evident that there are many different ways of securing your healthinformation and this handbook provides examples of common approachesthat are applicable. However, it is necessary to recognise that some of thecontrols are not applicable to every information system or environment, and
might not be practicable for all health professionals. This will beparticularly evident if you are an individual or work in a small healthpractice.
As there has been an increase in the amount of health information that isstored and transmitted in electronic format and the ease and speed of
dissemination has increased, your organisation must implement adequatemechanisms to ensure the protection of information. Special care needs to bedemonstrated in the area of email, which has become a common medium for
the dissemination of health information. Email has inherent security risks.Unless you send an email in encrypted form, it is like sending a postcard. Itis available to be read by anybody it passes through, or intercepts.
The specific of this guide is to address the 10 key areas of informationsecurity controls of AS/NZS 17799 and to interpret these in a context that isapplicable to Health Organisations. For each control addressed in theAS/NZS 17799 Standards there will be a corresponding sub-sectionrecommending appropriate actions*. As appropriate, controls may therefore
be selected from this handbook or new controls can be designed to meet thespecific needs of your organisation. For some of the key controls there maybe multiple controls that will be applicable. Users of this handbook will be
able to read each key control chapter and decide on the applicability to theirorganisation. The 10 key controls of AS/NZS 17799 include:
1. Security Policy
2. Security Organisation
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environmental Security
* The key control system development and maintenance has not been given its own sub-section, it has
been incorporated within the other key controls.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
12/14
HB 1742003
Information Security Management
10
6. Communications and Operations Management
7. Access Control
8. System Development and Maintenance
9. Business Continuity Management
10. Compliance
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
13/14
HB 1742003
Information Security Management
Standards Australia 11
1 ScopeThese guidelines provide direction for all health service providers toundertake best practice strategies to secure information. The review andinterpretation is based upon the Information Security Management standardAS/NZS 17799. The intention of this Handbook is that it is to be used as a
document for the initiation, implementation and maintenance of informationsecurity measures within a health business.
The focus of this handbook is aimed towards small to medium sized healthcare providers, and not Information Technology professionals. Therefore the
AS/NZS 17799 key control area of Systems Development and Maintenancehas not been given its own sub-section.
Health care providers who are the custodians of confidential informationmust ensure that information is effectively protected against improper
disclosure, modification and use. This guide outlines effective securitymanagement practices to provide confidence in inter-health organisationaldealings.
-
7/31/2019 HB 174-2003 Information Security Management - Implementation Guide for the Health Sector
14/14
This is a free preview. Purchase the entire publication at the link below:
Looking for additional Standards? Visit SAI Global Infostore
Subscribe to ourFree Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more
Do you need to Manage Standards Collections Online?
Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation
Do you want to know when a Standard has changed?
Want to become an SAI Global Standards Sales Affiliate?
Learn about other SAI Global Services:
LOGICOM Military Parts and Supplier DatabaseMetals Infobase Database of Metal Grades, Standards and Manufacturers
Materials Infobase Database of Materials, Standards and Suppliers
Database of European Law, CELEX and Court Decisions
Need to speak with a Customer Service Representative - Contact Us
HB 174-2003, Information security management -Implementation guide for the health sector
http://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/Details.aspx?ProductId=568742&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSites