Information Security Guidelines for ABC Hospital - Research Paper Example

In the context of protecting information security, three fundamental factors must be considered to make use of digitized information effectively i.e. Confidentiality, Integrity, and Availability. As there is a requirement of protecting this digital information internally and externally, the policy is a control that provides necessary steps, procedures, and processes to protect information. These are also considered high-level statements derived from the board of the organization. The policy is considered to be an essential tool for any organization, as it leverages management intent and defines high-level objectives. However, information security policy is customized from company to company and department to department. Different factor that may influence tailoring the policy includes organization size, dependence on information systems, regulatory compliance, and information classification scheme. Addressing all issues related to information security via a single policy is not possible, however, to cover all aspects related to information security, a set of information security policy documents focusing on different groups of employees within the organization is more suitable. This paper will discuss different factors that must be taken into account when constructing and maintaining an information security policy. However, there are many methods available for constructing an information security policy, the initial step before adopting any one of the methods is to identify the current maturity level of the policy construction process within the organization. The outputs will be either no information security policy development process in place or there is an extensive policy development process exists.
Information security training and awareness are initially evaluated, as the determination of training requirements for the organization is required on an initial basis. Likewise, the training and awareness program is initiated by conducting interviews with key stakeholders and business owners. These training and awareness sessions are focused on identifying security and training requirements. Moreover, types of awareness and training are also identified, as requirements for a hospital will differ as compared to a health insurance company. Furthermore, there is a requirement of measuring the current maturity among employees of the hospital for making the training and awareness session more precise and focused. If the current awareness and training maturity are measured, considerations for further improvement are carried out. For instance, NIST awareness and training models can be implemented that are meant for dividing groups of savvy and non-savvy users.
Procedures and responsibilities for evaluating awareness and training programs in the hospital are carried out by a chief information security officer or information security manager. HIPAA (Health Insurance Portability and Accountability Act) focuses on Health care access, portability and renewability, and prevention of healthcare fraud and abuse. It is one of the primary responsibilities of the information security manager to incorporate HIPAA complaint procedures within each department of the hospital. However, procedures vary from organization to organization, as the IT infrastructure is not the same. Moreover, the incorporation of user access logs, audit trails, and defined responsibilities also fall under the responsibilities of a security manager. Security metrics can be defined to monitor and measure policy violations for each control objective that is put in place. As the data classification is already in place, it is the responsibility of the information security manager to decide the methodology for providing access to systems, applications, and data.
Security Policy
Security policies are considered administrative controls that are acknowledged and enforced in an organization. Apart from employees of the organization, trade partners, and third parties such as contractors must sign a non-disclosure or confidentiality agreement and understand the security practices. Policy enforcement is critical, as it delivers a strong message to the organizational staff to follow the security policy or else policy violation will lead to disciplinary actions and maybe terminations of employment. For maintaining policy for each department of the hospital, the following processes are carried out:
1. What to do if a security breach of confidentiality has taken place?
2. To whom the confidentiality breach is reportable?
3. What is the process of investigating and reviewing the confidentiality breach?
4. The process of sharing and discussing the breach with the victim i.e. the patient, the staff who identified the breach, the staff who carried out this breach, and the staff’s supervisor
5. What is the procedure for punishing the breach
6. Procedure for monitoring and reporting overall activity of the breach
It is necessary to enforce compliance with the policy. However, the level of strictness must not be too high otherwise it may subject to a higher cost of ownership i.e. more resources may be required to enforce a policy (Isaca, 3).

Punishment for this level incorporates verbal warnings, training and awareness, and termination of employment if the employee repeats mistakes.
Level II
Level II is associated with an intentional breach where patient records are accessed for no legitimate or business reason. Likewise, this may lead to accessing friends' or relatives’ records and illegitimately exposing patient information. This security breach incorporates a written warning for the first time and termination of employment for the same repeated offense.
Level III
Level III is associated with a planned security breach and on purpose. This may include accessing a patient’s record and using it for personal objectives. Level III violations incorporate immediate termination of employment. Read More