Information Technology Policies of the Healthcare Setting


The primary goal of this document is to delineate the information and communication technology (ICT) procedures of the healthcare setting as well as the framework for communicating, reinforcing, and implementing these policies. The hospital consists of approximately 150 employees, including healthcare practitioners, ancillary workers, the administrative unit, and IT workers. This policy document has been created to establish and support the minimal requirements deemed essential in safeguarding assets, including data, against improper disclosure, unintentional or unauthorized access, destruction, modification, and unavailability. This will be done to uphold the sensitivity, value, and criticality of the hospital's operations and the safety of its clients.

The assets protected under these guidelines include software, hardware, and data, including populace and patient health information (PHI). The stipulations contained in this document apply to all employees as well as contractors and vendors working in partnership with the healthcare setting or those who access the institution's computing platforms remotely. By developing a practical and feasible policy system and using the recommended policy establishment procedure, the hospital aims to gain significant volitional compliance.

Policy Orientation

Vision

To implement sophisticated decisions promptly with feasible security procedures for safeguarding PHI and health systems.

Mission

The policy's mission is to surpass expectations in the application and adherence to the hospital's internal security merits. We intend to provide quality protection to our clients by offering reliable healthcare services without subjecting them and the organization to cyber-related security threats.

Policy Objectives

  • To offer users appropriate guidance regarding the utilization of various data and its associated assets within the healthcare setting.
  • To foster the implementation of proper data security management systems in the healthcare facility with clearly established responsibilities and roles.
  • To reinforce the adequate protection of the institution's data assets and avoid infringements of any contractual, regulatory, statutory, and legislative obligations.
  • To ensure that the healthcare facility's employees understand their duties and are suited to their assigned roles, and to minimize threats linked to the misuse of resources, fraud, and human error.
  • To promote the secure dissemination, storage, and processing of health data through proper planning, network management, media handling, change management, backups, and operating processes.

Acceptable Use

Password Use

  • Users will not keep password copies in any electronic or written form. However, passwords of essential accounts may be saved securely.
  • Users must change passwords in instances where there is evidence of potential password or system compromise.
  • Users are required to change passwords at regular 90-day intervals, or more frequently according to the access period.
  • Users will change temporary passwords upon the initial login.
  • It is recommended that users do not include passwords in automated login procedures.
  • Users are warned against sharing their passwords with other individuals.
  • Users must ensure that they have no audience when entering their respective passwords.

Password Construction

  • Users will select passwords that are hard to guess but easy to recall. The chosen password should be at least eight characters long and consist of a blend of numerals, capital letters, and special characters (e.g., ! @ #).
  • Do not utilize number or word patterns or sequences such as 122333411 or aabbcc.
  • A user's workplace password should not be similar to their non-work-related passwords.

Anti-Virus

  • Anti-virus software will be installed on all laptops and workstations; it should be running and be updated regularly. A corporate anti-virus product will be installed across the healthcare setting's appropriate electronic devices.
  • All hosts utilized by employees and connected to the hospital's Extranet/Intranet/Internet, irrespective of their ownership, must have the sanctioned virus-scanning software with an up-to-date virus database, except in instances where the device has been exempted by group or departmental policy.
  • Users are warned against modifying the anti-virus settings.
  • Users are advised against disabling or changing the anti-virus agent or its delineated settings upon installation.
  • Users should not interrupt the automatic virus scan programmed on their desktop.
  • Any virus detected by users should be reported to the reporting head or manager of their unit, as per the required protocol, or to the system administrators.
  • Extreme caution should be observed when accessing email attachments from unidentified senders, which could contain Trojan horse code, email bombs, or viruses.

Internet Usage

Users will not access or use the Internet for non-official purposes. Personal internet usage shall be limited to news, knowledge, and educational sites. Visiting unethical, offensive, and non-business sites which contravene security policies shall be strictly avoided.

Users will not utilize Internet facilities to:

  • Disseminate or download malicious tools or software or intentionally spread any virus.
  • Infringe any license or copyright agreement by distributing or downloading safeguarded material.
  • Upload data, software, or files belonging to the hospital to any website on the Internet without the consent of the organization.
  • Share any sensitive or confidential hospital information with any website on the Internet unless sanctioned by management or superiors.
  • Post any hospital proprietary data online, on bulletin boards, newsgroups, public forums, or shared briefcases/drives. This is strictly proscribed. Any contravention will be liable for disciplinary actions, including lawful consequences.
  • In case of Internet access misuse, the responsible user's Internet access shall be terminated by sanctioned personnel and disciplinary actions taken.
  • Users shall ensure that security on the Internet browser is activated or enabled according to these guidelines: (1) browsers must be configured not to remember passwords of web applications, and (2) browser security settings should be set to medium.
  • The hospital reserves the entitlement to review and track users' Internet usage to ensure policy compliance. Monitoring will be sanctioned by the IT Security Officer.

Email Usage

  • Email is a communication tool for business operations, and users should utilize this tool in a lawful, effective, and responsible manner.
  • Users must adhere to the hospital's email policy regarding effective and proper email utilization.
  • Users will archive their emails regularly and safeguard their accounts on the hospital's server using strong passwords and will not communicate their passwords to any other individual.
  • Users are required to report all suspicious security issues or vulnerabilities noticeable within their email system promptly and to the appointed system administrators.
  • The hospital has the right to disclose, intercept, or help in disclosing or intercepting conversations via email to ensure users abide by the organization's policies.
  • Users are required to use only email accounts provided by the hospital to convey official information.
  • Users will avoid the forging or unsanctioned utilization of email header data.
  • The healthcare facility reserves the authority to track email messages.

Cloud-based Database Storage

The hospital's cloud-based data storage system shall not be accessed for the purpose of health information exchange, manipulation, or storage without the IT security manager's consent.

Data Management and Security Personnel

The Commitment of the Management to Data Security

  • The hospital shall develop an IT security monitoring forum (ITSMF) comprising senior administrative or leadership representatives from various units and functions.
  • The ITSMF team will review the hospital's IT security policies quarterly or as needed, and the meeting minutes will be recorded and preserved appropriately.
  • ITSMF meetings shall be conducted twice annually to review the appropriateness of the data security policy implementation.
  • ITSMF will ensure the adequate or sufficient allocation of resources for data security projects.
  • The ITSMF will create an IT security implementation team to aid in the application of these procedures.
  • In collaboration with the IT security officer, the ITSMF will oversee the maintenance and implementation of IT security controls and policy implementation.
  • ITSMF gatherings will be held quarterly to facilitate the reviewing and assessment of IT security cases and endorse effective preventive or corrective actions.
  • The ITSMF group shall employ strategies that facilitate regular data security training, education, and awareness among workers within the healthcare setting.

Designation of IT Security Roles

  • The ITSMF team will be tasked with assigning data security responsibilities and roles. The hospital's IT security manager will coordinate and oversee all data security operations within the healthcare setting.
  • The IT security officer will be tasked with preparing, disseminating, and maintaining IT-related procedures and pertinent policies. He/she shall ensure that all business process assets are recorded with a distinguished owner.
  • The IT security manager, in coordination with asset owners, will be tasked with distinguishing and evaluating asset-related risks at least once annually.
  • The HIT unit shall sanction the acquisition of brand-new data processing equipment.
  • The management unit heads, in coordination, will authorize software and hardware following the assessment of their compatibility or congruence with other pre-existing systems and security control requirements.
  • The legal unit's approval will be crucial in the acquisition procedure to facilitate compliance with statutory requirements for new IT processing equipment.
  • The IT security officer will sanction the utilization of privately or individually-owned data processing tools for processing the organization's business data.

Confidentiality Treaties

  • The HIT and human resource (HR) team will create confidentiality consent forms.
  • The HR manager will oversee the signing of confidentiality treaties by third-party institutions and workers prior to allowing access to sensitive data or pertinent data processing equipment.
  • The head of the hospital's legal unit will ensure the non-disclosure and confidentiality consents conform to all applicable legislation, e.g., the HIPAA (Health Insurance Portability and Accountability Act) (Health information privacy, 2018).

The Protection of Pertinent Software and Hardware

Network Security Management

  • Networks will be controlled and managed adequately to ensure that they are safe from threats and to reinforce the safety of applications and systems utilizing the network, including data in transit.
  • General network activities management will be distinctly allocated to an individual. The duty for executing specific tasks will be allotted to individuals capable of performing them adequately.
  • The likelihood of staff interfering with the network's operation by malicious intent or error will be minimized by separating the responsibilities of team members operating the network, ensuring that all employees sign confidentiality and non-disclosure treaties, and organizing tasks to reduce the possibility of unsanctioned data modification, error, fraud, or theft.

Network Service Security

  • The IT security manager will oversee the implementation of adequate technology controls while acquiring network and security services from pertinent service providers.
  • The IT security manager will ensure that these controls conform to the data availability, integrity, and confidentiality stipulations during information transmission between the service provider and client.
  • The IT security manager will also oversee the signing of operational level agreements by units providing security and network services.
  • The IT security officer will track the services offered by these departments regularly. Preventive and corrective actions will be conducted to ensure these units perform as stipulated in the agreement.

Data Exchange Guidelines and Policies

  • Effective controls will be applied to safeguard against malicious codes during electronic data transmission.
  • Approaches such as the use of passwords or encryption will be used to protect classified or sensitive information, particularly when being dispatched as an attachment via email. HIT systems and email messaging will be safeguarded adequately, as per their vulnerabilities.
  • Disposal procedures will be applied during the destruction of sensitive data.

End-users are advised not to:

  • Leave classified data unattended at printers and scanners.
  • Auto-forward emails, especially to external IDs.
  • Leave classified information on answering machines or voicemail.

Wireless Communication

  • Testing of wireless routers will be done before their selection.
  • WAPs (Wireless Access Points) within the hospital's networks will not be utilized by third parties unless necessary and following authorization by the IT security manager.
  • All wireless network access will be reinforced with a robust authentication approach to block unauthorized users.
  • The wireless devices' SSID will be configured so that it does not indicate or contain any data regarding the healthcare setting, its personnel, or its units.
  • Due to the vulnerabilities of WEP and WPA, they shall not be utilized for wireless operations or deployments. Instead, the use of WPA2 enhanced with EAP-TLS is recommended.
  • In-depth security evaluations of wireless connections will be conducted at random and regular intervals.
  • The access password for the WAP shall be changed at least once within every three-month period.

Compliance

Compliance with Regulatory Requirements

  • In coordination with the legal unit, the IT security manager will distinguish and document all pertinent contractual, regulatory, and statutory requirements, for instance, the HIPAA and HITECH, relevant to the healthcare setting's practice.
  • The above-mentioned personnel will be responsible for distinguishing controls to be applied to help the hospital meet the applicable legislative expectations.
  • The IT security manager will record all duties required during control implementation to ensure they meet relevant legislative stipulations.
  • The HIT department will ensure that all pertinent software is licensed and purchased from credible vendors.
  • Annual training on intellectual property rights (IPR) shall be organized and conducted under the guidance of the IT security manager.
  • The installation or downloading of pirated software belonging to third parties using the hospitals systems is strictly proscribed.
  • The IT security manager will delineate appropriate procedures for maintaining a precise monitoring approach for all licenses during software disposal or transfer (Mbonihankuye et al., 2019).
  • The IT security manager will distinguish and record all files that should be maintained to ensure conformity with legal requirements, identify the documentation's retention period, and employ protection measures to safeguard the documents' availability, integrity, and confidentiality.
  • The IT security head will initiate technical and policy compliance reviews annually and quarterly, respectively.

N.B.: Non-compliance will be liable for disciplinary actions, including legal consequences and the termination of user access and employment contract.

Independent Data Security Review

  • The organization will perform an independent implementation review of these policies annually.
  • The IT security manager will ensure improvement recommendations are implemented within a one-month period where feasible.
  • The IT security manager will ensure the independent review outcomes are addressed during the ITSMF meetings and that the records of these meetings are maintained.

Data System Control Audits

  • Audit exercises, including external audits within the hospital, will be conducted regularly, i.e., annually.
  • The IT security head will document and convey pertinent audit requirements to the appropriate units before the audit's initiation. He shall also seek management's approval.
  • The audit group will have read-only access to audited data and software. This activity (auditing) shall be conducted in the presence of an IT team member.

Evaluation and Monitoring

The healthcare setting's senior managers and relevant IT security personnel will oversee the policy's implementation, tracking, and evaluation to ensure the protection of data resources against unsanctioned disclosure, destruction, modification, and access.

Works Cited

"Health Information Privacy Law and Policy." HealthIT, 2018. Web.

Mbonihankuye, Scholas, et al. "Healthcare Data Security Technology: HIPAA Compliance." Wireless Communications and Mobile Computing, vol. 2019, pp. 17. Web.
