final it policy and procedure 05-09-2012

7/28/2019 Final IT Policy and Procedure 05-09-2012

1/62

GULFDIAGNOSTICCENTER

HOSPITAL

INFORMATION TECHNOLOGY DEPARTMENT Policy No:ADM-IT-PL001/12

TITLE:INFORMATION TECHNOLOGY PLANIssue Date : June 2012

Revision No.: Original

Department : Information Technology Revision Date : June 2012

Section : IT Next Revision : June 2014

Distribution : Hospital Wide Page 1 of 62

INFORMATION TECHNOLOGY PLAN 2012

APPROVAL SHEET

Prepared by:

Name Signature Date

Zuher Arawi

Information Technology Manager

Reviewed by:

Name Signature Date

Mr. Zuher Arawi

Quality Assurance Manager

Ms. Lara Kaddoura

Administrator & ManagementRepresentative

Approved by:

Name Signature Date

Mr. Rami Kaddoura

Executive President & C.O.O

Mrs. Jamal KaddouraCo-founder & Hospital Director

DOCUMENT AMENDMENT RECORD SHEET

1


2/62


HOSPITAL







Date Description of Change Page EffectedRevision

Number

TABLE OF CONTENTS:

2


3/62


HOSPITAL







SUBJECTS PAGE

PURPOSE 4

POLICY 5

INTRODUCTION 6

POLICIES PAGE

Knowing Installation, Upgrade and Testing of Hardware, Systems, and Equipment 9

Knowing cabling, UPS (Uninterruptible Power Supply), Printers, and Modems, 11and supplying continuous power to critical equipment.

Using Fax Machines/Fax Modems 12

Using Modems/ISDN/DSL Connections, Using Centralized, Networked, 13or Stand Alone Printers, Securing Network Cabling.

Consumables, using removable storage media, including, USBs, DVDs, CDs and Diskettes 15

Working off GDC or Using Outsourced Processing, Contracting, Use of Laptop / Portable 16Computers, Portable Electronic Devices and the Removal of Equipment off Hospital System

(Teleworking) or Working from Home or Other Off-Site Location 18

Other Hardware Issues Destruction and/or Reuse of Equipment 19

Controlling Access to Information and Systems and Managing Access Control Standards 21

Securing Unattended Workstations 23

POLICIES PAGE

Managing Network Access Controls 24

3


4/62


HOSPITAL







Managing Application Access Control 25

Managing Passwords 26

Unauthorized Physical Access Security 28

Monitoring System Access and Use 29

Emergency Access 31

Configuring Networks, Managing the Network 32

Defending Network Information against Malicious Attack 33

System Operations and Administration, Appointing System Administrators 35

Ensuring Information Integrity, Commissioning Facilities Management 36

E-mail and the World-wide Web, Downloading Files and Information from the Internet

Sending Electronic Mail (E-Mail) and/or Other Forms of Digital Communication

Receiving and sending electronic mails and/or any other form of digital communication 38

Misdirected Information by E-Mail and/or Any Other Form of Digital Communication 39

Website Maintenance 41

Data Management, Transferring and Exchanging Data, Managing Data Storage 42

Purchasing and Maintaining Commercial Software 43

Developing and Maintaining Custom Software, Controlling Software Code 45Managing Operational Program Libraries

Testing and Training Environments, the Use of Protected Data for Training 46

POLICIES PAGE

New System Training 47

4


5/62


HOSPITAL







Complying with Legal and Policy Requirements, Complying with Legal Obligations, 48

Awareness of Legal Obligation, Copyright Compliance, Computer Misuse

External Suppliers/Other Vendor Contracts 49

Personnel Information Security Responsibilities - Passwords and PIN Numbers 50

Employment Termination - Staff Resignations

Procedures for Staff Leaving Employment, Training and Staff Awareness 51

Awareness for Temporary Staff, Security Information Updates to Staff

Information Security Training on New Systems 53

New System Staff and Physicians Training in Information SecurityPreparing Hospital for Placement of Computers

Protecting For, Detecting and Responding to Information Security Incidents 54Reporting Information Security Incidents

Defending Against Unauthorized or Criminal Activity

Security Incident Procedures 55

Responding to Information Security Incidents 56

1. PURPOSE

5


6/62


HOSPITAL







Complete and comprehensive Information Technology policies are necessary, not only to

communicate hospital expectations clearly to staff, but to protect the hospital. For example,

a hospital was recently forced to settle a lawsuit filed by four employees claiming they were

sexually harassed via the hospital's email system. The incident may have been averted, and

millions are saved, if the hospitals management had instituted simple precautionary measures,

such as implementing and enforcing an email policy. Information Technology policies and

procedures, properly administered, can often mitigate or eliminate risk and help address common

workplace issues.

Lawsuits are not the only problems hospitals can encounter. Anytime employees can accessemail or the Internet, the organization is at risk of a broad range of potential and costly liabilities.

For example, hospitals working toward compliance fear the loss or exposure of confidential

information. Data can be exposed to email viruses, and untold productive hours can be lostsurfing the Web for information unrelated to jobs.

Internet access is only one Information Technology service that needs protecting. An Internet

usage policy is the first battle in the seemingly never-ending war to protect employees and

maintain efficiency. There is no single productindeed, no single protocolthat provides

complete protection and all the equipment necessary to enforce an organizations policies andprocedures. Hospitals must manage a variety of issues beyond Internet usage. Security concerns

extend beyond the network to physical aspects, such as the upkeep of hospital equipment. Thereis also a vast amount of offline data that must be protected.

Faced with problems like this, Information Technology and Internet usage policies are the best

lines of defense hospital managers can adopt. Not only are they proactive steps that help setnecessary alarms, but they also provide guidance for disciplinary action. Such policy-based

management has caught on as an effective method for reducing administrative costs, tightening

security, and helping troubleshooting efforts. Information Technology policies need to address

all of these issues, not only to avoid disaster, but to know what to do if and when disaster doesstrike. Policies in this document deal not only with technical security issues, such as viruses and

the privacy of protected, confidential information, but also for more general management issues,such as network passwords and unauthorized software use. This document also addresses theactions supervisors can take when policies are not adhered to.

2. POLICY

6


7/62


HOSPITAL







Hospital Information Technology Policies

The following Information Technology policies and procedures are reevaluated and revisedtwice a year, or as required. Every staff member is expected to read these policies and comply

with them. If there are any questions or concerns they should be raised with your supervisor or

Head of department/manager. After reading these policies sign and date this document torepresent that you have read and understand the policies.

Hospital Information Technology Policies include:

1. Internet / Email Policies

1.1. Internet / Email Acceptable Use

1.2. Downloads and Executables

1.3. Peer-to-peer File Sharing and Streaming Media

1.4. Internet Messaging

2. Security Policies

2.1. Computer Viruses

2.2. Physical Security

2.3. Passwords

2.4. Backup

2.5. Continuance

2.6. Data retention

3. Acknowledgement of Policies

3.1. Signature Page

Date issued: 16-06-2012

Authorized by: IT Manager, Quality Manager, Executive Director, Hospital CO-Founder

Next scheduled review: 12-2012.

INTRODUCTION

The purpose of this document is to provide the procedures for the GDC-Hospital to meet the mandates

of JCIA System Information Security Plan.

7


8/62


HOSPITAL







Most hospitals have a tiered policy and procedure system. Administrative policies comprise the hospital-

wide or interdepartmental directives while there are departmental based policies for intradepartmental

subjects. This document was written using this scheme.

8


9/62


HOSPITAL







1. PURPOSE

Knowing Installation, Upgrade and Testing of Hardware, Systems, and Equipment.2. POLICY

All hardware installations shall be planned and related parties impacted by the installationnotified and given the opportunity to comment prior to the proposed installation date. Allequipment, systems, software, upgrades and patches shall be fully and comprehensively tested

and authorized by management prior to being converted to a live environment. The extent of

planning and testing shall be reasonable given the size and complexity of the installation toensure successful implementation with a minimal disruption of operation.

3. SCOPE

The base plan describes the policies and procedures, GDC Hospital will follow to prepare for,

respond to, and manage installation and hardware/systems upgrade

4. TARGET AUDIENCE

Staff, doctors, Patients, visitors

5. RESPONSIBILITY

IT Team, Hospital wide, all personnel in hospital.

6. PROCEDURE

1. Any significant system change that has the likely or expected potential to affect a usergroup shall be planned with the knowledge and cooperation of that group.

2. A significant system change is any change to hardware, software, or communications lines

that has the potential to affect the availability or integrity of a program or its data.3. To meet the criteria of likely or expected, the change could have documentation of

known faults, be provided untested by the vendor, being applied to a program that has local

customizations that could not be tested by the vendor, or an extended downtime may beneeded for the change.

9


10/62


HOSPITAL







4. Certain trusted changes such as virus protection updates and operating system patches that are

routinely released by the original software vendor can be applied to workstations and file

servers of non-critical applications without extended testing.5. Any system that contains restricted or protected information should be backed up with a

restore point prior to implementing the change.

6. All change actions should be weighed against the potential outcome of not making the change.

7. Critical software updates for known vulnerabilities may take precedent over a groupsproductivity.

8. Protecting the program and data is always the top priority.

9. All significant changes to a system should be documented with the change and the date itoccurred.

7. REFERENCE

Null

10


11/62


HOSPITAL







1. PURPOSE

Knowing cabling, UPS (Uninterruptible Power Supply), Printers, and Modems, and supplying

continuous power to critical equipment.

2. POLICY

All information systems identified as critical to LSU Hospital system operations shall be

protected by an uninterruptible power supply adequate to provide continuity of services and/ororderly shutdown to preserve data integrity.

3. SCOPE

Describing the policy of doing cabling for UPSs, printers and modems, IT will follow up the

proper cabling and ensure the proper way of laying cables within proper trunks to protect from

electrical hazards.

4. TARGET AUDIENCE

Staff, maintenance people, service department.

5. RESPONSIBILITY

Maintenance department and IT support team

6. PROCEDURE

1. Selection of equipment for support by uninterruptible power supply shall be based on the

critical equipment inventory.2. For data storage devices the uninterruptible power supply should be connected to computing

device for orderly shutdown in a backup power supply system failure.

3. Uninterruptible power supplies shall be maintained and tested according to manufactures'recommendations.

7. REFERENCE

Null

11


12/62


HOSPITAL







1. PURPOSE

Using Fax Machines/Fax Modems

2. POLICY

Protected or restricted information shall only be faxed when more secure methods are notavailable

3. SCOPE

Enhance the understanding the usage of fax machines and modems among users/staff

4. TARGET AUDIENCE

Receptionists, Pharmacists, Insurance and HR Staff.

5. RESPONSIBILITY

IT Support team and Public Relation Officer.

6. PROCEDURE

The sender of the protected or restricted information and the intended recipient shall agree to the

fax transmittal prior to sending

Documents with personal identifiers can only be faxed with appropriate safeguards. A list ofmedical record numbers without other personal identifiers may be faxed, providing there is no

reference to medical conditions on either the faxed copy or the cover sheet. Users are responsible

for ensuring that faxes are not left on the fax machine.

7. REFERENCE

Null

12


13/62


HOSPITAL







1. PURPOSE

Using Modems/ISDN/DSL Connections, Using Centralized, Networked, or Stand AlonePrinters.

Securing Network Cabling.

2. POLICY

Protected or restricted information shall only be sent via System network lines when more secure

methods are not feasible. In that event, additional precautions e.g. encryption of data, virtualprivate network, etc., shall be employed to ensure against unauthorized interception and/or

disclosure of protected information.

Protected or restricted information shall not be sent to a network printer in an unsecured areawithout appropriate physical safeguards or an authorized person present to safeguard this

information during and after printing.

All cabling in System networks shall be secured to prevent unauthorized interception or damage.

3. SCOPE

Defining the usage of modems and stand alone printers and granting authorizations to people in

charge of networked peripherals with a proper plan in order to secure network cabling.

4. TARGET AUDIENCE

Doctors, nurses, receptionists, secretaries, and other hospital staff

5. RESPONSIBILITY

IT Support team

6. PROCEDURE

In the event that protected or restricted information cannot be sent via NO network lines,additional precautions (e.g. encryption of data, virtual private network, etc.) shall be employed to

ensure against unauthorized interception and/or disclosure of protected information.

13


14/62


HOSPITAL







7. REFERENCE

Null

14


15/62


HOSPITAL







1. PURPOSE

Consumables, using removable storage media, including, USBs, DVDs, CDs and Diskettes.

2. POLICY

All protected or restricted information stored on removable media, including USBs, DVDs, CDs,and diskettes shall be kept in a safe, secure environment in accordance with the manufacturers

specifications when not in use. The removal of protected or restricted information from hospital

premises shall require specific authorization from the hospital designated official.

3. SCOPE

The base plan describes the policies and procedures, GDC Hospital staff using systems will

follow and respond and manage the proper usage in a secure manner the mentioned peripherals.

4. TARGET AUDIENCE

Restricted to authorized GDC Hospital staff using networked systems

5. RESPONSIBILITY

IT Department and authorized GDC Hospital staff using networked systems

6. PROCEDURE

The use of removable media to transport protected or restricted media is strongly discouraged.

Specific administrative approval is required for the removal of protected information from the

hospital when stored on removable media. The user should obtain electronic or writtendocumentation of the approval from the appropriate department director.

USBs, CDs, All diskettes (If still available) and other storage media that contain confidential

information that has not been completely de-identified.

7. REFERENCE

Null

15


16/62


HOSPITAL







1. PURPOSE

Working off GDC or Using Outsourced Processing, Contracting, Use of Laptop/PortableComputers, Portable Electronic Devices and the Removal of Equipment off Hospital System.

2. POLICY

Individuals responsible for commissioning outsourced computer processing of protected or

restricted information shall ensure the services used are from companies that operate in

accordance the GDC's information security standards which include a Business AssociateAgreement or similar document that communicates the expectation of compliance with these

standards and the remedies available in the instance of non-compliance.

Laptops and other portable computing devices issued to hospital System employees shall not beused for activities unrelated to IT organizational goals. The designated hospital official shall

document who is in possession of each device and that the individual understands his

responsibility for the confidentiality, integrity, and availability of the information on said device.Each IT Hospital system employee who is assigned a portable or mobile computing device shall

be responsible for ensuring that data stored on that device is properly backed up, that the

operating system is patched in a timely fashion, and where applicable, anti-virus software withcurrent virus data file (including spyware detection and firewalls) is installed and running

continuously. In addition, only authorized personnel shall be permitted to take any equipment

belonging to the IT Hospital system off the premises and are responsible for its security at all

times.

3. SCOPE

Planning the needed services and taking into consideration the information security measures

for the required services/hardware/software application for hospital day to day work continuity.

4. TARGET AUDIENCE

GDC Hospital staff , using IT Application/hardware.

5. RESPONSIBILITY

IT Manager, Support Team, and GDC Hospital staff.

16


17/62


HOSPITAL







6. PROCEDURE

The IT Director at each facility or designee shall keep a listing of all portable computing devices

(PCD) and who is in possession of the device. Any change in the possession of the portable

computing device shall be reported to the IT Director immediately.

Each employee with a PCD shall have appropriate approval stating the need for the device prior

to possession. The employee shall sign an LSU Portable Computing Device Release prior to

using the device.

Handling and Storage of Laptops.

Safety and security of the PCD is the responsibility of the employee that it is assigned to.

PCDs are stored in a secure, locked location within the office when not in use. Confidential

information on PCD removable drives should be carried in a secure vessel. If possible the mediacontaining the confidential, encrypted data should be locked in a location apart from the laptop

when not in use.

Loss of any PCD shall be reported immediately to the IT Director/IT Security Lead of the

hospital.

7. REFERENCE

Null

17


18/62


HOSPITAL







1. PURPOSE

(Teleworking) or Working from Home or Other Off-Site Location

2. POLICY

IT Hospital systems which allow teleworking or working from home shall establish proceduresthat ensure the confidentiality, integrity and availability of protected data accessed during any

teleworking session.

3. SCOPE

Preparing and describing the policy and procedure for IT Support team and service companiesgranted the permissions to access the relevant servers to do installation/ configuration.

4. TARGET AUDIENCE

IT Manager, DB Administrator and Application Developer.

5. RESPONSIBILITY

IT Manager, DB Administrator and Application Developer.

6. PROCEDURE

1) When using a desktop computer from home or when traveling the screen should be placed soit not visible to non-authorized personnel walking by the office or through a hallway.

Additionally, computer screens should be situated so that they are not visible through

windows.2) When laptop computers are used, the screens are managed so as to prevent viewing by others.

The laptop is never out of sight of the employee when not secured.

3) All teleworking sessions require a virtual private network (VPN) connection, a Citrix Desktop

connection, or a dialup connection through an enterprise RAS solution.

7. REFERENCE

Null

18


19/62


HOSPITAL







1. PURPOSE

Other Hardware Issues Destruction and/or Reuse of Equipment.

2. POLICY

IT equipment and/or media owned by IT Hospital systems shall only be disposed of byauthorized personnel in accordance with the National Industrial Security Program Operations

Manual. IT equipment and/or media owned by the IT Hospital system which is to be reassignedto another employee or reused shall be evaluated as to whether protected or restricted

information needs to be purged in accordance with the above standard prior to reassignment

and/or reuse or disposal.

3. SCOPE

Defining the base plan and evaluation sheet of destruction and reuse of the equipment and mediaowned by GDC Hospital system.

4. TARGET AUDIENCE

GDC Hospital staff using mentioned equipment and system.

5. RESPONSIBILITY

IT manager

6. PROCEDURE

Any computing equipment possessing media with protected or restricted information shall havethe media wiped of all information in accordance with the Management of Information

Technology specifications.

Media Procedure(s)

Magnetic Tape

Magnetic Disk

Optical Disk

Read Many, Write Many (e.g., CD-RW) l

19


20/62


HOSPITAL







Read Only l

Write Once, Read Many l

(e.g., CD-R,CD+R, DVD+R)

Memory

Dynamic Random Access Memory (DRAM)

Flash memory (e.g., USB drives, Picture cards)

Programmable ROM (PROM)Nonvolatile RAM (NOVRAM)

Read Only Memory (ROM)

Static Random Access Memory (SRAM)

7. REFERENCE

Null

20


21/62


HOSPITAL







1. PURPOSE

Controlling Access to Information and Systems and Managing Access Control Standards

2. POLICY

Each IT Hospital system shall ensure that all access to information systems is based on thelowest level of privilege needed to perform ones job.

Access to application supervisor-level commands shall require authorization from theemployees supervisor and/or the owner of the application. Access to operating system

supervisor and/or administrator commands shall be restricted to those persons who are

authorized to perform systems administration/management functions.

Managing User Access to any IT Hospital system information system shall be authorized by the

owner and/or hospital designated official(s). Each staff, and contractor shall be assigned a uniqueuser ID. When generic IDs are required by operational necessity, each hospital shall develop

procedures to prevent abuse. For audit purposes, such access, including the appropriate access

rights or privileges.

Generic Accounts that are used to provide access to network resources for third-party software

supporters, contractors, or computer supporters that need application service accounts.

Acquiring a Generic Account The owner of the resource will notify Enterprise InformationSecurity via email that a vendor, contractor, or computer supporter will need a generic account to

access the network. Before creating the account, shall determine the method to allow access into

the network. This may require discussions between the vendor, IT contact, and the firewalladministrator. If it has been decided that a generic account is required, the account will be set up

according to Enterprise Information Security procedures.

Vendor Account Requirements - Vendors and contractors must submit a vendor account policywhich contains a vendor account agreement before being given access to the network. These

policies are kept on file by the Enterprise Information Security group.

Enabling a Generic Account - Activation of generic accounts must be authorized by the IT

contact. The default activation period is 24 hours unless requested otherwise. Prolongedactivation periods must be justified. When a generic account is activated, an email must be sent

to the ITO contact notifying them of the new expiration date.

21


22/62


HOSPITAL







Generic Account Agreement for Vendors

a) I acknowledge that I am responsible for all activity attributable to the account assigned

to my organization.b) I will use my organization's account to perform authorized activities only

(i.e., to carry out contract-related responsibilities).

c) If I abuse or gain unauthorized access to computer resources, I understand that IT head may

immediately revoke my account and report my conduct to law enforcement authorities.d) I understand that, upon change or termination of my organization's relationship with IT

department, my organization's access to resources on the network will be reviewed and

modified or terminated as appropriate.e) I understand the importance of privacy and confidentiality of information and in particular

patient information, student records, and employee personal data. I pledge to handle all

sensitive data I access with the appropriate care and precautions.f) I will abide by IT policy regarding appropriate use of its network infrastructure.

3. SCOPE

Preparing a plan that states controlling the access to information and systems and steps to

manage the access control standards.

4. TARGET AUDIENCE

Each staff, and contractor assigned a unique user ID and generic account.

5. RESPONSIBILITY

IT Support team and GDC Staff and contractors, having unique user ID

6. PROCEDURE

To be performed on case by case basis according to granted access to end-users/contractors.

7. REFERENCE

Null

22


23/62


HOSPITAL







1. PURPOSE

Securing Unattended Workstations

2. POLICY

Precautions shall be taken to prevent tampering of unattended equipment by unauthorizedpersons.

3. SCOPE

Preparing memos states clearly the responsibility of systems (workstations) custodians/in charge.

4. TARGET AUDIENCE

GDC Hospital Doctors/staff using GDC Hospital systems/workstations.

5. RESPONSIBILITY

GDC Hospital Doctors/staff working on GDC Hospital workstations.

6. PROCEDURE

All workstations should be placed in a secured location. By means in locations that are not at all

times occupied and cannot be secured the PC should be secured to the work area.

Viewing screens should be located so that unauthorized personnel cannot view the informationon the screen. Where it is impossible to protect the peripheral view of the screen privacy filters

shall be employed.

Private or restricted information shall not be stored on a computer in a public use or untenablearea.

7. REFERENCE

Null

23


24/62


HOSPITAL







1. PURPOSEManaging Network Access Controls

2. POLICY

Access to Hospital system information systems networks shall be strictly controlled to prevent

unauthorized access. Each hospitals IT department shall develop procedures and standards forsecuring network electronics against unauthorized tampering.

3. SCOPE

Prepare a base plan that describe the policies and procedures, GDC Hospital IT department will

develop the plan and follow to prepare for, respond, and manage system access triggers.

4. TARGET AUDIENCE

IT Manager and IT team.

5. RESPONSIBILITY

IT Manager and IT Team.

6. PROCEDURE

Access to the information systems networks shall be strictly controlled to prevent unauthorized

access. The Office of Computer Services network equipment standards shall be utilized to secure

network electronics against unauthorized tampering.

7. REFERENCE

Null

24


25/62


HOSPITAL







1. PURPOSE

Managing Application Access Control

2. POLICY

The Hospital system procedure for authorizing supervisor-level access shall require approvalfrom the designated hospital IT authority.

3. SCOPE

Prepare a base plan that describe the policies and procedures, GDC Hospital IT department will

develop the plan and follow to prepare for, respond, and manage system access triggers.

4. TARGET AUDIENCE


5. RESPONSIBILITY


6. PROCEDURE

Access to application supervisor-level commands shall require authorization from the

employees supervisor and/or the owner of the application. Access to operating systemsupervisor and/or administrator commands shall be restricted to those persons who are

authorized to perform systems administration/management functions.

7. REFERENCE

Null

25


26/62


HOSPITAL







1. PURPOSE

Managing Passwords.

2. POLICY

All information systems that use passwords as the primary method of user authentication shallrequire that all user accounts be password protected with non-null (weak) passwords and require

all users to change passwords on a periodic basis(every six month at least). The IT department of

the Hospital shall develop and/or adopt standards for password length, password change intervaland password complexity that are appropriate for the system being protected. These standards

shall be reviewed periodically.

3. SCOPE

A plan to be defined in order to control, maintain and monitor the password at all authorizedlevels on quarterly/half yearly basis.

4. TARGET AUDIENCE

GDC Hospital Doctors/staff and IT Staff using systems/servers.

5. RESPONSIBILITY

IT support team and GDC Hospital doctors and staff using systems.

6. PROCEDURE

All computer accounts must be password protected in accordance with password policy. Thispolicy shall not be any less restrictive than Information Technology password policy. These

password standards shall be reviewed no less frequently than every three years and revised to

incorporate advances in technology.

The Password Policy requires that:Minimum password length and format shall be no less than eight (8) characters.

26


27/62


HOSPITAL







Minimum password complexity should contain at least 3 of the 4 categories: English upper case

characters (A-Z), English lower case characters (a-z), Base 10 digits (0-9), and non-

alphanumeric characters (%,&,!).Maximum validity periods for passwords to be no greater than 180 days, with specific

exemptions granted for special purposes such as enabling a stored procedure to run against a

database.

7. REFERENCE

Null

27


28/62


HOSPITAL







1. PURPOSE

Unauthorized Physical Access Security.

2. POLICY

Physical access to server rooms and network infrastructure closets shall be protected using all

reasonable and appropriate safeguards. Strong authentication and identification techniques shallbe used when they are available and can be reasonably deployed.

3. SCOPE

A base plan that describes the policies and procedures, GDC Hospital will follow to prepare for,

respond to, and manage physical access security.

4. TARGET AUDIENCE

Information Technology Department

5. RESPONSIBILITY


6. PROCEDURE

Physical access to server rooms and network infrastructure closets shall be protected using all

reasonable and appropriate safeguards. Strong authentication and identification techniques shallbe used when they are available and can be reasonably deployed.

7. REFERENCE

Null

28


29/62


HOSPITAL







1. PURPOSE

Monitoring System Access and Use

2. POLICY

All information systems that contain protected or restricted information shall be configured tolog any and all information necessary to detect and record attempts of unauthorized access and

system errors, to the extent that the logging facility exists and is capable. These logs with

significant activity shall be examined in a timely fashion by staff determined as qualified by thehospital IT department. Security incidents shall be reported to the Security Officer (one of IT

team members for appropriate action and follow up.

3. SCOPE

A base plan that describes the policies and procedures, GDC Hospital will follow to prepare for,respond to, and manage physical access security.

4. TARGET AUDIENCE


5. RESPONSIBILITY


6. PROCEDURE

All information systems that contain protected or restricted information shall be configured tolog any and all information necessary to detect and record attempts of unauthorized access and

system errors, to the extent that the logging facility exists and is capable. These logs with

significant activity shall be examined in a timely fashion by staff determined as qualified by the

IT department for Computer Services. Reporting of suspected security incidents shall follow theprocess defined in the Information Security Response Procedure.

29


30/62


HOSPITAL







7. REFERENCE

Null

30


31/62


HOSPITAL







1. PURPOSE

Emergency Access

2. POLICY

All Hospital systems shall develop and implement a procedure to provide access to electronicinformation on an emergency basis (i.e., an employee is incapacitated and another employee

must enter the system to continue his job function). For audit purposes, each instance of suchaccess provision shall be documented and shall be maintained on file for a period of no less than

one year, if the information accessed is protected information.

3. SCOPE

A base plan that describes the policies and procedures, GDC Hospital will follow to prepare for,respond to, and manage physical access security.

4. TARGET AUDIENCE


5. RESPONSIBILITY


6. PROCEDURE

Emergency access (i.e. an employee is incapacitated and another employee must enter the system

to continue his job function) to electronic information shall be handled by the EIS duringbusiness hours and the Enterprise Information Security Analyst on call after business hours. For

audit purposes, each instance of such access provision shall be documented and shall be

maintained on file for a period of no less than one year, if the information accessed is protectedinformation.

7. REFERENCENull

31


32/62


HOSPITAL







1. PURPOSE

Configuring Networks

Managing the Network

2. POLICY

All System information system networks shall be designed and configured to deliver high

availability, confidentiality, and integrity to meet business needs.Each Hospital system shall ensure that those responsible for managing the hospital network and

preserving its integrity in collaboration with the individual system owners does so in accordance

to the hospitals IT department standards and job descriptions.

3. SCOPE

A base plan that describes the policies and procedures, GDC Hospital IT Manager and support

team will follow to prepare for, respond to, and manage Hospitals network.

4. TARGET AUDIENCE


5. RESPONSIBILITY


6. PROCEDURE

Those responsible for managing the network and preserving its integrity shall do so inaccordance with the Office of Computer Services standards and job descriptions.

7. REFERENCE

Null

32


33/62


HOSPITAL







1. PURPOSE

Defending Network Information against Malicious Attack

2. POLICY

Each Hospital system shall develop and implement procedures to adequately configure andsafeguard its information system hardware, operation and application software, networks and

communication systems against both physical attack and unauthorized network intrusion. All

servers and work stations shall run anti-virus software (including spyware detection andfirewalls) while connected to the network infrastructure. In the event that the system will not

operate properly with the anti-virus software, appropriate information security safeguards shall

be instituted.

3. SCOPE

A base plan that describes the policies and procedures, GDC Hospital IT Manager and support

team will follow to prepare for, respond to, and manage Hospitals network.

4. TARGET AUDIENCE


5. RESPONSIBILITY


6. PROCEDURE

All servers and workstations shall be configured according to Information Security standards in

order to safeguard information system hardware, operation and application software, networks,

and communication systems against both physical attack and unauthorized network intrusion.

All servers and workstations shall run anti-virus software (including spyware detection) whileconnected to the network infrastructure. In the event that the system will not operate properly

with the anti-virus software, appropriate information security safeguards shall be instituted.

33


34/62


HOSPITAL







7. REFERENCE

Null

34


35/62


HOSPITAL







1. PURPOSE

System Operations and Administration, Appointing System Administrators

2. POLICY

Each Hospital system shall appoint systems administrators who demonstrate the qualificationsestablished by the hospitals IT department to manage the information technology systems and

oversee the day to day security of these systems.

3. SCOPE

Is to prepare definite measures for operating systems used for software applications and end-users, and monitoring the appointed system administrators running those operating systems.

4. TARGET AUDIENCE


5. RESPONSIBILITY


6.PROCEDURE

The Office of Computer Services (CS) in IT department shall appoint systems administratorswho demonstrate the qualifications established by the department to manage the information

technology systems and oversee the day to day security of these systems. Only qualified staff or

third party technicians should repair information system hardware faults. System administratorsmust meet stringent qualifications for hire assuring that IT analysts are capable of handling

analytic processes.

7. REFERENCE

Null

35


36/62


HOSPITAL







1.PURPOSE

Ensuring Information IntegrityCommissioning Facilities Management

E-mail and the World-wide Web

Downloading Files and Information from the Internet

Sending Electronic Mail (E-Mail) and/or Other Forms ofDigital Communication

2.POLICY

All Hospital systems shall develop and implement procedures to ensure that the integrity of

electronic protected or restricted information is maintained in the event of processing errors,system failure, human errors, natural disasters and deliberate acts.

Hospital shall implement the appropriate procedures within the Disaster Recovery Plan (DRP) to

ensure that the integrity of electronic protected or restricted information is maintained in theevent of processing errors, system failure, human errors, natural disasters, and deliberate acts.

Any facilities management company engaged by a Hospital system shall be expected to comply

with the System Information Security policies and to execute a Business Associate Agreement orsimilar document that communicates the performance expected and the remedies available in the

instance of noncompliance.

Each Hospital system IT department shall develop standards and guidelines to ensure

information, software and media downloaded from the Internet does not jeopardize its operationsor the security of information systems.

Each Hospital system shall develop procedures that require all email and/or any other form of

digital communication generated by its information systems that contains protected or restrictedinformation, including data attachments, shall only be permitted after confirming that such action

is consistent with the restriction specified by the security classification of the information being

sent. In addition, the file shall be scanned for the possibility of a virus or other malicious code. Inno case shall protected or restricted information be sent outside the information infrastructure

without taking precautions to ensure the confidentiality and integrity of the information.

3.SCOPE

Define a plan for the hospital system IT department to develop standards and guidelines to

ensure information, software and media downloaded from the Internet does not jeopardize its

36


37/62


HOSPITAL







operations or the security of information systems, including e-mails (sending and receiving),

www, data extraction/download from internet, and digital communications.

4.TARGET AUDIENCE

All hospital End-users granted hospital systems (computers).

5.RESPONSIBILITY

IT department and all end-users using hospital computers.

6. PROCEDURE

All email and/or any other form of digital communication generated by information systems that

contain protected or restricted information, including data attachments, shall only be permitted

after confirming that such action is consistent with the restriction specified by the securityclassification of the information being sent. In addition, the file shall be scanned for the

possibility of a virus or other malicious code. In no case shall protected or restricted information

be sent outside the information infrastructure without taking precautions to ensure theconfidentiality and integrity of the information.

7. REFERENCE

Null

37


38/62


HOSPITAL







1. PURPOSE

Receiving and sending electronic mails and/or any other form of digital communication.

2. POLICY

Each Hospital system shall develop and implement standards and procedures that will ensure thatmalicious code is not delivered to or executed on the information systems by receiving email

and/or any other form of digital communication.

3. SCOPE

Define a plan for the hospital data exchange between hospital end-users and outside world, andto develop standards and guidelines to ensure electronic data/e-mails received and sent do not

jeopardize the security of information systems and digital communications.

4.TARGET AUDIENCE

All hospital End-users granted hospital systems (computers).

5.RESPONSIBILITY

IT department and all end-users using hospital computers.

6. PROCEDURE

All workstations shall have anti-virus software that scans emails and attachments. All inbound

and outbound external and internal email shall be scanned for viruses on the email servers. The

Office of Computer Services may also implement any procedures it feels necessary to ensure thatmalicious code is not delivered to or executed on the information systems by receiving email

and/or any other form of digital communication.

7. REFERENCE

Null

38


39/62


HOSPITAL







1. PURPOSE

Misdirected Information by E-Mail and/or Any Other Form of Digital Communication

2. POLICY

Each Hospital system shall develop and implement procedures that ensure that emails and/or anyother form of digital communication that contain protected or restricted information, including

attachments, are correctly addressed and only being sent to appropriate persons. This procedure

shall include a mechanism in which the misdirected communication is correctly deliveredwithout the content being viewed any further than is necessary to identify the appropriate

recipient and deleted from the mistaken recipients computer system.

3. SCOPE

Define a plan for the hospital data exchange between hospital end-users and outside world, andto develop standards and guidelines to ensure that the appropriate data being sent to proper

receiver.

4. TARGET AUDIENCE

All hospital end-users granted hospitals email user name/password.

5. RESPONSIBILITY

IT Department (End-user support) and all hospital end-users granted hospitals email username/password.

6. PROCEDURE

Protected and/or restricted information should not be sent via email until has developed and

implemented procedures that ensure that emails and/or any other form of digital communication

that contains protected or restricted information, including attachments, are correctly addressedand only being sent to appropriate persons. This procedure when developed shall include a

mechanism in which the misdirected communication is correctly delivered without the content

39


40/62


HOSPITAL







being viewed any further than is necessary to identify the appropriate recipient and deleted from

the mistaken recipients computer system.

Protected and/or restricted information can be sent electronically via Secure FTP, encrypted dataon PCDs, or by giving protected access to a data drive.

7. REFERENCE

Null

40


41/62


HOSPITAL







1. PURPOSE

Website Maintenance

2. POLICY

Hospital system shall develop and implement a procedure which ensures System websites thatcontain protected or restricted information are protected from unauthorized intrusion.

3. SCOPE

Having a proper plan describes the policies and procedures to define and maintain an in-

house/out-sourced website managed internally by IT department.

4. TARGET AUDIENCE

GDC Hospitals employees and outside customers (Patients).

5. RESPONSIBILITY

Information Technology Department.

6. PROCEDURE

Websites that contain protected or restricted information should be protected from unauthorized

intrusion using website security standards. Only personnel who demonstrate the qualificationsestablished by the Office of Computer Services should modify the hospital website, especially if

it contains protected information. These modifications shall be documented for audit purposes.

7. REFERENCE

Null

41


42/62


HOSPITAL







1. PURPOSE

Data Management, Transferring and Exchanging Data, Managing Data Storage

2. POLICY

All restricted or protected information shall only be transferred outside of hospital networks, orcopied to other media, when the confidentiality and integrity of the data can reasonably be

assured. All data stored on information systems shall be managed to ensure the confidentiality,

integrity, and availability of the data.

3. SCOPE

The base plan describes the policies and procedures to maintain GDC Hospital data storage,

backups, data confidentiality, integrity, and proper restoring indexing.

4. TARGET AUDIENCE

GDC Hospital employees, Doctors, and Medical recordsdepartment (archive system).

5. RESPONSIBILITY


6. PROCEDURE

Storage Array with fair capacity that contains all saved data on all nodes, protected or restricted

information should be mirrored and duplicated and incrementally updated in the backup system

with IT department for retrieval purposes in case of loss in addition to transferred and exchangeddata on daily basis.

7. REFERENCE

Null

42


43/62


HOSPITAL







1. PURPOSE

Purchasing and Maintaining Commercial Software1-Purchasing and Installing Software

2-Using Licensed Software (Software Maintenance and Upgrade)

3-Supporting Application Software

4-Disposing of Information System Software

2. POLICY

Each Hospital system shall make every effort to ensure that all terms and conditions of End User

License Agreements (EULA) are strictly adhered to in order to comply with applicable laws and

to ensure ongoing vendor support.All application software shall be supported to ensure that the hospital business is not

compromised. Every effort shall be made to resolve software problems efficiently and within an

acceptable time period.Disposal of information systems software shall not occur unless the disposal is authorized by the

appropriate hospital official, the information systems software is no longer required, and its

related data can be archived and will not require restoration in the future.

3. SCOPE

The base plan describes the policies and procedures for purchasing, installing, using, upgrading,supporting, and maintaining licensed software and describing a proper way for disposing

information system software.

4. TARGET AUDIENCE

All GDC Hospital employees using in-house application software.

5. RESPONSIBILITY

GDC Hospital Information Technology Department.

43


44/62


HOSPITAL







6. PROCEDURE

The Disposition Phase represents the end of the systems life cycle. It provides for the systematictermination of a system to ensure that vital information is preserved for potential future access

and/or reactivation. The system, when placed in the Disposition Phase, has been declared surplus

and/or obsolete, and is scheduled to be shut down. The emphasis of this phase is to ensure that

the system (e.g. software, data, procedures, and documentation) is packaged and archived in anorderly fashion, enabling the system to be reinstalled later, if desired.

7. REFERENCE

Null

44


45/62


HOSPITAL







1. PURPOSE

Developing and Maintaining Custom SoftwareControlling Software Code

Managing Operational Program Libraries

2. POLICY

Each Hospital system shall implement a procedure in which only authorized staff may access

operational program libraries.

3. SCOPE

Defining a plan that describes different authorization levels for all end-users with different

access permissions.

4. TARGET AUDIENCE

GDC Hospital end-users, using hospital systems and software applications (databases).

5. RESPONSIBILITY

IT Department.

6. PROCEDURE

All operational program libraries for critical applications that developed shall reside on

enterprise servers. Access to operational program libraries shall be controlled by the Information

Security group and will be provided on an as needed basis.

7. REFERENCE

Null

45


46/62


HOSPITAL







1. PURPOSE

Testing and Training EnvironmentsThe Use of Protected Data for Training

2. POLICY

Each Hospital system shall implement a procedure that requires adequate controls for the

security of protected or restricted data when used in the testing of new systems or system

changes.

3. SCOPE

Defining a plan for data security policy and procedure that protects database live data accessed

and used for training purposes.

4. TARGET AUDIENCE

New doctors, employees, and receptionists.

5. RESPONSIBILITY

IT Department.

6. PROCEDURE

The use of protected or restricted data in the testing of new systems or system changes shall be

adequately controlled. Access to operational test environments for critical applications shall be

controlled by the Information Security group and will be provided on an as needed basis.

7. REFERENCE

Null

46


47/62


HOSPITAL







1. PURPOSE

New System Training

2. POLICY

Each Hospital system shall implement a procedure in which users and technical staff are trained

in the functionality and operations of all new systems.

3. SCOPE

Defining a plan for data security policy and procedure that protects database live data accessedand used for training purposes

4. TARGET AUDIENCE

New doctors, new employees and receptionists

5. RESPONSIBILITY

IT Department.

6. PROCEDURE

IT Director will work with the application vendors, HR, Staff Development, and the developersof new applications to implement training plans for each new application prior to the application

being put into production.

7. REFERENCE

Null

47


48/62


HOSPITAL







1. PURPOSE

Complying with Legal and Policy RequirementsComplying with Legal Obligations, Awareness of Legal Obligations

Copyright Compliance, Computer Misuse: Legal Safeguards

2. POLICY

All Hospital systems shall develop and implement procedures to inform employees of their legal

responsibilities in relation to the use of computer based information and data.All Hospital systems shall develop and implement procedures to inform employees of their

obligation to comply with applicable copyright laws.

Each Hospital system shall implement a procedure by which employees are informed of changesin computer misuse law, as well as hospital policy, as it directly impacts their job duties.

3. SCOPE

Defining a plan to develop and implement policy and procedures for employees roles and

responsibilities in using data and understanding copyrights where applicable.

4. TARGET AUDIENCE

Employees that are using GDC Hospital systems.

5. RESPONSIBILITY

IT Support team to guide and GDC end-users when they apply policies and procedures.

6. PROCEDURE

IT Director will work on copyrights procedures.

7. REFERENCE

Null

48


49/62


HOSPITAL







1. PURPOSE

External Suppliers/Other Vendor Contracts

2. POLICY

All Hospital systems suppliers/vendors who handle protected or restricted information shallacknowledge compliance with the hospital information security procedures prior to the delivery

of services.

3. SCOPE

Defining a plan that clearly describes most restricted information and acknowledges complinacywith GDC Hospital.

4. TARGET AUDIENCE

External Suppliers and software vendors

5. RESPONSIBILITY

IT Department and Hospital Legal advisors.

6. PROCEDURE

Lending of keys, both physical and electronic, should be prohibited by each Hospital system.In the event that access to an area or information secured by a physical or electronic key is

required by an individual without such key, that individual should be accompanied and

supervised by someone who has been issued such a key.

7. REFERENCE

Null

49


50/62


HOSPITAL







1. PURPOSE

Personnel Information Security Responsibilities - Passwords and PIN NumbersEmployment Termination - Staff Resignations

2. POLICY

All Hospital system users, staff and physicians are expected to treat passwords as private and

highly confidential.

All Hospital systems shall ensure that the appropriate Security Officer is notified of all employeeterminations and that access to the Hospital system information systems is revoked. If in the

judgment of the appropriate hospital official, it is determined that an employee represents a risk

to the security of the Hospital system information, all access shall be terminated immediately.

3. SCOPE

Defining measures in steps in order to secure hospital information/data

4. TARGET AUDIENCE

Any terminated employee, used to work on hospitals systems/data.

5. RESPONSIBILITY

GDC Human Resources Department and IT Department.

6. PROCEDURE

The HR Manager will contact IT Department to immediately disable the account of anyemployee that represents a risk to the security of the Hospital system information.

The Enterprise Information Security group generates reports to determine terminations and

transfers of users with access to computer resources.

7. REFERENCE

Null

50


51/62


HOSPITAL







1. PURPOSE

Procedures for Staff Leaving EmploymentTraining and Staff Awareness

Awareness for Temporary Staff

Security Information Updates to Staff

2. POLICY

GDC Hospital systems shall develop and implement a procedure to ensure that all Hospitalsystem property previously assigned to a departing employee is returned, and also that all keys,

access cards and forms of employee identification are returned.

All Hospital systems temporary staff with access privileges to the hospital networks shallacknowledge compliance with the hospital Information Security policies prior to beginning

work with the hospital. Updates on Information Security awareness shall be provided to the staff

on an evolving, ongoing basis as events warrant.

3. SCOPE

Defining a plan to make sure that people on leave will be revoked from any remote access to

hospital data/information during their leave, including changing access passwords where

required/applicable.

4. TARGET AUDIENCE

GDC Hospital employees on leave

5. RESPONSIBILITY

HR Department and IT Department.

6. PROCEDURE

Proposed changes or amendments to policies will be presented to the hospital Compliance

Committee for approval.

Updated policies will be distributed to Hospital personnel and to the HR for implementation.

51


52/62


HOSPITAL







In all of the training, it will be emphasized that the Compliance Officer/ Privacy Officer or

Security Officer must be notified if these policies are not followed At that point, it will be

determined if the employee/resident requires more in-depth education and training, or if thematter needs to be referred to Human Resources for disciplinary action.

7. REFERENCE

Null

52


53/62


HOSPITAL







1. PURPOSE

Information Security Training on New SystemsNew System Staff and Physicians Training in Information Security

Preparing Hospital for Placement of Computers

2. POLICY

Each Hospital system staff and physicians shall complete information security training

appropriate for their job function. If the users job responsibilities change, then the userstraining requirements shall be reassessed and new training must occur, if required/applicable.

All new Hospital system staff and physicians shall receive application training/mandatory

Information Security training appropriate for their job or educational function within 3 calendardays of their start date.

All Hospital system information systems hardware and media that contain protected or restricted

information shall be located in areas that are protected from physical intrusion, theft, fire,excessive temperature/humidity or other hazards.

3. SCOPE

Prepare a training plan including manuals (if required) and other training materials.

4. TARGET AUDIENCE

GDC system end-users and physicians

5. RESPONSIBILITY

Hospital HR Department and IT Department.

6. PROCEDURE

IT Management to define according procedures.

7. REFERENCE

Null

53


54/62


HOSPITAL







1. PURPOSE

Protecting For, Detecting and Responding to Information Security IncidentsReporting Information Security Incidents

Defending Against Unauthorized or Criminal Activity

2. POLICY

GDC Hospital system shall develop and implement procedures to defend hospital networks and

information systems that contain protected or restricted information against vandalism,unauthorized physical intrusion, and unauthorized access, denial of service, virus attack, spyware

or malware.

3. SCOPE

Preparing a scope of work to develop policy and procedures to protect hospitals NIS (NetworkInformation System).

4. TARGET AUDIENCE

GDC Hospital network and information systems

5. RESPONSIBILITY

IT Department.

6. PROCEDURE

Hospitals shall adhere to the Information Security (IS) and Incident Response Procedure aboveand shall adhere to the Workstation and Server Standards and the Network Standards in to help

defend hospital networks and information systems that contain protected or restricted

information against unauthorized physical intrusion, unauthorized access, denial of service, virus

attack, spyware/malware or criminal activity.

7. REFERENCE

Null

54


55/62


HOSPITAL







1. PURPOSE

Security Incident Procedures

2. POLICY

All hospital systems shall develop and implement procedures requiring that all suspected oractual information security incidents as defined by the hospital IT department are promptly

reported to the Information Technology Manager.

3. SCOPE

Develop policy and procedures for suspected information incidents defined by the hospital inorder to protect hospitals information and software application (management database).

4. TARGET AUDIENCE

Hospital software application, Database, and Information system.

5. RESPONSIBILITY

IT Department.

6. PROCEDURE

Hospital shall adhere to the Information Security (IS) and Incident Response Procedure above.Each hospital system should adhere to industry recognized best practices when collecting and

protecting evidence from information systems so that criminal perpetrators can be prosecuted to

the fullest extent of the law.

7. REFERENCE

Null

55


56/62


HOSPITAL







1. PURPOSE

Responding to Information Security Incidents

2. POLICY

All Hospital's systems shall develop and implement procedures for the response to informationsystem security incidents, as defined by the hospital IT department. Every effort shall be made

to mitigate the adverse impact on the confidentiality, integrity and availability of data, and to

preserve any evidence that could be used in the investigation of the incident.

3. SCOPE

Develop policy and procedures for suspected information incidents defined by the hospital in

order to protect hospitals information and software application (management database).

Prepare a backup plan to restore data in case of loss.

4. TARGET AUDIENCE

Hospital software application, Database, and Information system.

5. RESPONSIBILITY


6. PROCEDURE

Hospital shall adhere to the Information Security (IS) and Incident Response Procedure above.

Every effort shall be made to mitigate the adverse impact on the confidentiality, integrity, andavailability of data, and to preserve any evidence that could be used in the investigation of the

incident.

7. REFERENCE

Null

56


57/62


HOSPITAL







APPENDIX A

WORKSTATION AND SERVER STANDARDS

The purpose of these standards is to provide guidelines for best security practices when installing

new workstations and servers (or reconfiguring older workstations and servers) on the network. It is

not the purpose of this document to provide the information necessary to correctly administer a

workstation or server. It is assumed that the computer supporters responsible for implementing thesestandards are knowledgeable of the operating system they have chosen, the hardware on which it

runs, and any applications they intend to install.

A.1 Workstation Standards

No workstation should be connected to the network until the following items have beenaccomplished:

1. All security patches for the OS and any applications have been acquired using a local

connection that does not require an IP address (e.g. USB hard drive, zip drive, CD, etc.)2. All documentation for the workstation should be properly stored in a secure location.

3. The OS has been properly installed and configured and all relevant security patches for both

the OS and any applications have been applied.4. All