final it policy and procedure 05-09-2012
7/28/2019 Final IT Policy and Procedure 05-09-2012
1/62
GULFDIAGNOSTICCENTER
HOSPITAL
INFORMATION TECHNOLOGY DEPARTMENT    Policy No: ADM-IT-PL001/12
TITLE: INFORMATION TECHNOLOGY PLAN    Issue Date: June 2012
Revision No.: Original
Department : Information Technology Revision Date : June 2012
Section : IT Next Revision : June 2014
Distribution : Hospital Wide Page 1 of 62
INFORMATION TECHNOLOGY PLAN 2012
APPROVAL SHEET
Prepared by:
Name Signature Date
Zuher Arawi
Information Technology Manager
Reviewed by:
Name Signature Date
Mr. Zuher Arawi
Quality Assurance Manager
Ms. Lara Kaddoura
Administrator & Management Representative
Approved by:
Name Signature Date
Mr. Rami Kaddoura
Executive President & C.O.O
Mrs. Jamal Kaddoura
Co-founder & Hospital Director
DOCUMENT AMENDMENT RECORD SHEET
Date    Description of Change    Page Affected    Revision Number
TABLE OF CONTENTS:
SUBJECTS    PAGE
PURPOSE    4
POLICY    5
INTRODUCTION    6

POLICIES    PAGE
Knowing Installation, Upgrade and Testing of Hardware, Systems, and Equipment    9
Knowing Cabling, UPS (Uninterruptible Power Supply), Printers, and Modems, and Supplying Continuous Power to Critical Equipment    11
Using Fax Machines/Fax Modems    12
Using Modems/ISDN/DSL Connections, Using Centralized, Networked, or Stand-Alone Printers, Securing Network Cabling    13
Consumables, Using Removable Storage Media, Including USBs, DVDs, CDs and Diskettes    15
Working off GDC or Using Outsourced Processing, Contracting, Use of Laptop/Portable Computers, Portable Electronic Devices and the Removal of Equipment off Hospital System    16
(Teleworking) or Working from Home or Other Off-Site Location    18
Other Hardware Issues, Destruction and/or Reuse of Equipment    19
Controlling Access to Information and Systems and Managing Access Control Standards    21
Securing Unattended Workstations    23
Managing Network Access Controls    24
Managing Application Access Control    25
Managing Passwords    26
Unauthorized Physical Access Security    28
Monitoring System Access and Use    29
Emergency Access    31
Configuring Networks, Managing the Network    32
Defending Network Information against Malicious Attack    33
System Operations and Administration, Appointing System Administrators    35
Ensuring Information Integrity, Commissioning Facilities Management    36
E-mail and the World-Wide Web, Downloading Files and Information from the Internet, Sending Electronic Mail (E-Mail) and/or Other Forms of Digital Communication, Receiving and Sending Electronic Mail and/or Any Other Form of Digital Communication    38
Misdirected Information by E-Mail and/or Any Other Form of Digital Communication    39
Website Maintenance    41
Data Management, Transferring and Exchanging Data, Managing Data Storage    42
Purchasing and Maintaining Commercial Software    43
Developing and Maintaining Custom Software, Controlling Software Code, Managing Operational Program Libraries    45
Testing and Training Environments, the Use of Protected Data for Training    46
New System Training    47
Complying with Legal and Policy Requirements, Complying with Legal Obligations, Awareness of Legal Obligation, Copyright Compliance, Computer Misuse    48
External Suppliers/Other Vendor Contracts    49
Personnel Information Security Responsibilities - Passwords and PIN Numbers, Employment Termination - Staff Resignations    50
Procedures for Staff Leaving Employment, Training and Staff Awareness, Awareness for Temporary Staff, Security Information Updates to Staff    51
Information Security Training on New Systems, New System Staff and Physicians Training in Information Security, Preparing Hospital for Placement of Computers    53
Protecting For, Detecting and Responding to Information Security Incidents, Reporting Information Security Incidents, Defending Against Unauthorized or Criminal Activity    54
Security Incident Procedures    55
Responding to Information Security Incidents    56
1. PURPOSE
Complete and comprehensive Information Technology policies are necessary, not only to
communicate hospital expectations clearly to staff, but to protect the hospital. For example,
a hospital was recently forced to settle a lawsuit filed by four employees claiming they were
sexually harassed via the hospital's email system. The incident might have been averted, and
millions saved, if the hospital's management had instituted simple precautionary measures,
such as implementing and enforcing an email policy. Information Technology policies and
procedures, properly administered, can often mitigate or eliminate risk and help address common
workplace issues.

Lawsuits are not the only problems hospitals can encounter. Any time employees can access
email or the Internet, the organization is exposed to a broad range of potentially costly liabilities.
For example, hospitals working toward compliance fear the loss or exposure of confidential
information. Data can be exposed to email-borne viruses, and untold productive hours can be lost
surfing the Web for information unrelated to the job.

Internet access is only one Information Technology service that needs protecting. An Internet
usage policy is the first battle in the seemingly never-ending effort to protect employees and
maintain efficiency. There is no single product, and indeed no single protocol, that provides
complete protection and all the equipment necessary to enforce an organization's policies and
procedures. Hospitals must manage a variety of issues beyond Internet usage. Security concerns
extend beyond the network to physical aspects, such as the upkeep of hospital equipment. There
is also a vast amount of offline data that must be protected.

Faced with problems like these, Information Technology and Internet usage policies are the best
lines of defense hospital managers can adopt. Not only are they proactive steps that help set the
necessary alarms, but they also provide guidance for disciplinary action. Such policy-based
management has caught on as an effective method for reducing administrative costs, tightening
security, and helping troubleshooting efforts. Information Technology policies need to address
all of these issues, not only to avoid disaster, but to know what to do if and when disaster does
strike. The policies in this document deal not only with technical security issues, such as viruses and
the privacy of protected, confidential information, but also with more general management issues,
such as network passwords and unauthorized software use. This document also addresses the
actions supervisors can take when policies are not adhered to.
2. POLICY
Hospital Information Technology Policies
The following Information Technology policies and procedures are re-evaluated and revised
twice a year, or as required. Every staff member is expected to read these policies and comply
with them. Any questions or concerns should be raised with your supervisor or
Head of Department/Manager. After reading these policies, sign and date this document to
confirm that you have read and understood them.
Hospital Information Technology Policies include:
1. Internet / Email Policies
1.1. Internet / Email Acceptable Use
1.2. Downloads and Executables
1.3. Peer-to-peer File Sharing and Streaming Media
1.4. Internet Messaging
2. Security Policies
2.1. Computer Viruses
2.2. Physical Security
2.3. Passwords
2.4. Backup
2.5. Continuance
2.6. Data retention
3. Acknowledgement of Policies
3.1. Signature Page
Date issued: 16-06-2012
Authorized by: IT Manager, Quality Manager, Executive Director, Hospital Co-Founder
Next scheduled review: 12-2012.
INTRODUCTION
The purpose of this document is to provide the procedures by which GDC Hospital meets the
mandates of the JCIA System Information Security Plan.
Most hospitals have a tiered policy and procedure system: administrative policies comprise the
hospital-wide or interdepartmental directives, while departmental policies cover intradepartmental
subjects. This document was written using this scheme.
1. PURPOSE
Knowing Installation, Upgrade and Testing of Hardware, Systems, and Equipment.
2. POLICY
All hardware installations shall be planned, and the parties affected by the installation
notified and given the opportunity to comment before the proposed installation date. All
equipment, systems, software, upgrades and patches shall be fully and comprehensively tested
and authorized by management before being moved into the live environment. The extent of
planning and testing shall be reasonable given the size and complexity of the installation, to
ensure successful implementation with minimal disruption of operations.
3. SCOPE
This base plan describes the policies and procedures GDC Hospital will follow to prepare for,
respond to, and manage installations and hardware/system upgrades.
4. TARGET AUDIENCE
Staff, doctors, Patients, visitors
5. RESPONSIBILITY
IT Team, Hospital wide, all personnel in hospital.
6. PROCEDURE
1. Any significant system change that has the likely or expected potential to affect a user
group shall be planned with the knowledge and cooperation of that group.
2. A significant system change is any change to hardware, software, or communications lines
that has the potential to affect the availability or integrity of a program or its data.
3. A change meets the "likely or expected" criterion if it has documented known faults, is
supplied untested by the vendor, is applied to a program with local customizations that the
vendor could not test, or may require extended downtime.
4. Certain trusted changes, such as virus protection updates and operating system patches that are
routinely released by the original software vendor, may be applied to workstations and to file
servers of non-critical applications without extended testing.
5. Any system that contains restricted or protected information should be backed up, with a
restore point, before the change is implemented.
6. All change actions should be weighed against the potential outcome of not making the change.
7. Critical software updates for known vulnerabilities may take precedence over a group's
productivity.
8. Protecting the program and data is always the top priority.
9. All significant changes to a system should be documented, recording the change and the date it
occurred.
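Steps 5 and 9 of the procedure above (a restore point before the change, a dated record of the change, and a way back if the change fails) can be wired into one change-control wrapper. The Python script below is an added example written for this edit; it is not part of the hospital's policy or of any GDC system. The directory names, the sample settings files and the two change functions are constructed for illustration; a real deployment would point it at the actual configuration or program directory and keep the archives on separate backup storage.

```python
"""Change-control wrapper: restore point before a change, rollback on failure,
dated change record afterwards. Added example; paths and sample data are made up."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Dict


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def file_manifest(target: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under `target`; used to verify a restore."""
    return {str(p.relative_to(target)): sha256_file(p)
            for p in sorted(target.rglob("*")) if p.is_file()}


def create_restore_point(target: Path, backup_dir: Path) -> Path:
    """Archive `target` into a timestamped tar.gz and write a checksum manifest beside it."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S.%fZ")
    archive = backup_dir / f"{target.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(target, arcname=target.name)
    manifest = archive.with_name(archive.name + ".manifest.json")
    manifest.write_text(json.dumps(file_manifest(target), indent=2))
    return archive


def restore_from(archive: Path, target: Path) -> bool:
    """Replace `target` with the archived copy; True if the result matches the manifest."""
    if target.exists():
        shutil.rmtree(target)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and patched 3.8-3.11
            tar.extractall(target.parent, filter="data")  # refuses traversal, abs paths, devices
        else:
            tar.extractall(target.parent)
    manifest = archive.with_name(archive.name + ".manifest.json")
    return file_manifest(target) == json.loads(manifest.read_text())


def apply_change(target: Path, backup_dir: Path, change_log: Path,
                 description: str, change: Callable[[Path], None]) -> dict:
    """Take a restore point, run `change`, roll back if it raises, and append a dated
    JSON record (one object per line) to `change_log`."""
    archive = create_restore_point(target, backup_dir)
    record = {"date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "target": str(target), "description": description,
              "restore_point": str(archive)}
    try:
        change(target)
        record["result"] = "applied"
    except Exception as exc:  # any failure: put the system back the way it was
        record["result"] = "rolled back"
        record["error"] = f"{type(exc).__name__}: {exc}"
        record["restore_verified"] = restore_from(archive, target)
    with change_log.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def demo() -> dict:
    """Run the wrapper on a constructed sample tree in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="change-ctl-"))
    target, backups, log = root / "app-config", root / "backups", root / "changes.jsonl"
    (target / "sub").mkdir(parents=True)
    (target / "settings.ini").write_text("audit=off\n")   # constructed sample
    (target / "sub" / "hosts.txt").write_text("db01\n")   # constructed sample

    def enable_audit(t: Path) -> None:
        (t / "settings.ini").write_text("audit=on\n")

    def broken_patch(t: Path) -> None:  # half-applies, then fails
        (t / "settings.ini").write_text("garbage\n")
        (t / "extra.tmp").write_text("x")
        raise RuntimeError("vendor patch aborted")

    first = apply_change(target, backups, log, "enable audit logging", enable_audit)
    second = apply_change(target, backups, log, "apply vendor patch", broken_patch)
    return {"first": first["result"], "second": second["result"],
            "restore_verified": second.get("restore_verified"),
            "settings_after": (target / "settings.ini").read_text(),
            "leftover_exists": (target / "extra.tmp").exists(),
            "log_entries": len(log.read_text().splitlines())}
```

The point of the checksum manifest is that the rollback is verified rather than assumed: after the failed "vendor patch" the half-written file and the stray temporary file are gone, and the tree hashes exactly as it did at the restore point. Both outcomes, applied and rolled back, land in the same dated log, which is the record step 9 asks for.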
7. REFERENCE
Null
1. PURPOSE
Knowing cabling, UPS (Uninterruptible Power Supply), Printers, and Modems, and supplying
continuous power to critical equipment.
2. POLICY
All information systems identified as critical to GDC Hospital system operations shall be
protected by an uninterruptible power supply adequate to provide continuity of service and/or an
orderly shutdown to preserve data integrity.
3. SCOPE
Describes the policy for cabling UPSs, printers and modems. IT will follow up on proper
cabling and ensure that cables are laid within proper trunking to protect against
electrical hazards.
4. TARGET AUDIENCE
Staff, maintenance people, service department.
5. RESPONSIBILITY
Maintenance department and IT support team
6. PROCEDURE
1. Selection of equipment for support by an uninterruptible power supply shall be based on the
critical equipment inventory.
2. For data storage devices, the uninterruptible power supply should be connected to the computing
device so that it can shut down in an orderly manner if the backup power supply fails.
3. Uninterruptible power supplies shall be maintained and tested according to the manufacturer's
recommendations.
7. REFERENCE
Null
1. PURPOSE
Using Fax Machines/Fax Modems
2. POLICY
Protected or restricted information shall only be faxed when more secure methods are not
available.
3. SCOPE
Improve staff understanding of the correct use of fax machines and fax modems.
4. TARGET AUDIENCE
Receptionists, Pharmacists, Insurance and HR Staff.
5. RESPONSIBILITY
IT Support team and Public Relation Officer.
6. PROCEDURE
The sender of the protected or restricted information and the intended recipient shall agree to the
fax transmittal before it is sent.
Documents with personal identifiers may only be faxed with appropriate safeguards. A list of
medical record numbers without other personal identifiers may be faxed, provided there is no
reference to medical conditions on either the faxed copy or the cover sheet. Users are responsible
for ensuring that faxes are not left on the fax machine.
7. REFERENCE
Null
1. PURPOSE
Using Modems/ISDN/DSL Connections, Using Centralized, Networked, or Stand-Alone Printers,
Securing Network Cabling.
2. POLICY
Protected or restricted information shall only be sent over System network lines when more secure
methods are not feasible. In that event, additional precautions (e.g. encryption of data, virtual
private network, etc.) shall be employed to protect against unauthorized interception and/or
disclosure of protected information.
Protected or restricted information shall not be sent to a network printer in an unsecured area
without appropriate physical safeguards or an authorized person present to safeguard the
information during and after printing.
All cabling in System networks shall be secured to prevent unauthorized interception or damage.
3. SCOPE
Defines the use of modems and stand-alone printers, grants authorization to the people in
charge of networked peripherals, and sets out a plan to secure network cabling.
4. TARGET AUDIENCE
Doctors, nurses, receptionists, secretaries, and other hospital staff
5. RESPONSIBILITY
IT Support team
6. PROCEDURE
Where protected or restricted information must be sent over network lines outside the hospital
System network, additional precautions (e.g. encryption of data, virtual private network, etc.) shall
be employed to protect against unauthorized interception and/or disclosure of protected information.
7. REFERENCE
Null
1. PURPOSE
Consumables, Using Removable Storage Media, Including USBs, DVDs, CDs and Diskettes.
2. POLICY
All protected or restricted information stored on removable media, including USBs, DVDs, CDs
and diskettes, shall be kept in a safe, secure environment in accordance with the manufacturer's
specifications when not in use. The removal of protected or restricted information from hospital
premises shall require specific authorization from the hospital's designated official.
3. SCOPE
This base plan describes the policies and procedures GDC Hospital staff using these systems
will follow to handle the listed media securely.
4. TARGET AUDIENCE
Restricted to authorized GDC Hospital staff using networked systems
5. RESPONSIBILITY
IT Department and authorized GDC Hospital staff using networked systems
6. PROCEDURE
The use of removable media to transport protected or restricted information is strongly discouraged.
Specific administrative approval is required before protected information stored on removable
media may be removed from the hospital. The user should obtain electronic or written
documentation of the approval from the appropriate department director.
This applies to USBs, CDs, diskettes (if still in use) and any other storage media that contain
confidential information that has not been completely de-identified.
7. REFERENCE
Null
1. PURPOSE
Working off GDC or Using Outsourced Processing, Contracting, Use of Laptop/Portable
Computers, Portable Electronic Devices and the Removal of Equipment off Hospital System.
2. POLICY
Individuals responsible for commissioning outsourced computer processing of protected or
restricted information shall ensure that the services used come from companies that operate in
accordance with GDC's information security standards, which include a Business Associate
Agreement or similar document communicating the expectation of compliance with these
standards and the remedies available in the event of non-compliance.
Laptops and other portable computing devices issued to hospital System employees shall not be
used for activities unrelated to organizational goals. The designated hospital official shall
document who is in possession of each device and that the individual understands his or her
responsibility for the confidentiality, integrity, and availability of the information on that device.
Each IT Hospital system employee who is assigned a portable or mobile computing device shall
be responsible for ensuring that data stored on the device is properly backed up, that the
operating system is patched in a timely fashion and, where applicable, that anti-virus software with
current virus data files (including spyware detection and a firewall) is installed and running
continuously. In addition, only authorized personnel shall be permitted to take any equipment
belonging to the IT Hospital system off the premises, and they are responsible for its security at all
times.
3. SCOPE
Planning the needed services, taking into consideration the information security measures
required for the services, hardware and software applications that support the hospital's day-to-day work.
4. TARGET AUDIENCE
GDC Hospital staff using IT applications/hardware.
5. RESPONSIBILITY
IT Manager, Support Team, and GDC Hospital staff.
6. PROCEDURE
The IT Director at each facility, or designee, shall keep a list of all portable computing devices
(PCDs) and who is in possession of each device. Any change in possession of a portable
computing device shall be reported to the IT Director immediately.
Each employee with a PCD shall have appropriate approval stating the need for the device before
taking possession. The employee shall sign a Portable Computing Device Release before
using the device.
Handling and Storage of Laptops
Safety and security of the PCD is the responsibility of the employee to whom it is assigned.
PCDs are stored in a secure, locked location within the office when not in use. Confidential
information on PCD removable drives should be carried in a secure container. If possible, the media
containing the confidential, encrypted data should be locked in a location apart from the laptop
when not in use.
Loss of any PCD shall be reported immediately to the IT Director/IT Security Lead of the
hospital.
7. REFERENCE
Null
1. PURPOSE
(Teleworking) or Working from Home or Other Off-Site Location
2. POLICY
IT Hospital systems which allow teleworking or working from home shall establish procedures
that ensure the confidentiality, integrity and availability of protected data accessed during any
teleworking session.
3. SCOPE
Prepares and describes the policy and procedure for the IT Support team and for service companies
granted permission to access the relevant servers for installation/configuration.
4. TARGET AUDIENCE
IT Manager, DB Administrator and Application Developer.
5. RESPONSIBILITY
IT Manager, DB Administrator and Application Developer.
6. PROCEDURE
1) When using a desktop computer from home or when travelling, the screen should be placed so
that it is not visible to non-authorized persons walking by the office or through a hallway.
Additionally, computer screens should be positioned so that they are not visible through
windows.
2) When laptop computers are used, the screens are managed so as to prevent viewing by others.
The laptop is never out of the employee's sight when not secured.
3) All teleworking sessions require a virtual private network (VPN) connection, a Citrix Desktop
connection, or a dial-up connection through an enterprise RAS solution.
7. REFERENCE
Null
1. PURPOSE
Other Hardware Issues, Destruction and/or Reuse of Equipment.
2. POLICY
IT equipment and/or media owned by IT Hospital systems shall only be disposed of by
authorized personnel in accordance with the National Industrial Security Program Operating
Manual. IT equipment and/or media owned by the IT Hospital system which is to be reassigned
to another employee or reused shall be evaluated as to whether protected or restricted
information needs to be purged in accordance with the above standard before reassignment,
reuse or disposal.
3. SCOPE
Defines the base plan and evaluation sheet for destruction and reuse of equipment and media
owned by the GDC Hospital system.
4. TARGET AUDIENCE
GDC Hospital staff using mentioned equipment and system.
5. RESPONSIBILITY
IT manager
6. PROCEDURE
Any computing equipment possessing media with protected or restricted information shall have
the media wiped of all information in accordance with the Management of Information
Technology specifications.

Media                                                 Procedure(s)
Magnetic Tape
Magnetic Disk
Optical Disk
    Read Many, Write Many (e.g., CD-RW)
    Read Only
    Write Once, Read Many (e.g., CD-R, CD+R, DVD+R)
Memory
    Dynamic Random Access Memory (DRAM)
    Flash memory (e.g., USB drives, picture cards)
    Programmable ROM (PROM)
    Nonvolatile RAM (NOVRAM)
    Read Only Memory (ROM)
    Static Random Access Memory (SRAM)
7. REFERENCE
Null
1. PURPOSE
Controlling Access to Information and Systems and Managing Access Control Standards
2. POLICY
Each IT Hospital system shall ensure that all access to information systems is based on the
lowest level of privilege needed to perform one's job.
Access to application supervisor-level commands shall require authorization from the
employee's supervisor and/or the owner of the application. Access to operating system
supervisor and/or administrator commands shall be restricted to those persons who are
authorized to perform systems administration/management functions.
Managing User Access: access to any IT Hospital system information system shall be authorized by the
owner and/or the hospital's designated official(s). Each staff member and contractor shall be assigned a unique
user ID. When generic IDs are required by operational necessity, each hospital shall develop
procedures to prevent abuse. For audit purposes, such access, including the access
rights or privileges granted, shall be recorded.
Generic Accounts are accounts used to provide access to network resources for third-party software
supporters, contractors, or computer supporters, and for applications that need service accounts.
Acquiring a Generic Account: The owner of the resource will notify Enterprise Information
Security by e-mail that a vendor, contractor, or computer supporter needs a generic account to
access the network. Before the account is created, Enterprise Information Security shall determine the method by which access into
the network will be allowed. This may require discussions between the vendor, the IT contact, and the firewall
administrator. If it is decided that a generic account is required, the account will be set up
according to Enterprise Information Security procedures.
Vendor Account Requirements: Vendors and contractors must submit a vendor account policy,
which contains a vendor account agreement, before being given access to the network. These
policies are kept on file by the Enterprise Information Security group.
Enabling a Generic Account: Activation of generic accounts must be authorized by the IT
contact. The default activation period is 24 hours unless requested otherwise. Prolonged
activation periods must be justified. When a generic account is activated, an e-mail must be sent
to the IT contact notifying them of the new expiration date.
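The "Enabling a Generic Account" rules above (authorization by the IT contact, a vendor agreement on file, a 24-hour default activation period, a justification for anything longer, and a notification carrying the expiration date) together with a periodic review that finds expired or improperly enabled generic accounts can be expressed as a small check. The Python below is an added example written for this edit, not GDC's own tooling: the account names, contact address and timestamps are constructed, and in practice the inventory would be read from the directory service and the "disable" list acted on there.

```python
"""Generic (vendor/contractor) account activation and review. Added example;
account names, contact address and timestamps are constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DEFAULT_ACTIVATION_HOURS = 24  # policy default unless a longer period is requested


@dataclass
class GenericAccount:
    name: str
    it_contact: str            # hospital owner of the resource the account reaches
    agreement_on_file: bool    # vendor account agreement filed with Enterprise Information Security
    enabled: bool = False
    activated_at: Optional[datetime] = None
    activation_hours: int = DEFAULT_ACTIVATION_HOURS
    justification: str = ""
    authorized_by: Optional[str] = None

    def expires_at(self) -> Optional[datetime]:
        if self.activated_at is None:
            return None
        return self.activated_at + timedelta(hours=self.activation_hours)


def activate(acct: GenericAccount, now: datetime, authorized_by: str,
             hours: int = DEFAULT_ACTIVATION_HOURS, justification: str = "") -> Dict[str, str]:
    """Enable the account if the policy preconditions hold and return the
    notification (as a dict) that goes to the IT contact with the expiration date."""
    if not acct.agreement_on_file:
        raise PermissionError(f"{acct.name}: vendor account agreement not on file")
    if not authorized_by:
        raise PermissionError(f"{acct.name}: activation must be authorized by the IT contact")
    if hours > DEFAULT_ACTIVATION_HOURS and not justification.strip():
        raise ValueError(f"{acct.name}: activation beyond {DEFAULT_ACTIVATION_HOURS}h needs a justification")
    acct.enabled, acct.activated_at, acct.authorized_by = True, now, authorized_by
    acct.activation_hours, acct.justification = hours, justification
    expires = acct.expires_at().isoformat()
    return {"to": acct.it_contact,
            "subject": f"Generic account {acct.name} activated",
            "body": f"{acct.name} enabled by {authorized_by} at {now.isoformat()}; expires {expires}",
            "expires_at": expires}


def review(accounts: List[GenericAccount], now: datetime) -> Dict[str, List[str]]:
    """Sort enabled accounts into: still within their period, past expiry (disable
    them), or enabled without the preconditions (investigate)."""
    findings: Dict[str, List[str]] = {"active": [], "disable": [], "violation": []}
    for acct in accounts:
        if not acct.enabled:
            continue
        expires = acct.expires_at()
        prolonged_unjustified = (acct.activation_hours > DEFAULT_ACTIVATION_HOURS
                                 and not acct.justification.strip())
        if (expires is None or not acct.agreement_on_file
                or not acct.authorized_by or prolonged_unjustified):
            findings["violation"].append(acct.name)
        elif expires <= now:
            findings["disable"].append(acct.name)
        else:
            findings["active"].append(acct.name)
    return findings


def demo() -> Dict[str, object]:
    """Constructed inventory run through activate() and review()."""
    now = datetime(2012, 6, 16, 9, 0, tzinfo=timezone.utc)
    contact = "it.contact@example.invalid"   # constructed address
    lab = GenericAccount("svc-labvendor", contact, agreement_on_file=True)
    pacs = GenericAccount("svc-pacsvendor", contact, agreement_on_file=True)
    hvac = GenericAccount("svc-hvacvendor", contact, agreement_on_file=False)
    legacy = GenericAccount("svc-legacy", contact, agreement_on_file=True, enabled=True,
                            activated_at=now - timedelta(hours=3))  # nobody authorized it
    notice = activate(lab, now - timedelta(hours=30), "it.contact")  # default 24h, now stale
    activate(pacs, now - timedelta(hours=2), "it.contact", hours=72,
             justification="PACS upgrade window approved by radiology")
    refused = []
    for acct, kwargs in ((hvac, {}), (pacs, {"hours": 48})):  # no agreement; prolonged, no reason
        try:
            activate(acct, now, "it.contact", **kwargs)
        except (PermissionError, ValueError) as exc:
            refused.append(type(exc).__name__)
    return {"findings": review([lab, pacs, hvac, legacy], now),
            "notice_expires_at": notice["expires_at"], "refused": refused}
```

The review deliberately separates "disable" (the account was set up correctly and has simply run out its period) from "violation" (an enabled account with no authorizer, no agreement, no activation record, or a long period with no justification), because the first is routine housekeeping and the second is something to investigate before it is switched off.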
Generic Account Agreement for Vendors
a) I acknowledge that I am responsible for all activity attributable to the account assigned
to my organization.
b) I will use my organization's account to perform authorized activities only
(i.e., to carry out contract-related responsibilities).
c) If I abuse or gain unauthorized access to computer resources, I understand that the IT head may
immediately revoke my account and report my conduct to law enforcement authorities.
d) I understand that, upon change or termination of my organization's relationship with the IT
department, my organization's access to resources on the network will be reviewed and
modified or terminated as appropriate.
e) I understand the importance of privacy and confidentiality of information, and in particular
patient information, student records, and employee personal data. I pledge to handle all
sensitive data I access with the appropriate care and precautions.
f) I will abide by IT policy regarding appropriate use of its network infrastructure.
3. SCOPE
Prepares a plan for controlling access to information and systems, and the steps to
manage the access control standards.
4. TARGET AUDIENCE
Each staff member and contractor assigned a unique user ID or generic account.
5. RESPONSIBILITY
IT support team, and GDC staff and contractors holding a unique user ID.
6. PROCEDURE
Performed on a case-by-case basis according to the access granted to end-users/contractors.
7. REFERENCE
Null
1. PURPOSE
Securing Unattended Workstations
2. POLICY
Precautions shall be taken to prevent tampering of unattended equipment by unauthorized persons.
3. SCOPE
Preparing memos that clearly state the responsibilities of system (workstation) custodians/persons in charge.
4. TARGET AUDIENCE
GDC Hospital Doctors/staff using GDC Hospital systems/workstations.
5. RESPONSIBILITY
GDC Hospital Doctors/staff working on GDC Hospital workstations.
6. PROCEDURE
All workstations should be placed in a secured location. In locations that are not occupied at all
times and cannot be secured, the PC should be physically secured to the work area.
Viewing screens should be located so that unauthorized personnel cannot view the information on the screen. Where it is impossible to protect the peripheral view of the screen, privacy filters
shall be employed.
Private or restricted information shall not be stored on a computer in a public use or untenable area.
7. REFERENCE
Null
1. PURPOSE
Managing Network Access Controls
2. POLICY
Access to Hospital system information systems networks shall be strictly controlled to prevent
unauthorized access. Each hospital's IT department shall develop procedures and standards for securing network electronics against unauthorized tampering.
3. SCOPE
A base plan that describes the policies and procedures which the GDC Hospital IT department will
develop and follow to prepare for, respond to, and manage system access triggers.
4. TARGET AUDIENCE
IT Manager and IT team.
5. RESPONSIBILITY
IT Manager and IT Team.
6. PROCEDURE
Access to the information systems networks shall be strictly controlled to prevent unauthorized
access. The Office of Computer Services network equipment standards shall be utilized to secure
network electronics against unauthorized tampering.
7. REFERENCE
Null
1. PURPOSE
Managing Application Access Control
2. POLICY
The Hospital system procedure for authorizing supervisor-level access shall require approval from the designated hospital IT authority.
3. SCOPE
A base plan that describes the policies and procedures which the GDC Hospital IT department will
develop and follow to prepare for, respond to, and manage system access triggers.
4. TARGET AUDIENCE
IT Manager and IT team.
5. RESPONSIBILITY
IT Manager and IT team.
6. PROCEDURE
Access to application supervisor-level commands shall require authorization from the
employee's supervisor and/or the owner of the application. Access to operating system supervisor and/or administrator commands shall be restricted to those persons who are
authorized to perform systems administration/management functions.
7. REFERENCE
Null
1. PURPOSE
Managing Passwords.
2. POLICY
All information systems that use passwords as the primary method of user authentication shall require that all user accounts be password protected with non-null (weak) passwords and require
all users to change passwords on a periodic basis (at least every six months). The IT department of
the Hospital shall develop and/or adopt standards for password length, password change interval and password complexity that are appropriate for the system being protected. These standards
shall be reviewed periodically.
3. SCOPE
A plan to be defined in order to control, maintain and monitor passwords at all authorized levels on a quarterly/half-yearly basis.
4. TARGET AUDIENCE
GDC Hospital Doctors/staff and IT Staff using systems/servers.
5. RESPONSIBILITY
IT support team and GDC Hospital doctors and staff using systems.
6. PROCEDURE
All computer accounts must be password protected in accordance with the password policy. This policy shall not be any less restrictive than the Information Technology password policy. These
password standards shall be reviewed no less frequently than every three years and revised to
incorporate advances in technology.
The Password Policy requires that:
Minimum password length and format shall be no less than eight (8) characters.
Minimum password complexity: passwords should contain characters from at least 3 of the 4 categories: English upper case
characters (A-Z), English lower case characters (a-z), Base 10 digits (0-9), and non-
alphanumeric characters (%, &, !).
Maximum validity periods for passwords shall be no greater than 180 days, with specific
exemptions granted for special purposes such as enabling a stored procedure to run against a
database.
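The password rules stated above (non-null, at least 8 characters, 3 of the 4 character categories, 180-day maximum validity with specific exemptions) as an added Python checker. This is example code written for this page, not the hospital's own tooling; treating any printable non-alphanumeric character as the fourth category and the `exempt` flag for the policy's special-purpose accounts are assumptions.

```python
"""Password policy checks for the rules stated in this plan.

Added example, not the hospital's own tooling. Assumptions: any printable
non-alphanumeric, non-space character counts as the policy's
"non-alphanumeric" category (the plan lists %, &, ! only as examples), and
the `exempt` flag models the plan's specific exemptions from the 180-day
maximum (e.g. an account that runs a stored procedure against a database).
"""
from datetime import date, timedelta

MIN_LENGTH = 8          # "no less than eight (8) characters"
MIN_CATEGORIES = 3      # "at least 3 of the 4 categories"
MAX_AGE_DAYS = 180      # "no greater than 180 days"

# The four character categories named in the policy.
CATEGORIES = {
    "upper": lambda c: "A" <= c <= "Z",
    "lower": lambda c: "a" <= c <= "z",
    "digit": lambda c: "0" <= c <= "9",
    "symbol": lambda c: c.isprintable() and not c.isalnum() and not c.isspace(),
}


def categories_present(password: str) -> set:
    """Names of the categories that occur at least once in the password."""
    return {name for name, test in CATEGORIES.items()
            if any(test(ch) for ch in password)}


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    if not password:
        # A null/empty password fails outright; nothing else is worth reporting.
        return ["password is null/empty"]
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = categories_present(password)
    if len(present) < MIN_CATEGORIES:
        missing = ", ".join(sorted(set(CATEGORIES) - present))
        violations.append(
            f"only {len(present)} of 4 character categories used (missing: {missing})")
    return violations


def password_expired(last_changed: date, today: date, exempt: bool = False) -> bool:
    """True when the password is older than MAX_AGE_DAYS (never for exempt accounts)."""
    if exempt:
        return False
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


def audit_accounts(accounts: list, today: date) -> dict:
    """Map each user ID to its findings.

    `accounts` is a list of dicts with keys user, password, last_changed and
    an optional exempt flag (a constructed input format for this example).
    """
    findings = {}
    for acct in accounts:
        problems = check_password(acct["password"])
        if password_expired(acct["last_changed"], today, acct.get("exempt", False)):
            problems.append(f"password older than {MAX_AGE_DAYS} days")
        findings[acct["user"]] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample accounts; the passwords are illustrative only.
    sample = [
        {"user": "nurse01", "password": "Ward7pass", "last_changed": date(2012, 5, 1)},
        {"user": "reception", "password": "wardpass", "last_changed": date(2012, 5, 1)},
        {"user": "svc_reports", "password": "Rpt!2012x",
         "last_changed": date(2011, 1, 1), "exempt": True},
        {"user": "temp", "password": "", "last_changed": date(2012, 5, 1)},
    ]
    for user, problems in audit_accounts(sample, date(2012, 6, 1)).items():
        print(user, "OK" if not problems else "; ".join(problems))
```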
7. REFERENCE
Null
1. PURPOSE
Unauthorized Physical Access Security.
2. POLICY
Physical access to server rooms and network infrastructure closets shall be protected using all
reasonable and appropriate safeguards. Strong authentication and identification techniques shall be used when they are available and can be reasonably deployed.
3. SCOPE
A base plan that describes the policies and procedures, GDC Hospital will follow to prepare for,
respond to, and manage physical access security.
4. TARGET AUDIENCE
Information Technology Department
5. RESPONSIBILITY
Information Technology Department
6. PROCEDURE
Physical access to server rooms and network infrastructure closets shall be protected using all
reasonable and appropriate safeguards. Strong authentication and identification techniques shall be used when they are available and can be reasonably deployed.
7. REFERENCE
Null
1. PURPOSE
Monitoring System Access and Use
2. POLICY
All information systems that contain protected or restricted information shall be configured to log any and all information necessary to detect and record attempts of unauthorized access and
system errors, to the extent that the logging facility exists and is capable. These logs with
significant activity shall be examined in a timely fashion by staff determined as qualified by the hospital IT department. Security incidents shall be reported to the Security Officer (one of the IT
team members) for appropriate action and follow up.
3. SCOPE
A base plan that describes the policies and procedures GDC Hospital will follow to prepare for, respond to, and manage physical access security.
4. TARGET AUDIENCE
Information Technology Department
5. RESPONSIBILITY
Information Technology Department
6. PROCEDURE
All information systems that contain protected or restricted information shall be configured to log any and all information necessary to detect and record attempts of unauthorized access and
system errors, to the extent that the logging facility exists and is capable. These logs with
significant activity shall be examined in a timely fashion by staff determined as qualified by the
IT department for Computer Services. Reporting of suspected security incidents shall follow the process defined in the Information Security Response Procedure.
7. REFERENCE
Null
1. PURPOSE
Emergency Access
2. POLICY
All Hospital systems shall develop and implement a procedure to provide access to electronic information on an emergency basis (i.e., an employee is incapacitated and another employee
must enter the system to continue his job function). For audit purposes, each instance of such access provision shall be documented and shall be maintained on file for a period of no less than
one year, if the information accessed is protected information.
3. SCOPE
A base plan that describes the policies and procedures GDC Hospital will follow to prepare for, respond to, and manage physical access security.
4. TARGET AUDIENCE
Information Technology Department
5. RESPONSIBILITY
Information Technology Department
6. PROCEDURE
Emergency access (i.e. an employee is incapacitated and another employee must enter the system
to continue his job function) to electronic information shall be handled by the EIS during business hours and the Enterprise Information Security Analyst on call after business hours. For
audit purposes, each instance of such access provision shall be documented and shall be
maintained on file for a period of no less than one year, if the information accessed is protected information.
7. REFERENCE
Null
1. PURPOSE
Configuring Networks
Managing the Network
2. POLICY
All System information system networks shall be designed and configured to deliver high
availability, confidentiality, and integrity to meet business needs.
Each Hospital system shall ensure that those responsible for managing the hospital network and
preserving its integrity, in collaboration with the individual system owners, do so in accordance
with the hospital's IT department standards and job descriptions.
3. SCOPE
A base plan that describes the policies and procedures the GDC Hospital IT Manager and support
team will follow to prepare for, respond to, and manage the hospital's network.
4. TARGET AUDIENCE
Information Technology Department
5. RESPONSIBILITY
Information Technology Department
6. PROCEDURE
Those responsible for managing the network and preserving its integrity shall do so in accordance with the Office of Computer Services standards and job descriptions.
7. REFERENCE
Null
1. PURPOSE
Defending Network Information against Malicious Attack
2. POLICY
Each Hospital system shall develop and implement procedures to adequately configure and safeguard its information system hardware, operation and application software, networks and
communication systems against both physical attack and unauthorized network intrusion. All
servers and workstations shall run anti-virus software (including spyware detection and firewalls) while connected to the network infrastructure. In the event that the system will not
operate properly with the anti-virus software, appropriate information security safeguards shall
be instituted.
3. SCOPE
A base plan that describes the policies and procedures the GDC Hospital IT Manager and support
team will follow to prepare for, respond to, and manage the hospital's network.
4. TARGET AUDIENCE
Information Technology Department
5. RESPONSIBILITY
Information Technology Department
6. PROCEDURE
All servers and workstations shall be configured according to Information Security standards in
order to safeguard information system hardware, operation and application software, networks,
and communication systems against both physical attack and unauthorized network intrusion.
All servers and workstations shall run anti-virus software (including spyware detection) while connected to the network infrastructure. In the event that the system will not operate properly
with the anti-virus software, appropriate information security safeguards shall be instituted.
7. REFERENCE
Null
1. PURPOSE
System Operations and Administration, Appointing System Administrators
2. POLICY
Each Hospital system shall appoint systems administrators who demonstrate the qualifications established by the hospital's IT department to manage the information technology systems and
oversee the day to day security of these systems.
3. SCOPE
To prepare definite measures for the operating systems used for software applications and end-users, and to monitor the appointed system administrators running those operating systems.
4. TARGET AUDIENCE
Information Technology Department
5. RESPONSIBILITY
Information Technology Department
6. PROCEDURE
The Office of Computer Services (CS) in the IT department shall appoint systems administrators who demonstrate the qualifications established by the department to manage the information
technology systems and oversee the day to day security of these systems. Only qualified staff or
third party technicians should repair information system hardware faults. System administrators must meet stringent qualifications for hire, assuring that IT analysts are capable of handling
analytic processes.
7. REFERENCE
Null
1. PURPOSE
Ensuring Information Integrity
Commissioning Facilities Management
E-mail and the World-wide Web
Downloading Files and Information from the Internet
Sending Electronic Mail (E-Mail) and/or Other Forms of Digital Communication
2. POLICY
All Hospital systems shall develop and implement procedures to ensure that the integrity of
electronic protected or restricted information is maintained in the event of processing errors, system failure, human errors, natural disasters and deliberate acts.
The Hospital shall implement the appropriate procedures within the Disaster Recovery Plan (DRP) to
ensure that the integrity of electronic protected or restricted information is maintained in the event of processing errors, system failure, human errors, natural disasters, and deliberate acts.
Any facilities management company engaged by a Hospital system shall be expected to comply
with the System Information Security policies and to execute a Business Associate Agreement or similar document that communicates the performance expected and the remedies available in the
instance of noncompliance.
Each Hospital system IT department shall develop standards and guidelines to ensure that
information, software and media downloaded from the Internet do not jeopardize its operations or the security of information systems.
Each Hospital system shall develop procedures requiring that all email and/or any other form of
digital communication generated by its information systems that contains protected or restricted information, including data attachments, shall only be permitted after confirming that such action
is consistent with the restriction specified by the security classification of the information being
sent. In addition, the file shall be scanned for the possibility of a virus or other malicious code. In no case shall protected or restricted information be sent outside the information infrastructure
without taking precautions to ensure the confidentiality and integrity of the information.
3. SCOPE
Define a plan for the hospital system IT department to develop standards and guidelines to
ensure information, software and media downloaded from the Internet does not jeopardize its
operations or the security of information systems, including e-mails (sending and receiving),
www, data extraction/download from internet, and digital communications.
4. TARGET AUDIENCE
All hospital end-users granted access to hospital systems (computers).
5. RESPONSIBILITY
IT department and all end-users using hospital computers.
6. PROCEDURE
All email and/or any other form of digital communication generated by information systems that
contain protected or restricted information, including data attachments, shall only be permitted
after confirming that such action is consistent with the restriction specified by the security classification of the information being sent. In addition, the file shall be scanned for the
possibility of a virus or other malicious code. In no case shall protected or restricted information
be sent outside the information infrastructure without taking precautions to ensure the confidentiality and integrity of the information.
7. REFERENCE
Null
1. PURPOSE
Receiving and sending electronic mails and/or any other form of digital communication.
2. POLICY
Each Hospital system shall develop and implement standards and procedures that will ensure that malicious code is not delivered to or executed on the information systems by receiving email
and/or any other form of digital communication.
3. SCOPE
Define a plan for the hospital's data exchange between hospital end-users and the outside world, and develop standards and guidelines to ensure that electronic data/e-mails received and sent do not
jeopardize the security of information systems and digital communications.
4. TARGET AUDIENCE
All hospital end-users granted access to hospital systems (computers).
5. RESPONSIBILITY
IT department and all end-users using hospital computers.
6. PROCEDURE
All workstations shall have anti-virus software that scans emails and attachments. All inbound
and outbound external and internal email shall be scanned for viruses on the email servers. The
Office of Computer Services may also implement any procedures it feels necessary to ensure that malicious code is not delivered to or executed on the information systems by receiving email
and/or any other form of digital communication.
7. REFERENCE
Null
1. PURPOSE
Misdirected Information by E-Mail and/or Any Other Form of Digital Communication
2. POLICY
Each Hospital system shall develop and implement procedures that ensure that emails and/or any other form of digital communication that contain protected or restricted information, including
attachments, are correctly addressed and only sent to appropriate persons. This procedure
shall include a mechanism by which a misdirected communication is correctly delivered without the content being viewed any further than is necessary to identify the appropriate
recipient, and is deleted from the mistaken recipient's computer system.
3. SCOPE
Define a plan for the hospital's data exchange between hospital end-users and the outside world, and develop standards and guidelines to ensure that data is sent only to the proper
recipient.
4. TARGET AUDIENCE
All hospital end-users granted a hospital email user name/password.
5. RESPONSIBILITY
IT Department (end-user support) and all hospital end-users granted a hospital email user name/password.
6. PROCEDURE
Protected and/or restricted information should not be sent via email until procedures have been developed and
implemented that ensure that emails and/or any other form of digital communication
containing protected or restricted information, including attachments, are correctly addressed and only sent to appropriate persons. This procedure, when developed, shall include a
mechanism by which a misdirected communication is correctly delivered without the content
being viewed any further than is necessary to identify the appropriate recipient, and is deleted from
the mistaken recipient's computer system.
Protected and/or restricted information can be sent electronically via Secure FTP, as encrypted data on PCDs, or by giving protected access to a data drive.
7. REFERENCE
Null
1. PURPOSE
Website Maintenance
2. POLICY
The Hospital system shall develop and implement a procedure which ensures that System websites that contain protected or restricted information are protected from unauthorized intrusion.
3. SCOPE
A plan that describes the policies and procedures to define and maintain an in-house or
out-sourced website managed internally by the IT department.
4. TARGET AUDIENCE
GDC Hospital employees and outside customers (patients).
5. RESPONSIBILITY
Information Technology Department.
6. PROCEDURE
Websites that contain protected or restricted information should be protected from unauthorized
intrusion using website security standards. Only personnel who demonstrate the qualifications established by the Office of Computer Services should modify the hospital website, especially if
it contains protected information. These modifications shall be documented for audit purposes.
7. REFERENCE
Null
1. PURPOSE
Data Management, Transferring and Exchanging Data, Managing Data Storage
2. POLICY
All restricted or protected information shall only be transferred outside of hospital networks, or copied to other media, when the confidentiality and integrity of the data can reasonably be
assured. All data stored on information systems shall be managed to ensure the confidentiality,
integrity, and availability of the data.
3. SCOPE
The base plan describes the policies and procedures to maintain GDC Hospital data storage,
backups, data confidentiality, integrity, and proper restore indexing.
4. TARGET AUDIENCE
GDC Hospital employees, doctors, and the Medical Records department (archive system).
5. RESPONSIBILITY
Information Technology Department.
6. PROCEDURE
A storage array of adequate capacity holds all data saved on all nodes. Protected or restricted
information should be mirrored, duplicated, and incrementally updated in the IT department's
backup system so that it can be retrieved in case of loss; transferred and exchanged data is likewise backed up on a daily basis.
7. REFERENCE
Null
1. PURPOSE
Purchasing and Maintaining Commercial Software
1-Purchasing and Installing Software
2-Using Licensed Software (Software Maintenance and Upgrade)
3-Supporting Application Software
4-Disposing of Information System Software
2. POLICY
Each Hospital system shall make every effort to ensure that all terms and conditions of End User
License Agreements (EULA) are strictly adhered to in order to comply with applicable laws and
to ensure ongoing vendor support.
All application software shall be supported to ensure that the hospital business is not
compromised. Every effort shall be made to resolve software problems efficiently and within an
acceptable time period.
Disposal of information systems software shall not occur unless the disposal is authorized by the
appropriate hospital official, the information systems software is no longer required, and its
related data can be archived and will not require restoration in the future.
3. SCOPE
The base plan describes the policies and procedures for purchasing, installing, using, upgrading, supporting, and maintaining licensed software and describes a proper way of disposing of
information system software.
4. TARGET AUDIENCE
All GDC Hospital employees using in-house application software.
5. RESPONSIBILITY
GDC Hospital Information Technology Department.
6. PROCEDURE
The Disposition Phase represents the end of the system's life cycle. It provides for the systematic termination of a system to ensure that vital information is preserved for potential future access
and/or reactivation. The system, when placed in the Disposition Phase, has been declared surplus
and/or obsolete, and is scheduled to be shut down. The emphasis of this phase is to ensure that
the system (e.g. software, data, procedures, and documentation) is packaged and archived in an orderly fashion, enabling the system to be reinstalled later, if desired.
7. REFERENCE
Null
1. PURPOSE
Developing and Maintaining Custom Software
Controlling Software Code
Managing Operational Program Libraries
2. POLICY
Each Hospital system shall implement a procedure in which only authorized staff may access
operational program libraries.
3. SCOPE
Defining a plan that describes different authorization levels for all end-users with different
access permissions.
4. TARGET AUDIENCE
GDC Hospital end-users, using hospital systems and software applications (databases).
5. RESPONSIBILITY
IT Department.
6. PROCEDURE
All operational program libraries for critical applications that are developed shall reside on
enterprise servers. Access to operational program libraries shall be controlled by the Information
Security group and will be provided on an as needed basis.
7. REFERENCE
Null
1. PURPOSE
Testing and Training Environments
The Use of Protected Data for Training
2. POLICY
Each Hospital system shall implement a procedure that requires adequate controls for the
security of protected or restricted data when used in the testing of new systems or system
changes.
3. SCOPE
Defining a plan for data security policy and procedure that protects database live data accessed
and used for training purposes.
4. TARGET AUDIENCE
New doctors, employees, and receptionists.
5. RESPONSIBILITY
IT Department.
6. PROCEDURE
The use of protected or restricted data in the testing of new systems or system changes shall be
adequately controlled. Access to operational test environments for critical applications shall be
controlled by the Information Security group and will be provided on an as-needed basis.
7. REFERENCE
Null
1. PURPOSE
New System Training
2. POLICY
Each Hospital system shall implement a procedure in which users and technical staff are trained
in the functionality and operations of all new systems.
3. SCOPE
Defining a plan for data security policy and procedure that protects database live data accessed and used for training purposes.
4. TARGET AUDIENCE
New doctors, new employees, and receptionists.
5. RESPONSIBILITY
IT Department.
6. PROCEDURE
IT Director will work with the application vendors, HR, Staff Development, and the developers of new applications to implement training plans for each new application prior to the application
being put into production.
7. REFERENCE
Null
1. PURPOSE
Complying with Legal and Policy Requirements
Complying with Legal Obligations, Awareness of Legal Obligations
Copyright Compliance, Computer Misuse: Legal Safeguards
2. POLICY
All Hospital systems shall develop and implement procedures to inform employees of their legal
responsibilities in relation to the use of computer-based information and data.
All Hospital systems shall develop and implement procedures to inform employees of their
obligation to comply with applicable copyright laws.
Each Hospital system shall implement a procedure by which employees are informed of changes in computer misuse law, as well as hospital policy, as it directly impacts their job duties.
3. SCOPE
Defining a plan to develop and implement policy and procedures for employees' roles and
responsibilities in using data and understanding copyright where applicable.
4. TARGET AUDIENCE
Employees that are using GDC Hospital systems.
5. RESPONSIBILITY
IT Support team to guide GDC end-users when they apply policies and procedures.
6. PROCEDURE
IT Director will work on copyright procedures.
7. REFERENCE
Null
1. PURPOSE
External Suppliers/Other Vendor Contracts
2. POLICY
All Hospital systems suppliers/vendors who handle protected or restricted information shall acknowledge compliance with the hospital information security procedures prior to the delivery
of services.
3. SCOPE
Defining a plan that clearly describes the most restricted information and acknowledges compliance with GDC Hospital.
4. TARGET AUDIENCE
External Suppliers and software vendors.
5. RESPONSIBILITY
IT Department and Hospital Legal advisors.
6. PROCEDURE
Lending of keys, both physical and electronic, should be prohibited by each Hospital system.
In the event that access to an area or information secured by a physical or electronic key is
required by an individual without such key, that individual should be accompanied and
supervised by someone who has been issued such a key.
7. REFERENCE
Null
1. PURPOSE
Personnel Information Security Responsibilities - Passwords and PIN Numbers
Employment Termination - Staff Resignations
2. POLICY
All Hospital system users, staff and physicians are expected to treat passwords as private and
highly confidential.
All Hospital systems shall ensure that the appropriate Security Officer is notified of all employee terminations and that access to the Hospital system information systems is revoked. If, in the
judgment of the appropriate hospital official, it is determined that an employee represents a risk
to the security of the Hospital system information, all access shall be terminated immediately.
3. SCOPE
Defining step-by-step measures in order to secure hospital information/data.
4. TARGET AUDIENCE
Any terminated employee who used to work on hospital systems/data.
5. RESPONSIBILITY
GDC Human Resources Department and IT Department.
6. PROCEDURE
The HR Manager will contact the IT Department to immediately disable the account of any employee that represents a risk to the security of the Hospital system information.
The Enterprise Information Security group generates reports to determine terminations and
transfers of users with access to computer resources.
7. REFERENCE
Null
1. PURPOSE
Procedures for Staff Leaving Employment
Training and Staff Awareness
Awareness for Temporary Staff
Security Information Updates to Staff
2. POLICY
GDC Hospital systems shall develop and implement a procedure to ensure that all Hospital system property previously assigned to a departing employee is returned, and also that all keys,
access cards and forms of employee identification are returned.
All Hospital systems temporary staff with access privileges to the hospital networks shall acknowledge compliance with the hospital Information Security policies prior to beginning
work with the hospital. Updates on Information Security awareness shall be provided to the staff
on an evolving, ongoing basis as events warrant.
3. SCOPE
Defining a plan to make sure that people on leave have any remote access to
hospital data/information revoked during their leave, including changing access passwords where
required/applicable.
4. TARGET AUDIENCE
GDC Hospital employees on leave.
5. RESPONSIBILITY
HR Department and IT Department.
6. PROCEDURE
Proposed changes or amendments to policies will be presented to the hospital Compliance
Committee for approval.
Updated policies will be distributed to Hospital personnel and to the HR for implementation.
In all of the training, it will be emphasized that the Compliance Officer/Privacy Officer or
Security Officer must be notified if these policies are not followed. At that point, it will be
determined if the employee/resident requires more in-depth education and training, or if the matter needs to be referred to Human Resources for disciplinary action.
7. REFERENCE
Null
1. PURPOSE
Information Security Training on New Systems
New System Staff and Physicians Training in Information Security
Preparing Hospital for Placement of Computers
2. POLICY
Each Hospital system staff and physicians shall complete information security training
appropriate for their job function. If the user's job responsibilities change, then the user's training requirements shall be reassessed and new training must occur, if required/applicable.
All new Hospital system staff and physicians shall receive application training/mandatory
Information Security training appropriate for their job or educational function within 3 calendar days of their start date.
All Hospital system information systems hardware and media that contain protected or restricted
information shall be located in areas that are protected from physical intrusion, theft, fire, excessive temperature/humidity or other hazards.
3. SCOPE
Prepare a training plan including manuals (if required) and other training materials.
4. TARGET AUDIENCE
GDC system end-users and physicians.
5. RESPONSIBILITY
Hospital HR Department and IT Department.
6. PROCEDURE
IT Management to define the corresponding procedures.
7. REFERENCE
Null
1. PURPOSE
Protecting Against, Detecting and Responding to Information Security Incidents
Reporting Information Security Incidents
Defending Against Unauthorized or Criminal Activity
2. POLICY
GDC Hospital system shall develop and implement procedures to defend hospital networks and
information systems that contain protected or restricted information against vandalism, unauthorized physical intrusion, unauthorized access, denial of service, virus attack, spyware
or malware.
3. SCOPE
Preparing a scope of work to develop policy and procedures to protect the hospital's NIS (Network Information System).
4. TARGET AUDIENCE
GDC Hospital network and information systems.
5. RESPONSIBILITY
IT Department.
6. PROCEDURE
Hospitals shall adhere to the Information Security (IS) and Incident Response Procedure above and shall adhere to the Workstation and Server Standards and the Network Standards to help
defend hospital networks and information systems that contain protected or restricted
information against unauthorized physical intrusion, unauthorized access, denial of service, virus
attack, spyware/malware or criminal activity.
7. REFERENCE
Null
1. PURPOSE
Security Incident Procedures
2. POLICY
All hospital systems shall develop and implement procedures requiring that all suspected or actual information security incidents as defined by the hospital IT department are promptly
reported to the Information Technology Manager.
3. SCOPE
Develop policy and procedures for suspected information incidents defined by the hospital in order to protect the hospital's information and software application (management database).
4. TARGET AUDIENCE
Hospital software application, Database, and Information system.
5. RESPONSIBILITY
IT Department.
6. PROCEDURE
Hospital shall adhere to the Information Security (IS) and Incident Response Procedure above.
Each hospital system should adhere to industry recognized best practices when collecting and
protecting evidence from information systems so that criminal perpetrators can be prosecuted to
the fullest extent of the law.
7. REFERENCE
Null
1. PURPOSE
Responding to Information Security Incidents
2. POLICY
All Hospital systems shall develop and implement procedures for the response to information system security incidents, as defined by the hospital IT department. Every effort shall be made
to mitigate the adverse impact on the confidentiality, integrity and availability of data, and to
preserve any evidence that could be used in the investigation of the incident.
3. SCOPE
Develop policy and procedures for suspected information incidents defined by the hospital in
order to protect the hospital's information and software application (management database).
Prepare a backup plan to restore data in case of loss.
4. TARGET AUDIENCE
Hospital software application, Database, and Information system.
5. RESPONSIBILITY
Information Technology Department.
6. PROCEDURE
Hospital shall adhere to the Information Security (IS) and Incident Response Procedure above.
Every effort shall be made to mitigate the adverse impact on the confidentiality, integrity, and availability of data, and to preserve any evidence that could be used in the investigation of the
incident.
7. REFERENCE
Null
APPENDIX A
WORKSTATION AND SERVER STANDARDS
The purpose of these standards is to provide guidelines for best security practices when installing
new workstations and servers (or reconfiguring older workstations and servers) on the network. It is
not the purpose of this document to provide the information necessary to correctly administer a
workstation or server. It is assumed that the computer supporters responsible for implementing these standards are knowledgeable of the operating system they have chosen, the hardware on which it
runs, and any applications they intend to install.
A.1 Workstation Standards
No workstation should be connected to the network until the following items have been accomplished:
1. All security patches for the OS and any applications have been acquired using a local
connection that does not require an IP address (e.g. USB hard drive, zip drive, CD, etc.)
2. All documentation for the workstation should be properly stored in a secure location.
3. The OS has been properly installed and configured and all relevant security patches for both
the OS and any applications have been applied.
4. All