generic security policy - careconnect · web viewthink about any changes you need to make to...

Security Policy

Introductory comments TestSafe promises to be an important resource which will help pharmacists improve the standard of care they provide to patients, improve patient safety, reduce the risk of professional misjudgement leading to patient harm and enrich their professional lives. This can only be delivered if the information held by the TestSafe is secure and the community pharmacies using TestSafe follow sound processes in managing the security of those connections.

The starting point for implementing sound security processes in community pharmacy is a security policy. This policy must cover :

Organisational issues Assets to be covered by the policy Personnel Physical security of the pharmacy Control of access to computers Access to the New Zealand Health Network Software lifecycle management Incident reporting Managing malicious software Business continuity issues Compliance issues

This list may appear daunting at first sight but in fact implementing a pharmacy security policy is not an onerous task. This template policy is designed to reduce the amount of effort needed to document and implement a security policy which meets New Zealand Health Network requirements. It is based on a generic document used by other primary care providers to define their New Zealand Health Network compliant security policies and has been adapted for community pharmacy so only minimal modifications should be needed. Further, community pharmacy already has large amounts of the policy in place and working. For example all pharmacies have well developed business continuity policies and procedures in place.

Thus the challenge is largely one of reviewing existing policies and adapting them, where needed, to meet the additional needs of the New Zealand Health Network, and identifying any gaps and filling them using the template as a starting point.

Readers will see the policy requires 2 pivotal people to operate the security system; the Pharmacy Manager and The Pharmacy Security Officer. The Pharmacy Security Officer is not a full time position, nor is it a new position. Someone working in the pharmacy is almost certainly already undertaking most if not all of the role. In many pharmacies, the

Pharmacy Manager will undertake both roles. The position is formally defined to ensure responsibilities and authorities are clear, and staff have a person to report to on security issues and to obtain authorisation for activities which carry risks to pharmacy information security.

As with the template SOPs in this pack, the process for using the template is straightforward. We suggest:

1. Read this policy template,2. Think about any changes you need to make to reflect the policy you

will operate in your pharmacy3. Work through the template making any changes needed4. Finalise the policy and use it the basis for the SOPs needed to

implement the policy, using the templates provided as a starting point..

Security Policy For «insert pharmacy name»

Version 1.1

DOCUMENT INFORMATION

Title «Insert name of the pharmacy»

Author «Insert name of Pharmacy Security Officer»)

Version 1.1

Status Final

Filename Generic Community Pharmacy Security Policy

HISTORYVersi

onDate Description of changes

1.0 30/04/2009

Final version – for customisation

1.1 «insert date»

Amended for «insert pharmacy name»

Table of Contents1 INTRODUCTION................................................................5

1.1 Purpose..................................................................................5

1.2 Contents.................................................................................5

1.3 Document control..................................................................5

2 GENERAL SECURITY POLICY AND STANDARDS..............62.1 Objectives..............................................................................6

2.2 Legal requirements................................................................6

2.3 Security policy reviews..........................................................6

2.4 Sensitivity of information.......................................................6

3 ORGANISATION OF SECURITY OF INFORMATION..........73.1 Policy statements...................................................................7

3.2 Pharmacy Manager................................................................7

3.3 Pharmacy Security Officer.....................................................7

3.4 Staff Responsibilities.............................................................8

3.5 Risk Assessment....................................................................8

4 ASSET CLASSIFICATION AND CONTROL.......................104.1 Accountability for Pharmacy Health Data as an asset........10

4.2 Information classification....................................................10

5 PERSONNEL SECURITY..................................................115.1 Objectives............................................................................11

5.2 Job responsibilities...............................................................11

5.3 Non-disclosure information and security agreement..........11

5.4 Training................................................................................11

5.5 Disciplinary process.............................................................11

6 PHYSICAL SECURITY......................................................126.1 Policy statements.................................................................12

6.2 General requirements..........................................................12

6.3 Clear desk and computer screen policy...............................12

6.4 Equipment protection..........................................................12

6.5 Work performed outside secure sites..................................13

6.6 Storage of Information.........................................................13

6.7 Destruction of information...................................................13

6.8 Disposal of storage media....................................................13

6.9 Storage of Business Continuity data....................................13

6.10 Retention of clinical information following pharmacy closure13

7 COMPUTER SYSTEMS ACCESS CONTROL.....................157.1 Policy statement..................................................................15

7.2 Responsibilities....................................................................15

7.3 Information system access control......................................15

7.4 User logon procedures.........................................................15

7.5 Password standards.............................................................16

7.6 Individual user account management..................................16

7.7 Electronic Mail.....................................................................17

7.8 External network connections and controls........................17

8 NEW ZEALAND HEALTH NETWORK..............................188.1 Use of the New Zealand Health Network............................18

8.2 Sensitivity of information.....................................................18

8.3 Digital certificate management...........................................18

8.4 Other New Zealand Health Network information...............19

9 SECURITY IN SYSTEM LIFE CYCLE MANAGEMENT......209.1 Installation of software........................................................20

9.2 Operational Software...........................................................20

9.3 Technical support and maintenance....................................20

10 COMPUTER INTEGRITY AND INCIDENT REPORTING 2110.1 Policy statements.................................................................21

10.2 Security incident..................................................................21

10.3 Security violation.................................................................21

10.4 Reporting of security incidents or weaknesses...................21

11 MALICIOUS SOFTWARE...............................................2211.1 Virus and spyware prevention procedures..........................22

11.2 Virus education programmes...............................................22

12 BUSINESS CONTINUITY MANAGEMENT.....................2313 COMPLIANCE................................................................24

13.1 Software Licence Compliance.............................................24

13.2 Security Awareness.............................................................24

13.3 Compliance with Security Policy.........................................24

13.4 Approved Non Compliance..................................................24

Appendix 1: Health Information Privacy Code 1994.............25

Community Pharmacy Security Policy

1 INTRODUCTION

1.1 Purpose

This document provides guidance to users of the computer systems of this Pharmacy. Implementation of these policies will ensure adequate security for all information collected, processed, transmitted, stored, or disseminated as part of the Pharmacy systems and major applications.

These security policies are consistent with New Zealand Government legislation including the:

Health Information Privacy Code 1994 Privacy Act 1993 New Zealand Copyright Act 1994

Relevant New Zealand standards include: AS/NZS HB 231:2000 (Information security risk management

guidelines) AS/NZS ISO/IEC 17799:2001 (Code of Practice for information

security management) SNZ HB 8169:2001 (Health Network Code of Practice)

1.2 Contents

This security policy addresses the following areas of concern: General security policy and standards Security organisation Personnel security and training Physical security Computer systems access control New Zealand Health Network Security in system life cycle management Computer integrity and incident reporting Malicious software Business continuity management Compliance

1.3 Document control

The Pharmacy Security Officer will review this document annually and will be responsible for any modifications deemed necessary.

Version 1.1 – 13 March 2009 of 36


Any feedback and suggested amendments in respect of this document should be provided to the Pharmacy Security Officer.

The Pharmacy Manager will be responsible for approving security policy amendments, appointing the Pharmacy Security Officer, and supporting the implementation of the Security Policy.



2 GENERAL SECURITY POLICY AND STANDARDS

2.1 Objectives

The objective of this section of the security policy is:

To establish and maintain adequate and effective information security safeguards for users to ensure that the confidentiality, integrity, and operational availability of Pharmacy and patient information is not compromised.

CommentSensitive information must be safeguarded against unauthorised disclosure, modification, access, use, destruction, or delay in service.Each user has a duty and responsibility to other Pharmacy staff members to comply with the information protection policies and procedures detailed in this document.

2.2 Legal requirements

Under the Health Information Privacy Code 1994, Rule 5 – Storage and Security of Health Information, this Pharmacy has the role of responsible custodian of health and patient information. It will, therefore, promote and help protect the privacy of personal information entrusted to it.

See Appendix 1 which provides a copy of this rule.

2.3 Security policy reviews

This pharmacy will conduct annual reviews to verify the standard and quality of the information security controls it has implemented comply with this policy.

2.4 Sensitivity of information

Most health related information held by this pharmacy is collected in a situation of confidence and trust, is generally highly sensitive, and may include particularly sensitive personal details.There are two main types of sensitive information:



Health information about patients, collected and controlled in accordance with the Health Information Privacy Code 1994 [3] or with other relevant health-related legislation, and

Other information stored on the Pharmacy computer system that is sensitive for other reasons; such as commercial information, staff related information or any other information which may be considered sensitive.

See Appendix 1 which provides a copy of this rule.

See also section 4.2, “Information classification”.



3 ORGANISATION OF SECURITY OF INFORMATION

3.1 Policy statements

A management framework is required so that all those involved in the use or maintenance of the Pharmacy’s computer systems can initiate, co-ordinate and control the implementation of information security effectively. The key personnel in managing information security in the Pharmacy are the Pharmacy Manager and the Pharmacy Information Security Officer. They meet their obligations through defined staff responsibilities and a formal assessment of risks.

3.2 Pharmacy Manager

The Pharmacy Manager has a number of responsibilities with respect to the security of health information, including:

establishing and approving information security policies and procedures,

agreeing on specific methodologies and processes for information security, e.g. risk assessment, security classification, etc.,

determining acceptable levels of security risks, monitoring major information security threats and incidents, approving major initiatives to enhance information security, ensuring that formal audits are performed as necessary, reviewing audit reports where security problems exist, appointing and replacing the Pharmacy Security Officer, ensuring continuity of the application of this policy in periods

when the Pharmacy Security Officer’s post is vacant, acting as the Authorised Signatory in respect to the issuance

of digital certificates

3.3 Pharmacy Security Officer

The Pharmacy Security Officer is appointed by the Pharmacy Manager and is responsible for the co-ordination of security issues that affect the Pharmacy. In particular, the Pharmacy Security Officer is responsible for:

advising Pharmacy staff on security matters,



informing the Pharmacy Manager of any major security incidents,

developing and reviewing security policies and plans to be approved by the Pharmacy Manager,

maintaining a list of all persons authorised to have access to the Pharmacy premises, and to Pharmacy computer systems,

reporting security incidents, and the status thereof, to the Pharmacy Manager,

ensuring that Pharmacy security policies and standards meet all New Zealand Health Network requirements,

liaising with the New Zealand Health Network Security Officer in respect to security matters that may affect other members of the New Zealand Health Network.

The current Pharmacy Security Officer is «insert the name of the person»

CommentIn smaller pharmacies, the Pharmacy Manager is likely also to undertake the Pharmacy Security Officer’s role. Where the pharmacy has sufficient staffing resources to permit separation of these roles it is preferable for them to be separated.

3.4 Staff Responsibilities

Any security system relies on the users of the system to follow the procedures necessary for upholding security policies. All employees are therefore required to:

uphold security procedures and policies, protect their user identification and passwords, inform the Pharmacy Security Officer of any security issues,

problems or concerns, assist the Pharmacy Security Officer in resolving security

issues, ensure that all computer systems used in support of Pharmacy

functions are backed-up in a manner that mitigates both the risk of loss and costs of recovery,

be especially aware of the vulnerabilities presented by remote access and be aware of their obligation to report intrusions, misuse or abuse to the Pharmacy Security Officer,

be aware of their obligations in the event that they are storing, securing, transmitting and disposing of health information to protect the privacy of patients.

Agree not to connect personal portable USB disk drives or other portable devices which can store data to the pharmacy’s computer system.



With specific reference to The Health Information Privacy Code (1994), Rule 5 – Storage and Security of Health Information, users are included in the description as custodians of health and patient information and are required to promote and protect the privacy of personal information.

3.5 Risk Assessment

A formal assessment of the information security risks the pharmacy faces will be undertaken by the Pharmacy Security Officer at two yearly intervals or sooner if the either the Pharmacy Security Officer or the Pharmacy Manager judges it necessary.

ProcessIt is not possible to eliminate all business risk, rather appropriate techniques will be applied to identify and manage the risks so as to minimise any harmful affects.Security requirements will be identified by a methodical assessment of security risks. Decisions on mitigating controls will balance the expenditure needed to manage the risk against the harm to the Pharmacy likely to result from security failures.

This risk assessment will systematically consider:

the harm likely to result from a security failure, taking into account the potential consequences of a loss of integrity, confidentiality and availability of the information and other assets;

the realistic likelihood of such a failure occurring in the light of the prevailing threats and vulnerabilities, and the controls currently implemented.

The results of this assessment will assist in the determination of the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against those risks.

Security policies will be reviewed for currency and appropriateness following any assessment of risks.



4 ASSET CLASSIFICATION AND CONTROL

4.1 Accountability for Pharmacy Health Data as an asset

All major information assets are to recorded in an information asset inventory and have a nominated owner who is responsible maintaining appropriate controls over that asset. (In addition to hardware, software and other information assets including databases present in the pharmacy, this requirement covers all material required to ensure business continuity. This includes but is not limited to pharmacy management software and patient database backups; accounting software and information backups; electronic banking records and other electronic pharmacy document backups which are stored offsite,)

Comment and processAn information asset can be either equipment used to access, manipulate, and store information, or Health or Other information stored in the Pharmacy’s computer systems.Accountability for assets helps to ensure that appropriate protection is maintained. The Pharmacy Manager will nominate “Owners” for each major asset and the responsibility for the maintenance of appropriate controls will be assigned to them.An asset inventory helps ensure that effective asset protection takes place, and will also be useful for other business purposes, such as health and safety, insurance or financial management reasons. The process of compiling an assets inventory is an important aspect of risk management.

4.2 Information classification

Information is to be classified to indicate the need, priorities and degree of protection.

CommentInformation has varying degrees of sensitivity and criticality. Some items may require an additional level of protection or special handling. An information classification system allows the Pharmacy to define an appropriate set of protection levels, and communicate the need for special handling processes to staff.The responsibility for defining the classification of an item of information, e.g., for a document, data file or diskette, and for



periodically reviewing that classification, is to be rest with the nominated owner of the information.

Handling procedures are to be defined to cover:

copying, storage, transmission by post, fax and electronic mail, transmission by spoken word, including mobile phone,

voicemail, answering machines, and destruction.



5 PERSONNEL SECURITY

5.1 Objectives

The objective of this section of the security policy is:

To ensure that employees are aware of information security threats and concerns, and are equipped to support the Pharmacy information protection policies and procedures in the course of their daily work.

5.2 Job responsibilities

Security related roles and responsibilities are to be documented where appropriate in specific job descriptions.

5.3 Non-disclosure information and security agreement

All employees involved in the collection, use and disclosure of health information must sign a non-disclosure information and security agreement which includes their obligations under this policy.

Contract staff and outside organisations not already covered by an existing contract (containing the confidentiality agreement) are required to sign a confidentiality agreement prior to accessing Pharmacy facilities. (For example, this requirement includes the computer hardware engineer at the time of computer maintenance.)

5.4 Training

Staff must receive appropriate training before using computer facilities and applications used by this Pharmacy.

All employees of the Pharmacy are to receive appropriate training and regular updates in Pharmacy policies and procedures, including security requirements, legal responsibilities, and business controls.

5.5 Disciplinary process

Staff and contractors who knowingly disregard a particular requirement of this policy will be subject to the disciplinary process



defined in their employment agreement or service contract as appropriate.



6 PHYSICAL SECURITY


All hardware, software, documentation, commercial information and health information held by the Pharmacy is to be protected from disclosure, modification, or destruction. Access by outside parties could reveal information that can be used to eliminate, bypass, or otherwise render security safeguards ineffective or enable the disclosure of patient information.

Where identifiable health and other sensitive information is stored, processed, or transmitted, physical access to that information is restricted to authorised individuals.

6.2 General requirements

Areas and equipment in which information (both Health and Other) is stored are to be physically secure and access to them is restricted to authorised personnel only. Access to documentation in respect to computer systems is also to be restricted to authorised personnel.

All persons, other than employees, who are granted access to Pharmacy premises must be accompanied at all times, and their access restricted to those areas necessary for them to complete their tasks.

6.3 Clear desk and computer screen policy

Work areas are, as far as conveniently possible, to be kept clear of papers and removable storage media in order to reduce the possibility of unauthorised access, loss of, and damage to information during and outside normal working hours.

All software functionality designed to protect against unauthorised access to information must be activated and used.

Similarly, screen savers are to be activated on all Pharmacy computers to provide additional confidentiality should a computer screen displaying sensitive information be left unattended for more than a few minutes. However, the use of a screensaver is not a substitute for staff ensuring computer screens displaying sensitive information are not left unattended.



Sensitive and critical Pharmacy information, including information stored on removable storage computer media, is to be locked away in a fireproof storage area when not required.

6.4 Equipment protection

All items of equipment are to be sited or protected to minimise the risks from environmental threats and hazards, and opportunities for unauthorised access.

Risk assessments (section 3.5above) will consider the impact of a disaster occurring in or around nearby premises and define suitable mitigating procedures to be followed..

6.5 Work performed outside secure sites

Security controls are to be in place to ensure only authorised operations occur and that sensitive information is properly protected.

Computers used to process patient information from remote locations and their methods of accessing the Pharmacy’s computer systems must meet the Pharmacy’s security requirements and have authorisation from the Pharmacy Security Officer. Where possible, there should be only one approved remote access pathway to the system.

6.6 Storage of Information

All Pharmacy information (Health and Other) stored on computer systems must be backed-up at least daily so that it can be restored if or when necessary. Backed up information will be securely stored off-site under the control of the Pharmacy Manager or nominated deputy.

6.7 Destruction of information

All care and responsibility will be taken in the destruction of sensitive information.

Both paper and electronic information relating to patient, administrative, and commercial information shall be disposed of in a secure manner. All portable electronic storage media including flash drives (“memory sticks”) and obsolete computer hard drives will be reformatted before being disposed of.



6.8 Disposal of storage media

Pharmacy information can be compromised through careless disposal of equipment. Accordingly, all sensitive information must be erased from computer storage media prior to their disposal.

Similarly, no computer equipment that is sent or taken off-site for repair should contain sensitive information.

Damaged storage devices such as hard disks may contain sensitive information that if disclosed could cause considerable embarrassment. Consideration should be given to not having a device repaired if information cannot be erased.

6.9 Storage of Business Continuity data

Off site storage of back-up data to allow rapid restoration of data services in the event of disaster is an essential part of the business continuity plan. All such off-site storage must employ a suitable physical protection to prevent unauthorised access to the data, and be under the personal supervision of the Pharmacy Manager or nominated deputy.

6.10 Retention of clinical information following pharmacy closure

In the event the pharmacy closes permanently, the Pharmacy Manager is responsible for making arrangements to store securely all clinical information held by the pharmacy for the period of the next 10 years. This obligation could be best met by passing these records together with appropriate software to the DHB for secure storage with the clinical records managed by the DHB. Any such arrangement would require the DHB’s agreement.



7 COMPUTER SYSTEMS ACCESS CONTROL

7.1 Policy statement

Access to computer services and information shall be restricted to authorised users. .

7.2 Responsibilities

Access control responsibilities are as follows:

Pharmacy Manager Will determine and support the Pharmacy access control

strategy. Will ensure the satisfactory resolution of problems relating to

the provision of user access when, in response to the concerns expressed by the Pharmacy Security Officer, significant changes are deemed necessary.

Pharmacy Security Officer Will ensure policies and standards address all Pharmacy

security requirements. Will ensure that logon and system access procedures meet

defined requirements. Will ensure that data and applications are safe in project

development environments. Will assist users in their day-to-day use of Pharmacy computer

systems by performing basic account administration functions, including the unlocking of locked accounts, resetting passwords, and providing user instruction.

7.3 Information system access control

Minimum requirements for information system access control are:

valid individual user identifications and passwords for all computer access (swipe card access verification is preferred if available),

successful and unsuccessful system accesses are to be recorded,

the last time a user was logged on is to be recorded or displayed,

user account details are to be issued at a formal training session,

new user accounts are to be initially configured so as to force a change of the password upon first logging on.



7.4 User logon procedures

Users may only access to Pharmacy computer facilities are to be via a secure logon process. The relative logon procedure will:

not display system or application prompts until the logon process has been successfully completed,

not provide help messages during logon procedures, validate the logon information only on completion of all input

data, allow only three unsuccessful logon attempts before:

recording the unsuccessful attempt, forcing a time delay before further logon attempts are

allowed, suspending a user account to prevent repeated invalid

access attempts, disconnecting and giving no assistance after a rejected

attempt to logon, limit the time allowed for the logon procedure; if exceeded, the

system should terminate the logon, display the following information on completion of a successful

logon: date and time of the previous successful logon, details of any unsuccessful logon attempts since last

successful logon.

This allows the user to check whether it was that he/she who was last logged on. If not, the incident should be reported to the Pharmacy Security Officer and appropriate action taken. Alternatively using swipecard based systems, which generate an audit trail, to control access to computer systems is acceptable under this policy.

7.5 Password standards

The following password standards are to be adhered to ensure compliance with the basic principles of logical security:

the use of individual passwords is to be enforced to maintain accountability. Sharing of passwords is not permitted,

users are able to select and change their own password and are required to provide a confirmation to account for typing errors,

a password is to have a minimum length of eight characters, passwords are not to be based on any of the following:

months of the year, days of the week or any other aspect of the date,

family names, initials or car registration numbers, company names, identifiers or references,



telephone numbers or similar all-number groups, user identification, user name, group identification or

other system identifier more than two consecutive identical characters, all-numeric or all-alphabetic groups, any word contained in a dictionary, either English or

another language. maximum password lifetime is to be 90 days for normal user

accounts and 60 days for system administrator accounts, users are to be forced to change temporary (initial) passwords

at the first logon, passwords are not to be displayed while being entered, password files should be stored separately from the main

application system data, and any access restricted to the system administrator,

password files are to be stored in encrypted form, using a one-way encryption algorithm,

default vendor user IDs and passwords are to be deleted or altered following installation of software.

7.6 Individual user account management

Inactive user accounts that are no longer required are be disabled and identified as pending deletion.

The Pharmacy Security Officer is to approve the continued availability of a particular inactive user account.

7.7 Electronic Mail

As electronic mail (e-mail) is a business resource, Pharmacy personnel are to note that:

personal use of e-mail is to be kept to a minimum,

Policy Decision neededSome pharmacy proprietors do not want their staff using the pharmacy’s internet and e-mail facilities for personal use, others consider restricted use acceptable under conditions which minimise the risk of a breach of computer system security and potential impact on productivity.This component of the template permits restricted use in building on the precedent of limited personal use of the phone being allowed in most pharmacies. If the pharmacy’s policy is to prohibit personal internet and e-mail use this paragraph must be altered.

the e-mail system is inherently insecure and individuals other than the intended recipients may be able to read messages,



nothing should be included in an e-mail message that would not be printed on Pharmacy letterhead,

the information contained in e-mail messages forms part of Pharmacy business records,

no sensitive information should be sent as part of, or attached to, an e-mail message unless the information is encrypted,

e-mail attachments are a common source of malicious software and particular care is to be taken before opening any attachments, especially if the message is not from a trusted source,

management reserves the right to monitor the content of e-mail messages,

All personnel should be aware of the security risks created by electronic mail including the vulnerability of messages and any legal considerations.

7.8 External network connections and controls

External network connections are an inherent risk to the security of the Pharmacy’s computer system. Pharmacy personnel are to note that:

Connections to other networks, including the World Wide Web, must be protected through a firewall.

Firewalls must be properly configured so as to ensure the required level of security is achieved.

Default settings in network servers are to be changed so as to minimise the possibility of unauthorised access.

No software, or other material, is to be downloaded from the World Wide Web without the prior knowledge and agreement of the Pharmacy Security Officer.



8 NEW ZEALAND HEALTH NETWORK

8.1 Use of the New Zealand Health Network

Healthcare organisations use the New Zealand Health Network as a medium to communicate information necessary for the effective provision of healthcare services.

While this Pharmacy has its own security requirements, it also has responsibilities in respect to the security of information in the New Zealand Health Network environment. These responsibilities are:

ensuring Pharmacy security policies and plans are consistent with the requirements of New Zealand Health Network policies,

ensuring all employees that use the New Zealand Health Network are aware of their security responsibilities,

assisting other organisations on the New Zealand Health Network in resolving any security issues where possible,

revoking any digital certificates that were specifically issued to employees who have resigned,

reporting staff changes to the Certification Authority, where such changes might affect the New Zealand Health Network.

CommentThe Sector Services Division of the Ministry of Health act as the Certification Authority for community pharmacy.

8.2 Sensitivity of information

All information passing through the New Zealand Health Network will be regarded as highly sensitive and will be appropriately protected at all times.

CommentAlthough there will be differing levels of sensitivity associated with information passing through the New Zealand Health Network, it will not be possible to differentiate between the levels during transmission.



8.3 Digital certificate management

Digital certificates are required for access to applications available on the New Zealand Health Network. The device on which any digital certificate is supplied must be stored in a secure manner that permits access as and when required.

The Pharmacy Security Officer is responsible for coordinating the issuance and renewal of any digital certificates issued to Pharmacy employees.

The Pharmacy Security Officer will formally request the Certification Authority to revoke a digital certificate in the event that:

the digital certificate is stolen, a password becomes corrupted or known to anyone other than

the user, when the holder of a specific certificate leaves the employment

of the Pharmacy, or the certificate becomes redundant for any other reason

8.4 Other New Zealand Health Network information

Users seeking more information on the New Zealand Health Network can refer to the

New Zealand Health Network Information Web Page at http://www.hisac.govt.nz/moh.nsf/pagescm/7405

New Zealand Health Network “Security Policy for General Practitioners and other Health Professionals.” The Pharmacy Security Officer holds a copy of that policy document.


http://www.hisac.govt.nz/moh.nsf/pagescm/7405


9 SECURITY IN SYSTEM LIFE CYCLE MANAGEMENT

9.1 Installation of software

The Pharmacy Security Officer is to approve all software prior to it being installed. If necessary, the Pharmacy Security Officer will seek advice from the administrators of the NZ Health Information Network before approving any piece of software.

9.2 Operational Software

Vendor supplied software used in operational systems must be maintained at a version level supported by the supplier.

Patches for all software on the Pharmacy’s computer systems that help to remove or reduce security weaknesses shall always be applied in a timely manner and with appropriate consideration for the seriousness of the risk an unpatched vulnerability poses. This includes computer operating system patches as well as application software patches.

9.3 Technical support and maintenance

Hardware and software maintenance activities are not to affect the integrity of existing safeguards or permit the introduction of security exposures (computer viruses, logic bombs, malicious code, etc.) into the Pharmacy’s computer systems.

Automated dial-up diagnostic maintenance of sensitive applications by software vendors via remote communications is only to be undertaken under the direction of the Pharmacy Security Officer, or nominated deputy in their absence.



10 COMPUTER INTEGRITY AND INCIDENT REPORTING


All personnel are to comply with the software integrity procedures outlined in this document especially in respect to the following:

security violations and software malfunctions reporting virus prevention and monitoring

10.2 Security incident

DefinitionA security incident is an event and/or condition that has the potential to impact on security or privacy and may result from either intentional or inadvertent action.

All employees, and others likely to be involved, as part of their training, are to be made aware of the procedures for reporting incidents that might have an impact on the security of Pharmacy assets and information.

All employees shall report any incident that might have an impact on the security of Pharmacy assets and information and report it using the agreed procedure «the pharmacy to insert the appropriate process.».

10.3 Security violation

DefinitionA security violation is an event that may result in disclosure of sensitive or otherwise classified information to unauthorised individuals, or in unauthorised modification or destruction of system data, loss of computer system processing capability, loss, or theft of any computer system resources.

If a security violation occurs as a consequence of a user’s access, that user and any like users are to be provided with guidance, and if necessary retraining, by the Pharmacy Security Officer to ensure that the violation does not re-occur.



10.4 Reporting of security incidents or weaknesses

Systems shall be monitored to detect deviation from access control policy and record events to provide evidence in case of security incidents. System monitoring allows the effectiveness of adopted controls to be checked and conformity to access policies to be verified.

Similarly, unauthorised intrusions are to be monitored.

Any security-related incidents, violations or weaknesses, are to be reported to the Pharmacy Security Officer at the earliest possible time but by no later than the following business day.



11 MALICIOUS SOFTWARE

Software and information processing facilities are vulnerable to the introduction of malicious software such as computer viruses, network worms, Trojan horses and spyware. It is therefore essential that precautions are taken to both detect and prevent the introduction of malicious software.

11.1 Virus and spyware prevention procedures

New viruses are being developed at regular and frequent intervals and could seriously undermine the integrity of the Pharmacy systems unless they are prevented. Accordingly, all workstations are to have anti-virus software installed.

The Pharmacy Security Officer is to ensure that virus signature files are updated on a regular (no less frequently than daily) basis so as to ensure that any new viruses can be promptly identified and removed.

Each individual user must ensure that the anti-virus software is active on their workstation so that any potential viruses from external sources are identified and removed.

11.2 Virus education programmes

All users are to receive training on how to best prevent the introduction of computer viruses and other malicious software.

The Pharmacy Security Officer is to therefore ensure that:

users are aware that e-mail attachments and web sites may contain (often unknown) viruses or other malicious software.

users immediately report attachments with suspicious file extensions (including .vbs, .shs, .pif and .exe) to the Pharmacy Security Officer.

users know to never launch e-mail attachments from their e-mail systems unless received from a trusted source, and then only after due care has been taken.

Users are aware of the risks associated with breaching the policy preventing the connection of personal data storage devices to the pharmacy’s computer systems.

Disciplinary procedures are to be brought into play in the event that a user fails to follow designated malicious software procedures.



12 BUSINESS CONTINUITY MANAGEMENT

A Pharmacy business continuity management plan is to be implemented so as to minimise the effects of disruption caused by disasters and system failures (which may be the result of, for example, natural disasters, equipment failures, or deliberate actions) through a combination of preventative and recovery controls.

Plans are to be developed and implemented to ensure that Pharmacy processes can be restored as soon as is practicable, and are to be maintained and practised so as to become an integral part of all other management processes.

The key elements of business continuity management plan are:

understanding the risks the organisation faces in terms of their likelihood and their impact, including identification and prioritisation of critical business processes,

understanding the impact which interruptions are likely to have on the Pharmacy,

establishing the place and importance of information processing facilities in the operation of the Pharmacy,

considering the purchase of suitable insurance which may form part of the business continuity process,

formulating and documenting a business continuity strategy consistent with the Pharmacy’s objectives and priorities,

formulating and documenting the detailed business continuity plan in line with agreed strategy,

regular testing and updating of the plans and processes put in place, and

ensuring that the responsibility for managing business continuity is clearly defined in the Pharmacy’s processes and structure.



13 COMPLIANCE

13.1 Software Licence Compliance

All conditions of a vendor’s software licence are to be strictly observed.

Users are responsible for ensuring that all licensing obligations are met and maintained to the extent it is within their power to do so.

13.2 Security Awareness

All users are to be kept aware of their general security responsibilities and be regularly updated on risks. It is essential that users understand and adhere to procedures for managing, detecting and responding to security incidents.

The Pharmacy Security Officer is responsibility for maintaining user security awareness.

13.3 Compliance with Security Policy

All security procedures are to be subject to periodic review so as to ensure compliance with Pharmacy security policies and standards.

Similarly, information systems are to be checked for compliance with security implementation standards.

Self audits of operational systems are to be planned and agreed so as to minimise risk of disruption to Pharmacy processes.

13.4 Approved Non Compliance

Where a particular policy cannot be complied with for a substantive business reason, approval for a deviation from policy is to be obtained from the Pharmacy Manager.Requests for authorised non-compliance must be formally submitted with details of any risks associated with the deviation. The Pharmacy Security Officer will maintain a record of all approved non-compliance requests.All approved non-compliance requests will be subject to six-monthly reassessment.



APPENDIX 1: HEALTH INFORMATION PRIVACY CODE 1994

Rule 3: Collection of Health Information from Individual1) Where a health agency collects health information directly

from the individual concerned, or from the individual's representative, the health agency must such are, circumstances, reasonable to ensure that the individual concerned (and the representative if collection is from the representative) is aware of:

a) the fact that the information is being collected;

b) the purpose for which the information is being collected;

c) the intended recipients of the information;

d) the name and address of:

i) the health agency that is collecting the information; and

ii) the agency that will hold the information;

e) whether or not the supply of the information is voluntary or mandatory and if mandatory the particular law under which it is required;

f) the consequences (if any) for that individual if all or any part of the requested information is not provided; and

g) the rights of access to, and correction of, health information provided by rules 6 and 7.

2) The steps referred to in sub rule (1) must be taken before the information is collected or, if that is not practicable, as soon as practicable after it is collected.

3) A health agency is not required to take the steps referred to in sub rule (1) in relation to the collection of information from an individual, or the individual's representative, if that agency has taken those steps in relation to the collection, from that individual or that representative, of the same information or information of the same kind for the same or a related purpose, on a recent previous occasion.

4) It is not necessary for a health agency to comply with sub rule (1) if the agency believes on reasonable grounds:



(a)[revoked]

(b)that compliance would:

(i) prejudice the interests of the individual concerned; or

(ii)prejudice the purposes of collection;

(c) that compliance is not reasonably practicable in the circumstances of the particular case; or

(d)that non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences.10

Note: An action is not a breach of this rule if it is authorised or required by or under law -Privacy Act, section 7(4). Rule 3(4) (a) was revoked by Amendment No 4.

Rule 5: Storage and Security of Health Information1) A health agency that holds health information must ensure:

a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:

i) loss;

ii) access, use, modification, or disclosure, except with the authority of the agency; and

iii) other misuse;

b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information; and

c) that, where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.

2) This rule applies to health information obtained before or after the commencement of this code.



Note: An action is not a breach of this rule if it is authorised or required by or under law – Privacy Act, section 7(4).

The full Health Information Privacy Code 1994 is found at: http://www.privacy.org.nz/assets/Files/Codes-of-Practice-materials/Health-Information-Privacy-Code-1994-including-Amendment.pdf


http://www.privacy.org.nz/assets/Files/Codes-of-Practice-materials/Health-Information-Privacy-Code-1994-including-Amendment.pdf



generic security policy - careconnect · web viewthink about any changes you need to make to...

Documents