Generic Security Policy

Security Policy

Introductory comments

TestSafe promises to be an important resource which will help pharmacists improve the standard of care they provide to patients, improve patient safety, reduce the risk of professional misjudgement leading to patient harm and enrich their professional lives. This can only be delivered if the information held by TestSafe is secure and the community pharmacies using TestSafe follow sound processes in managing the security of their connections to it.

The starting point for implementing sound security processes in community pharmacy is a security policy. This policy must cover:

·  Organisational issues

·  Assets to be covered by the policy

·  Personnel

·  Physical security of the pharmacy

·  Control of access to computers

·  Access to the New Zealand Health Network

·  Software lifecycle management

·  Incident reporting

·  Managing malicious software

·  Business continuity issues

·  Compliance issues

This list may appear daunting at first sight but in fact implementing a pharmacy security policy is not an onerous task. This template policy is designed to reduce the amount of effort needed to document and implement a security policy which meets New Zealand Health Network requirements. It is based on a generic document used by other primary care providers to define their New Zealand Health Network compliant security policies and has been adapted for community pharmacy so only minimal modifications should be needed. Further, community pharmacy already has large amounts of the policy in place and working. For example all pharmacies have well developed business continuity policies and procedures in place.

Thus the challenge is largely one of reviewing existing policies and adapting them, where needed, to meet the additional needs of the New Zealand Health Network, and identifying any gaps and filling them using the template as a starting point.

Readers will see the policy requires two pivotal people to operate the security system: the Pharmacy Manager and the Pharmacy Security Officer. The Pharmacy Security Officer is not a full time position, nor is it a new position. Someone working in the pharmacy is almost certainly already undertaking most if not all of the role. In many pharmacies, the Pharmacy Manager will undertake both roles. The position is formally defined to ensure responsibilities and authorities are clear, and staff have a person to report to on security issues and to obtain authorisation for activities which carry risks to pharmacy information security.

As with the template SOPs in this pack, the process for using the template is straightforward. We suggest:

1.  Read this policy template.

2.  Think about any changes you need to make to reflect the policy you will operate in your pharmacy.

3.  Work through the template making any changes needed.

4.  Finalise the policy and use it as the basis for the SOPs needed to implement the policy, using the templates provided as a starting point.

Security Policy

For «insert pharmacy name»

Version 1.1

DOCUMENT INFORMATION
Title / «Insert name of the pharmacy»
Author / «Insert name of Pharmacy Security Officer»
Version / 1.1
Status / Final
Filename / Generic Community Pharmacy Security Policy
HISTORY
Version / Date / Description of changes
1.0 / 30/04/2009 / Final version – for customisation
1.1 / «insert date» / Amended for «insert pharmacy name»


Table of Contents

1 Introduction

1.1 Purpose

1.2 Contents

1.3 Document control

2 General Security Policy and Standards

2.1 Objectives

2.2 Legal requirements

2.3 Security policy reviews

2.4 Sensitivity of information

3 Organisation of Security of Information

3.1 Policy statements

3.2 Pharmacy Manager

3.3 Pharmacy Security Officer

3.4 Staff Responsibilities

3.5 Risk Assessment

4 Asset Classification and Control

4.1 Accountability for Pharmacy Health Data as an asset

4.2 Information classification

5 Personnel Security

5.1 Objectives

5.2 Job responsibilities

5.3 Non-disclosure information and security agreement

5.4 Training

5.5 Disciplinary process

6 Physical Security

6.1 Policy statements

6.2 General requirements

6.3 Clear desk and computer screen policy

6.4 Equipment protection

6.5 Work performed outside secure sites

6.6 Storage of Information

6.7 Destruction of information

6.8 Disposal of storage media

6.9 Storage of Business Continuity data

6.10 Retention of clinical information following pharmacy closure

7 Computer Systems Access Control

7.1 Policy statement

7.2 Responsibilities

7.3 Information system access control

7.4 User logon procedures

7.5 Password standards

7.6 Individual user account management

7.7 Electronic Mail

7.8 External network connections and controls

8 New Zealand Health Network

8.1 Use of the New Zealand Health Network

8.2 Sensitivity of information

8.3 Digital certificate management

8.4 Other New Zealand Health Network information

9 Security in System Life Cycle Management

9.1 Installation of software

9.2 Operational Software

9.3 Technical support and maintenance

10 Computer Integrity and Incident Reporting

10.1 Policy statements

10.2 Security incident

10.3 Security violation

10.4 Reporting of security incidents or weaknesses

11 Malicious Software

11.1 Virus and spyware prevention procedures

11.2 Virus education programmes

12 Business Continuity Management

13 Compliance

13.1 Software Licence Compliance

13.2 Security Awareness

13.3 Compliance with Security Policy

13.4 Approved Non Compliance

Appendix 1: Health Information Privacy Code 1994

Community Pharmacy Security Policy

1  Introduction

1.1  Purpose

This document provides guidance to users of the computer systems of this Pharmacy. Implementation of these policies will ensure adequate security for all information collected, processed, transmitted, stored, or disseminated as part of the Pharmacy systems and major applications.

These security policies are consistent with New Zealand Government legislation including the:

·  Health Information Privacy Code 1994

·  Privacy Act 1993

·  New Zealand Copyright Act 1994

Relevant New Zealand standards include:

·  AS/NZS HB 231:2000 (Information security risk management guidelines)

·  AS/NZS ISO/IEC 17799:2001 (Code of Practice for information security management)

·  SNZ HB 8169:2001 (Health Network Code of Practice)

1.2  Contents

This security policy addresses the following areas of concern:

·  General security policy and standards

·  Security organisation

·  Personnel security and training

·  Physical security

·  Computer systems access control

·  New Zealand Health Network

·  Security in system life cycle management

·  Computer integrity and incident reporting

·  Malicious software

·  Business continuity management

·  Compliance

1.3  Document control

The Pharmacy Security Officer will review this document annually and will be responsible for any modifications deemed necessary. Any feedback and suggested amendments in respect of this document should be provided to the Pharmacy Security Officer.

The Pharmacy Manager will be responsible for approving security policy amendments, appointing the Pharmacy Security Officer, and supporting the implementation of the Security Policy.

2  General Security Policy and Standards

2.1  Objectives

The objective of this section of the security policy is:

·  To establish and maintain adequate and effective information security safeguards for users to ensure that the confidentiality, integrity, and operational availability of Pharmacy and patient information is not compromised.

Comment

Sensitive information must be safeguarded against unauthorised disclosure, modification, access, use, destruction, or delay in service.

Each user has a duty and responsibility to other Pharmacy staff members to comply with the information protection policies and procedures detailed in this document.

2.2  Legal requirements

Under the Health Information Privacy Code 1994, Rule 5 – Storage and Security of Health Information, this Pharmacy has the role of responsible custodian of health and patient information. It will, therefore, promote and help protect the privacy of personal information entrusted to it.

See Appendix 1 which provides a copy of this rule.

2.3  Security policy reviews

This pharmacy will conduct annual reviews to verify that the standard and quality of the information security controls it has implemented comply with this policy.

2.4  Sensitivity of information

Most health related information held by this pharmacy is collected in a situation of confidence and trust, is generally highly sensitive, and may include particularly sensitive personal details.

There are two main types of sensitive information:

·  Health information about patients, collected and controlled in accordance with the Health Information Privacy Code 1994 [3] or with other relevant health-related legislation, and

·  Other information stored on the Pharmacy computer system that is sensitive for other reasons, such as commercial information, staff related information or any other information which may be considered sensitive.

See Appendix 1 which provides a copy of this rule.

See also section 4.2, “Information classification”.

3  Organisation of Security of Information

3.1  Policy statements

A management framework is required so that all those involved in the use or maintenance of the Pharmacy’s computer systems can initiate, co-ordinate and control the implementation of information security effectively. The key personnel in managing information security in the Pharmacy are the Pharmacy Manager and the Pharmacy Security Officer. They meet their obligations through defined staff responsibilities and a formal assessment of risks.

3.2  Pharmacy Manager

The Pharmacy Manager has a number of responsibilities with respect to the security of health information, including:

·  establishing and approving information security policies and procedures,

·  agreeing on specific methodologies and processes for information security, e.g. risk assessment, security classification, etc.,

·  determining acceptable levels of security risks,

·  monitoring major information security threats and incidents,

·  approving major initiatives to enhance information security,

·  ensuring that formal audits are performed as necessary,

·  reviewing audit reports where security problems exist,

·  appointing and replacing the Pharmacy Security Officer,

·  ensuring continuity of the application of this policy in periods when the Pharmacy Security Officer’s post is vacant,

·  acting as the Authorised Signatory in respect to the issuance of digital certificates.

3.3  Pharmacy Security Officer

The Pharmacy Security Officer is appointed by the Pharmacy Manager and is responsible for the co-ordination of security issues that affect the Pharmacy. In particular, the Pharmacy Security Officer is responsible for:

·  advising Pharmacy staff on security matters,

·  informing the Pharmacy Manager of any major security incidents,

·  developing and reviewing security policies and plans to be approved by the Pharmacy Manager,

·  maintaining a list of all persons authorised to have access to the Pharmacy premises, and to Pharmacy computer systems,

·  reporting security incidents, and the status thereof, to the Pharmacy Manager,

·  ensuring that Pharmacy security policies and standards meet all New Zealand Health Network requirements,

·  liaising with the New Zealand Health Network Security Officer in respect to security matters that may affect other members of the New Zealand Health Network.

The current Pharmacy Security Officer is «insert the name of the person».

Comment

In smaller pharmacies, the Pharmacy Manager is likely also to undertake the Pharmacy Security Officer’s role. Where the pharmacy has sufficient staffing resources to permit separation of these roles it is preferable for them to be separated.

3.4  Staff Responsibilities

Any security system relies on the users of the system to follow the procedures necessary for upholding security policies. All employees are therefore required to:

·  uphold security procedures and policies,

·  protect their user identification and passwords,

·  inform the Pharmacy Security Officer of any security issues, problems or concerns,

·  assist the Pharmacy Security Officer in resolving security issues,

·  ensure that all computer systems used in support of Pharmacy functions are backed-up in a manner that mitigates both the risk of loss and costs of recovery,

·  be especially aware of the vulnerabilities presented by remote access and be aware of their obligation to report intrusions, misuse or abuse to the Pharmacy Security Officer,

·  be aware of their obligations, when storing, securing, transmitting or disposing of health information, to protect the privacy of patients,

·  agree not to connect personal portable USB disk drives or other portable devices which can store data to the pharmacy’s computer system.

With specific reference to The Health Information Privacy Code (1994), Rule 5 – Storage and Security of Health Information, users are included in the description as custodians of health and patient information and are required to promote and protect the privacy of personal information.

3.5  Risk Assessment

A formal assessment of the information security risks the pharmacy faces will be undertaken by the Pharmacy Security Officer at two yearly intervals, or sooner if either the Pharmacy Security Officer or the Pharmacy Manager judges it necessary.

Process

It is not possible to eliminate all business risk; instead, appropriate techniques will be applied to identify and manage the risks so as to minimise any harmful effects.

Security requirements will be identified by a methodical assessment of security risks. Decisions on mitigating controls will balance the expenditure needed to manage the risk against the harm to the Pharmacy likely to result from security failures.

This risk assessment will systematically consider:

·  the harm likely to result from a security failure, taking into account the potential consequences of a loss of integrity, confidentiality and availability of the information and other assets;

·  the realistic likelihood of such a failure occurring in the light of the prevailing threats and vulnerabilities, and the controls currently implemented.

The results of this assessment will assist in the determination of the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against those risks.

Security policies will be reviewed for currency and appropriateness following any assessment of risks.

4  Asset Classification and Control

4.1  Accountability for Pharmacy Health Data as an asset

All major information assets are to be recorded in an information asset inventory and have a nominated owner who is responsible for maintaining appropriate controls over that asset. (In addition to hardware, software and other information assets including databases present in the pharmacy, this requirement covers all material required to ensure business continuity. This includes but is not limited to pharmacy management software and patient database backups; accounting software and information backups; electronic banking records and other electronic pharmacy document backups which are stored offsite.)