The issues of computer security and data protection are currently relevant for all business segments as well as for individuals, and health care is one of the spheres where information protection is especially important. In addition to securing internal data and business transactions, companies operating in the sphere of health care need to pay attention to the security of specific software and online tools, and to protect patient health care records from unauthorized access and/or disclosure. Different countries have adopted different legal regulations governing privacy protection and the development of information security policies. The requirements of these regulations should be reflected in the corporate information security policies of health care organizations (Bos, 2008). The purpose of this paper is to analyze three privacy and security policies of health care organizations, to identify similarities and differences between these policies, and to identify the key security elements and principles which should be taken into account while developing an information security policy for a health care organization.
The first document is the technology resources policy of Beth Israel Deaconess Medical Center, the second document outlines the information security policies and standards of Mayo Foundation, and the last document is the manual on protection of health information policies and procedures of Georgetown University. All these documents describe internal organizational rules regulating information security issues for the employees of these organizations, and the differences between the documents reflect the differences in the scope of activities and the size of these health care organizations. Common elements of these policies include definitions of the basic concepts mentioned in the text, rules relating to information disclosure, and control of access to information adopted within the organization.
All three documents mention the rights and responsibilities of employees related to information technology and resources, and each of these documents describes the actions which are allowed and prohibited to employees. The rights of different groups of employees are mentioned in the security document of Georgetown University (business associates are described separately) and in the standards of Mayo Foundation (external contractors' rights are outlined in a separate chapter) (Information Security Policies and Standards With Guidelines and Cross References, 2002).
The use of different devices for accessing the organizational network is explicitly described in all three documents, including the use of wired and wireless options, portable devices, PDAs and personal computers. Each of these documents considers different ways of accessing the information system of the organization, including such issues as remote access, the use of external data storage devices and the sharing of information. Such aspects of information security as e-mail policies, the use of encryption software, access to different media (especially streaming large files), viruses and antivirus protection systems are covered in all of these documents in various forms. All documents prohibit hacking and attempts to gain unauthorized access to information in various forms, and describe the sets of actions which may be classified as such. However, despite these obvious similarities, there are significant differences between these policies as well.
The rights of different groups of people involved in health care are outlined in detail in the policy of Georgetown University (Protection of Health Information Policies and Procedures Manual, 2003), while the other documents contain no clear analysis of the rights of different stakeholders. One major difference of the information security policy of Beth Israel Deaconess Medical Center is the absolute prohibition on using organizational software and equipment for employees' personal needs, and the denial of employee privacy with regard to all data stored on the computers of the organization (Beth Israel Deaconess Medical Center Technology Resources Policy, 2003). The other two organizations allow minor use of organizational resources for the personal needs of their employees, with certain reservations. One more significant difference is that the policy of Beth Israel Deaconess Medical Center does not mention how sensitive personal information of patients should be managed. At the same time, the policies of Georgetown University and Mayo Foundation mention the requirements of HIPAA and describe the procedures for handling and securing the personal data of their patients. Finally, the Health Care Department of Georgetown University clearly has to deal with a wider scope of situations, and therefore many situations involving legal regulations are explicitly described in the information security document of Georgetown University.
Overall, the key security principles which should be covered in an organizational information security policy are the rights and responsibilities of employees, the storage and handling of personal (sensitive) data, control of access to information (Lazakidou, 2006), access to the information network using different types of devices, e-mail handling, spam issues, virus issues, the use of anti-virus software, the use of encryption software, and appropriate control and revision procedures.
Beth Israel Deaconess Medical Center Technology Resources Policy. (2003). Retrieved from http://cdad.trident.edu/Uploads/Presentations/1194beth_israel.pdf
Bos, L. (2008). Medical and Care Compunetics 5. IOS Press.
Information Security Policies and Standards With Guidelines and Cross References. (2002). Mayo Foundation. Retrieved from http://cdad.trident.edu/Uploads/Presentations/1195mayo.pdf
Lazakidou, A.A. (2006). Handbook of research on informatics in healthcare and biomedicine. Idea Group Inc (IGI).
Protection of Health Information Policies and Procedures Manual. (2003). Georgetown University. Retrieved from http://cdad.trident.edu/Uploads/Presentations/1196georgetown.pdf