Wednesday, December 12, 2012

Medical Computer Security Standards

Recent hacking of medical records suggests a greater need for care by GPs. The Royal Australian College of General Practitioners recommend GPs implement a set of "RACGP Computer and Information Security Standards" (CISS) for their practice computer systems. There is a workbook with a check-list provided. This covers Staff roles and responsibilities as well as technical matters.

Contents

Preface
  1. Introduction
    1. How to use this document
  2. Computer and information security checklist
  3. Organisational and technical issues
    1. Risk assessment
      1. Select security coordinator
      2. Articulate the operating parameters
      3. Record all user and technical support contact details
      4. Asset register
      5. Identify the threats and vulnerabilities, and suggested controls
      6. Identify appropriate controls
      7. Security management and reporting, including monitoring
      8. compliance and review planning

      9. Education and communication
      10. Breach reporting
    2. Staff roles and responsibilities
      1. Practice computer security coordinator
      2. Other staff roles and responsibilities
    3. Practice security policies and procedures
      1. Practice security policies and procedures description
      2. Sample confidentiality agreement
      3. Contractual agreements
    4. Access control and management
      1. Setting access levels
      2. Access policy
    5. Business continuity and disaster recovery plans
      1. Business continuity and disaster recovery
      2. Development process and procedures
    6. Staff internet and email usage
      1. Policies for the use of internet and email
      2. Procedures for the safe use of internet and email
    7. Backup
      1. Backup procedure
      2. Backup media cycling
      3. Documenting rotation of backup media
      4. Restoring data
    8. Malware, viruses and email threats
      1. Malware and virus protection
    9. Network perimeter controls
      1. Network perimeter control policy
      2. Intrusion detection system
      3. Firewall
      4. Other controls
    10. Portable devices and wireless networks
      1. Portable devices
      2. Remote access
    11. Physical, system and software protection
      1. Physical
      2. System maintenance
      3. Software maintenance
    12. Secure electronic communication
      1. Healthcare identifiers
      2. Message system record
  4. Conclusion
    • Glossary of computer and information security terms 

    From: RACGP Computer and Information Security Standards, Royal Australian College of General Practitioners, 2011
RACGP cite these standards:
  • AZ/NZS ISO 31000:2009 Risk management – principles and guidelines. Sydney: Standards Australia International, 2009
  • HB 292 – 2006 A practitioners guide to business continuity management. Sydney: Standards Australia International, 2006
  • HB 174 – 2003 Information security management – implementation guide for the health sector. Sydney: Standards Australia International, 2003. Note: this handbook is due for revision shortly
  • HB 231 – 2004 Information security risk management guidelines. Sydney: Standards Australia International, 2004
  • HB 292 – 2006 A practitioners guide to business continuity management. Sydney: Standards Australia International, 2006
  • HB 293 – 2006 Executive guide to business continuity management. Sydney: Standards Australia International, 2006
  • Information Privacy Principles under the Privacy Act 198
  • ISO/IEC 27002:2006 Information technology – Security techniques – Code of practice for information security management
  • ISO 27799:2008 Health Informatics – Information security management in health using ISO/IEC 27002
  • NIST (2008). Computer security incident handling guide. Special Publication 800–61. National Institute of Standards and Technology
  • Office of the Australian Information Commissioner. (2006). National Privacy Principles

No comments: