Security Policy
From Clinfowiki
Security Policy
According to Barrows (1996) [1], a limitation to information security for health care is the absence of a standardized security policy.
A security policy is comprised of the following:
- What functions are required of a health information system for a user to accomplish a task
- Security in place to protect the necessary information
- A protocol and model in place in the event of a security breech
Data security policies and standards were developed by the Mayo Clinic/Foundation. [2]
The Columbia-Presbyterian Medical Center [3] developed an approach that involved numerous experts that came up with 14 topic areas for which security polices in health information technology should follow.
- User authentication
- Physical security of data center sites
- Access control to system resources
- Data ownership
- Data protection policies
- Building security into systems
- Security of hard copy materials
- Systems integrity
- User profiles
- Legal and liability issues
- Problem identification and resolution
- Network security
- Informed consent
- Education of users
- ↑ Barrows, R. C., & Clayton, P. D. (1996). Privacy, confidentiality, and electronic medical records. Journal of the American Medical Informatics Association, 3(2), 139-148. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC116296/
- ↑ Information Security Subcommittee, Mayo Clinic/Foundation. Data Security Policies and Standards; September 1994 (provided by Dr. Christopher D. Chute, Section of Medical Information Resources, Mayo Clinic/Foundation, Rochester, MN)
- ↑ Clayton, P. D., Sideli, R. V., & Sengupta, S. (1991). Open architecture and integrated information at Columbia-Presbyterian Medical Center. MD computing: computers in medical practice, 9(5), 297-303.
