Difference between revisions of "Security Policy"

From Clinfowiki
 
Line 13: Line 13:
  
 
The Columbia-Presbyterian Medical Center <ref name ='CPMC'> Clayton, P. D., Sideli, R. V., & Sengupta, S. (1991). Open architecture and integrated information at Columbia-Presbyterian Medical Center. MD computing: computers in medical practice, 9(5), 297-303. </ref> developed an approach that involved numerous experts that came up with 14 topic areas for which security polices in health information technology should follow.
 
The Columbia-Presbyterian Medical Center <ref name ='CPMC'> Clayton, P. D., Sideli, R. V., & Sengupta, S. (1991). Open architecture and integrated information at Columbia-Presbyterian Medical Center. MD computing: computers in medical practice, 9(5), 297-303. </ref> developed an approach that involved numerous experts that came up with 14 topic areas for which security polices in health information technology should follow.
 +
 +
* User authentication
 +
* Physical security of data center sites
 +
* Access control to system resources
 +
* Data ownership
 +
* Data protection policies
 +
* Building security into systems
 +
* Security of hard copy materials
 +
* Systems integrity
 +
* User profiles
 +
* Legal and liability issues
 +
* Problem identification and resolution
 +
* Network security
 +
* Informed consent
 +
* Education of users
 +
 +
  
 
<references/>
 
<references/>
 
[[Category:Definition]]
 
[[Category:Definition]]
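
Review bot: the unchanged sentence that introduces the added list misspells "policies" as "polices" and ends awkwardly with "for which security polices in health information technology should follow". Since this revision extends that paragraph, correct the spelling and reword the ending to something like "that security policies in health information technology should address", closing with a colon so the list reads as its continuation. The 14 added bullets match the count stated in that sentence. The two blank added lines before the first bullet and the two after the last one can be reduced to one each.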

Latest revision as of 00:19, 9 April 2015

Security Policy

According to Barrows (1996) [1], a limitation to information security for health care is the absence of a standardized security policy.

A security policy comprises the following:

  • What functions are required of a health information system for a user to accomplish a task
  • Security in place to protect the necessary information
  • A protocol and model in place in the event of a security breach

Data security policies and standards were developed by the Mayo Clinic/Foundation. [2]

The Columbia-Presbyterian Medical Center [3] developed an approach in which numerous experts identified 14 topic areas that security policies in health information technology should address:

  • User authentication
  • Physical security of data center sites
  • Access control to system resources
  • Data ownership
  • Data protection policies
  • Building security into systems
  • Security of hard copy materials
  • Systems integrity
  • User profiles
  • Legal and liability issues
  • Problem identification and resolution
  • Network security
  • Informed consent
  • Education of users


  1. Barrows, R. C., & Clayton, P. D. (1996). Privacy, confidentiality, and electronic medical records. Journal of the American Medical Informatics Association, 3(2), 139-148. http://www.ncbi.nlm.nih.gov/pmc/articles/PMC116296/
  2. Information Security Subcommittee, Mayo Clinic/Foundation. Data Security Policies and Standards; September 1994 (provided by Dr. Christopher D. Chute, Section of Medical Information Resources, Mayo Clinic/Foundation, Rochester, MN)
  3. Clayton, P. D., Sideli, R. V., & Sengupta, S. (1991). Open architecture and integrated information at Columbia-Presbyterian Medical Center. MD computing: computers in medical practice, 9(5), 297-303.