INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE



Similar documents
How To Protect Decd Information From Harm

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

HIPAA Security Alert

HIPAA Information Security Overview

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Montclair State University. HIPAA Security Policy

Information Resources Security Guidelines

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

VMware vcloud Air HIPAA Matrix

Authorized. User Agreement

Wellesley College Written Information Security Program

University of Liverpool

R345, Information Technology Resource Security 1

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

INFORMATION TECHNOLOGY SECURITY STANDARDS

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

State HIPAA Security Policy State of Connecticut

ISO Controls and Objectives

To protect information in the custody and control of AHS while being transmitted and/or stored on mobile devices.

Newcastle University Information Security Procedures Version 3

BERKELEY COLLEGE DATA SECURITY POLICY

Office 365 Data Processing Agreement with Model Clauses

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security and Electronic Communications Acceptable Use Policy (AUP)

So the security measures you put in place should seek to ensure that:

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Healthcare Compliance Solutions

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Estate Agents Authority

Third Party Security Requirements Policy

Virginia Commonwealth University School of Medicine Information Security Standard

Excerpt of Cyber Security Policy/Standard S Information Security Standards

MOBILE DEVICE SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Information Management and Cyber Security Policy

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

DHHS Information Technology (IT) Access Control Standard

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Responsible Access and Use of Information Technology Resources and Services Policy

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

COMPLIANCE ALERT 10-12

Policies and Compliance Guide

Information Security Policies. Version 6.1

University of Aberdeen Information Security Policy

ISO COMPLIANCE WITH OBSERVEIT

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Supplier IT Security Guide

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

How To Write A Health Care Security Rule For A University

HIPAA Security Series

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA: Bigger and More Annoying

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

HIPAA BUSINESS ASSOCIATE AGREEMENT

C.T. Hellmuth & Associates, Inc.

ISO27001 Controls and Objectives

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

M E M O R A N D U M. Definitions

Draft Information Technology Policy

Service Children s Education

HIPAA and Mental Health Privacy:

HIPAA Security COMPLIANCE Checklist For Employers

Ohio Supercomputer Center

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

BUSINESS ASSOCIATE AGREEMENT

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Data Management Policies. Sage ERP Online

HIPAA Security and HITECH Compliance Checklist

CITY UNIVERSITY OF HONG KONG. Information Classification and

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

HIPAA Compliance: Are you prepared for the new regulatory changes?

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

Title: Data Security Policy Code: Date: rev Approved: WPL INTRODUCTION

Procedure Title: TennDent HIPAA Security Awareness and Training

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

BUSINESS ASSOCIATE AGREEMENT

INFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c

Information Systems Access Policy

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

Transcription:

TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology Management INITIAL APPROVAL DATE June 24, 2009 INITIAL EFFECTIVE DATE June 24, 2009 REVISION EFFECTIVE DATE January 10, 2012 NEXT REVIEW January 10, 2015 corporatepolicy@albertahealthservices.ca. The Corporate Policy website is the official source of current approved corporate policies, procedures, PURPOSE To outline to Contractors and individuals negotiating, administering, or managing contracts on behalf of Alberta Health Services ( AHS ) the Security requirements for using, accessing, or provisioning AHS information or Information Technology ( IT ) Resources. To comply with the Freedom of Information and Protection of Privacy Act (Alberta) ( FOIPP ) and the Health Information Act (Alberta) ( HIA ). POLICY STATEMENT Contractors using, accessing, or provisioning of AHS information or IT Resources (e.g. third party service providers) shall implement and maintain controls for the Security of information and IT Resources and comply with applicable AHS policies and AHS IT Security and Compliance Program Standards. Individuals negotiating, administering, or managing AHS contracts shall ensure Contractors comply with this and other applicable AHS policies, the AHS IT Security and Compliance Program Standards, and with the terms, such as information management, specified in applicable contracts. Prior to establishing a contractual relationship, AHS shall evaluate Contractors for potential Security risks. Contracts or agreements, which may specify additional Security requirements, shall be completed and signed before a Contractor is granted privileges for Access to, or provisioning of, AHS information or IT Resources. Alberta Health Services 2012 PAGE: 1 of 8

January 10, 2012 1107 2 of 8 APPLICABILITY Compliance with this policy is required by all AHS employees, members of the medical and midwifery staffs, students, volunteers, and other persons acting on behalf of AHS (including contracted services providers as necessary). This policy is subject to all applicable laws. POLICY ELEMENTS 1. Contractor Overall Security Responsibilities 1.1 Security Infrastructure Contractors shall ensure Security controls are implemented and maintained. Contractors shall set out the roles and responsibilities of its staff with responsibility for information management and IT Security and Compliance, and provide a current list of staff responsible for the implementation of Security policies, procedures, practices, and standards. 1.2 Monitoring AHS Information Technology may monitor a Contractor to ensure compliance with applicable AHS policies and AHS IT Security and Compliance Program Standards. Monitoring may include, but is not limited to, ongoing or random Security audits. 1.3 Annual Review and Audit a) The AHS IT Security and Compliance Office may require a Contractor to conduct an annual review and/or an annual technical audit of its Security policies, procedures, practices, and standards. Any identified Security gaps or areas of non-compliance shall be clearly documented. b) Completed reviews and/or technical audits shall be submitted to the AHS IT Security and Compliance Office within seven (7) days of completion. The AHS IT Security and Compliance Office shall prepare a final report, including recommendations for remedying deficiencies where appropriate, and forward the report to the Contractor and applicable AHS staff and committees. c) Where the AHS IT Security and Compliance Office identifies deficiencies, Contractors shall have thirty (30) calendar days to implement remedies and notify the AHS IT Security and Compliance Office that such deficiencies have been addressed. Contractors failing to remedy the identified deficiencies shall be penalized in accordance with the provisions of their specific contracts. 1.4 Privacy Impact Assessments The AHS Information & Privacy Office shall determine whether the goods and services performed by the Contractor require a Privacy Impact Assessment ( PIA ) (see Privacy Impact Assessments policy (#1145)). Contractors shall be notified as necessary, and shall participate, cooperate, and comply with the AHS PIA process.

January 10, 2012 1107 3 of 8 1.5 Disaster Recovery Plan Contractors shall, as specified in a contract or on the request of IT Security & Compliance Office, prepare and submit disaster recovery and/or business continuity plans to ensure ongoing protection of access to or provisioning of AHS information and IT Resources in the event of a disaster or disruption in normal business operations. 2. Access to AHS Information and IT Resources 2.1 Contractor Access Review The AHS Information & Privacy Office or the AHS IT Security and Compliance Office shall identify and document deficiencies and risks associated with a Contractor s access to AHS information or IT Resources through an initial access review. Contractors may be requested to perform a full Security review as a result of an access review. 2.2 Access Privileges Individuals negotiating, administering, or managing AHS contracts, in conjunction with the AHS IT Security and Compliance Office, Information & Privacy Office, and/or Protective Services (or Facility Designate) as appropriate, shall evaluate Contractors to determine the appropriate Access Privileges for Contractors. Contractor Access Privileges, including remote access, shall be granted in compliance with AHS Access to Information (Physical, Electronic, Remote) policy (#1105). a) Contractors shall not receive Access Privileges until: i. the Contractor has signed an approved contract with AHS; ii. the Contractor has completed designated pre-requirements set out in the contract; and identified deficiencies have been corrected to the satisfaction of the AHS IT Security and Compliance Office and Information & Privacy Office. b) Contractors must request and receive approval before granting Access Privileges to other individuals or organizations. Contractors may be required by the AHS IT Security and Compliance Office to perform a Security review prior to the Contractor granting any Access Privileges to other individuals or organizations. c) Where Contractors have approval to grant Access Privileges to other individuals or organizations, the access shall be for the minimum information necessary to fulfil their responsibilities on behalf of AHS. The Contractor shall inform the access recipients of their responsibility to comply with applicable AHS policies while exercising their granted access rights. 2.3 Contract or Agreement Expiration or Termination

January 10, 2012 1107 4 of 8 Immediately upon expiration or termination of a Contractor s agreement or contract with AHS, all Access Privileges shall be revoked, and AHS information and IT Resources returned. 3. Contractor Human Resource Requirements 3.1 Contractors shall have human resource processes and practices in place to maintain the Security and integrity of AHS information and IT Resources. 3.2 Contractors shall ensure that: a) an employment screening process, including reference verification, is implemented and complied with; b) all employment agreements and job descriptions contain confidentiality requirements during and upon termination of employment, including specific penalties or disciplinary action for intentional, accidental, or unintentional Information Security Incidents or loss or damage to AHS information or IT Resources ; and c) policies are implemented requiring staff or representatives of the Contractor to comply with generally accepted principles for computing use, applicable AHS policies, and clearly defined information and IT Resource management procedures. 3.3 Contractors, individual or firms, shall ensure staff who have or will have access to AHS information or IT Resources: a) are familiar with, understand, and agree to comply with all applicable AHS policies and AHS IT Security and Compliance Program Standards; b) receive appropriate Security awareness training consistent with AHS training standards; c) visibly display an identification badge clearly indicating the individual is acting on behalf of the Contractor, while working in AHS facilities; d) sign and agree to comply with the terms of a confidentiality agreement; and e) receive suitable supervision during job training to ensure the Security of AHS information and IT Resources are protected and maintained. 4. Information Security Contractors shall have mechanisms and comply with applicable AHS policies processes to ensure AHS information and IT Resources are managed in compliance with AHS policies and AHS IT Security and Compliance Program Standards. 4.1 Retention, Destruction, and Disposal Contractors shall ensure that retention, destruction, and disposal of AHS information and IT Resources are in accordance with the AHS Records Retention

January 10, 2012 1107 5 of 8 Schedule (#1133-01), Records Destruction procedure (#1133-02), and AHS IT Security and Compliance Program Standards. 4.2 Classification and Inventory All information generated by Contractors and or IT Resources acquired on behalf of AHS shall be classified and inventoried by Contractors. Contractors shall: a) maintain and review the inventory on a quarterly basis and forward a copy of the inventory list and quarterly review to either the AHS contract manager of record, the IT Security & Compliance Office or the Information & Privacy Office upon request; b) provide written confirmation that any information and or IT Resource destroyed has been destroyed in accordance with the AHS Records Retention Schedule (#1133-01), Records Destruction procedure (#1133-02), and the AHS IT Security and Compliance Program standards; c) upon expiration or termination of a contract, forward the inventory to AHS and return the information and IT Resources listed in the inventory; and d) confirm that no copies of AHS information have been made or retained by the Contractor. 4.3 Information Transport, Transmission, and Log Contractors shall ensure that all transportation of AHS information or IT Resources, or transmission of information complies with applicable AHS policies and AHS IT Security and Compliance Program standards. Contractors shall maintain accurate logs to record the internal and external movement of AHS information and IT Resources. 5. Access Control Contractors shall have in place access control mechanisms and procedures to comply with the provisions of the contract or agreement and AHS Access to Information (Physical, Electronic, Remote) policy (#1105) and other applicable AHS policies, including but not limited to: a) Storage Contractors shall ensure that AHS information and IT Resources are securely stored or placed in secure locations to prevent unauthorized access, loss, damage, or corruption. b) Unattended Equipment Contractors shall ensure that inactive terminals are automatically logged off from AHS information systems after a defined period of inactivity. Logged-in or otherwise unsecured workstations or Mobile Computing Devices containing or accessing AHS information shall not be left unattended by the Contractor.

January 10, 2012 1107 6 of 8 c) Access Security Audit Contractors shall maintain a log of all successful and unsuccessful requests for physical, environmental, or electronic access to AHS information and IT Resources. The log shall be available, upon request, to the AHS IT Security and Compliance Office for audit purposes. 6. Incident Management 6.1 All Breaches shall be immediately assessed by Contractors for impact and risk, and appropriate action to mitigate harm and risks shall be taken as soon as possible. 6.2 Contractors shall report all Information Security Incidents involving IT Resources or physical access to the AHS IT Security and Compliance Office as soon as possible. Other Breaches shall be reported to Information & Privacy Office. Contractors shall cooperate with any AHS investigation conducted by IT Security and Compliance and/or the Information & Privacy Office. 6.3 After receiving and reviewing a report of a Breach, either the AHS IT Security and Compliance Office or the Information & Privacy Office shall advise Contractors of appropriate remedies. Any remedial action taken by AHS relating to an Information Security Incident or privacy incident shall be in accordance with legal, contractual, and other AHS requirements. 7. Mobile Computing and Mobile Storage Device Security 7.1 Contractor-assigned Mobile Computing Devices and Mobile Storage Devices that contain or have access to AHS information or IT Resources shall be protected in accordance with AHS IT Security and Compliance Program Standards. Mobile Computing Devices and Mobile Storage Devices shall utilize AHS-approved encryption tools. 7.2 To prevent a loss of information or theft of Mobile Computing Devices or Mobile Storage Devices, Contractors shall comply with the requirements set out in the applicable AHS policies and procedures. 7.3 Contractors shall also ensure that all Mobile Computing Devices and Mobile Storage Devices containing or having access to AHS information or IT Resources have: a) an automatic log-off mechanism; b) processes to prevent unauthorized viewing of user-ids or passwords; c) appropriate password protection (e.g., log-on, hard-drive, and screen saver passwords); and d) AHS approved anti-virus software installed and updated.

January 10, 2012 1107 7 of 8 8. Information Managers 8.1 Contractors acting as information managers on behalf of AHS shall sign an information management agreement with AHS. 8.2 Information managers may store, retrieve, or dispose of AHS information pursuant to the terms of the information manager agreement and in accordance with applicable legislation and AHS policies. Information disclosed to information managers shall be protected in accordance with applicable legislation and AHS policies. 8.3 Information managers shall not collect, use, disclose or destroy records, including Health or Personal Information, for any purpose other than those authorized by the information management agreement and in accordance with applicable legislation and AHS policies. DEFINITIONS Access Privileges means privileges granted to Contractors for the use of AHS information or IT Resources to perform contracted responsibilities. Access Privileges may be granted for physical, environmental or electronic resources. Breach means a failure to observe security or privacy processes, procedures or policies, whether deliberate or accidental, which results in the information being viewed, or having the potential to be, accessed, used, transmitted or held by unauthorized persons. Contractor means: a) an affiliate (a person performing a service on behalf of AHS as an appointee, or under a contract or agency relationship), business partner, consultant, contractor, non-employee, outsourcer, service provider, information manager, or third party engaged by AHS to perform services for or on behalf of AHS; or b) an agent, employee or third party to the Contractor engaged by AHS to perform services for or on behalf of AHS. Facility Designate means the individual or Department responsible for ensuring access controls are met at an AHS facility. A Facility Designate shall be identified in facilities where AHS Protective Services is not employed. Information Security Incident means any incident where there is a Violation or Breach of the Security of information or a weakness or malfunction of IT infrastructure that could potentially cause a violation or breach, is identified. IT Resource means any AHS-owned or controlled asset used to generate, process, transmit, store, or access AHS information, which includes but is not limited to IT infrastructure, computer facilities, systems, hardware, software, information systems, networks, shared drives, computer

January 10, 2012 1107 8 of 8 equipment and devices, Internet, email, databases, applications, Mobile Computing Devices, and Mobile Storage Devices. Mobile Computing Device means portable electronic devices including but not limited to Portable Digital Assistants (PDAs), notebook computers, laptops, desktop PCs, Palm Pilots, Pocket PCs, Blackberrys, text pagers, smart phones, and other similar devices. Mobile Storage Device means portable devices used to store data including but not limited to analog or digital voice recorders, external hard drives, memory cards, flash and other data storage drives, optical storage devices (e.g. CDs, DVDs, and Blu-ray discs), and other similar devices. Security means the guarding or guaranteeing of the safety of AHS information and IT Resources against misuse, theft or other dangers, and protecting the privacy and maintaining the integrity of information. Violation means a particular incident or system-wide condition that violates Security or privacy policy, but does not result in a breach REFERENCES AHS Policies and Procedures: o Access to Information (Physical, Electronic, Remote) (#1105) o Business Continuity Planning for IT Resources (#1140) o Collection, Access, Use, and Disclosure of Information (#1112) o Delegation of Authority and Responsibilities for Compliance with FOIPP and the HIA (#1108) o Information Security and Privacy Safeguards (#1143) o Information Technology Acceptable Use (#1109) o Monitoring and Auditing of IT Resources (#1144) o Privacy Impact Assessments (#1145) o Records Destruction (#1133-02) o Records Retention Schedule (#1133-01) o Transmission of Information by Facsimile and Electronic Mail (#1113) AHS IT Security and Compliance Program Standards International Organization for Standardization (ISO) 27001 and 27002 Freedom of Information and Protection of Privacy Act (Alberta) Health Information Act (Alberta) REVISIONS January 10, 2012

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information