HealthLink Security Policy




HealthLink Security Policy
Updated 21st July 2014
HealthLink commercial in confidence 11/03/2014

Date First Version: 2nd October 2001
Date Last Change: 21st July 2014
Document Name: HealthLink Security Policy
Document Version: 6
Author: Tom Bowden

Copyright HealthLink Company Limited 2014. All rights reserved. No reproduction, transmission, transcription, storage in a retrieval system, or translation into any language or by any means, electronic, mechanical, optical, chemical, manual, or otherwise, of any part of this document is permitted without the express written permission of HealthLink Company Limited.

Liability Notice: Every effort has been made to ensure that the information in this document, supplied by HealthLink Company Limited, is accurate and complete. However, as the use and interpretation of this document is beyond the control of HealthLink Company Limited, no liability, either direct or consequential, can be entertained by HealthLink Company Limited, its agents, or its suppliers.

Introduction

HealthLink is a world leader in the provision of health sector information services. From its bases in Auckland, Sydney and Vancouver, HealthLink provides electronic communications services to more than 10,000 health sector organisations sited across New Zealand, Australia, the Pacific Islands and, recently, Canada. HealthLink has been operating in New Zealand since 1994 and in Australia since 1999. HealthLink commenced operation in Canada in 2010.

HealthLink provides a range of services, which include:
- Electronic messaging between healthcare providers
- Electronic claims processing systems
- Online referral and pathology ordering systems
- Disease Management Databases
- Access to Government provided patient databases
- Managed online security services
- Electronic Portals

Every month HealthLink's systems handle more than six million items of patient information, and the company is responsible for the management and maintenance of a number of databases containing patient information. On a daily basis HealthLink's staff based in New Zealand, Australia and Canada handle enquiries regarding computer system malfunctions. These enquiries at times necessitate staff looking into computer records and studying the composition of computer files, which can contain personally identifiable information. HealthLink's staff are required to sign an agreement that they will adhere to strict privacy and data handling policies.

Purpose

The purpose of this Security Policy is to set down the ways in which HealthLink's staff will manage all aspects of the services' security. This document is available to all of HealthLink's customers and is used by staff as the basis on which management decisions regarding security are made.

HealthLink's Security Policy

Governance of Security Policy

HealthLink agrees to follow the directives and rulings of government appointed bodies concerned with setting standards for security policy. HealthLink staff members are required to follow these directives and rulings on the company's behalf.

In New Zealand the National Health IT Board, a Government appointed industry body, exists to regulate the security levels employed by the sector. HealthLink was a member of the Expert Advisory Committee for the development of the Health Information Security Framework, which is the key document explaining the rules that need to be followed when handling health information within the New Zealand health sector.

In Australia there is currently no single body set up to set security policies for the health sector; however, Australian standard AS4400 (Personal Privacy Protection in Healthcare Information Systems) does set out the minimum levels of security required.

HealthLink operates subject to the respective laws of New Zealand, Australia and Canada. All HealthLink staff members are required to sign an agreement that they will abide by the company's privacy policy.

Section One: HealthLink's approach to providing robust security

1.1 Data-communications standards - Overview

HealthLink has been operating in New Zealand since 1994 and in Australia since 1999. Over that time it has consistently striven to lift the level of security standards it employs, in line with a general raising of standards across the health sector; in many cases this is driven by improvements in the available security technology. Beginning with 40-bit encryption and 8-digit user passwords, the standard being applied by HealthLink is now 128-bit encryption and Public Key Infrastructure-based digital certification.

1.2 Authentication

HealthLink has implemented X.509 v3 compliant digital certificates across its entire user base.

1.3 Data-encryption

HealthLink currently offers two levels of data encryption:
1. Secure Sockets Layer (SSL) 128-bit encryption. This level of encryption is standard across all of HealthLink's messaging services.
2. IPSEC (Internet Protocol Security), used in the HealthLink SECURIT Service (see SECURIT) for health provider organisations to use to connect to Connected Health, which is a secure communications networking environment.

1.4 Non-Repudiation

HealthLink provides electronic signatures and therefore true non-repudiation. This technology has been in place since 1993 and has been continuously upgraded since that time.

Section Two: Security Policies

2.1 The HealthLink Security Officer

HealthLink's Security Officer is currently Mr Geoffrey Brown, IT Manager.

2.2 Staff Security and Privacy Declarations

Following a privacy training workshop, each HealthLink staff member is required to sign a declaration that he or she understands the importance of patient privacy in each of the jurisdictions that HealthLink operates in and the importance of the New Zealand Health and Disability Act. In this declaration, the staff member agrees to uphold the principles of the above legislation and the company's Privacy and Security Policies. The penalty for a serious breach of the declaration (deliberate or careless) is immediate dismissal. Copies of the HealthLink Staff Security and Privacy Declaration and the standard HealthLink Staff contract are available upon request.

2.3 Staff Security and Privacy Training

Seminars are held regularly for new staff as a key part of staff initiation processes. Privacy and Security Seminars are conducted by the HealthLink Security and Privacy Officers, and they use materials provided by the Health and Disability Commissioner and the Privacy Commissioner's office as well as the HealthLink Privacy Policy and the HealthLink Security Policy.

2.4 Promoting security consciousness amongst customers

HealthLink takes every opportunity it can to promote awareness of the importance of security and privacy within its extensive customer base.

2.5 Trusted Third Parties

No third parties are allowed to work on the HealthLink infrastructure. The only personnel working on HealthLink's systems are HealthLink employees, who are therefore bound by their employment agreements to observe the HealthLink Security and Privacy Policies.

2.6 Client Contracts

All of HealthLink's clients are contractually bound to observe suitable security and privacy policies of their own. HealthLink's standard client contract requires them to do this.

Additionally, subscribers of the HealthLink SECURIT Service are using a Connected Health compliant service and are therefore required by the Ministry of Health to have their own security policy.

Section Three: Physical Security

3.1 Building Security

The main HealthLink offices are in an Auckland office building. The building has swipe card access, and all of the individual floors are locked and have individual burglar alarms. Each HealthLink employee has his or her own unique swipe-card key. After-hours access is available to key staff, and each of those staff members has their own unique code for the alarm system. The building security is monitored remotely 24/7 by a professional security company. Any activations of the alarm system are reported directly to the HealthLink Security Officer. HealthLink's satellite offices in Wollongong and Townsville have building security in place.

3.2 Servers Housed in Secure Data Centres

The HealthLink production servers are housed in secure data centres provided by one of New Zealand's largest and most reputable data communications companies, Datacom Ltd. Datacom Ltd has an extensive investment in the security of its data centres and operates state-of-the-art facilities across New Zealand and Australia.

3.3 Server Room Security

The HealthLink off-site backups are held in a secure server room within the HealthLink office building. The server room is permanently locked and alarmed. Access to the server room is restricted to a list of people approved by the HealthLink Security Officer.

Section Four: Network Security

4.1 Network Access

All data network access, both incoming and outgoing, is managed by the HealthLink IT Services Team. No external parties have access to HealthLink network devices.

4.2 Firewalls

All of the HealthLink computing resources are located behind ICSA-compliant approved firewalls. Now in operation for 20 years, HealthLink has never had a security incident on its networks or servers.

Section Five: Operational Security

All HealthLink staff members are required to lock access to their desktops if they are not working on their computers and to have their desktops automatically lock after more than five minutes of inactivity. Any printed documents or facsimiles containing patient information must be held in folders and locked away at night in secure cabinets. We have a clean desk policy for confidential and sensitive information, requiring all employees to remove all such paper from their desks before leaving the office for the night.

Any complaints about HealthLink's operational security will be treated with the highest priority and investigated immediately once a complaint has been made. To date there has never been a formal or informal complaint made about HealthLink's operational security.

Contact

New Zealand: Phone toll free 0800 288 887, 8.00am to 6.00pm Monday-Friday (AEST)
Australia: Phone toll free 1800 125 036, 8.00am to 6.00pm Monday-Friday (AEST)
Canada: Phone toll free 1800 254 5762, 11.00am to 6.00pm Monday-Thursday (PST)
Email: helpdesk@healthlink.net
Web: www.healthlink.net