Privacy and Security Risk Management Framework




Owner: CISO/CPO Version: 1.0 Release date: 2015-07-16 Next review: 2016-07 Security classification: Public

Our Vision: Better data. Better decisions. Healthier Canadians.

Our Mandate: To lead the development and maintenance of comprehensive and integrated health information that enables sound policy and effective health system management that improve health and health care.

Our Values: Respect, Integrity, Collaboration, Excellence, Innovation

Revision history
Date         Version   Description              Author
2015-07-16   1.0       Document for approval    CISO and CPO

Approval
Date         Version   Approval authority            Notes
2015-07-16   1.0       Senior Management Committee   Approved

Table of contents
1 Introduction ............................................ 5
1.1 Overview .............................................. 5
2 Alignment with Corporate Risk Management Framework ...... 6
3 Why PSRM? ............................................... 7
4 Risk management governance .............................. 8
5 CIHI's risk tolerance ................................... 9
6 PSRM methodology ........................................ 10

1 Introduction

1.1 Overview

Privacy and security risk management (PSRM) is a formal, repeatable process for identifying, assessing, treating and monitoring risks in order to minimize the probability of such risks materializing and/or their impact should they occur. This PSRM Framework provides an overview of PSRM at the Canadian Institute for Health Information (CIHI), including its alignment with CIHI's Corporate Risk Management Framework, the drivers for PSRM, the governance model, CIHI's risk tolerance and the PSRM methodology.

Version 1.0 Security Classification: Public

2 Alignment with Corporate Risk Management Framework

This PSRM Framework has been designed to integrate and align with CIHI's Corporate Risk Management Framework, shown in the figure below. PSRM informs and aligns with corporate risk management activities through:
- Adopting a similar methodology, terminology and governance structure; and
- Identifying privacy and security risks for potential inclusion on the Corporate Risk Register.

3 Why PSRM?

Effective management of privacy and security risks is essential for CIHI to achieve its strategic goals and is a core requirement for CIHI's continued designated status under the Personal Health Information Protection Act (PHIPA) of Ontario. Adopting an effective and robust PSRM program contributes to stakeholder and public trust by demonstrating CIHI's commitment to protecting the personal health information that it maintains. By implementing a continuous, proactive and systematic process to understand, manage and communicate privacy and security risks, CIHI can make sound strategic and tactical decisions based on real risk, cost and benefit.

4 Risk management governance

CIHI's chief privacy officer (CPO) and chief information security officer (CISO) have primary responsibility for CIHI's PSRM Program. CIHI has defined management responsibilities and a governance framework for effective PSRM, as shown in the figure below.

5 CIHI's risk tolerance

It is not always efficient or possible to eliminate risk, because of the time, cost or effort that would be required or because of other constraints. On the other hand, risks that are clearly inconsistent with CIHI's vision, mandate and strategic goals may not be acceptable. On this basis, CIHI has developed a privacy and security risk tolerance statement that sets out the amount of residual risk it is willing to bear as part of normal management practice.

CIHI is willing to accept risk that:
- May result in minor delays in achieving CIHI's objectives;
- Does not lead to financial losses;
- May result in some potential for minor complaints, non-compliance issues or negative media coverage;
- May lead to some impact on public perception;
- May cause low stakeholder concern; and
- May lead to a potential minimal impact on service delivery.

The consequences of the risk event could be absorbed by normal activity or with minimal effort.

CIHI's privacy and security risk tolerance: LOW

6 PSRM methodology

[Figure: PSRM cycle with four stages: Identify risk, Assess risk, Treat risk, Monitor and review risk]

CIHI's PSRM methodology is made up of the following 4 steps:
1. Identify risk: Risks are identified through a variety of sources and are entered into the Privacy and Security Risk Register.
2. Assess risk: Risk likelihood and impact are assessed in order to determine whether risk treatment is required. Risks that are within CIHI's identified risk tolerance require no treatment.
3. Treat risk: Options for risk treatment are mitigating the risk, transferring the risk, avoiding the risk or accepting the risk.
4. Monitor and review risk: Risks and risk treatments must be continually monitored to ensure that CIHI's assets are adequately protected.

All rights reserved. The contents of this publication may be reproduced unaltered, in whole or in part and by any means, solely for non-commercial purposes, provided that the Canadian Institute for Health Information is properly and fully acknowledged as the copyright owner. Any reproduction or use of this publication or its contents for any commercial purpose requires the prior written authorization of the Canadian Institute for Health Information. Reproduction or use that suggests endorsement by, or affiliation with, the Canadian Institute for Health Information is prohibited.

For permission or information, please contact CIHI:
Canadian Institute for Health Information
495 Richmond Road, Suite 600
Ottawa, Ontario K2A 4H6
Phone: 613-241-7860
Fax: 613-241-8120
www.cihi.ca
copyright@cihi.ca

2015 Canadian Institute for Health Information

This publication is also available in French under the title Cadre de gestion des risques liés au respect de la vie privée et à la sécurité.

Talk to Us

CIHI Ottawa
495 Richmond Road, Suite 600
Ottawa, Ontario K2A 4H6
Phone: 613-241-7860

CIHI Toronto
4110 Yonge Street, Suite 300
Toronto, Ontario M2P 2B7
Phone: 416-481-2002

CIHI Montréal
1010 Sherbrooke Street West, Suite 300
Montréal, Quebec H3A 2R7
Phone: 514-842-2226

CIHI St. John's
140 Water Street, Suite 701
St. John's, Newfoundland and Labrador A1C 6H6
Phone: 709-576-7006

CIHI Victoria
880 Douglas Street, Suite 600
Victoria, British Columbia V8W 2B7
Phone: 250-220-4100

10929-0815
www.cihi.ca
At the heart of data