Assets and Access Control for GH’s Infosec Security Policy

The General Hospital’s organizational structure and that of the EHR system is centralized and cause confusion of procedures and policies to follow when accessing patients’ information. In this context, the GH’s assets are readily available. For example, the GH system allows staff and patients to access data from an on-site computer with user permissions access control. This is a major risk to the privacy confidentiality of information in the GH’s EHR system. The GH case study shows how a lack of a proper access control system allowed people to use username and password combinations that are easy to hack. Also, third parties used another individual’s details to access the information system without proper authorization from the IT administrator. Lack of restrictions on accessing the IT area and system made it easy for unauthorized to export data from the servers without permission. The fact that people allow others to personal details when accessing the system leads to sharing of passwords that make it difficult to have a successful access control system (Herzig, Walsh & Gallagher, 2013). The GH case study shows a system without proper policies and procedures required for users to comply before the administrator authenticates the details and authorizes the same. Such a process involves filling a Network Access Request Form to determine whether the user can access the system through a ‘need to know’ policy.  The following recommendations focus on assets and access control systems that GH can include in the hospital’s information security policy and resolve issues of data insecurity, unauthorized information, and hacking.

Classification of assets

The GH’s policy on assets and access control classifies the former into the following categories and levels. According to Hostland, Enstad, Ellertsen & Boe (2010), the assets are;

• All assets are either in information or physical forms.
• The classification of assets like information and infrastructure in EHR system is based on security levels.
• The final classification of assets relies on confidentiality levels; sensitive, internal, and open levels. In this regard, sensitive information is part of the asset that requires no access to the public and unauthorized staff. The internal information involves asset or data that external or third parties are not required to obtain. Meanwhile, open information entails assets that are accessible to any interested party.
• Also, the assets of the GH can be categorized as strategic and tactical. Strategic assets include registries, analytic repositories, claims history database, care coordination program, and clinical data viewer. Usually, strategic assets are concerned with the GH’s health blueprint and the respective EHR system. Meanwhile, the tactical assets include interim client’s registry, consent registry, hospital management reports, telemedicine networks, and electronic access to clinical health information. The tactical assets are components and integral into development and adoption of an EHR system.

Access control sections

According to Herzig, Walsh & Gallagher (2013), the information security policy in a hospital dictates that access control will be a critical element in protecting the organization’s information resources. The success of a secure information system is determined by how the IT function secures the patients’ information (Herzig, Walsh & Gallagher, 2013). Therefore, the access control systems be both internal and external with each having a set of rules on how the information resources are accessed.

Developing a successful access control system must be guided by the primary objective that is restricting information (Herzig, Walsh & Gallagher, 2013). The second goal of access control system is protecting patient privacy. In this context, the IT administrators have the duty to ensure the system denies access to users in case of doubt.

Firstly, the access control system requires that a user fills a Network Access Request Form that is forwarded to a supervisor, manager or information system administrator (National Learning Consortium, 2011). The person in charge of the system then adds a user to the network based on the ‘need to know’ policy as outlined in the Network Access Request Form.

Secondly, the GH’s access control systems are to suit the organization’s requirements. Therefore, the access control systems must have a written guideline with passwords that safeguards the hospital’s security needs (Hostland, Enstad, Ellertsen & Boe, 201). The access control directives and passwords require a mandatory re-evaluation to improve safety. Normally, the passwords must be complex in terms of length and characters to deter hackers from easy access to the system.

Thirdly, the access control system will be supervised and authenticated by a trained information security administrator. The role of the administrator will be to authenticate the system users according to the established security protocols (Hostland, Enstad, Ellertsen & Boe, 201). The administrator is to make sure that users maintain high levels of security by using unique login details such as the usernames and passwords (Peltier, 2004). It is the policy of the GH that all users are solely responsible for the usage of login details. Therefore, users must not disclose login details as they remain private and confidential unless required to by the IT security administrator. According to Herzig, Walsh & Gallagher (2013), the IT administrators’ roles range from adding users to the system, modify user system, add files and directories, identify users to monitoring and managing accessing rights.

Fourthly, the policy on access control and authorization allows access to the system based on a ‘need to know’ basis which is under the supervision of IT security. The GH uses a policy that determines the access rights to the IT system. In this context, the access rights are defined by the user’s classification which is either internal, external, public, and others (Hostland, Enstad, Ellertsen & Boe, 2010).

Finally, the GH’s policy on accessing the EHR system through remote devices is that such is permitted if the user reads and signs an IT regulation document on remote access. Also, the policy on remote access allows users to use smartphones, tablets, and laptops through a controlled security software approved and supervised by the IT department (Hostland, Enstad, Ellertsen & Boe, 2010).  The access to sensitive information is to be encrypted if it involves portable devices.

Access controls to physical areas and infrastructures

Similar to information, physical resources and infrastructures are primary assets of the GH organization. The supporting infrastructure and network need a secure location to control access to GH information systems. The infrastructural security is categorized into three levels namely: green, yellow, and red (Hostland, Enstad, Ellertsen & Boe, 2010).

• The green security level does not require strict access control systems. In fact, medical and nursing students can access the green security area for information at normal hours. However, the green security level does not give access to internal and sensitive information.
• The yellow security level entails the infrastructure and location where internal information is obtained. The GH yellow security level involves meetings rooms, laboratories, and the printing area. The access control system at this level dictates the use of a key card while accessing the area.
• The red security level is a restricted zone with sensitive information that requires special authorization by the IT administrator. Such areas include the computer laboratories and server rooms where authorized users use a key card as an access control tool.

In addition, the security and access control system involves making physical markings to give guidelines of who is authorized to access the IT locations (Hostland, Enstad, Ellertsen & Boe, 2010). Also, both the Physical and IT security administrators can supplement the security systems that monitors the controlled areas. It is advisable that all users accessing critical information use a personal access card especially in yellow and red security zones.

References

Herzig, T. W., Walsh, T. & Gallagher, L. A. (2013). Implementing Information Security in Healthcare: Building a Security Program. Chicago, IL: HIMSS.

Hostland, K., Enstad, P., Eilertsen & Boe, G. (2010). Information Security Policy. Best Practice Document. Trondheim: UNINETT.

National Learning Consortium. (2011). Information Security Policy Template. Washington, D.C: National Learning Consortium.

Peltier, T., R. (2004). Information Security Policies and Procedures: A Practitioners Reference, second Edition.  Boca Raton, FL: CRC Press.