Albany Medical College’s Electronic Health Record Security Policy

Introduction

Albany Medical College is the only northeastern New York academic health science center and is among the largest private employers in the region (Albany Medical College, 2019). Moreover, it is affiliated with Saratoga Hospital and Columbia Memorial Health to create the region’s most expansive healthcare system, that is, the Albany Med system. Computerized documentation is the primary mode of documentation in the facility, used both to store patient information and to exchange it with Saratoga Hospital and Columbia Memorial Health, so Albany Medical College has a crucial need for comprehensive Electronic Health Record (EHR) security management. This can be facilitated through the creation of a computer and Internet security policy.

Information security policy is a primary element of effective information security management. The objective of this computer and Internet security policy is to set out the acceptable use of information systems and infrastructure provided by Albany Medical College, thereby protecting Albany Medical College, its personnel, and affiliates from damaging actions, whether intentional or unintentional.

Computer and Email Acceptable Use Policy

It is the culture of Albany Med to encourage its staff to use computers and electronic mail when sharing information, as information is stored digitally. The use of the computer and email facilities is allowed only when the intended activity serves the sole purpose of the institution, which is to achieve the highest standard of care delivery, education, and research initiatives. The hospital has transformed its care environment by implementing automated ‘smart’ computer systems. Moreover, since information is shared within Albany Med and with Saratoga Hospital and Columbia Memorial Health, the system has been connected via multilevel sharing access control. Wang, Li, Zhu, Fan, and Zhang (2010) have established multilevel sharing access control as a proper manner of building a security system. Albany Med reserves the right to select employees to whom it will give access to computer and electronic mail services. At any point in time, it may also revoke access from individuals who misuse the system.

Personal use of the computer and email accounts is strictly limited to the input of patient data into the system and the transmission and receipt of emails. Employees and volunteers must not use their official email accounts for personal correspondence.

All computers have to be personalized with a password-protected screensaver having an automated screen timeout feature set at 5 minutes.

Personnel should lock the screen or log off when the device is not being used.

All computers should be installed with current and authorized software, which has been approved by the Chief Security Officer.

Mobile devices, such as phones and tablets, should not be connected directly to Albany Med’s computer system via USB. Hard drives and memory sticks can be used, but only after receiving permission from the Chief Security Officer.

All employees have to follow Albany Med’s brand identity when using the electronic mail service. If in doubt, they should request clarification from the Marketing and Administration office.

When using email, personnel must exercise caution when sending patient-related information or any other sensitive information relating to Albany Med. This is because emails can be accidentally sent to the wrong address and therefore read by someone other than the intended recipient.

Personnel must ensure that information is encrypted prior to sending, and that they are authorized to share it.

Electronic health records must not be sent over the public information system without a patient’s approval.

Personnel must exercise extreme care when opening email attachments from unknown senders, as they may contain viruses or malware.

Forging or unapproved use of email header information is prohibited.

Sending unsolicited emails from Albany Med’s networks is prohibited. This includes sending junk mail to users who did not request such information, that is, email spam, or to newsgroups, that is, newsgroup spam.

Internet Acceptable Use Policy

All users of Albany Med’s Internet services must agree to and comply with this Internet Acceptable Use Policy. The Internet can be used in a fashion that aligns with Albany Med’s standard of business conduct. Although reasonable personal usage of the Internet is endorsed, employees should be aware that the use of Albany Med’s network resources is scrutinized; hence, there is no expectation of privacy.

Albany Med may offer cooperation to legal authorities or third parties in the event of an investigation of alleged or suspected criminal or civil wrongdoing. Moreover, any policy violation can lead to the suspension or termination of access to the service or other actions deemed appropriate. The following are some of the actions considered as unacceptable use.

Using the Internet in a way that is regarded as harmful or disruptive to others, for instance, by accessing, displaying, and transmitting explicit images of the medical conditions patients in the hospital suffer from to other Internet sites or individuals.

Disrespecting others’ privacy by impersonating another individual to gain access to files and passwords, or by seeking disallowed access using the Internet.

Utilizing the Internet to make deceitful offers to buy or sell items, or to advance any financial scams, for instance, Ponzi schemes.

Using the Internet to harm or attempt to harm minors.

Downloading any software over the Internet to Albany Med’s computers or other smart devices.

Using the Internet for personal commercial activity, for instance, the distribution of advertising.

Staff must observe all copyright and intellectual property law. Therefore, they should not upload, download, copy or otherwise transfer copyrighted materials owned by parties outside Albany Med without the copyright holder’s written consent.

It is unacceptable for staff to use Albany Med’s Internet facilities to download images, videos, or entertainment software unless it has a specific business-related use.

Albany Med controls Internet access; therefore, it has the right to restrict access to any sites it considers as unacceptable following the discovery of policy violation or non-conventional end-user activity as established by Albany Med. Furthermore, Albany Med provides public access to the Internet. Therefore, there exist severe potential security concerns with any computer or medical device connected to the Internet in the absence of appropriate protection. These security problems include viruses, worms, and hackers.

Password Protection Policy

Passwords are among the primary means through which critical Albany Med information systems are protected from unauthorized use. Furthermore, Samadbeik, Gorzin, Khoshkam, and Roudbari (2015) identify passwords as the primary level of information security protection. Therefore, personnel have to follow this policy to ensure that passwords are kept confidential and the system remains hard to breach. Since Albany Med holds electronic Protected Health Information (ePHI), the parameters of this policy are in alignment with legal and regulatory standards, taking into account the Health Insurance Portability and Accountability Act (HIPAA). The purpose of this policy is to offer clear guidance and present best practices for the creation, management, and protection of strong passwords. These include:

Where technically feasible, all Albany Med’s information technology systems must be secured using a strong password.

The mobile device management platform manages mobile devices that access and store Albany Med’s data, such as smartphones, pagers, and tablets. A mobile device wipe is triggered after 9 invalid password attempts.

Password requirements

User-level and system-level passwords have to be consistent with Albany Med’s password complexity requirements, which are:

  • It has to be a minimum of 9 characters in length.
  • It has to have a combination of lowercase and uppercase letters, at least one number (0-9), and a special character (#, *, $, and % among others).
  • It should not be based on numbers or words that can be easily guessed, such as date of birth, names, and telephone numbers.
  • Words used should not be found in the dictionary.

Password aging

To prevent a hacker from making use of passwords that have been compromised, passwords are regarded as temporary and thus have to be changed regularly.

No password should be re-used within a 12-month period.

The frequency at which passwords are changed depends on the type of user. User-level passwords must be changed every six months, while system-level passwords used by administrators must be changed every 90 days.
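The complexity and aging rules above can be expressed as an automated check. The following sketch is an added example, not part of the original paper or of Albany Med's systems; the function names, the tiny `WORDLIST`, and the reading of "six months" as 182 days are assumptions made for illustration.

```python
import hashlib, hmac, os, re
from datetime import datetime, timedelta

MIN_LENGTH = 9
REUSE_WINDOW = timedelta(days=365)                  # no re-use within 12 months
MAX_AGE = {"user": timedelta(days=182),             # assumption: six months = 182 days
           "system": timedelta(days=90)}
WORDLIST = {"password", "hospital", "welcome", "albany"}  # constructed stand-in for a dictionary
CLASSES = (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
           ("digit", r"[0-9]"), ("special", r"[^A-Za-z0-9\s]"))

def _digest(password, salt):
    # History holds salted, stretched digests, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def remember(password, when):
    """Build one history entry for a password set at time `when`."""
    salt = os.urandom(16)
    return (salt, _digest(password, salt), when)

def complexity_failures(password, personal=()):
    """Return the names of the complexity rules the candidate breaks."""
    fails = []
    if len(password) < MIN_LENGTH:
        fails.append("length")
    fails += [name for name, pat in CLASSES if not re.search(pat, password)]
    lowered = password.lower()
    # Dictionary rule: reject any run of four or more letters that is a listed word.
    if any(w in WORDLIST for w in re.findall(r"[a-z]{4,}", lowered)):
        fails.append("dictionary")
    # Guessable rule: names, birth dates, phone numbers supplied by the caller.
    if any(p and p.lower() in lowered for p in personal):
        fails.append("personal")
    return fails

def reused(password, history, now):
    """True if the candidate matches a history entry set within the last 12 months."""
    return any(now - when <= REUSE_WINDOW
               and hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest, when in history)

def expired(last_changed, account_type, now):
    """True once a password has outlived the interval for its account type."""
    return now - last_changed > MAX_AGE[account_type]
```

Entries older than the 12-month window can be dropped from the history, since the policy no longer restricts them.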

Password security

Default passwords that are set in new Albany Med devices and systems must be changed immediately upon installation.

Personnel should avoid using the same password for multiple systems.

Staff must only use the user access accounts and passwords assigned to them with the exception of group access accounts.

It is prohibited to provide password access to another user, either purposefully or through inability to secure its access. A compromised or shared password is a reportable incident.

Passwords must not be stored on an automated system.

Encryption keys and passwords relating to Albany Med’s systems should not be copied or transmitted over the Internet via email.

The staff should not change or use another individual’s files or username for which they lack authorization. Hence, personnel are required to use password protection or switch off their computer when unattended.

Medical students and staff must take steps to avoid phishing scams and other attempts by hackers to steal their sensitive information, including passwords.

Personnel must desist from writing down and keeping passwords at their workstations.

Albany Med has the right to take the action it considers appropriate against persons who breach the conditions of this policy.

Conclusion

The acculturation of information security within institutions is heavily dependent on the implementation and management of formal, informal, technical, and social controls. Moreover, with the increase in the occurrence of information systems security-related incidents such as hacking, information security management has become an integral component of organizational operations, especially in healthcare. Hospitals are becoming increasingly aware of cyberattacks and the infringement of confidential patient-related information. Therefore, there is a need to create holistic information protection policies that cover computers, the Internet, emails, and passwords. However, due to the advancement in technology, such policies should be continually revised to enable the maintenance of an impeccable security system.

References

Albany Medical College. (2019). Annual report 2018. Web.

Choi, S., Martins, J., & Bernik, I. (2018). Information security: Listening to the perspective of organisational insiders. Journal of Information Science, 44(6), 752–767. Web.

Samadbeik, M., Gorzin, Z., Khoshkam, M., & Roudbari, M. (2015). Managing the security of nursing data in the electronic health record. Acta Informatica Medica, 23(1), 39–43. Web.

Wang, B., Li, D., Zhu, C., Fan, Q., & Zhang, X. (2010). Proceedings from the 2nd International Conference on Information Management and Engineering: An enterprise security search system based on multilevel sharing-group access control. Chengdu, China: IEEE. Web.

Cite this paper

StudyCorgi. (2021, August 7). Albany Medical College’s Electronic Health Record Security Policy. https://studycorgi.com/albany-medical-college-electronic-health-record-security-management/
