[LINK] Hacking of medical records
Tom Worthington
tom.worthington at tomw.net.au
Thu Dec 13 08:40:58 AEDT 2012
At 08:31 PM 11/12/2012, David Boxall wrote:
> Were those the only records? No backups? ...
The Royal Australian College of General Practitioners recommend GPs
implement a set of "RACGP Computer and Information Security Standards"
(CISS) for their practice computer systems:
http://www.racgp.org.au/your-practice/standards/ciss/
There is a workbook with a checklist provided. This covers staff roles
and responsibilities as well as technical matters:
Contents
Preface
Introduction
How to use this document
Computer and information security checklist
Organisational and technical issues
Risk assessment
Select security coordinator
Articulate the operating parameters
Record all user and technical support contact details
Asset register
Identify the threats and vulnerabilities, and suggested controls
Identify appropriate controls
Security management and reporting, including monitoring compliance and review planning
Education and communication
Breach reporting
Staff roles and responsibilities
Practice computer security coordinator
Other staff roles and responsibilities
Practice security policies and procedures
Practice security policies and procedures description
Sample confidentiality agreement
Contractual agreements
Access control and management
Setting access levels
Access policy
Business continuity and disaster recovery plans
Business continuity and disaster recovery
Development process and procedures
Staff internet and email usage
Policies for the use of internet and email
Procedures for the safe use of internet and email
Backup
Backup procedure
Backup media cycling
Documenting rotation of backup media
Restoring data
Malware, viruses and email threats
Malware and virus protection
Network perimeter controls
Network perimeter control policy
Intrusion detection system
Firewall
Other controls
Portable devices and wireless networks
Portable devices
Remote access
Physical, system and software protection
Physical
System maintenance
Software maintenance
Secure electronic communication
Healthcare identifiers
Message system record
Conclusion
Glossary of computer and information security terms
RACGP cite these standards:
* AS/NZS ISO 31000:2009 Risk management – principles and guidelines.
Sydney: Standards Australia International, 2009
* HB 292 – 2006 A practitioners guide to business continuity management.
Sydney: Standards Australia International, 2006
* HB 174 – 2003 Information security management – implementation guide
for the health sector. Sydney: Standards Australia International, 2003.
Note: this handbook is due for revision shortly
* HB 231 – 2004 Information security risk management guidelines. Sydney:
Standards Australia International, 2004
* HB 293 – 2006 Executive guide to business continuity management.
Sydney: Standards Australia International, 2006
* Information Privacy Principles under the Privacy Act 198
* ISO/IEC 27002:2006 Information technology – Security techniques – Code
of practice for information security management
* ISO 27799:2008 Health Informatics – Information security management in
health using ISO/IEC 27002
* NIST (2008). Computer security incident handling guide. Special
Publication 800–61. National Institute of Standards and Technology
* Office of the Australian Information Commissioner. (2006). National
Privacy Principles
--
Tom Worthington FACS CP, TomW Communications Pty Ltd. t: 0419496150
PO Box 13, Belconnen ACT 2617, Australia http://www.tomw.net.au
Liability limited by a scheme approved under Professional Standards
Legislation
Adjunct Lecturer, Research School of Computer Science,
Australian National University http://cs.anu.edu.au/courses/COMP7310/