Heart Healthy Information Security Policy:
The information security policy has two sections: the first covers password management and the second the new-user policy. They are discussed in detail below:
When a new user joins the organization, he is given access rights corresponding to the roles and responsibilities assigned to him. These access rights let him reach the files and data needed for his tasks. When the access rights are assigned, the user should sign a document listing his roles and responsibilities. This document will be co-signed by his supervisor ...
Besides this, users should not use easily guessed data such as names or birthdays. Dictionary words should also not be used as passwords, because attackers can run brute-force attacks that try every dictionary word as a password. Users should be strictly cautioned against sharing passwords, whatever the situation. Any user who finds that someone is sharing passwords should report it immediately to management and to IT staff as required. IT staff should not send reset passwords by email or message; they should be communicated verbally, either by phone or in person.

All users should be required by policy to change passwords every 30 days. The organization’s central system should automatically start sending password-expiry notices 7 days before the expiry date. The new password set by the user must not be the same as any of the previous five (5) passwords. If a user enters a wrong password in three (3) attempts, the account should lock or be disabled automatically and be re-enabled only after the user submits a written request to the IT administrator. This ensures that unauthorized users do not get unlimited chances to guess passwords.
By comparison, the HIPAA guidelines for password management are as follows:
1. Passwords should combine lower-case letters, upper-case letters and special characters such as !$%&.
2. Password lifetimes should be configured for sixty (60) days.
3. History: “Set this figure at six (6), passwords will have to be changed six times before they can be used again” (HHS, 2007).
4. Account should be locked out or disabled following five (5) unsuccessful attempts.
As can be seen, apart from the history parameter the organization’s newly suggested policies are stricter than those set by HIPAA, and they will therefore provide adequate security.
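The two parameter sets above (the organization's 30-day lifetime, 7-day notice, five-password history and three-attempt lockout, and the HIPAA figures of 60 days, six passwords and five attempts) can be expressed as one checker so the rules can be compared side by side. The following Python is an added example, not code from the essay or from HHS; the minimum length, the small word list, the personal-data check and the sample passwords are assumptions that the page does not state.

```python
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_age_days: int       # password lifetime before a forced change
    notice_days: int        # days before expiry at which notices start (0 = none stated)
    history_depth: int      # number of previous passwords that may not be reused
    lockout_attempts: int   # failed logins before the account is disabled
    min_length: int         # assumption: neither policy on the page states a length


# Parameters as given in the text; min_length is an assumed value.
ORG_POLICY = PasswordPolicy("organization", 30, 7, 5, 3, 8)
HIPAA_POLICY = PasswordPolicy("HIPAA (HHS, 2007)", 60, 0, 6, 5, 8)

# Constructed word list; a real deployment would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "hospital", "heart"}


def digest(password: str) -> str:
    # Illustrative only: production systems store salted, slow hashes (bcrypt, scrypt, Argon2),
    # not a bare SHA-256.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def evaluate_new_password(candidate, policy, previous_digests, personal_data=()):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(not c.isalnum() for c in candidate):
        problems.append("no special character")
    # Strip digits and symbols first so that "Hospital1!" is still recognised as a dictionary word.
    core = "".join(c for c in lowered if c.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    for item in personal_data:
        if item and item.lower() in lowered:
            problems.append(f"contains personal data '{item}'")
    recent = previous_digests[-policy.history_depth:] if policy.history_depth else []
    if digest(candidate) in recent:
        problems.append(f"matches one of the last {policy.history_depth} passwords")
    return problems


def expiry_status(last_changed: date, today: date, policy) -> str:
    """'ok', 'notice: expires in N days' once inside the notice window, or 'expired'."""
    remaining = policy.max_age_days - (today - last_changed).days
    if remaining <= 0:
        return "expired"
    if policy.notice_days and remaining <= policy.notice_days:
        return f"notice: expires in {remaining} days"
    return "ok"


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked: bool = False


def record_login_attempt(state: AccountState, success: bool, policy) -> bool:
    """Apply one login attempt; returns True only if the login is accepted."""
    if state.locked:
        return False
    if success:
        state.failed_attempts = 0
        return True
    state.failed_attempts += 1
    if state.failed_attempts >= policy.lockout_attempts:
        state.locked = True   # stays locked until the written request is processed
    return False


def unlock_after_written_request(state: AccountState) -> None:
    state.failed_attempts = 0
    state.locked = False


if __name__ == "__main__":
    history = [digest(f"Old{i}#pwXz") for i in range(6)]   # constructed sample history
    for policy in (ORG_POLICY, HIPAA_POLICY):
        print(policy.name, "reuse of 6th-oldest password:",
              evaluate_new_password("Old0#pwXz", policy, history))
        print(policy.name, "status on day 24:",
              expiry_status(date(2024, 1, 1), date(2024, 1, 25), policy))
```

Running the block shows the one place where HIPAA is stricter: with a history depth of six, "Old0#pwXz" is rejected under HIPAA but accepted under the organization's five-password history, while the organization's shorter lifetime already triggers an expiry notice on day 24.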
Many information security guidelines are available for the healthcare sector; examples are SANS, HIPAA and NIST. On the basis of these guidelines, the suggested new password policies are completely justified. Information stored in an organization is considered secure only when it passes the test of confidentiality, integrity and availability. To achieve this, the security policies outlined above must be implemented strictly and with diligence.
There are three types of security when we talk about information security: technical, physical and administrative. Technical security refers to the mechanisms and safeguards installed in the organization’s systems that keep data secure from alteration and external breaches, for example IDS/IPS, next-generation firewalls, authentication procedures, anti-spyware and anti-virus. Physical security refers to keeping the network infrastructure safe from unauthorized access, for example by controlling physical access to server rooms. “Administrative access implies other security measures with respect to the...