Security Policy

Security Policy
Introductory comments
TestSafe promises to be an important resource which will help
pharmacists improve the standard of care they provide to patients,
improve patient safety, reduce the risk of professional misjudgement
leading to patient harm and enrich their professional lives. This can only
be delivered if the information held by the TestSafe is secure and the
community pharmacies using TestSafe follow sound processes in
managing the security of those connections.
The starting point for implementing sound security processes in
community pharmacy is a security policy. This policy must cover :
Organisational issues
Assets to be covered by the policy
Personnel
Physical security of the pharmacy
Control of access to computers
Access to the New Zealand Health Network
Software lifecycle management
Incident reporting
Managing malicious software
Business continuity issues
Compliance issues
This list may appear daunting at first sight but in fact implementing a
pharmacy security policy is not an onerous task. This template policy is
designed to reduce the amount of effort needed to document and
implement a security policy which meets New Zealand Health Network
requirements. It is based on a generic document used by other primary
care providers to define their New Zealand Health Network compliant
security policies and has been adapted for community pharmacy so only
minimal modifications should be needed. Further, community pharmacy
already has large amounts of the policy in place and working. For
example all pharmacies have well developed business continuity policies
and procedures in place.
Thus the challenge is largely one of reviewing existing policies and
adapting them, where needed, to meet the additional needs of the New
Zealand Health Network, and identifying any gaps and filling them using
the template as a starting point.
Readers will see the policy requires 2 pivotal people to operate the
security system; the Pharmacy Manager and The Pharmacy Security
Officer. The Pharmacy Security Officer is not a full time position, nor is it
a new position. Someone working in the pharmacy is almost certainly
already undertaking most if not all of the role. In many pharmacies, the
Pharmacy Manager will undertake both roles. The position is formally
defined to ensure responsibilities and authorities are clear, and staff have
a person to report to on security issues and to obtain authorisation for
activities which carry risks to pharmacy information security.
As with the template SOPs in this pack, the process for using the
template is straightforward. We suggest:
1.
2.
3.
4.
Read this policy template,

Think about any changes you need to make to reflect the policy you
will operate in your pharmacy
Work through the template making any changes needed
Finalise the policy and use it the basis for the SOPs needed to
implement the policy, using the templates provided as a starting
point..
Security Policy
For insert pharmacy name
Version 1.1
DOCUMENT INFORMATION
Title
Insert name of the pharmacy
Author
Insert name of Pharmacy Security Officer)
Version
1.1
Status
Final
Filename
Generic Community Pharmacy Security Policy
HISTORY
Versi
on
Date
Description of changes
1.0
30/04/20
09
Final
version
customisation
1.1
insert
date
Amended
for
pharmacy name
for
insert
Table of Contents
1
INTRODUCTION................................................................5
1.1
Purpose..................................................................................5
1.2
Contents.................................................................................5
1.3
Document control..................................................................5
GENERAL SECURITY POLICY AND STANDARDS..............6

2.1
Objectives..............................................................................6
2.2
Legal requirements................................................................6
2.3
Security policy reviews..........................................................6
2.4
Sensitivity of information.......................................................6
ORGANISATION OF SECURITY OF INFORMATION..........7

3.1
Policy statements...................................................................7
3.2
Pharmacy Manager................................................................7
3.3
Pharmacy Security Officer.....................................................7
3.4
Staff Responsibilities.............................................................8
3.5
Risk Assessment....................................................................8
ASSET CLASSIFICATION AND CONTROL.......................10

4.1
Accountability for Pharmacy Health Data as an asset........10
4.2
Information classification....................................................10
PERSONNEL SECURITY..................................................11
5.1
Objectives............................................................................11
5.2
Job responsibilities...............................................................11
5.3
Non-disclosure information and security agreement..........11
5.4
Training................................................................................11
5.5
Disciplinary process.............................................................11
PHYSICAL SECURITY......................................................12
6.1
Policy statements.................................................................12
6.2
General requirements..........................................................12
6.3
Clear desk and computer screen policy...............................12
6.4
Equipment protection..........................................................12
6.5
Work performed outside secure sites..................................13
6.6
Storage of Information.........................................................13
6.7
Destruction of information...................................................13
6.8
Disposal of storage media....................................................13
6.9
Storage of Business Continuity data....................................13
6.10 Retention of clinical information following pharmacy closure13

7
COMPUTER SYSTEMS ACCESS CONTROL.....................15

7.1
Policy statement...................................................................15
7.2
Responsibilities....................................................................15
7.3
Information system access control......................................15
7.4
User logon procedures.........................................................15
7.5
Password standards.............................................................16
7.6
Individual user account management..................................16
7.7
Electronic Mail.....................................................................17
7.8
External network connections and controls........................17
NEW ZEALAND HEALTH NETWORK...............................18

8.1
Use of the New Zealand Health Network............................18
8.2
Sensitivity of information.....................................................18
8.3
Digital certificate management...........................................18
8.4
Other New Zealand Health Network information...............19
SECURITY IN SYSTEM LIFE CYCLE MANAGEMENT......20

9.1
Installation of software........................................................20
9.2
Operational Software...........................................................20
9.3
Technical support and maintenance....................................20
10
COMPUTER INTEGRITY AND INCIDENT REPORTING 21
10.1 Policy statements.................................................................21
10.2 Security incident..................................................................21

10.3 Security violation.................................................................21
10.4 Reporting of security incidents or weaknesses...................21
11
MALICIOUS SOFTWARE................................................22
11.1 Virus and spyware prevention procedures..........................22

11.2 Virus education programmes...............................................22
12
BUSINESS CONTINUITY MANAGEMENT.....................23
13
COMPLIANCE................................................................24
13.1 Software Licence Compliance.............................................24

13.2 Security Awareness..............................................................24
13.3 Compliance with Security Policy.........................................24
13.4 Approved Non Compliance..................................................24
APPENDIX 1: HEALTH INFORMATION PRIVACY CODE 199425
Community Pharmacy Security Policy
1
1.1
INTRODUCTION
Purpose
This document provides guidance to users of the computer systems

of this Pharmacy. Implementation of these policies will ensure
adequate security for all information collected, processed,
transmitted, stored, or disseminated as part of the Pharmacy
systems and major applications.
These security policies are consistent
Government legislation including the:
with
New
Zealand
Health Information Privacy Code 1994

Privacy Act 1993
New Zealand Copyright Act 1994
Relevant New Zealand standards include:
1.2
AS/NZS HB 231:2000 (Information security risk management

guidelines)
AS/NZS ISO/IEC 17799:2001 (Code of Practice for information
security management)
SNZ HB 8169:2001 (Health Network Code of Practice)
Contents
This security policy addresses the following areas of concern:
General security policy and standards

Security organisation
Personnel security and training
Physical security
Computer systems access control
New Zealand Health Network
Security in system life cycle management
Computer integrity and incident reporting
Malicious software
Business continuity management
Compliance
Version 1.1 13 March 2009
Page 8 of 36
1.3
Document control
The Pharmacy Security Officer will review this document annually

and will be responsible for any modifications deemed necessary.
Any feedback and suggested amendments in respect of this
document should be provided to the Pharmacy Security Officer.
The Pharmacy Manager will be responsible for approving security
policy amendments, appointing the Pharmacy Security Officer, and
supporting the implementation of the Security Policy.
Page 9 of 36
2.1
GENERAL
SECURITY
STANDARDS
POLICY
AND
Objectives
The objective of this section of the security policy is:
To establish and maintain adequate and effective information

security safeguards for users to ensure that the confidentiality,
integrity, and operational availability of Pharmacy and patient
information is not compromised.
Comment
Sensitive information must be safeguarded against unauthorised
disclosure, modification, access, use, destruction, or delay in
service.
Each user has a duty and responsibility to other Pharmacy staff
members to comply with the information protection policies and
procedures detailed in this document.
2.2
Legal requirements
Under the Health Information Privacy Code 1994, Rule 5 Storage

and Security of Health Information, this Pharmacy has the role of
responsible custodian of health and patient information. It will,
therefore, promote and help protect the privacy of personal
information entrusted to it.
See Appendix 1 which provides a copy of this rule.
2.3
Security policy reviews
This pharmacy will conduct annual reviews to verify the standard

and quality of the information security controls it has implemented
comply with this policy.
2.4
Sensitivity of information
Most health related information held by this pharmacy is collected

in a situation of confidence and trust, is generally highly sensitive,
and may include particularly sensitive personal details.
There are two main types of sensitive information:
Page 10 of 36
Health information about patients, collected and controlled in

accordance with the Health Information Privacy Code 1994 [3]
or with other relevant health-related legislation, and
Other information stored on the Pharmacy computer system

that is sensitive for other reasons; such as commercial
information, staff related information or any other information
which may be considered sensitive.
See Appendix 1 which provides a copy of this rule.
See also section 4.2, Information classification.
Page 11 of 36
3.1
ORGANISATION
INFORMATION
OF
SECURITY
OF
Policy statements
A management framework is required so that all those involved in

the use or maintenance of the Pharmacys computer systems can
initiate, co-ordinate and control the implementation of information
security effectively. The key personnel in managing information
security in the Pharmacy are the Pharmacy Manager and the
Pharmacy Information Security Officer. They meet their obligations
through defined staff responsibilities and a formal assessment of
risks.
3.2
Pharmacy Manager
The Pharmacy Manager has a number of responsibilities with

respect to the security of health information, including:
3.3
establishing and approving information security policies and

procedures,
agreeing on specific methodologies and processes for
information
security,
e.g.
risk
assessment,
security
classification, etc.,
determining acceptable levels of security risks,
monitoring major information security threats and incidents,
approving major initiatives to enhance information security,
ensuring that formal audits are performed as necessary,
reviewing audit reports where security problems exist,
appointing and replacing the Pharmacy Security Officer,
ensuring continuity of the application of this policy in periods
when the Pharmacy Security Officers post is vacant,
acting as the Authorised Signatory in respect to the issuance
of digital certificates
Pharmacy Security Officer
The Pharmacy Security Officer is appointed by the Pharmacy

Manager and is responsible for the co-ordination of security issues
that affect the Pharmacy. In particular, the Pharmacy Security
Officer is responsible for:
advising Pharmacy staff on security matters,
Page 12 of 36
informing the Pharmacy Manager of any major security

incidents,
developing and reviewing security policies and plans to be

approved by the Pharmacy Manager,
maintaining a list of all persons authorised to have access to

the Pharmacy premises, and to Pharmacy computer systems,
reporting security incidents, and the status thereof, to the

Pharmacy Manager,
ensuring that Pharmacy security policies and standards meet

all New Zealand Health Network requirements,
liaising with the New Zealand Health Network Security Officer

in respect to security matters that may affect other members
of the New Zealand Health Network.
The current Pharmacy Security Officer is insert the name of the
person
Comment
In smaller pharmacies, the Pharmacy Manager is likely also to
undertake the Pharmacy Security Officers role.
Where the
pharmacy has sufficient staffing resources to permit separation of
these roles it is preferable for them to be separated.
3.4
Staff Responsibilities
Any security system relies on the users of the system to follow the
procedures necessary for upholding security policies.
All
employees are therefore required to:
uphold security procedures and policies,

protect their user identification and passwords,
inform the Pharmacy Security Officer of any security issues,
problems or concerns,
assist the Pharmacy Security Officer in resolving security
issues,
ensure that all computer systems used in support of Pharmacy
functions are backed-up in a manner that mitigates both the
risk of loss and costs of recovery,
be especially aware of the vulnerabilities presented by remote
access and be aware of their obligation to report intrusions,
misuse or abuse to the Pharmacy Security Officer,
be aware of their obligations in the event that they are storing,
securing, transmitting and disposing of health information to
protect the privacy of patients.
Agree not to connect personal portable USB disk drives or
other portable devices which can store data to the pharmacys
computer system.
Page 13 of 36

With specific reference to The Health Information Privacy Code
(1994), Rule 5 Storage and Security of Health Information, users
are included in the description as custodians of health and patient
information and are required to promote and protect the privacy of
personal information.
3.5
Risk Assessment
A formal assessment of the information security risks the pharmacy

faces will be undertaken by the Pharmacy Security Officer at two
yearly intervals or sooner if the either the Pharmacy Security
Officer or the Pharmacy Manager judges it necessary.
Process
It is not possible to eliminate all business risk, rather appropriate
techniques will be applied to identify and manage the risks so as to
minimise any harmful affects.
Security requirements will be identified by a methodical
assessment of security risks. Decisions on mitigating controls will
balance the expenditure needed to manage the risk against the
harm to the Pharmacy likely to result from security failures.
This risk assessment will systematically consider:
the harm likely to result from a security failure, taking into

account the potential consequences of a loss of integrity,
confidentiality and availability of the information and other
assets;
the realistic likelihood of such a failure occurring in the light
of the prevailing threats and vulnerabilities, and the controls
currently implemented.
The results of this assessment will assist in the determination of the

appropriate management action and priorities for managing
information security risks, and for implementing controls selected
to protect against those risks.
Security policies will be reviewed for currency and appropriateness
following any assessment of risks.
Page 14 of 36
4
4.1
ASSET CLASSIFICATION AND CONTROL

Accountability for Pharmacy Health Data as an
asset
All major information assets are to recorded in an information asset

inventory and have a nominated owner who is responsible
maintaining appropriate controls over that asset. (In addition to
hardware, software and other information assets including
databases present in the pharmacy, this requirement covers all
material required to ensure business continuity. This includes but
is not limited to pharmacy management software and patient
database backups; accounting software and information backups;
electronic banking records and other electronic pharmacy
document backups which are stored offsite,)
Comment and process
An information asset can be either equipment used to access,
manipulate, and store information, or Health or Other information
stored in the Pharmacys computer systems.
Accountability for assets helps to ensure that appropriate
protection is maintained. The Pharmacy Manager will nominate
Owners for each major asset and the responsibility for the
maintenance of appropriate controls will be assigned to them.
An asset inventory helps ensure that effective asset protection
takes place, and will also be useful for other business purposes,
such as health and safety, insurance or financial management
reasons. The process of compiling an assets inventory is an
important aspect of risk management.
4.2
Information classification
Information is to be classified to indicate the need, priorities and

degree of protection.
Comment
Information has varying degrees of sensitivity and criticality. Some
items may require an additional level of protection or special
handling.
An information classification system allows the Pharmacy to define
an appropriate set of protection levels, and communicate the need
for special handling processes to staff.
The responsibility for defining the classification of an item of
information, e.g., for a document, data file or diskette, and for
Page 15 of 36

periodically reviewing that classification, is to be rest with the
nominated owner of the information.
Handling procedures are to be defined to cover:
copying,
storage,
transmission by post, fax and electronic mail,
transmission by spoken word, including
voicemail, answering machines, and
destruction.
mobile
phone,
Page 16 of 36
PERSONNEL SECURITY
5.1
Objectives
The objective of this section of the security policy is:
5.2
To ensure that employees are aware of information

security threats and concerns, and are equipped to
support the Pharmacy information protection policies and
procedures in the course of their daily work.
Job responsibilities
Security related roles and responsibilities are to be documented

where appropriate in specific job descriptions.
5.3
Non-disclosure information and security

agreement
All employees involved in the collection, use and disclosure of

health information must sign a non-disclosure information and
security agreement which includes their obligations under this
policy.
Contract staff and outside organisations not already covered by an
existing contract (containing the confidentiality agreement) are
required to sign a confidentiality agreement prior to accessing
Pharmacy facilities. (For example, this requirement includes the
computer hardware engineer at the time of computer
maintenance.)
5.4
Training
Staff must receive appropriate training before using computer

facilities and applications used by this Pharmacy.
All employees of the Pharmacy are to receive appropriate training
and regular updates in Pharmacy policies and procedures,
including security requirements, legal responsibilities, and
business controls.
5.5
Disciplinary process
Staff and contractors who knowingly disregard a particular

requirement of this policy will be subject to the disciplinary process
Page 17 of 36

defined in their employment agreement or service contract as
appropriate.
Page 18 of 36
6
6.1
PHYSICAL SECURITY
Policy statements
All hardware, software, documentation, commercial information

and health information held by the Pharmacy is to be protected
from disclosure, modification, or destruction. Access by outside
parties could reveal information that can be used to eliminate,
bypass, or otherwise render security safeguards ineffective or
enable the disclosure of patient information.
Where identifiable health and other sensitive information is stored,
processed, or transmitted, physical access to that information is
restricted to authorised individuals.
6.2
General requirements
Areas and equipment in which information (both Health and Other)

is stored are to be physically secure and access to them is
restricted to authorised personnel only. Access to documentation in
respect to computer systems is also to be restricted to authorised
personnel.
All persons, other than employees, who are granted access to
Pharmacy premises must be accompanied at all times, and their
access restricted to those areas necessary for them to complete
their tasks.
6.3
Clear desk and computer screen policy
Work areas are, as far as conveniently possible, to be kept clear of

papers and removable storage media in order to reduce the
possibility of unauthorised access, loss of, and damage to
information during and outside normal working hours.
All software functionality designed to protect against unauthorised
access to information must be activated and used.
Similarly, screen savers are to be activated on all Pharmacy
computers to provide additional confidentiality should a computer
screen displaying sensitive information be left unattended for more
than a few minutes. However, the use of a screensaver is not a
substitute for staff ensuring computer screens displaying sensitive
information are not left unattended.
Page 19 of 36

Sensitive and critical Pharmacy information, including information
stored on removable storage computer media, is to be locked away
in a fireproof storage area when not required.
6.4
Equipment protection
All items of equipment are to be sited or protected to minimise the

risks from environmental threats and hazards, and opportunities
for unauthorised access.
Risk assessments (section 3.5above) will consider the impact of a
disaster occurring in or around nearby premises and define
suitable mitigating procedures to be followed..
6.5
Work performed outside secure sites
Security controls are to be in place to ensure only authorised

operations occur and that sensitive information is properly
protected.
Computers used to process patient information from remote
locations and their methods of accessing the Pharmacys computer
systems must meet the Pharmacys security requirements and have
authorisation from the Pharmacy Security Officer. Where possible,
there should be only one approved remote access pathway to the
system.
6.6
Storage of Information
All Pharmacy information (Health and Other) stored on computer

systems must be backed-up at least daily so that it can be restored
if or when necessary. Backed up information will be securely
stored off-site under the control of the Pharmacy Manager or
nominated deputy.
6.7
Destruction of information
All care and responsibility will be taken in the destruction of

sensitive information.
Both paper and electronic information relating to patient,
administrative, and commercial information shall be disposed of in
a secure manner. All portable electronic storage media including
flash drives (memory sticks) and obsolete computer hard drives
will be reformatted before being disposed of.
Page 20 of 36
6.8
Disposal of storage media
Pharmacy information can be compromised through careless

disposal of equipment. Accordingly, all sensitive information must
be erased from computer storage media prior to their disposal.
Similarly, no computer equipment that is sent or taken off-site for
repair should contain sensitive information.
Damaged storage devices such as hard disks may contain sensitive
information
that
if
disclosed
could
cause
considerable
embarrassment. Consideration should be given to not having a
device repaired if information cannot be erased.
6.9
Storage of Business Continuity data
Off site storage of back-up data to allow rapid restoration of data

services in the event of disaster is an essential part of the business
continuity plan. All such off-site storage must employ a suitable
physical protection to prevent unauthorised access to the data, and
be under the personal supervision of the Pharmacy Manager or
nominated deputy.
6.10 Retention of clinical information following

pharmacy closure
In the event the pharmacy closes permanently, the Pharmacy
Manager is responsible for making arrangements to store securely
all clinical information held by the pharmacy for the period of the
next 10 years. This obligation could be best met by passing these
records together with appropriate software to the DHB for secure
storage with the clinical records managed by the DHB. Any such
arrangement would require the DHBs agreement.
Page 21 of 36
7
7.1
COMPUTER SYSTEMS ACCESS CONTROL

Policy statement
Access to computer services and information shall be restricted to

authorised users. .
7.2
Responsibilities
Access control responsibilities are as follows:

Pharmacy Manager
Will determine and support the Pharmacy access control

strategy.
Will ensure the satisfactory resolution of problems relating to
the provision of user access when, in response to the concerns
expressed by the Pharmacy Security Officer, significant
changes are deemed necessary.
Pharmacy Security Officer
7.3
Will ensure policies and standards address all Pharmacy

security requirements.
Will ensure that logon and system access procedures meet
defined requirements.
Will ensure that data and applications are safe in project
development environments.
Will assist users in their day-to-day use of Pharmacy computer
systems by performing basic account administration functions,
including the unlocking of locked accounts, resetting
passwords, and providing user instruction.
Information system access control
Minimum requirements for information system access control are:
valid individual user identifications and passwords for all

computer access (swipe card access verification is preferred if
available),
successful and unsuccessful system accesses are to be
recorded,
the last time a user was logged on is to be recorded or
displayed,
user account details are to be issued at a formal training
session,
Page 22 of 36
new user accounts are to be initially configured so as to force a

change of the password upon first logging on.
7.4
User logon procedures
Users may only access to Pharmacy computer facilities are to be

via a secure logon process. The relative logon procedure will:
not display system or application prompts until the logon

process has been successfully completed,
not provide help messages during logon procedures,
validate the logon information only on completion of all input
data,
allow only three unsuccessful logon attempts before:
recording the unsuccessful attempt,
forcing a time delay before further logon attempts are

allowed,
suspending a user account to prevent repeated invalid

access attempts,
disconnecting and giving no assistance after a rejected

attempt to logon,
limit the time allowed for the logon procedure; if exceeded, the
system should terminate the logon,
display the following information on completion of a successful
logon:
date and time of the previous successful logon,
details of any unsuccessful logon attempts since last

successful logon.
This allows the user to check whether it was that he/she who was
last logged on. If not, the incident should be reported to the
Pharmacy Security Officer and appropriate action taken.
Alternatively using swipecard based systems, which generate an
audit trail, to control access to computer systems is acceptable
under this policy.
7.5
Password standards
The following password standards are to be adhered to ensure

compliance with the basic principles of logical security:
the use of individual passwords is to be enforced to maintain

accountability. Sharing of passwords is not permitted,
users are able to select and change their own password and
are required to provide a confirmation to account for typing
errors,
a password is to have a minimum length of eight characters,
Page 23 of 36
passwords are not to be based on any of the following:
months of the year, days of the week or any other aspect

of the date,
family names, initials or car registration numbers,
company names, identifiers or references,
telephone numbers or similar all-number groups,
user identification, user name, group identification or

other system identifier
more than two consecutive identical characters,
all-numeric or all-alphabetic groups,
any word contained in a dictionary, either English or
another language.
maximum password lifetime is to be 90 days for normal user

accounts and 60 days for system administrator accounts,
users are to be forced to change temporary (initial) passwords

at the first logon,
passwords are not to be displayed while being entered,
password files should be stored separately from the main

application system data, and any access restricted to the
system administrator,
password files are to be stored in encrypted form, using a oneway encryption algorithm,
default vendor user IDs and passwords are to be deleted or

altered following installation of software.
7.6
Individual user account management
Inactive user accounts that are no longer required are be disabled

and identified as pending deletion.
The Pharmacy Security Officer is to approve the continued
availability of a particular inactive user account.
7.7
Electronic Mail
As electronic mail (e-mail) is a business resource, Pharmacy

personnel are to note that:
personal use of e-mail is to be kept to a minimum,
Policy Decision needed

Some pharmacy proprietors do not want their staff using the
pharmacys internet and e-mail facilities for personal use, others
consider restricted use acceptable under conditions which
minimise the risk of a breach of computer system security and
potential impact on productivity.
Page 24 of 36

This component of the template permits restricted use in building
on the precedent of limited personal use of the phone being
allowed in most pharmacies. If the pharmacys policy is to prohibit
personal internet and e-mail use this paragraph must be altered.
the e-mail system is inherently insecure and individuals other

than the intended recipients may be able to read messages,
nothing should be included in an e-mail message that would
not be printed on Pharmacy letterhead,
the information contained in e-mail messages forms part of
Pharmacy business records,
no sensitive information should be sent as part of, or attached
to, an e-mail message unless the information is encrypted,
e-mail attachments are a common source of malicious software
and particular care is to be taken before opening any
attachments, especially if the message is not from a trusted
source,
management reserves the right to monitor the content of email messages,
All personnel should be aware of the security risks created by

electronic mail including the vulnerability of messages and any
legal considerations.
7.8
External network connections and controls
External network connections are an inherent risk to the security of

the Pharmacys computer system. Pharmacy personnel are to note
that:
Connections to other networks, including the World Wide Web,

must be protected through a firewall.
Firewalls must be properly configured so as to ensure the
required level of security is achieved.
Default settings in network servers are to be changed so as to
minimise the possibility of unauthorised access.
No software, or other material, is to be downloaded from the
World Wide Web without the prior knowledge and agreement
of the Pharmacy Security Officer.
Page 25 of 36
NEW ZEALAND HEALTH NETWORK
8.1
Use of the New Zealand Health Network
Healthcare organisations use the New Zealand Health Network as

a medium to communicate information necessary for the effective
provision of healthcare services.
While this Pharmacy has its own security requirements, it also has
responsibilities in respect to the security of information in the New
Zealand Health Network environment. These responsibilities are:
ensuring Pharmacy security policies and plans are consistent

with the requirements of New Zealand Health Network policies,
ensuring all employees that use the New Zealand Health

Network are aware of their security responsibilities,
assisting other organisations on the New Zealand Health

Network in resolving any security issues where possible,
revoking any digital certificates that were specifically issued to

employees who have resigned,
reporting staff changes to the Certification Authority, where

such changes might affect the New Zealand Health Network.
Comment
The Sector Services Division of the Ministry of Health act as the
Certification Authority for community pharmacy.
8.2
Sensitivity of information
All information passing through the New Zealand Health Network

will be regarded as highly sensitive and will be appropriately
protected at all times.
Comment
Although there will be differing levels of sensitivity associated with
information passing through the New Zealand Health Network, it
will not be possible to differentiate between the levels during
transmission.
Page 26 of 36
8.3
Digital certificate management
Digital certificates are required for access to applications available

on the New Zealand Health Network. The device on which any
digital certificate is supplied must be stored in a secure manner
that permits access as and when required.
The Pharmacy Security Officer is responsible for coordinating the
issuance and renewal of any digital certificates issued to Pharmacy
employees.
The Pharmacy Security Officer will formally request the
Certification Authority to revoke a digital certificate in the event
that:
the digital certificate is stolen,

a password becomes corrupted or known to anyone other than
the user,
when the holder of a specific certificate leaves the employment
of the Pharmacy, or
the certificate becomes redundant for any other reason
8.4
Other New Zealand Health Network

information
Users seeking more information on the New Zealand Health

Network can refer to the
New Zealand Health Network Information Web Page at

http://www.hisac.govt.nz/moh.nsf/pagescm/7405
New Zealand Health Network Security Policy for General

Practitioners and other Health Professionals. The Pharmacy
Security Officer holds a copy of that policy document.
Page 27 of 36
9.1
SECURITY IN SYSTEM LIFE CYCLE

MANAGEMENT
Installation of software
The Pharmacy Security Officer is to approve all software prior to it

being installed. If necessary, the Pharmacy Security Officer will
seek advice from the administrators of the NZ Health Information
Network before approving any piece of software.
9.2
Operational Software
Vendor supplied software used in operational systems must be

maintained at a version level supported by the supplier.
Patches for all software on the Pharmacys computer systems that
help to remove or reduce security weaknesses shall always be
applied in a timely manner and with appropriate consideration for
the seriousness of the risk an unpatched vulnerability poses. This
includes computer operating system patches as well as application
software patches.
9.3
Technical support and maintenance
Hardware and software maintenance activities are not to affect the

integrity of existing safeguards or permit the introduction of
security exposures (computer viruses, logic bombs, malicious code,
etc.) into the Pharmacys computer systems.
Automated dial-up diagnostic maintenance of sensitive applications
by software vendors via remote communications is only to be
undertaken under the direction of the Pharmacy Security Officer, or
nominated deputy in their absence.
Page 28 of 36
10 COMPUTER INTEGRITY AND INCIDENT

REPORTING
10.1 Policy statements
All personnel are to comply with the software integrity procedures
outlined in this document especially in respect to the following:
security violations and software malfunctions reporting

virus prevention and monitoring
10.2 Security incident

Definition
A security incident is an event and/or condition that has the
potential to impact on security or privacy and may result from
either intentional or inadvertent action.
All employees, and others likely to be involved, as part of their
training, are to be made aware of the procedures for reporting
incidents that might have an impact on the security of Pharmacy
assets and information.
All employees shall report any incident that might have an impact
on the security of Pharmacy assets and information and report it
using the agreed procedure the pharmacy to insert the
appropriate process..
10.3 Security violation

Definition
A security violation is an event that may result in disclosure of
sensitive or otherwise classified information to unauthorised
individuals, or in unauthorised modification or destruction of
system data, loss of computer system processing capability, loss, or
theft of any computer system resources.
If a security violation occurs as a consequence of a users access,
that user and any like users are to be provided with guidance, and
if necessary retraining, by the Pharmacy Security Officer to ensure
that the violation does not re-occur.
Page 29 of 36
10.4 Reporting of security incidents or weaknesses

Systems shall be monitored to detect deviation from access control
policy and record events to provide evidence in case of security
incidents. System monitoring allows the effectiveness of adopted
controls to be checked and conformity to access policies to be
verified.
Similarly, unauthorised intrusions are to be monitored.
Any security-related incidents, violations or weaknesses, are to be
reported to the Pharmacy Security Officer at the earliest possible
time but by no later than the following business day.
Page 30 of 36
11 MALICIOUS SOFTWARE
Software and information processing facilities are vulnerable to the
introduction of malicious software such as computer viruses,
network worms, Trojan horses and spyware.
It is therefore
essential that precautions are taken to both detect and prevent the
introduction of malicious software.
11.1 Virus and spyware prevention procedures

New viruses are being developed at regular and frequent intervals
and could seriously undermine the integrity of the Pharmacy
systems unless they are prevented. Accordingly, all workstations
are to have anti-virus software installed.
The Pharmacy Security Officer is to ensure that virus signature
files are updated on a regular (no less frequently than daily) basis
so as to ensure that any new viruses can be promptly identified and
removed.
Each individual user must ensure that the anti-virus software is
active on their workstation so that any potential viruses from
external sources are identified and removed.
11.2 Virus education programmes

All users are to receive training on how to best prevent the
introduction of computer viruses and other malicious software.
The Pharmacy Security Officer is to therefore ensure that:
users are aware that e-mail attachments and web sites may
contain (often unknown) viruses or other malicious software.
users immediately report attachments with suspicious file
extensions (including .vbs, .shs, .pif and .exe) to the Pharmacy
Security Officer.
users know to never launch e-mail attachments from their email systems unless received from a trusted source, and then
only after due care has been taken.
Users are aware of the risks associated with breaching the
policy preventing the connection of personal data storage
devices to the pharmacys computer systems.
Disciplinary procedures are to be brought into play in the event

that a user fails to follow designated malicious software
procedures.
Page 31 of 36
12 BUSINESS CONTINUITY MANAGEMENT

A Pharmacy business continuity management plan is to be
implemented so as to minimise the effects of disruption caused by
disasters and system failures (which may be the result of, for
example, natural disasters, equipment failures, or deliberate
actions) through a combination of preventative and recovery
controls.
Plans are to be developed and implemented to ensure that
Pharmacy processes can be restored as soon as is practicable, and
are to be maintained and practised so as to become an integral part
of all other management processes.
The key elements of business continuity management plan are:
understanding the risks the organisation faces in terms of their

likelihood and their impact, including identification and
prioritisation of critical business processes,
understanding the impact which interruptions are likely to
have on the Pharmacy,
establishing the place and importance of information
processing facilities in the operation of the Pharmacy,
considering the purchase of suitable insurance which may
form part of the business continuity process,
formulating and documenting a business continuity strategy
consistent with the Pharmacys objectives and priorities,
formulating and documenting the detailed business continuity
plan in line with agreed strategy,
regular testing and updating of the plans and processes put in
place, and
ensuring that the responsibility for managing business
continuity is clearly defined in the Pharmacys processes and
structure.
Page 32 of 36
13 COMPLIANCE
13.1 Software Licence Compliance
All conditions of a vendors software licence are to be strictly
observed.
Users are responsible for ensuring that all licensing obligations are
met and maintained to the extent it is within their power to do so.
13.2 Security Awareness

All users are to be kept aware of their general security
responsibilities and be regularly updated on risks. It is essential
that users understand and adhere to procedures for managing,
detecting and responding to security incidents.
The Pharmacy Security Officer is responsibility for maintaining
user security awareness.
13.3 Compliance with Security Policy

All security procedures are to be subject to periodic review so as to
ensure compliance with Pharmacy security policies and standards.
Similarly, information systems are to be checked for compliance
with security implementation standards.
Self audits of operational systems are to be planned and agreed so
as to minimise risk of disruption to Pharmacy processes.
13.4 Approved Non Compliance

Where a particular policy cannot be complied with for a substantive
business reason, approval for a deviation from policy is to be
obtained from the Pharmacy Manager.
Requests for authorised non-compliance must be formally
submitted with details of any risks associated with the deviation.
The Pharmacy Security Officer will maintain a record of all
approved non-compliance requests.
All approved non-compliance requests will be subject to six-monthly
reassessment.
Page 33 of 36
APPENDIX
1:
HEALTH
PRIVACY CODE 1994
INFORMATION
Rule 3:
Individual
Information
1)
Collection
of
Health
from
Where a health agency collects health information directly

from the individual concerned, or from the individual's
representative,
the
health
agency
must
such
are,
circumstances, reasonable to ensure that the individual
concerned (and the representative if collection is from the
representative) is aware of:
a)
the fact that the information is being collected;
b)
the purpose for which the information is being collected;
c)
the intended recipients of the information;
d)
the name and address of:

i) the health agency that is collecting the information; and
ii) the agency that will hold the information;
e)
whether or not the supply of the information is voluntary

or mandatory and if mandatory the particular law under
which it is required;
f)
the consequences (if any) for that individual if all or any

part of the requested information is not provided; and
g)
the rights of access to, and correction

information provided by rules 6 and 7.
of,
health
2)
The steps referred to in sub rule (1) must be taken before the
information is collected or, if that is not practicable, as soon as
practicable after it is collected.
3)
A health agency is not required to take the steps referred to in

sub rule (1) in relation to the collection of information from an
individual, or the individual's representative, if that agency has
taken those steps in relation to the collection, from that
individual or that representative, of the same information or
information of the same kind for the same or a related
purpose, on a recent previous occasion.
4)
It is not necessary for a health agency to comply with sub rule

(1) if the agency believes on reasonable grounds:
Page 34 of 36

(a) [revoked]
(b)that compliance would:
(i) prejudice the
concerned; or
interests
of
the
individual
(ii)prejudice the purposes of collection;

(c) that compliance is not reasonably practicable in the
circumstances of the particular case; or
(d)that non-compliance is necessary to avoid prejudice
to the maintenance of the law by any public sector
agency,
including
the
prevention,
detection,
investigation, prosecution, and punishment of
offences.10
Note: An action is not a breach of this rule if it is authorised or
required by or under law -Privacy Act, section 7(4). Rule 3(4) (a)
was revoked by Amendment No 4.
Rule 5: Storage and Security of Health Information

1)
A health agency that holds health information must ensure:

a)
that the information is protected, by such security

safeguards as it is reasonable in the circumstances to
take, against:
i) loss;
ii) access, use, modification, or disclosure, except with
the authority of the agency; and
iii)
2)
other misuse;
b)
that if it is necessary for the information to be given to a

person in connection with the provision of a service to the
health agency, including any storing, processing, or
destruction of the information, everything reasonably
within the power of the health agency is done to
prevent unauthorised use or unauthorised disclosure of
the information; and
c)
that, where a document containing health information is

not to be kept, the document is disposed of in a manner
that preserves the privacy of the individual.
This rule applies to health information obtained before or after

the commencement of this code.
Page 35 of 36

Note: An action is not a breach of this rule if it is authorised or
required by or under law Privacy Act, section 7(4).
The full Health Information Privacy Code 1994 is found at:
http://www.privacy.org.nz/assets/Files/Codes-of-Practicematerials/Health-Information-Privacy-Code-1994-includingAmendment.pdf
Page 36 of 36

Security Policy

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Security Policy

Încărcat de

Drepturi de autor:

Formate disponibile

Security Policy

Read this policy template,

Insert name of the pharmacy

Insert name of Pharmacy Security Officer)

Generic Community Pharmacy Security Policy

GENERAL SECURITY POLICY AND STANDARDS..............6

Security policy reviews..........................................................6

ORGANISATION OF SECURITY OF INFORMATION..........7

Pharmacy Security Officer.....................................................7

ASSET CLASSIFICATION AND CONTROL.......................10

Accountability for Pharmacy Health Data as an asset........10

Non-disclosure information and security agreement..........11

Clear desk and computer screen policy...............................12

Work performed outside secure sites..................................13

Disposal of storage media....................................................13

Storage of Business Continuity data....................................13

6.10 Retention of clinical information following pharmacy closure13

COMPUTER SYSTEMS ACCESS CONTROL.....................15

Information system access control......................................15

User logon procedures.........................................................15

Individual user account management..................................16

External network connections and controls........................17

NEW ZEALAND HEALTH NETWORK...............................18

Use of the New Zealand Health Network............................18

Digital certificate management...........................................18

Other New Zealand Health Network information...............19

SECURITY IN SYSTEM LIFE CYCLE MANAGEMENT......20

Technical support and maintenance....................................20

COMPUTER INTEGRITY AND INCIDENT REPORTING 21

10.1 Policy statements.................................................................21

10.2 Security incident..................................................................21

11.1 Virus and spyware prevention procedures..........................22

BUSINESS CONTINUITY MANAGEMENT.....................23

13.1 Software Licence Compliance.............................................24

Community Pharmacy Security Policy

This document provides guidance to users of the computer systems

Health Information Privacy Code 1994

Relevant New Zealand standards include:

AS/NZS HB 231:2000 (Information security risk management

This security policy addresses the following areas of concern:

General security policy and standards

Version 1.1 13 March 2009

Community Pharmacy Security Policy

The Pharmacy Security Officer will review this document annually

Version 1.1 13 March 2009

Community Pharmacy Security Policy

The objective of this section of the security policy is:

To establish and maintain adequate and effective information

Under the Health Information Privacy Code 1994, Rule 5 Storage

Security policy reviews

This pharmacy will conduct annual reviews to verify the standard

Most health related information held by this pharmacy is collected

Version 1.1 13 March 2009

Community Pharmacy Security Policy

Health information about patients, collected and controlled in

Other information stored on the Pharmacy computer system

Version 1.1 13 March 2009

Community Pharmacy Security Policy

A management framework is required so that all those involved in

The Pharmacy Manager has a number of responsibilities with

establishing and approving information security policies and

Pharmacy Security Officer

The Pharmacy Security Officer is appointed by the Pharmacy

advising Pharmacy staff on security matters,