Introductory comments
TestSafe promises to be an important resource which will help
pharmacists improve the standard of care they provide to patients,
improve patient safety, reduce the risk of professional misjudgement
leading to patient harm and enrich their professional lives. This can only
be delivered if the information held by TestSafe is secure and the
community pharmacies using TestSafe follow sound processes in
managing the security of those connections.
The starting point for implementing sound security processes in
community pharmacy is a security policy. This policy must cover:
Organisational issues
Assets to be covered by the policy
Personnel
Physical security of the pharmacy
Control of access to computers
Access to the New Zealand Health Network
Software lifecycle management
Incident reporting
Managing malicious software
Business continuity issues
Compliance issues
This list may appear daunting at first sight but in fact implementing a
pharmacy security policy is not an onerous task. This template policy is
designed to reduce the amount of effort needed to document and
implement a security policy which meets New Zealand Health Network
requirements. It is based on a generic document used by other primary
care providers to define their New Zealand Health Network compliant
security policies and has been adapted for community pharmacy so only
minimal modifications should be needed. Further, community pharmacy
already has large amounts of the policy in place and working. For
example, all pharmacies have well-developed business continuity policies
and procedures in place.
Thus the challenge is largely one of reviewing existing policies and
adapting them, where needed, to meet the additional needs of the New
Zealand Health Network, and identifying any gaps and filling them using
the template as a starting point.
Readers will see the policy requires 2 pivotal people to operate the
security system: the Pharmacy Manager and the Pharmacy Security
Officer. The Pharmacy Security Officer is not a full-time position, nor is it
a new position. Someone working in the pharmacy is almost certainly
already undertaking most if not all of the role. In many pharmacies, the
Pharmacy Manager will undertake both roles. The position is formally
defined to ensure responsibilities and authorities are clear, and staff have
a person to report to on security issues and to obtain authorisation for
activities which carry risks to pharmacy information security.
As with the template SOPs in this pack, the process for using the
template is straightforward. We suggest:
1.
2.
3.
4.
Security Policy
For insert pharmacy name
Version 1.1
DOCUMENT INFORMATION
Title:
Author:
Version: 1.1
Status: Final
Filename:
HISTORY
Version | Date | Description of changes
1.0 | 30/04/2009 | Final version for customisation
1.1 | insert date | Amended for insert pharmacy name
Table of Contents
1 INTRODUCTION
1.1 Purpose
1.2 Contents
1.3 Document control
Objectives
2.2 Legal requirements
2.3
2.4 Sensitivity of information
Policy statements
3.2 Pharmacy Manager
3.3
3.4 Staff Responsibilities
3.5 Risk Assessment
4.2 Information classification
PERSONNEL SECURITY
5.1 Objectives
5.2 Job responsibilities
5.3
5.4 Training
5.5 Disciplinary process
PHYSICAL SECURITY
6.1 Policy statements
6.2 General requirements
6.3
6.4 Equipment protection
6.5
6.6 Storage of Information
6.7 Destruction of information
6.8
6.9
Policy statement
7.2 Responsibilities
7.3
7.4
7.5 Password standards
7.6
7.7 Electronic Mail
7.8
8.2 Sensitivity of information
8.3
8.4
Installation of software
9.2 Operational Software
9.3
10 MALICIOUS SOFTWARE
13 COMPLIANCE
1 INTRODUCTION
1.1 Purpose
with New Zealand
1.2 Contents
Page 8 of 36
1.3 Document control
GENERAL SECURITY POLICY AND STANDARDS
2.1 Objectives
Comment
Sensitive information must be safeguarded against unauthorised
disclosure, modification, access, use, destruction, or delay in
service.
Each user has a duty and responsibility to other Pharmacy staff
members to comply with the information protection policies and
procedures detailed in this document.
2.2 Legal requirements
2.3
2.4 Sensitivity of information
ORGANISATION INFORMATION OF SECURITY OF
3.1 Policy statements
3.2 Pharmacy Manager
3.3
3.4 Staff Responsibilities
Any security system relies on the users of the system to follow the
procedures necessary for upholding security policies.
All employees are therefore required to:
3.5 Risk Assessment
4
4.1
4.2 Information classification
copying,
storage,
transmission by post, fax and electronic mail,
transmission by spoken word, including mobile phone,
voicemail, answering machines, and
destruction.
PERSONNEL SECURITY
5.1 Objectives
5.2 Job responsibilities
5.3
5.4 Training
5.5 Disciplinary process
6 PHYSICAL SECURITY
6.1 Policy statements
6.2 General requirements
6.3
6.4 Equipment protection
6.5
6.6 Storage of Information
6.7 Destruction of information
6.8
6.9
7
7.1
7.2 Responsibilities
7.3
7.4
This allows the user to check whether it was he/she who was
last logged on. If not, the incident should be reported to the
Pharmacy Security Officer and appropriate action taken.
Alternatively, using swipecard-based systems, which generate an
audit trail, to control access to computer systems is acceptable
under this policy.
7.5 Password standards
password files are to be stored in encrypted form, using a one-way encryption algorithm,
7.6
7.7 Electronic Mail
7.8
8.1
Comment
The Sector Services Division of the Ministry of Health acts as the
Certification Authority for community pharmacy.
8.2 Sensitivity of information
8.3
8.4
9.1
9.2 Operational Software
9.3
11 MALICIOUS SOFTWARE
Software and information processing facilities are vulnerable to the
introduction of malicious software such as computer viruses,
network worms, Trojan horses and spyware.
It is therefore essential that precautions are taken to both detect and
prevent the introduction of malicious software.
users are aware that e-mail attachments and web sites may
contain (often unknown) viruses or other malicious software.
users immediately report attachments with suspicious file
extensions (including .vbs, .shs, .pif and .exe) to the Pharmacy
Security Officer.
users know to never launch e-mail attachments from their e-mail
systems unless received from a trusted source, and then
only after due care has been taken.
users are aware of the risks associated with breaching the
policy preventing the connection of personal data storage
devices to the pharmacy's computer systems.
13 COMPLIANCE
13.1 Software Licence Compliance
All conditions of a vendor's software licence are to be strictly
observed.
Users are responsible for ensuring that all licensing obligations are
met and maintained to the extent it is within their power to do so.
APPENDIX 1: HEALTH INFORMATION PRIVACY CODE 1994
Rule 3: Collection of Health Information from Individual
1)
b)
c)
d)
e)
f)
g)
of,
health
2) The steps referred to in sub rule (1) must be taken before the
information is collected or, if that is not practicable, as soon as
practicable after it is collected.
3)
4)
interests of the individual
2)
other misuse;
b)
c)