1. No category

Generic Security Policy

Security Policy
Introductory comments
TestSafe promises to be an important resource which will help pharmacists improve the standard
of care they provide to patients, improve patient safety, reduce the risk of professional
misjudgement leading to patient harm and enrich their professional lives. This can only be
delivered if the information held by the TestSafe is secure and the community pharmacies using
TestSafe follow sound processes in managing the security of those connections.
The starting point for implementing sound security processes in community pharmacy is a
security policy. This policy must cover :











Organisational issues
Assets to be covered by the policy
Personnel
Physical security of the pharmacy
Control of access to computers
Access to the New Zealand Health Network
Software lifecycle management
Incident reporting
Managing malicious software
Business continuity issues
Compliance issues
This list may appear daunting at first sight but in fact implementing a pharmacy security policy is
not an onerous task. This template policy is designed to reduce the amount of effort needed to
document and implement a security policy which meets New Zealand Health Network
requirements. It is based on a generic document used by other primary care providers to define
their New Zealand Health Network compliant security policies and has been adapted for
community pharmacy so only minimal modifications should be needed. Further, community
pharmacy already has large amounts of the policy in place and working. For example all
pharmacies have well developed business continuity policies and procedures in place.
Thus the challenge is largely one of reviewing existing policies and adapting them, where needed,
to meet the additional needs of the New Zealand Health Network, and identifying any gaps and
filling them using the template as a starting point.
Readers will see the policy requires 2 pivotal people to operate the security system; the Pharmacy
Manager and The Pharmacy Security Officer. The Pharmacy Security Officer is not a full time
position, nor is it a new position. Someone working in the pharmacy is almost certainly already
undertaking most if not all of the role. In many pharmacies, the Pharmacy Manager will
undertake both roles. The position is formally defined to ensure responsibilities and authorities
are clear, and staff have a person to report to on security issues and to obtain authorisation for
activities which carry risks to pharmacy information security.
As with the template SOPs in this pack, the process for using the template is straightforward.
We suggest:
1.
2.
3.
4.
Read this policy template,
Think about any changes you need to make to reflect the policy you will operate in your
pharmacy
Work through the template making any changes needed
Finalise the policy and use it the basis for the SOPs needed to implement the policy, using
the templates provided as a starting point..
Security Policy
For «insert pharmacy name»
Version 1.1
DOCUMENT INFORMATION
Title
«Insert name of the pharmacy»
Author
«Insert name of Pharmacy Security Officer»)
Version
1.1
Status
Final
Filename
Generic Community Pharmacy Security Policy
HISTORY
Version
Date
Description of changes
1.0
30/04/2009 Final version – for customisation
1.1
«insert date» Amended for «insert pharmacy name»
Table of Contents
1
2
3
4
5
6
INTRODUCTION ...........................................................................................8
1.1
Purpose ...........................................................................................................................8
1.2
Contents ..........................................................................................................................8
1.3
Document control .........................................................................................................8
GENERAL SECURITY POLICY AND STANDARDS ................................ 10
2.1
Objectives .................................................................................................................... 10
2.2
Legal requirements ..................................................................................................... 10
2.3
Security policy reviews ............................................................................................... 10
2.4
Sensitivity of information .......................................................................................... 10
ORGANISATION OF SECURITY OF INFORMATION ........................... 12
3.1
Policy statements ........................................................................................................ 12
3.2
Pharmacy Manager ..................................................................................................... 12
3.3
Pharmacy Security Officer......................................................................................... 12
3.4
Staff Responsibilities .................................................................................................. 13
3.5
Risk Assessment.......................................................................................................... 13
ASSET CLASSIFICATION AND CONTROL ............................................. 15
4.1
Accountability for Pharmacy Health Data as an asset .......................................... 15
4.2
Information classification .......................................................................................... 15
PERSONNEL SECURITY ............................................................................ 16
5.1
Objectives .................................................................................................................... 16
5.2
Job responsibilities ...................................................................................................... 16
5.3
Non-disclosure information and security agreement ............................................ 16
5.4
Training ........................................................................................................................ 16
5.5
Disciplinary process ................................................................................................... 16
PHYSICAL SECURITY ................................................................................. 17
6.1
Policy statements ........................................................................................................ 17
6.2
General requirements ................................................................................................. 17
6.3
Clear desk and computer screen policy ................................................................... 17
6.4
Equipment protection ................................................................................................ 17
6.5
Work performed outside secure sites ...................................................................... 18
6.6
Storage of Information .............................................................................................. 18
6.7
Destruction of information ....................................................................................... 18
6.8
Disposal of storage media ......................................................................................... 18
6.9
Storage of Business Continuity data ........................................................................ 18
6.10
Retention of clinical information following pharmacy closure ............................ 19
7
COMPUTER SYSTEMS ACCESS CONTROL ............................................ 20
7.1
Policy statement .......................................................................................................... 20
7.2
Responsibilities............................................................................................................ 20
7.3
Information system access control .......................................................................... 20
7.4
User logon procedures ............................................................................................... 20
7.5
Password standards .................................................................................................... 21
7.6
Individual user account management ...................................................................... 22
7.7
Electronic Mail ............................................................................................................ 22
7.8
External network connections and controls ........................................................... 22
8
NEW ZEALAND HEALTH NETWORK .................................................... 24
8.1
Use of the New Zealand Health Network .............................................................. 24
8.2
Sensitivity of information .......................................................................................... 24
8.3
Digital certificate management ................................................................................. 24
8.4
Other New Zealand Health Network information ............................................... 25
9
SECURITY IN SYSTEM LIFE CYCLE MANAGEMENT ......................... 26
9.1
Installation of software .............................................................................................. 26
9.2
Operational Software ................................................................................................. 26
9.3
Technical support and maintenance ........................................................................ 26
10
10.1
COMPUTER INTEGRITY AND INCIDENT REPORTING ................ 27
Policy statements ........................................................................................................ 27
10.2
Security incident .......................................................................................................... 27
10.3
Security violation ........................................................................................................ 27
10.4
Reporting of security incidents or weaknesses ....................................................... 27
11
MALICIOUS SOFTWARE .......................................................................... 29
11.1
Virus and spyware prevention procedures .............................................................. 29
11.2
Virus education programmes .................................................................................... 29
12
BUSINESS CONTINUITY MANAGEMENT .......................................... 30
13
COMPLIANCE............................................................................................ 31
13.1
Software Licence Compliance................................................................................... 31
13.2
Security Awareness ..................................................................................................... 31
13.3
Compliance with Security Policy .............................................................................. 31
13.4
Approved Non Compliance ...................................................................................... 31
APPENDIX 1: HEALTH INFORMATION PRIVACY CODE 1994................... 32
Community Pharmacy Security Policy
1
1.1
INTRODUCTION
Purpose
This document provides guidance to users of the computer systems of this Pharmacy.
Implementation of these policies will ensure adequate security for all information
collected, processed, transmitted, stored, or disseminated as part of the Pharmacy
systems and major applications.
These security policies are consistent with New Zealand Government legislation
including the:



Health Information Privacy Code 1994
Privacy Act 1993
New Zealand Copyright Act 1994
Relevant New Zealand standards include:



1.2
AS/NZS HB 231:2000 (Information security risk management guidelines)
AS/NZS ISO/IEC 17799:2001 (Code of Practice for information security
management)
SNZ HB 8169:2001 (Health Network Code of Practice)
Contents
This security policy addresses the following areas of concern:











1.3
General security policy and standards
Security organisation
Personnel security and training
Physical security
Computer systems access control
New Zealand Health Network
Security in system life cycle management
Computer integrity and incident reporting
Malicious software
Business continuity management
Compliance
Document control
The Pharmacy Security Officer will review this document annually and will be
responsible for any modifications deemed necessary. Any feedback and suggested
amendments in respect of this document should be provided to the Pharmacy Security
Officer.
Version 1.1 – 13 March 2009
Page 8 of 33
Community Pharmacy Security Policy
The Pharmacy Manager will be responsible for approving security policy amendments,
appointing the Pharmacy Security Officer, and supporting the implementation of the
Security Policy.
Version 1.1 – 13 March 2009
Page 9 of 33
Community Pharmacy Security Policy
2
2.1
GENERAL SECURITY POLICY AND STANDARDS
Objectives
The objective of this section of the security policy is:

To establish and maintain adequate and effective information security safeguards
for users to ensure that the confidentiality, integrity, and operational availability of
Pharmacy and patient information is not compromised.
Comment
Sensitive information must be safeguarded against unauthorised disclosure, modification,
access, use, destruction, or delay in service.
Each user has a duty and responsibility to other Pharmacy staff members to comply with
the information protection policies and procedures detailed in this document.
2.2
Legal requirements
Under the Health Information Privacy Code 1994, Rule 5 – Storage and Security of
Health Information, this Pharmacy has the role of responsible custodian of health and
patient information. It will, therefore, promote and help protect the privacy of personal
information entrusted to it.
See Appendix 1 which provides a copy of this rule.
2.3
Security policy reviews
This pharmacy will conduct annual reviews to verify the standard and quality of the
information security controls it has implemented comply with this policy.
2.4
Sensitivity of information
Most health related information held by this pharmacy is collected in a situation of
confidence and trust, is generally highly sensitive, and may include particularly sensitive
personal details.
There are two main types of sensitive information:


Health information about patients, collected and controlled in accordance with the
Health Information Privacy Code 1994 [3] or with other relevant health-related
legislation, and
Other information stored on the Pharmacy computer system that is sensitive for
other reasons; such as commercial information, staff related information or any
other information which may be considered sensitive.
See Appendix 1 which provides a copy of this rule.
Version 1.1 – 13 March 2009
Page 10 of 33
Community Pharmacy Security Policy
See also section 4.2, “Information classification”.
Version 1.1 – 13 March 2009
Page 11 of 33
Community Pharmacy Security Policy
3
ORGANISATION
INFORMATION
3.1
Policy statements
OF
SECURITY
OF
A management framework is required so that all those involved in the use or
maintenance of the Pharmacy’s computer systems can initiate, co-ordinate and control
the implementation of information security effectively. The key personnel in managing
information security in the Pharmacy are the Pharmacy Manager and the Pharmacy
Information Security Officer. They meet their obligations through defined staff
responsibilities and a formal assessment of risks.
3.2
Pharmacy Manager
The Pharmacy Manager has a number of responsibilities with respect to the security of
health information, including:










3.3
establishing and approving information security policies and procedures,
agreeing on specific methodologies and processes for information security, e.g. risk
assessment, security classification, etc.,
determining acceptable levels of security risks,
monitoring major information security threats and incidents,
approving major initiatives to enhance information security,
ensuring that formal audits are performed as necessary,
reviewing audit reports where security problems exist,
appointing and replacing the Pharmacy Security Officer,
ensuring continuity of the application of this policy in periods when the Pharmacy
Security Officer’s post is vacant,
acting as the Authorised Signatory in respect to the issuance of digital certificates
Pharmacy Security Officer
The Pharmacy Security Officer is appointed by the Pharmacy Manager and is responsible
for the co-ordination of security issues that affect the Pharmacy. In particular, the
Pharmacy Security Officer is responsible for:





advising Pharmacy staff on security matters,
informing the Pharmacy Manager of any major security incidents,
developing and reviewing security policies and plans to be approved by the
Pharmacy Manager,
maintaining a list of all persons authorised to have access to the Pharmacy
premises, and to Pharmacy computer systems,
reporting security incidents, and the status thereof, to the Pharmacy Manager,
Version 1.1 – 13 March 2009
Page 12 of 33
Community Pharmacy Security Policy


ensuring that Pharmacy security policies and standards meet all New Zealand
Health Network requirements,
liaising with the New Zealand Health Network Security Officer in respect to
security matters that may affect other members of the New Zealand Health
Network.
The current Pharmacy Security Officer is «insert the name of the person»
Comment
In smaller pharmacies, the Pharmacy Manager is likely also to undertake the Pharmacy
Security Officer’s role. Where the pharmacy has sufficient staffing resources to permit
separation of these roles it is preferable for them to be separated.
3.4
Staff Responsibilities
Any security system relies on the users of the system to follow the procedures necessary
for upholding security policies. All employees are therefore required to:








uphold security procedures and policies,
protect their user identification and passwords,
inform the Pharmacy Security Officer of any security issues, problems or concerns,
assist the Pharmacy Security Officer in resolving security issues,
ensure that all computer systems used in support of Pharmacy functions are
backed-up in a manner that mitigates both the risk of loss and costs of recovery,
be especially aware of the vulnerabilities presented by remote access and be aware
of their obligation to report intrusions, misuse or abuse to the Pharmacy Security
Officer,
be aware of their obligations in the event that they are storing, securing,
transmitting and disposing of health information to protect the privacy of patients.
Agree not to connect personal portable USB disk drives or other portable devices
which can store data to the pharmacy’s computer system.
With specific reference to The Health Information Privacy Code (1994), Rule 5 – Storage
and Security of Health Information, users are included in the description as custodians of
health and patient information and are required to promote and protect the privacy of
personal information.
3.5
Risk Assessment
A formal assessment of the information security risks the pharmacy faces will be
undertaken by the Pharmacy Security Officer at two yearly intervals or sooner if the
either the Pharmacy Security Officer or the Pharmacy Manager judges it necessary.
Process
It is not possible to eliminate all business risk, rather appropriate techniques will be
applied to identify and manage the risks so as to minimise any harmful affects.
Version 1.1 – 13 March 2009
Page 13 of 33
Community Pharmacy Security Policy
Security requirements will be identified by a methodical assessment of security risks.
Decisions on mitigating controls will balance the expenditure needed to manage the risk
against the harm to the Pharmacy likely to result from security failures.
This risk assessment will systematically consider:


the harm likely to result from a security failure, taking into account the potential
consequences of a loss of integrity, confidentiality and availability of the
information and other assets;
the realistic likelihood of such a failure occurring in the light of the prevailing
threats and vulnerabilities, and the controls currently implemented.
The results of this assessment will assist in the determination of the appropriate
management action and priorities for managing information security risks, and for
implementing controls selected to protect against those risks.
Security policies will be reviewed for currency and appropriateness following any
assessment of risks.
Version 1.1 – 13 March 2009
Page 14 of 33
Community Pharmacy Security Policy
4
4.1
ASSET CLASSIFICATION AND CONTROL
Accountability for Pharmacy Health Data as an asset
All major information assets are to recorded in an information asset inventory and have a
nominated owner who is responsible maintaining appropriate controls over that asset.
(In addition to hardware, software and other information assets including databases
present in the pharmacy, this requirement covers all material required to ensure business
continuity. This includes but is not limited to pharmacy management software and
patient database backups; accounting software and information backups; electronic
banking records and other electronic pharmacy document backups which are stored
offsite,)
Comment and process
An information asset can be either equipment used to access, manipulate, and store
information, or Health or Other information stored in the Pharmacy’s computer systems.
Accountability for assets helps to ensure that appropriate protection is maintained. The
Pharmacy Manager will nominate “Owners” for each major asset and the responsibility
for the maintenance of appropriate controls will be assigned to them.
An asset inventory helps ensure that effective asset protection takes place, and will also
be useful for other business purposes, such as health and safety, insurance or financial
management reasons. The process of compiling an assets inventory is an important
aspect of risk management.
4.2
Information classification
Information is to be classified to indicate the need, priorities and degree of protection.
Comment
Information has varying degrees of sensitivity and criticality. Some items may require an
additional level of protection or special handling.
An information classification system allows the Pharmacy to define an appropriate set of
protection levels, and communicate the need for special handling processes to staff.
The responsibility for defining the classification of an item of information, e.g., for a
document, data file or diskette, and for periodically reviewing that classification, is to be
rest with the nominated owner of the information.
Handling procedures are to be defined to cover:





copying,
storage,
transmission by post, fax and electronic mail,
transmission by spoken word, including mobile phone, voicemail, answering
machines, and
destruction.
Version 1.1 – 13 March 2009
Page 15 of 33
Community Pharmacy Security Policy
5
PERSONNEL SECURITY
5.1
Objectives
The objective of this section of the security policy is:

5.2
To ensure that employees are aware of information security threats and
concerns, and are equipped to support the Pharmacy information protection
policies and procedures in the course of their daily work.
Job responsibilities
Security related roles and responsibilities are to be documented where appropriate in
specific job descriptions.
5.3
Non-disclosure information and security agreement
All employees involved in the collection, use and disclosure of health information must
sign a non-disclosure information and security agreement which includes their
obligations under this policy.
Contract staff and outside organisations not already covered by an existing contract
(containing the confidentiality agreement) are required to sign a confidentiality agreement
prior to accessing Pharmacy facilities. (For example, this requirement includes the
computer hardware engineer at the time of computer maintenance.)
5.4
Training
Staff must receive appropriate training before using computer facilities and applications
used by this Pharmacy.
All employees of the Pharmacy are to receive appropriate training and regular updates in
Pharmacy policies and procedures, including security requirements, legal responsibilities,
and business controls.
5.5
Disciplinary process
Staff and contractors who knowingly disregard a particular requirement of this policy will
be subject to the disciplinary process defined in their employment agreement or service
contract as appropriate.
Version 1.1 – 13 March 2009
Page 16 of 33
Community Pharmacy Security Policy
6
6.1
PHYSICAL SECURITY
Policy statements
All hardware, software, documentation, commercial information and health information
held by the Pharmacy is to be protected from disclosure, modification, or destruction.
Access by outside parties could reveal information that can be used to eliminate, bypass,
or otherwise render security safeguards ineffective or enable the disclosure of patient
information.
Where identifiable health and other sensitive information is stored, processed, or
transmitted, physical access to that information is restricted to authorised individuals.
6.2
General requirements
Areas and equipment in which information (both Health and Other) is stored are to be
physically secure and access to them is restricted to authorised personnel only. Access to
documentation in respect to computer systems is also to be restricted to authorised
personnel.
All persons, other than employees, who are granted access to Pharmacy premises must
be accompanied at all times, and their access restricted to those areas necessary for them
to complete their tasks.
6.3
Clear desk and computer screen policy
Work areas are, as far as conveniently possible, to be kept clear of papers and removable
storage media in order to reduce the possibility of unauthorised access, loss of, and
damage to information during and outside normal working hours.
All software functionality designed to protect against unauthorised access to information
must be activated and used.
Similarly, screen savers are to be activated on all Pharmacy computers to provide
additional confidentiality should a computer screen displaying sensitive information be
left unattended for more than a few minutes. However, the use of a screensaver is not a
substitute for staff ensuring computer screens displaying sensitive information are not
left unattended.
Sensitive and critical Pharmacy information, including information stored on removable
storage computer media, is to be locked away in a fireproof storage area when not
required.
6.4
Equipment protection
All items of equipment are to be sited or protected to minimise the risks from
environmental threats and hazards, and opportunities for unauthorised access.
Version 1.1 – 13 March 2009
Page 17 of 33
Community Pharmacy Security Policy
Risk assessments (section 3.5above) will consider the impact of a disaster occurring in or
around nearby premises and define suitable mitigating procedures to be followed..
6.5
Work performed outside secure sites
Security controls are to be in place to ensure only authorised operations occur and that
sensitive information is properly protected.
Computers used to process patient information from remote locations and their methods
of accessing the Pharmacy’s computer systems must meet the Pharmacy’s security
requirements and have authorisation from the Pharmacy Security Officer. Where
possible, there should be only one approved remote access pathway to the system.
6.6
Storage of Information
All Pharmacy information (Health and Other) stored on computer systems must be
backed-up at least daily so that it can be restored if or when necessary. Backed up
information will be securely stored off-site under the control of the Pharmacy Manager
or nominated deputy.
6.7
Destruction of information
All care and responsibility will be taken in the destruction of sensitive information.
Both paper and electronic information relating to patient, administrative, and commercial
information shall be disposed of in a secure manner. All portable electronic storage
media including flash drives (“memory sticks”) and obsolete computer hard drives will be
reformatted before being disposed of.
6.8
Disposal of storage media
Pharmacy information can be compromised through careless disposal of equipment.
Accordingly, all sensitive information must be erased from computer storage media prior
to their disposal.
Similarly, no computer equipment that is sent or taken off-site for repair should contain
sensitive information.
Damaged storage devices such as hard disks may contain sensitive information that if
disclosed could cause considerable embarrassment. Consideration should be given to
not having a device repaired if information cannot be erased.
6.9
Storage of Business Continuity data
Off site storage of back-up data to allow rapid restoration of data services in the event of
disaster is an essential part of the business continuity plan. All such off-site storage must
employ a suitable physical protection to prevent unauthorised access to the data, and be
under the personal supervision of the Pharmacy Manager or nominated deputy.
Version 1.1 – 13 March 2009
Page 18 of 33
Community Pharmacy Security Policy
6.10
Retention of clinical information following pharmacy closure
In the event the pharmacy closes permanently, the Pharmacy Manager is responsible for
making arrangements to store securely all clinical information held by the pharmacy for
the period of the next 10 years. This obligation could be best met by passing these
records together with appropriate software to the DHB for secure storage with the
clinical records managed by the DHB. Any such arrangement would require the DHB’s
agreement.
Version 1.1 – 13 March 2009
Page 19 of 33
Community Pharmacy Security Policy
7
7.1
COMPUTER SYSTEMS ACCESS CONTROL
Policy statement
Access to computer services and information shall be restricted to authorised users. .
7.2
Responsibilities
Access control responsibilities are as follows:
Pharmacy Manager


Will determine and support the Pharmacy access control strategy.
Will ensure the satisfactory resolution of problems relating to the provision of user
access when, in response to the concerns expressed by the Pharmacy Security
Officer, significant changes are deemed necessary.
Pharmacy Security Officer




7.3
Will ensure policies and standards address all Pharmacy security requirements.
Will ensure that logon and system access procedures meet defined requirements.
Will ensure that data and applications are safe in project development
environments.
Will assist users in their day-to-day use of Pharmacy computer systems by
performing basic account administration functions, including the unlocking of
locked accounts, resetting passwords, and providing user instruction.
Information system access control
Minimum requirements for information system access control are:





7.4
valid individual user identifications and passwords for all computer access (swipe
card access verification is preferred if available),
successful and unsuccessful system accesses are to be recorded,
the last time a user was logged on is to be recorded or displayed,
user account details are to be issued at a formal training session,
new user accounts are to be initially configured so as to force a change of the
password upon first logging on.
User logon procedures
Users may only access to Pharmacy computer facilities are to be via a secure logon
process. The relative logon procedure will:


not display system or application prompts until the logon process has been
successfully completed,
not provide help messages during logon procedures,
Version 1.1 – 13 March 2009
Page 20 of 33
Community Pharmacy Security Policy




validate the logon information only on completion of all input data,
allow only three unsuccessful logon attempts before:

recording the unsuccessful attempt,

forcing a time delay before further logon attempts are allowed,

suspending a user account to prevent repeated invalid access attempts,

disconnecting and giving no assistance after a rejected attempt to logon,
limit the time allowed for the logon procedure; if exceeded, the system should
terminate the logon,
display the following information on completion of a successful logon:

date and time of the previous successful logon,

details of any unsuccessful logon attempts since last successful logon.
This allows the user to check whether it was that he/she who was last logged on. If not,
the incident should be reported to the Pharmacy Security Officer and appropriate action
taken. Alternatively using swipecard based systems, which generate an audit trail, to
control access to computer systems is acceptable under this policy.
7.5
Password standards
The following password standards are to be adhered to ensure compliance with the basic
principles of logical security:










the use of individual passwords is to be enforced to maintain accountability.
Sharing of passwords is not permitted,
users are able to select and change their own password and are required to provide
a confirmation to account for typing errors,
a password is to have a minimum length of eight characters,
passwords are not to be based on any of the following:

months of the year, days of the week or any other aspect of the date,

family names, initials or car registration numbers,

company names, identifiers or references,

telephone numbers or similar all-number groups,

user identification, user name, group identification or other system identifier
 more than two consecutive identical characters,
 all-numeric or all-alphabetic groups,
 any word contained in a dictionary, either English or another language.
maximum password lifetime is to be 90 days for normal user accounts and 60 days
for system administrator accounts,
users are to be forced to change temporary (initial) passwords at the first logon,
passwords are not to be displayed while being entered,
password files should be stored separately from the main application system data,
and any access restricted to the system administrator,
password files are to be stored in encrypted form, using a one-way encryption
algorithm,
default vendor user IDs and passwords are to be deleted or altered following
installation of software.
Version 1.1 – 13 March 2009
Page 21 of 33
Community Pharmacy Security Policy
7.6
Individual user account management
Inactive user accounts that are no longer required are be disabled and identified as
pending deletion.
The Pharmacy Security Officer is to approve the continued availability of a particular
inactive user account.
7.7
Electronic Mail
As electronic mail (e-mail) is a business resource, Pharmacy personnel are to note that:

personal use of e-mail is to be kept to a minimum,
Policy Decision needed
Some pharmacy proprietors do not want their staff using the pharmacy’s internet and email facilities for personal use, others consider restricted use acceptable under conditions
which minimise the risk of a breach of computer system security and potential impact on
productivity.
This component of the template permits restricted use in building on the precedent of
limited personal use of the phone being allowed in most pharmacies. If the pharmacy’s
policy is to prohibit personal internet and e-mail use this paragraph must be altered.






the e-mail system is inherently insecure and individuals other than the intended
recipients may be able to read messages,
nothing should be included in an e-mail message that would not be printed on
Pharmacy letterhead,
the information contained in e-mail messages forms part of Pharmacy business
records,
no sensitive information should be sent as part of, or attached to, an e-mail
message unless the information is encrypted,
e-mail attachments are a common source of malicious software and particular care
is to be taken before opening any attachments, especially if the message is not from
a trusted source,
management reserves the right to monitor the content of e-mail messages,
All personnel should be aware of the security risks created by electronic mail including
the vulnerability of messages and any legal considerations.
7.8
External network connections and controls
External network connections are an inherent risk to the security of the Pharmacy’s
computer system. Pharmacy personnel are to note that:


Connections to other networks, including the World Wide Web, must be protected
through a firewall.
Firewalls must be properly configured so as to ensure the required level of security
is achieved.
Version 1.1 – 13 March 2009
Page 22 of 33
Community Pharmacy Security Policy


Default settings in network servers are to be changed so as to minimise the
possibility of unauthorised access.
No software, or other material, is to be downloaded from the World Wide Web
without the prior knowledge and agreement of the Pharmacy Security Officer.
Version 1.1 – 13 March 2009
Page 23 of 33
Community Pharmacy Security Policy
8
8.1
NEW ZEALAND HEALTH NETWORK
Use of the New Zealand Health Network
Healthcare organisations use the New Zealand Health Network as a medium to
communicate information necessary for the effective provision of healthcare services.
While this Pharmacy has its own security requirements, it also has responsibilities in
respect to the security of information in the New Zealand Health Network environment.
These responsibilities are:

ensuring Pharmacy security policies and plans are consistent with the requirements of
New Zealand Health Network policies,

ensuring all employees that use the New Zealand Health Network are aware of their
security responsibilities,

assisting other organisations on the New Zealand Health Network in resolving any
security issues where possible,

revoking any digital certificates that were specifically issued to employees who have
resigned,

reporting staff changes to the Certification Authority, where such changes might
affect the New Zealand Health Network.
Comment
The Sector Services Division of the Ministry of Health act as the Certification Authority
for community pharmacy.
8.2
Sensitivity of information
All information passing through the New Zealand Health Network will be regarded as
highly sensitive and will be appropriately protected at all times.
Comment
Although there will be differing levels of sensitivity associated with information passing
through the New Zealand Health Network, it will not be possible to differentiate
between the levels during transmission.
8.3
Digital certificate management
Digital certificates are required for access to applications available on the New Zealand
Health Network. The device on which any digital certificate is supplied must be stored
in a secure manner that permits access as and when required.
Version 1.1 – 13 March 2009
Page 24 of 33
Community Pharmacy Security Policy
The Pharmacy Security Officer is responsible for coordinating the issuance and renewal
of any digital certificates issued to Pharmacy employees.
The Pharmacy Security Officer will formally request the Certification Authority to revoke
a digital certificate in the event that:




8.4
the digital certificate is stolen,
a password becomes corrupted or known to anyone other than the user,
when the holder of a specific certificate leaves the employment of the Pharmacy,
or
the certificate becomes redundant for any other reason
Other New Zealand Health Network information
Users seeking more information on the New Zealand Health Network can refer to the

New Zealand Health Network Information Web Page at
http://www.hisac.govt.nz/moh.nsf/pagescm/7405

New Zealand Health Network “Security Policy for General Practitioners and other Health
Professionals.” The Pharmacy Security Officer holds a copy of that policy document.
Version 1.1 – 13 March 2009
Page 25 of 33
Community Pharmacy Security Policy
9
9.1
SECURITY IN SYSTEM LIFE CYCLE
MANAGEMENT
Installation of software
The Pharmacy Security Officer is to approve all software prior to it being installed. If
necessary, the Pharmacy Security Officer will seek advice from the administrators of the
NZ Health Information Network before approving any piece of software.
9.2
Operational Software
Vendor supplied software used in operational systems must be maintained at a version
level supported by the supplier.
Patches for all software on the Pharmacy’s computer systems that help to remove or
reduce security weaknesses shall always be applied in a timely manner and with
appropriate consideration for the seriousness of the risk an unpatched vulnerability
poses. This includes computer operating system patches as well as application software
patches.
9.3
Technical support and maintenance
Hardware and software maintenance activities are not to affect the integrity of existing
safeguards or permit the introduction of security exposures (computer viruses, logic
bombs, malicious code, etc.) into the Pharmacy’s computer systems.
Automated dial-up diagnostic maintenance of sensitive applications by software vendors
via remote communications is only to be undertaken under the direction of the Pharmacy
Security Officer, or nominated deputy in their absence.
Version 1.1 – 13 March 2009
Page 26 of 33
Community Pharmacy Security Policy
1 0 COMPUTER INTEGRITY AND INCIDENT
REPORTING
10.1
Policy statements
All personnel are to comply with the software integrity procedures outlined in this
document especially in respect to the following:


10.2
security violations and software malfunctions reporting
virus prevention and monitoring
Security incident
Definition
A security incident is an event and/or condition that has the potential to impact on
security or privacy and may result from either intentional or inadvertent action.
All employees, and others likely to be involved, as part of their training, are to be made
aware of the procedures for reporting incidents that might have an impact on the security
of Pharmacy assets and information.
All employees shall report any incident that might have an impact on the security of
Pharmacy assets and information and report it using the agreed procedure «the
pharmacy to insert the appropriate process.».
10.3 Security violation
Definition
A security violation is an event that may result in disclosure of sensitive or otherwise
classified information to unauthorised individuals, or in unauthorised modification or
destruction of system data, loss of computer system processing capability, loss, or theft
of any computer system resources.
If a security violation occurs as a consequence of a user’s access, that user and any like
users are to be provided with guidance, and if necessary retraining, by the Pharmacy
Security Officer to ensure that the violation does not re-occur.
10.4
Reporting of security incidents or weaknesses
Systems shall be monitored to detect deviation from access control policy and record
events to provide evidence in case of security incidents. System monitoring allows the
effectiveness of adopted controls to be checked and conformity to access policies to be
verified.
Similarly, unauthorised intrusions are to be monitored.
Version 1.1 – 13 March 2009
Page 27 of 33
Community Pharmacy Security Policy
Any security-related incidents, violations or weaknesses, are to be reported to the
Pharmacy Security Officer at the earliest possible time but by no later than the following
business day.
Version 1.1 – 13 March 2009
Page 28 of 33
Community Pharmacy Security Policy
1 1 MALICIOUS SOFTWARE
Software and information processing facilities are vulnerable to the introduction of
malicious software such as computer viruses, network worms, Trojan horses and
spyware. It is therefore essential that precautions are taken to both detect and prevent
the introduction of malicious software.
11.1
Virus and spyware prevention procedures
New viruses are being developed at regular and frequent intervals and could seriously
undermine the integrity of the Pharmacy systems unless they are prevented. Accordingly,
all workstations are to have anti-virus software installed.
The Pharmacy Security Officer is to ensure that virus signature files are updated on a
regular (no less frequently than daily) basis so as to ensure that any new viruses can be
promptly identified and removed.
Each individual user must ensure that the anti-virus software is active on their
workstation so that any potential viruses from external sources are identified and
removed.
11.2
Virus education programmes
All users are to receive training on how to best prevent the introduction of computer
viruses and other malicious software.
The Pharmacy Security Officer is to therefore ensure that:




users are aware that e-mail attachments and web sites may contain (often
unknown) viruses or other malicious software.
users immediately report attachments with suspicious file extensions (including
.vbs, .shs, .pif and .exe) to the Pharmacy Security Officer.
users know to never launch e-mail attachments from their e-mail systems unless
received from a trusted source, and then only after due care has been taken.
Users are aware of the risks associated with breaching the policy preventing the
connection of personal data storage devices to the pharmacy’s computer systems.
Disciplinary procedures are to be brought into play in the event that a user fails to follow
designated malicious software procedures.
Version 1.1 – 13 March 2009
Page 29 of 33
Community Pharmacy Security Policy
1 2 BUSINESS CONTINUITY MANAGEMENT
A Pharmacy business continuity management plan is to be implemented so as to
minimise the effects of disruption caused by disasters and system failures (which may be
the result of, for example, natural disasters, equipment failures, or deliberate actions)
through a combination of preventative and recovery controls.
Plans are to be developed and implemented to ensure that Pharmacy processes can be
restored as soon as is practicable, and are to be maintained and practised so as to become
an integral part of all other management processes.
The key elements of business continuity management plan are:








understanding the risks the organisation faces in terms of their likelihood and their
impact, including identification and prioritisation of critical business processes,
understanding the impact which interruptions are likely to have on the Pharmacy,
establishing the place and importance of information processing facilities in the
operation of the Pharmacy,
considering the purchase of suitable insurance which may form part of the
business continuity process,
formulating and documenting a business continuity strategy consistent with the
Pharmacy’s objectives and priorities,
formulating and documenting the detailed business continuity plan in line with
agreed strategy,
regular testing and updating of the plans and processes put in place, and
ensuring that the responsibility for managing business continuity is clearly defined
in the Pharmacy’s processes and structure.
Version 1.1 – 13 March 2009
Page 30 of 33
Community Pharmacy Security Policy
1 3 COMPLIANCE
13.1
Software Licence Compliance
All conditions of a vendor’s software licence are to be strictly observed.
Users are responsible for ensuring that all licensing obligations are met and maintained to
the extent it is within their power to do so.
13.2
Security Awareness
All users are to be kept aware of their general security responsibilities and be regularly
updated on risks. It is essential that users understand and adhere to procedures for
managing, detecting and responding to security incidents.
The Pharmacy Security Officer is responsibility for maintaining user security awareness.
13.3
Compliance with Security Policy
All security procedures are to be subject to periodic review so as to ensure compliance
with Pharmacy security policies and standards.
Similarly, information systems are to be checked for compliance with security
implementation standards.
Self audits of operational systems are to be planned and agreed so as to minimise risk of
disruption to Pharmacy processes.
13.4
Approved Non Compliance
Where a particular policy cannot be complied with for a substantive business reason,
approval for a deviation from policy is to be obtained from the Pharmacy Manager.
Requests for authorised non-compliance must be formally submitted with details of any
risks associated with the deviation.
The Pharmacy Security Officer will maintain a record of all approved non-compliance
requests.
All approved non-compliance requests will be subject to six-monthly reassessment.
Version 1.1 – 13 March 2009
Page 31 of 33
Community Pharmacy Security Policy
APPENDIX 1: HEALTH INFORMATION PRIVACY
CODE 1994
Rule 3: Collection of Health Information from Individual
1)
Where a health agency collects health information directly from the individual
concerned, or from the individual's representative, the health agency must such are,
circumstances, reasonable to ensure that the individual concerned (and the
representative if collection is from the representative) is aware of:
a)
the fact that the information is being collected;
b)
the purpose for which the information is being collected;
c)
the intended recipients of the information;
d)
the name and address of:
i) the health agency that is collecting the information; and
ii) the agency that will hold the information;
e)
whether or not the supply of the information is voluntary or mandatory and
if mandatory the particular law under which it is required;
f)
the consequences (if any) for that individual if all or any part of the requested
information is not provided; and
g)
the rights of access to, and correction of, health information provided by
rules 6 and 7.
2)
The steps referred to in sub rule (1) must be taken before the information is
collected or, if that is not practicable, as soon as practicable after it is collected.
3)
A health agency is not required to take the steps referred to in sub rule (1) in
relation to the collection of information from an individual, or the individual's
representative, if that agency has taken those steps in relation to the collection,
from that individual or that representative, of the same information or
information of the same kind for the same or a related purpose, on a recent
previous occasion.
4)
It is not necessary for a health agency to comply with sub rule (1) if the agency
believes on reasonable grounds:
(a) [revoked]
(b) that compliance would:
(i) prejudice the interests of the individual concerned; or
(ii) prejudice the purposes of collection;
Version 1.1 – 13 March 2009
Page 32 of 33
Community Pharmacy Security Policy
(c) that compliance is not reasonably practicable in the circumstances of
the particular case; or
(d) that non-compliance is necessary to avoid prejudice to the
maintenance of the law by any public sector agency, including the
prevention, detection, investigation, prosecution, and punishment of
offences.10
Note: An action is not a breach of this rule if it is authorised or required by or under law
-Privacy Act, section 7(4). Rule 3(4) (a) was revoked by Amendment No 4.
Rule 5: Storage and Security of Health Information
1)
A health agency that holds health information must ensure:
a)
that the information is protected, by such security safeguards as it is
reasonable in the circumstances to take, against:
i) loss;
ii) access, use, modification, or disclosure, except with the authority of
the agency; and
iii) other misuse;
2)
b)
that if it is necessary for the information to be given to a person in
connection with the provision of a service to the health agency, including any
storing, processing, or destruction of the information, everything
reasonably within the power of the health agency is done to prevent
unauthorised use or unauthorised disclosure of the information; and
c)
that, where a document containing health information is not to be kept, the
document is disposed of in a manner that preserves the privacy of the
individual.
This rule applies to health information obtained before or after the
commencement of this code.
Note: An action is not a breach of this rule if it is authorised or required by or under law
– Privacy Act, section 7(4).
The full Health Information Privacy Code 1994 is found at:
http://www.privacy.org.nz/assets/Files/Codes-of-Practice-materials/HealthInformation-Privacy-Code-1994-including-Amendment.pdf
Version 1.1 – 13 March 2009
Page 33 of 33

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz