IS4550 SECURITY POLICIES AND PROCEDURES

14
CREATE USER POLICY
UNIT 5 ASSIGNMENT 1

IS4550 SECURITY POLICIES AND PROCEDURES

14
CREATE USER POLICY
UNIT 5 ASSIGNMENT 1

To: Hospital Administrators
From: IT Security Specialist
Subject: User Policy

We understand the type of security policies that you currently have in place. However we are here to present to you what security, users, and possible threats to your mainframe issues can impose. In today’s society we deal with many types of hackers and they are not like the 1980’s. Today we deal with threats unlike ever before, some examples would be:
The stakes are high as the Institute of Medicine (IOM) highlights in its recent publication related to privacy:
“Breaches of an individual’s privacy and confidentiality may affect a person’s dignity and cause irreparable harm” and “[unauthorized disclosures] can result in stigma, embarrassment, and discrimination.” IOM: Beyond the HIPAA Privacy Rule—Enhancing Privacy, Improving Health Through Research, February 4, 2009”
1. So Many Mobile Devices, So Much Risk
Mobile devices are ubiquitous in today's society, and the number and types of devices used by physicians, nurses, clinicians, specialists, administrators and staff – as well as patients and visitors – is growing at healthcare organizations across the country. Providing anywhere/anytime network access is essential, particularly when instant communication is required to ensure quality patient care. But these devices are launched daily with upgraded versions of operating systems that are ripe for infection.
2. Embedded Devices Become the Norm
As tablets and mobile devices with wide-area network and Wi-Fi capabilities – including medication scanners, patient-monitoring systems and imaging devices – become more common, embedded connectivity makes tracking, monitoring and managing enterprise productivity easier while helping reduce errors. However, embedded connectivity also puts a strain on bandwidth and exposes the network to viruses brought in by a host of new connected devices that are different from traditional PCs. Recommendation: Incorporate a security solution that will protect the integrity of critical (and often private) data and close any vulnerability gaps in the network.
3. Virtualization from Desktops to Servers
Gartner reports that 80 percent of enterprises have a "virtualization" strategy to run more than one application on one server. The strategy is achieved by using virtualization software, which allows servers to run multiple applications with limited investment in hardware and which reduces costs associated with energy, lowering an organization's carbon footprint. The popularity of the strategy is no surprise: Virtualization holds promise for enterprises of all types – including those in health care – looking to significantly reduce hardware and management costs, implement green strategies and make the most of the flexibility offered by virtualized desktops. Unfortunately, as more users move to virtualized environments, more threats arise.
Recommendation: Healthcare organizations need to remember that hosted virtualized desktops (HVDs) should be viewed in the same way as traditional devices, posing the same – and some new – threats as any connected device. Set the stage now, before adoption explodes, by ensuring that your NAC solution and other network security tools can view an HVD the same way they view a PC.
4. Viruses Spreading through Social Media
Social media platforms such as Facebook, Twitter and YouTube are here to stay, and even healthcare users are not immune. This means that in spite of a host of malware that can spread like wildfire through social media sites, it may be virtually impossible to permanently block access to social media at your facility. Recommendation: Quickly identifying which devices are infected is essential to maintaining network security and protecting crucial data.
5. IT Becomes Consumer Friendly Physicians and employees need access to the facility's network, but the consumerization of IT has made the problem more difficult to manage. As users increasingly adopt their own devices for professional use, health are organizations will see more network security threats. In fact, the consumerization of IT is driving the need for network security solutions that can cover multiple types of devices and infrastructure components.

Recommendation: A solid NAC system can help stave off each threat. Respond with security solutions that identify any consumer-adopted device, scan for threats and deficiencies, then provision access or automatically remediate problems – regardless of the type of device or location. When we look at the negative, we must always look for any allowable fixes, so below you will see examples of some hospitals access policies.
Website Privacy Policy
We understand, acknowledge and respect any individual’s right to privacy and the concerns one may have in regard to privacy and security. We recognize the importance of protecting the privacy of information provided by our patients, as well as, general users of our website.
IMPORTANT NOTE! The Our Hospital Notice of Privacy Practices is a separate document that governs how medical information about you may be used and disclosed by Our Hospital.
MEDICAL DISCLAIMER. IF THIS IS A MEDICAL EMERGENCY, PLEASE IMMEDIATELY CALL EMERGENCY PERSONNEL (911) TO GET PROMPT MEDICAL ATTENTION. DO NOT RELY ON ELECTRONIC COMMUNICIATIONS OR THIS WEBSITE FOR ASSISTANCE IN REGARD TO YOUR IMMEDIATE, URGENT MEDICAL NEEDS. THIS WEBSITE IS NOT DESIGNED TO FACILITATE MEDICAL EMERGENCIES. Our Hospital CANNOT GUARANTEE RESPONSE TIMES IF YOU CHOOSE TO USE THIS WEBSITE IN THE EVENT OF A MEDICAL EMERGENCY.
PERSONAL INFORMATION
A visitor can access and browse our entire site at any time without providing any personal information. We do not collect information that would personally identify you unless you choose to provide it.
In addition, Our Hospital does not share any personally identifiable information of any individual with any third party unrelated to Our Hospital, except in situations where we must provide information for legal purposes or investigations, or if so directed by the patient through a proper authorization.
Forms
Our website contains forms through which users may request information or supply feedback to us. In some cases, telephone numbers, email addresses or return addresses are required so that we can supply requested information to you, and in other cases, correct names and addresses are required to process credit card payments.
After you fill out a form, we may contact you with follow-up information (unless you have checked an "opt-out" box on the form). We do not provide any information supplied on our web forms to any outside organization for any reason (other than where we may be required to by law, or as necessary to process credit card information). We do not save this personal information for any other reason.
Surveys
Occasionally, we may survey visitors to our site. The information from these surveys is used in aggregate form to help us understand the needs of our visitors so that we can improve our site. We generally do not ask for information in surveys that would personally identify you. If we do request contact information for follow-up, you may decline to provide it. If survey respondents provide personal information (such as an email address) in a survey, it is shared only with those people who need to see it to respond to the question or request.
Email
"Phishing" is a scam designed to steal your personal information. If you receive an email that looks like it is from Our Hospital asking you for your personal information, do not respond. We will never request your password, user name, credit card information or other personal information through email.
User Name and Password
In the event you access any Service requiring a User Name and Password, you are solely responsible for keeping such User Name and Password strictly confidential.
NON-PERSONAL INFORMATION
Our Hospital collects non-personal information such as website usage, traffic patterns, site performance and related statistics based on our tracking of your visits to the website.
IP Addresses
The Web server automatically collects the IP (which stands for Internet Protocol) address of the computers that access our site. An IP address is a number that is assigned to your computer when you access the Internet. It is not truly personally identifiable information because many different individuals can access the Internet via the same computer. We use this information in aggregate form to understand how our site is being used and how we can better serve visitors.
Please note that although such information is not personally identifiable, we can determine from an IP address a visitor's Internet Service Provider and the geographic location of his or her point of connectivity.
First Party Cookies
We collect information about visitors to our site using "first party cookies”, which are alphanumeric identifiers that we transfer to your computer's hard drive through your web browser. Cookies are never associated with specific personal identities. First party cookies are distinct from third party cookies that they are created and directly served by the company hosting the website.
We use two types of “cookies” on this site: * We use persistent cookies to recognize a repeat visitor, enabling us the opportunity to offer the visitor a set of services or information requested in a previous visit. * We use session cookies to track a visitor's path through our site during a visit, to help us understand how people use our site.
You can delete our cookies at any time. The "help" section, located on the toolbar of most browsers, will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie or how to disable cookies altogether. Since cookies allow you to take full advantage of some of our website's best features, we recommend that you leave them turned on.
SECURITY OF YOUR INFORMATION
Please note that our forms are encrypted to protect your privacy. Once the information is sent to our site, it is kept in secure databases where it is not available to users on the Internet. While we sometimes ask for credit card numbers or certain service transactions, and either pass them on to a credit card processing service or process them manually, we do not store credit card numbers online.
Our Hospital periodically reviews and modifies, where appropriate, its security policies and procedures. We use reasonable care to protect your personally identifiable and confidential information provided by you to our site. Our Hospital has in place a security program that seeks to mitigate this risk substantially.
DISCLAIMER OF WARRANTY
MATERIALS, SERVICES AND OTHER INFORMATION ARE PROVIDED “AS IS” BY Our Hospital FOR EDUCATIONAL PURPOSES ONLY. Our Hospital MAKES NO EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR USE, TITLE OR NON INFRINGEMENT.
PLEASE NOTE THAT, BY ITS VERY NATURE, A WEBSITE CANNOT BE ABSOLUTELY PROTECTED AGAINST INTENTIONAL OR MALICIOUS INTRUSION ATTEMPTS. FURTHERMORE, Our Hospital DOES NOT CONTROL THE DEVICES OR COMPUTERS OR THE INTERNET OVER WHICH YOU MAY CHOOSE TO SEND CONFIDENTIAL PERSONAL INFORMATION AND CANNOT, THEREFORE, PREVENT SUCH INTERCEPTIONS OF COMPROMISES TO YOUR INFORMATION WHILE IN TRANSIT TO Our Hospital.
THEREFORE, Our Hospital HEREBY MAKES NO GUARANTEE AS TO SECURITY, INTEGRITY OR CONFIDENTIALITY OF ANY INFORMATION TRANSMITTED TO OR FROM THIS WEBSITE, OR STORED WITHIN THIS WEBSITE.
BEYOND OUR REASONABLE CARE TO SAFEGUARD YOUR INFORMATION WHILE IN TRANSIT, Our Hospital CANNOT AND DOES NOT GUARANTEE THE ABSOLUTE SECURITY OF ELECTRONIC COMMUNICATIONS OR TRANSMISSIONS SINCE ANY TRANSMISSION MADE OVER THE INTERNET BY ANY ORGANIZATION OR ANY INDIVIDUAL RUNS THE RISK OF INTERCEPTION.
IN ADDITION, WE HEREBY MAKE NO GUARANTEE AS TO SECURITY, INTEGRITY OR CONFIDENTIALITY OF ANY INFORMATION TRANSMITTED TO OR FROM THIS WEBSITE, OR STORED WITHIN THIS WEBSITE.
LIMITATION OF LIABILITY
YOU ASSUME THE SOLE RISK OF TRANSMITTING YOUR INFORMATION AS IT RELATES TO THE USE OF THIS WEBSITE, AND FOR ANY DATA CORRUPTIONS, INTENTIONAL INTERCEPTIONS, INTRUSIONS OR UNAUTHORIZED ACCESS TO INFORMATION, OR OF ANY DELAYS, INTERRUPTIONS TO OR FAILURES PREVENTING THE USE THIS WEBSITE.
IN NO EVENT SHALL Our Hospital BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, CONSEQUENTIAL OR MONETARY DAMAGES, INCLUDING FEES, AND PENALTIES IN CONNECTION WITH YOUR USE OF MATERIALS POSTED ON THIS SITE OR CONNECTIVITY TO OR FROM THIS SITE TO ANY OTHER SITE.
Our Hospital MAY CHANGE THIS PRIVACY POLICY WITHOUT NOTICE TO YOU. Following these small tools and methods will assist your healthcare industry in a big way. Choosing to allow us to do business with you would thus allow us to keep you and your company safe and in compliance.