Security Framework
Century Hospital
Dennis Rollin
and
Mark Zahlin
Century Hospital Security Framework
i
Table of Contents
1. Executive Summary......................................................................................................... 1
2. Century Hospital Introduction........................................................................................ 1
3. Security Policy.................................................................................................................. 1
4. Chief Information Officer................................................................................................2
5. Data Protection Officer...................................................................................................3
6. Compliance/Privacy Officer.............................................................................................4
7. IT Security Analyst...........................................................................................................5
8. Security Policies...............................................................................................................6
8.1 Code of Conduct Policy.................................................................................................6
8.2 Confidentiality Policy.....................................................................................................8
8.3 Password Security Policy..............................................................................................9
8.4 Password Construction Guidelines............................................................................ 10
8.5 Acceptable Encryption Policy......................................................................................12
8.6 Workstation Security Policy........................................................................................ 14
8.7 Remote Access Policy................................................................................................. 15
8.8 Data Backup Policy...................................................................................................... 17
8.9 Physical Security Policy...............................................................................................20
8.10 Contingency Plan Policy............................................................................................22
8.11 Incident Response Plan Policy...................................................................................24
8.12 Disaster Recovery Plan Policy...................................................................................26
8.13 Security Awareness and Training Policy................................................................... 31
9. Security Blueprint..........................................................................................................33
10. Risk Assessment Report..............................................................................................34
11. Risk Assessment Chart.................................................................................................36
12. Sensitivity and Risk Mitigation....................................................................................38
13. Compliance Framework.............................................................................................. 40
14. References...................................................................................................................43
1. Executive Summary
The purpose of this document is to define the security policy, based on National Institute of Standards
and Technology (NIST) guidance, for all executives, employees and contractors of Century Hospital. All of
those mentioned are expected to read and follow all stated policies, procedures and guidelines of Century
Hospital’s security policies. We must all strive to keep our patients and fellow employees safe and secure at
all times, and we must always ensure that our patients’ privacy is maintained to the letter of the law.
2. Century Hospital Introduction
Century Hospital is a county-run, level 1 trauma center that has been providing health care services to the Twin
Cities metropolitan area for 75 years. Over the last 10 years we have expanded and updated our facilities to
provide better care for the community at large. We offer treatment for the whole range of medical needs for
the community, from mental health to world-class emergency care. Our Burn Unit and Emergency Department
are considered to be the best in the Twin Cities area and receive the most severe and difficult cases in the
area. We are also a teaching facility with medical students from local colleges as well as the University of
Minnesota. We take pride in the fact that we are providing the training and experience for the next generation
of health professionals in the region. Providing this valuable experience also gives us the opportunity
to retain the best students and keep Century Hospital staffed with the very best health care professionals
possible. We have received many awards over the years; in 2012 and 2013 U.S. News & World Report placed
Century Hospital on its Top 100 list of hospitals in the United States. We continue our commitment to offer
the best medical care possible to the community; this is our number one goal.
3. Security Policy
All employees and affiliates will comply with all state and federal laws (including HIPAA) protecting information
security and all assets of all persons involved. All will uphold the business’s ethical standards, which include
maintaining the integrity of business conduct and safeguarding the information and assets of the business,
patients and employees. Annual education will be provided for continued compliance with security procedures
to prevent unauthorized access to the information and assets of the business. Any breach of policy could
result in disciplinary and/or legal action, which may include termination.
4. Chief Information Officer
The Chief Information Officer (CIO) is responsible for identifying and planning the goals and strategies for
implementing information technology. The CIO works closely with the executive team, proposing cost-
effective strategies that increase information technology productivity and security. The CIO manages a
team of information technology specialists that implement the day-to-day information technology needs
and co-create effective policies to meet those needs.
Responsibilities
•	Provide technological guidance within the organization.
•	Manage the daily operations of the information technology team, including the network infrastructure
for LAN and WAN connectivity.
•	Manage the daily operations of the information security team, safeguarding against potential security
threats.
•	Oversee the development, design, and implementation of new applications and changes to existing
computer systems and software packages.
•	Develop and implement strategic plans for the ongoing information technology needs of the organization
due to growth and technological advances.
•	Ensure all creation and maintenance of information security policies and procedures.
•	Establish and direct security mitigation to ensure compliance of law while maintaining information
technology productivity.
•	Oversee the information security team to ensure policies and procedures are implemented.
•	Review the quarterly information security audit and implement necessary changes to policies and
procedures to safeguard data.
•	Oversee all data breaches that arise. Documenting all measures taken to resolve security breaches to
mitigate future data breaches.
•	Advise senior management on information technology needs and strategic plans to support the goals
and objectives of the organization.
Requirements
•	Master’s Degree in Information Systems or related field with CISSP Certification or equivalent.
•	 Six (6) years of information technology experience.
•	Three (3) years of senior level management.
•	Familiarity with health care or health care related organization.
•	Experience developing and implementing policies and procedures.
•	Experience with HIPAA and other laws related to patient records.
•	Demonstrated experience with project management.
•	Excellent verbal, written and listening skills.
5. Data Protection Officer
The Data Protection Officer (DPO) is responsible for maintaining the security of data within the organization.
The DPO must be versed in data protection laws, particularly HIPAA, to ensure that our organization is
compliant and all measures have been taken to protect the data of patients and employees. The DPO will
work closely with the information security team to ensure all members are aware of the laws and regulations
required to safeguard all sensitive data. The DPO will assist with policies and procedures developed and
maintained, as well as provide information necessary for annual data security training of all employees.
Responsibilities
•	Maintain federal and state law compliance to protect and secure information by developing and
implementing policies and procedures preventing and/or detecting law violations.
•	Manage a team of security professionals to ensure compliance of laws.
•	Work closely with the Information Security Team in creating and maintaining policies and procedures.
•	Inform the Information Security Team immediately of changes to HIPAA or other laws pertaining to data
security.
•	Address every day privacy issues throughout the organization.
•	Report to the CIO the appropriate measures that must be implemented to safeguard information to the
full extent of the law.
•	Be directly involved in all data breaches, working closely with the Information Security Team to ensure
incident response is monitored and documented as pertaining to any legal breach that requires immediate
reporting to the CIO.
•	Conduct quarterly audits to ensure compliance with HIPAA and other data protection laws.
•	Continued education to Information Security Team and Century Hospital’s employees of privacy and
data protection laws to ensure the organization is in compliance.
•	Educating Century Hospital about new methods to safeguard information and maintain awareness of
the laws to the organization where necessary.
Requirements
•	Bachelor’s Degree in IT or Computer Science with six (6) years of security experience.
•	Hold a CCIE Security Certification or CCNP Security Certification with equivalent experience.
•	In-depth knowledge of HIPAA and other federal and state data protection laws.
•	Ability to draft policies and procedures and training materials.
•	Ability to manage a team.
•	Excellent collaboration skills.
•	Ability to work independently.
•	Excellent written and verbal communication skills.
6. Compliance/Privacy Officer
The Compliance/Privacy Officer is responsible for monitoring and reporting results of the compliance/
ethics efforts of Century Hospital and to provide guidance for senior management on matters relating to
compliance. The Compliance/Privacy Officer will work with the Executive team to develop, initiate, maintain
and revise policies and procedures pertaining to security and HIPAA compliance.
Responsibilities
•	Act as an independent review and evaluation body to ensure that compliance issues/concerns within
Century Hospital are being appropriately evaluated, investigated, and resolved.
•	Collaborate with other departments to direct compliance issues to appropriate existing channels for
investigation and resolution.
•	Consult with the corporate attorney as needed to resolve difficult compliance issues.
•	Respond to alleged violations of rules, regulations, procedures, and Standards of Conduct by evaluating
or recommending the initiation of investigative procedures.
•	Develop and oversee a uniform handling of compliance violations.
•	Ensure proper reporting of violations or potential violations to duly authorized enforcement agencies as
appropriate or required.
•	Establish and provide direction and management of the compliance Hotline.
•	Institute and maintain an effective compliance communication program including:
»» Use of the Compliance Hotline.
»» Heightened awareness of the Standards of Conduct.
»» Understand and communicate new and existing compliance issues and related policies and
procedures.
Requirements
•	Bachelor’s Degree in Business Administration
•	Ten (10) years of health care senior level management
•	Complete understanding of the Health Insurance Portability and Accountability Act (HIPAA)
•	Ability to quickly implement necessary change within an organization
•	Excellent verbal, written, and listening skills
7. IT Security Analyst
The IT Security Analyst is responsible for maintaining the security and integrity of all Century Hospital data.
The IT Security Analyst will work to effectively analyze all security measures of Century Hospital as well as
implement any training including instructing staff on proper security measures both in the office and on-line.
The Security Analyst must work with business administrators as well as IT professionals to communicate
flaws in the security systems and recommend any and all improvements to the overall security of Century
Hospital.
Responsibilities
•	Assist with the development and maintenance of security policies, procedures, and guidelines based on
industry best practices and compliance requirements (HIPAA).
•	Monitor the use of data files and regulate access to safeguard information in computer files.
•	Review violations of computer security procedures and discuss procedures with violators to ensure
violations are not repeated.
•	Train users and promote security awareness to ensure system security and to improve server and network
efficiency.
•	Develop plans to safeguard computer files against accidental and unauthorized modification, destruction,
or disclosure and to meet emergency processing needs.
•	Perform risk assessments and execute tests of data processing system to ensure functioning of data
processing activities and security measures.
•	Encrypt data transmissions and erect firewalls to conceal confidential information as it is being transmitted
and to keep out tainted digital transfers.
•	Document computer security and emergency measures, policies, procedures, and tests.
•	Monitor current reports of computer viruses to determine when to update virus protection systems.
Requirements
•	Bachelor’s Degree in Information technology or Information technology security
•	Three (3) to five (5) years experience in Information technology security
•	Familiarity with health care or health care organizations
•	Strong aptitude for project management and problem solving skills
•	Strong verbal and written communication skills with the ability to communicate with people of varying
degrees of IT knowledge.
•	CISSP, CISA, and other applicable security information certifications
8. Security Policies
8.1 Code of Conduct Policy
Overview
Century Hospital is committed to protecting employees, partners, vendors, and the company from illegal
and damaging actions by individuals, whether knowing or unknowing. When Century Hospital addresses
issues proactively and uses correct judgment, it will help set us apart from the competition.
Century Hospital will not tolerate any wrongdoing or impropriety at any time. Century Hospital will take the
appropriate measures and act quickly in correcting any issue arising under the Code of Conduct Policy.
Purpose
The purpose of this policy is to establish a culture of openness and trust, and to emphasize employees’
and patients’ expectation of fair business practices. This policy will serve to guide business
behavior to ensure respectful and ethical conduct. Effective conduct and ethics is a team effort involving the
participation and support of every Century Hospital employee. All employees should familiarize themselves
with the Code of Conduct guidelines that follow this introduction.
Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers at Century
Hospital, including all personnel affiliated with third parties.
Policy
Executive Commitment to Ethics and the Code of Conduct
•	Senior leaders and executives within Century Hospital must set a prime example. In any business practice,
honesty and integrity must be a top priority for executives.
•	Executives must have an open door policy and welcome suggestions and concerns from employees.
This will allow employees to feel comfortable discussing any issues and will alert executives to concerns
within the work force.
•	Executives must disclose any conflict of interests regarding their position within Century Hospital.
Employee Commitment to Ethics and the Code of Conduct
•	Century Hospital employees will treat everyone fairly, have mutual respect, promote a team environment
and avoid the intent and appearance of unethical or compromising practices.
•	Every employee needs to apply effort and intelligence in maintaining ethics and code of conduct values.
•	Employees must disclose any conflict of interest regarding their position within Century Hospital.
•	Employees should consider the following questions to themselves when any behavior is questionable:
»» Is the behavior legal?
»» Does the behavior reflect Century Hospital’s values and culture?
»» Could the behavior adversely affect company shareholders?
»» Would you feel particularly concerned if the behavior appeared in a news headline?
»» Could the behavior adversely affect Century Hospital if all employees did it?
Company Awareness
Promotion of ethical conduct within interpersonal communications of employees will be rewarded.
Century Hospital will promote a trustworthy and honest atmosphere to reinforce the vision of ethics within
the company.
Unethical Behavior
Century Hospital will avoid the intent and appearance of unethical or compromising practices in relationships,
actions, and communications.
Century Hospital will not tolerate harassment or discrimination.
Century Hospital will not permit impropriety at any time and will act ethically and responsibly in accordance
with the law.
Century Hospital employees will not use corporate assets or business relationships for personal gain.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to ensure compliance, including, but not limited to, internal and external audits, periodic
walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
8.2 Confidentiality Policy
Overview
All information concerning patients, former patients, staff, students, patient records and business records
of Century Hospital is confidential. “Confidential” means you are free to talk about Century Hospital and
your position in the organization, but you are not allowed to disclose patients’ names or talk about them in
ways that would allow their identity to be known. No information may be released without appropriate authorization.
This is a basic component of patient care and business practices. Century Hospital expects you to respect
the privacy of patients and to maintain their personal and patient information as confidential. Failure to
maintain confidentiality may result in termination of your employment or other corrective action. This policy
is intended to protect you as well as Century Hospital, because, in extreme cases, violations may result in
personal liability.
Purpose
Confidentiality is the preservation of privileged information. By necessity, personal and private
information is disclosed in a professional working relationship. Part of what you learn is necessary to patient
care; other information is shared in the course of developing a helping and trusting relationship. Therefore,
most information gained about individual patients through an assignment is confidential in terms of the law,
and disclosure could make you and Century Hospital legally liable.
Scope
This policy applies to all Century Hospital employees, contractors, vendors, students and agents. This
policy applies to all confidential information concerning Century Hospital patients.
Policy
Every patient has the right to expect that all aspects of their care will be treated as confidential.
Physicians, nurses, therapists, and consultants giving direct care may read and enter information on a
patient’s chart.
Privacy is established for patients when examining, interviewing or sharing information by drawing the
curtain or closing the door.
Conversations about patients are not shared with those not participating in the patient’s care.
Discretion is used to maintain confidentiality during meetings and when using the telephone or other
electronic communication.
Information covered by this policy includes information that is written, unwritten or stored electronically.
Subject to any legislation or regulation, any personal and confidential information shall be released only as
required in the necessary course of employment and only by those authorized to release such information.
Policy Compliance
Failure to comply with the Confidentiality Policy may result in disciplinary action up to and including
termination of employment.
8.3 Password Security Policy
Overview
Passwords are a security measure to protect Century Hospital from unauthorized access and/or exploitation
of Century Hospital’s resources. Choosing insecure passwords places Century Hospital at risk for security
breaches. All users, including third party contractors and vendors, are responsible for taking the necessary
steps in selecting secure passwords to secure against unauthorized access to the Century Hospital systems.
Purpose
The purpose of this policy is to establish a standard for the creation of strong passwords, to protect those
passwords, and for the frequency of change of the passwords.
Scope
The scope of this policy includes all personnel who have been given the responsibility of an account,
and/or any form of access that supports or requires a password, on any system that is connected to the
Century Hospital’s infrastructure, including access to the network, or any electronic storage of non-public
organizational information.
Policy
Password Change
All system-level passwords (including root, enable, NT admin, application administration accounts and
others) must be changed bimonthly (every two months).
All user-level passwords (including email, web, desktop computers and others) must be changed every six
months, recommended every four months.
Password cracking or guessing may be performed by the Information Security Team on a random basis. If
a password is cracked during this process, the user must change their password in compliance with the
Password Construction Guidelines.
Password Protection
•	All passwords are to be treated as sensitive information of the Century Hospital and must not be shared
with anyone.
•	Passwords must not be saved on any form of electronic medium unless encrypted.
•	Passwords must not be inserted or communicated through email or other forms of electronic
communication.
•	Passwords must not be communicated to anyone over the phone.
•	Passwords must not be revealed on questionnaires or security forms.
•	Do not hint at the format of a password (such as “my street address”).
•	Passwords must not be shared with anyone at any time, including managers, administrative assistants,
co-workers or family members.
•	Do not write passwords down or store them anywhere within Century Hospital.
•	Never use the “Remember Password” feature on applications, such as web browsers.
•	If, for any reason, a user believes that his/her password was compromised, the incident must be reported
and all passwords must be changed.
Application Development
Application developers must observe the following security precautions in their programs:
•	Applications must encrypt all passwords, never to be stored in clear text or in any easily reversible form.
•	Applications must not transmit passwords over the network without encryption.
•	Applications must provide role management, such that functions of one user can be taken over by
another without knowing the user’s password.
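The Password Change intervals above and the Application Development rules (passwords never stored in clear text or in an easily reversible form) can both be enforced in code. The following is an added example, not code from this policy or from Century Hospital: it stores a salted, one-way PBKDF2-HMAC-SHA256 hash rather than an encrypted password (a hash cannot be reversed, which is what the rule is after), verifies a login attempt in constant time, and reports when the two-month (system-level) or six-month (user-level) change interval has elapsed. The iteration count, the record layout and the sample account are assumptions, not values from the policy.

```python
import base64
import calendar
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Assumption: the policy sets no work factor, so this iteration count is ours.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Rotation intervals from the Password Change section: system-level accounts
# every two months, user-level accounts every six months.
ROTATION_MONTHS = {"system": 2, "user": 6}


def utc(year, month, day):
    """Timezone-aware timestamp helper used by the examples below."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Derive a salted, one-way PBKDF2-HMAC-SHA256 hash and encode it as
    algorithm$iterations$salt$digest so the parameters travel with the record."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iterations, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False          # malformed record: never treat as a match
    if algorithm != "pbkdf2_sha256":
        return False          # anything else (clear text, reversible, legacy) is rejected
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def _add_months(moment, months):
    """Calendar-month arithmetic, clamping the day (Jan 31 + 1 month -> Feb 28/29)."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def make_credential(username, password, account_type, set_at=None):
    """Build the record an application would store: the hash, never the password."""
    if account_type not in ROTATION_MONTHS:
        raise ValueError("account_type must be 'system' or 'user'")
    return {
        "username": username,
        "account_type": account_type,
        "password_hash": hash_password(password),
        "password_set_at": set_at or datetime.now(timezone.utc),
    }


def rotation_due(credential, now=None):
    """True once the policy's change interval for this account type has elapsed."""
    now = now or datetime.now(timezone.utc)
    months = ROTATION_MONTHS[credential["account_type"]]
    return now >= _add_months(credential["password_set_at"], months)


if __name__ == "__main__":
    # Constructed sample account, not real Century Hospital data.
    cred = make_credential("jdoe", "Tr0ub4dor&3", "user", utc(2024, 1, 31))
    print(cred["password_hash"])
    print(verify_password("Tr0ub4dor&3", cred["password_hash"]))   # True
    print(rotation_due(cred, utc(2024, 7, 31)))                     # True
```

The stored string carries the algorithm name, iteration count and salt, so the work factor can be raised later without invalidating existing records: a record hashed with fewer iterations still verifies, and can be re-hashed on the next successful login.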
Use of Passphrases
Generally a passphrase is used for public/private key authentication. A passphrase is a longer version of a
password, making a passphrase more secure. All the rules that apply to passwords also apply to passphrases.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to ensure compliance, including, but not limited to, internal and external audits, periodic
walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
Password Construction Guidelines
8.4 Password Construction Guidelines
Overview
Passwords are a security measure to protect Century Hospital from unauthorized access and/or
exploitation of Century Hospital’s resources. Choosing insecure passwords places Century Hospital at risk
for security breaches. This guideline provides best practices for creating secure passwords.
Purpose
The purpose of this guideline is to provide best practices for creation of strong passwords.
Scope
This guideline applies to all personnel at Century Hospital including temporary employees and all third parties
affiliated with Century Hospital. This guideline applies to all passwords on any system that is connected to the
Century Hospital’s infrastructure, including, but not limited to, user-level accounts, system-level accounts,
web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.
Statement of Guidelines
All passwords should meet or exceed the following guidelines.
Strong passwords have the following characteristics:
•	Contain at least 12 characters.
•	Contain both upper and lower case letters.
•	Contain at least one numeric character.
•	Contain at least one special character (for example, !@#$%^&*()_?/><[]{}=+:,”:;).
Weak, or poor, passwords have the following characteristics:
•	Contain fewer than eight characters.
•	Words that can be found in a dictionary, including foreign words, or language considered to be slang,
dialect, or jargon.
•	Contain personal information such as names, birthdates, addresses, phone numbers, pets and character
names.
•	Contain personal information that has easy substitutions (for example, William as w1ll1am, where 1=i).
•	Contain work-related information such as building names, system commands, sites, companies, hardware,
or software.
•	Contain number patterns such as yyyzzz, abcdefg, or 321123.
•	Contain common words spelled backward or preceded by a number or special character.
Passwords should never be written down. Create a password that can be easily remembered.
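An added checker, not part of the guideline, that applies the strong and weak characteristics above to a candidate password and names each rule it fails. The word lists, the look-alike substitution table and the personal details are constructed samples; a real deployment would load a full dictionary and the user’s own details from the HR record. It handles the pattern and reversed-word rules generally (any run of three identical, ascending or descending characters; any listed word reversed or preceded by a digit or special character) rather than only the examples the guideline gives.

```python
import re

# Constructed stand-ins for a real dictionary and the user's HR record.
DICTIONARY_WORDS = {"password", "welcome", "summer", "doctor", "nurse"}
WORK_TERMS = {"century", "hospital", "cisco", "windows", "sudo"}
SPECIAL_CHARS = "!@#$%^&*()_?/><[]{}=+:,\":;"   # the set listed in the guideline
MIN_LENGTH, STRONG_LENGTH = 8, 12

# Undo the easy look-alike substitutions the guideline calls out (w1ll1am -> william).
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _variants(password):
    """The password as typed (lowercased) and with look-alike substitutions undone."""
    low = password.lower()
    return (low, low.translate(LEET))


def _contains_any(password, words):
    return any(w in v for v in _variants(password) for w in words)


def _has_pattern(password, run=3):
    """Runs of `run` identical, ascending or descending characters (yyy, abc, 321)."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def _reversed_or_prefixed(password, words):
    """A common word spelled backward, or preceded by a digit or special character."""
    low = password.lower()
    prefix = "[0-9" + re.escape(SPECIAL_CHARS) + "]"
    return any(w[::-1] in low or re.search(prefix + re.escape(w), low) for w in words)


def evaluate_password(password, personal_info=()):
    """Return (is_strong, findings); findings name each guideline rule the password fails."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("fewer than 8 characters")
    elif len(password) < STRONG_LENGTH:
        findings.append("fewer than 12 characters")
    if not any(c.isupper() for c in password):
        findings.append("no upper case letter")
    if not any(c.islower() for c in password):
        findings.append("no lower case letter")
    if not any(c.isdigit() for c in password):
        findings.append("no numeric character")
    if not any(c in SPECIAL_CHARS for c in password):
        findings.append("no special character")
    if _contains_any(password, DICTIONARY_WORDS):
        findings.append("contains a dictionary word")
    if _contains_any(password, {p.lower() for p in personal_info}):
        findings.append("contains personal information")
    if _contains_any(password, WORK_TERMS):
        findings.append("contains work-related information")
    if _has_pattern(password):
        findings.append("contains a character pattern")
    if _reversed_or_prefixed(password, DICTIONARY_WORDS):
        findings.append("contains a common word reversed or prefixed by a number/special character")
    return (not findings, findings)


if __name__ == "__main__":
    # Constructed candidates; the personal details are invented for the example.
    for candidate in ("V7#kqRz!2mWp", "Tr0ub4dor&3", "w1ll1am1985!X", "Drowssap!2024"):
        print(candidate, evaluate_password(candidate, personal_info=["William", "1985"]))
```

Because the check runs against both the typed password and its de-substituted form, a password such as w1ll1am1985 is caught by the personal-information rule even though the literal string "william" never appears in it.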
Use of Passphrases
Generally a passphrase is used for public/private key authentication. A passphrase is a longer version of a
password, making a passphrase more secure. All the rules that apply to passwords also apply to passphrases.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to ensure compliance, including, but not limited to, internal and external audits, periodic
walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
8.5 Acceptable Encryption Policy
Overview
See Purpose.
Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that
have received substantial public review and have been proven to work effectively. Additionally, this policy
provides direction to ensure that Federal regulations are followed, and legal authority is granted for the
dissemination and use of encryption technologies outside the United States.
Scope
The scope of this policy includes all employees and affiliates of Century Hospital.
Policy
Proven, standard algorithms should be used as the basis for encryption technologies. The use of
proprietary encryption algorithms is not allowed for any purpose. Be aware that the export of encryption
technologies is restricted by the U.S. Government.
Algorithm Requirements
Ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible”
according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National
Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents
according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly
recommended for symmetric encryption.
Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any
superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve
Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.
Signature Algorithms
Algorithm | Key Length (min) | Additional Comment
ECDSA | P-256 | Cisco Legal recommends RFC6090 compliance to avoid patent infringement
RSA | 2048 | Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.
LDWM | SHA256 | Refer to LDWM Hash-based Signatures Draft
Hash Function Requirements
Century Hospital adheres to the NIST Policy on Hash Functions.
Key Agreement and Authentication
•	Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic
curve Diffie-Hellman (ECDH).
•	End points must be authenticated prior to the exchange or derivation of session keys.
•	Public keys used to establish trust must be authenticated prior to use. Examples of authentication
include transmission via cryptographically signed message or manual verification of the public key hash.
•	All servers used for authentication (such as RADIUS or TACACS) must have installed a valid certificate
signed by a known trusted provider.
•	All servers and applications using SSL or TLS must have the certificates signed by a known, trusted
provider.
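As an added example (not from the policy or from Century Hospital) of applying the Algorithm Requirements and the Key Agreement and Authentication rules to a TLS client, the following Python checks OpenSSL cipher-suite names for AES encryption with (EC)DH key exchange, and builds an ssl context that requires a certificate from a trusted provider, validates the hostname, and allows only AES-GCM suites with ephemeral Diffie-Hellman. The sample suite names are constructed, and the cipher string is my own choice of a policy-conforming setting.

```python
import ssl

# Constructed sample of suite names as OpenSSL reports them, used to exercise
# the checker offline.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",   # AES with ephemeral ECDH: conforms
    "TLS_AES_128_GCM_SHA256",        # TLS 1.3, AES: conforms
    "TLS_CHACHA20_POLY1305_SHA256",  # TLS 1.3, but not AES-compatible
    "AES128-SHA",                    # AES, but static RSA key transport, no DH/ECDH
    "ECDHE-RSA-CHACHA20-POLY1305",   # ephemeral ECDH, but not AES
]


def suite_meets_policy(name):
    """Check one OpenSSL cipher-suite name against the Algorithm Requirements
    (AES for symmetric encryption) and the Key Agreement rule ((EC)DH key exchange)."""
    uses_aes = "AES" in name
    if name.startswith("TLS_"):            # TLS 1.3 names: key exchange is always (EC)DHE
        return uses_aes
    ephemeral_dh = name.startswith(("ECDHE-", "DHE-"))
    return uses_aes and ephemeral_dh


def audit_suites(names):
    """Return the suites in `names` that do not meet the policy."""
    return [n for n in names if not suite_meets_policy(n)]


def policy_context():
    """Client-side TLS context applying the policy: certificate from a trusted
    provider with hostname checking, TLS 1.2 or newer, AES-GCM with (EC)DHE only."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # the endpoint must present a certificate...
    ctx.check_hostname = True                # ...valid for the name we connected to
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx):
    """Enabled suites in a live context that fail the policy."""
    return audit_suites(c["name"] for c in ctx.get_ciphers())


def context_summary(ctx):
    """Policy-relevant settings of a context, as plain values."""
    return {
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": bool(ctx.check_hostname),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        # TLS 1.3 suites (TLS_*) are not controlled by set_ciphers, so only the
        # TLS 1.2 list is audited here; see the note below.
        "nonconforming_tls12_suites": [n for n in audit_context(ctx) if not n.startswith("TLS_")],
    }


if __name__ == "__main__":
    print("non-conforming samples:", audit_suites(SAMPLE_SUITES))
    print(context_summary(policy_context()))
```

Python’s ssl module configures the TLS 1.2 suite list through set_ciphers but does not expose OpenSSL’s separate TLS 1.3 suite list, so a build that enables TLS_CHACHA20_POLY1305_SHA256 will still report it from audit_context; the TLS 1.3 suites therefore have to be reviewed in the server’s own configuration.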
Key Generation
•	Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or
compromise.
•	Key generation must be seeded from an industry standard random number generator (RNG).
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to ensure compliance, including, but not limited to, internal and external audits, periodic
walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
IETF/IRTF Cipher Catalog, http://tools.ietf.org/html/draft-irtf-cfrg-cipher-catalog-01
NIST publication FIPS 140-2, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2010.htm
LDWM Hash-based Signatures Draft, http://tools.ietf.org/html/draft-mcgrew-hash-sigs-00
NIST Policy on Hash Functions, http://csrc.nist.gov/groups/ST/hash/policy.html
8.6 Workstation Security Policy
Purpose
The purpose of this policy is to provide guidance on securing Century Hospital workstations, so that
information held on a workstation is protected and access to it is controlled. The policy also provides
guidance to ensure that the requirements of the HIPAA Security Rule "Workstation Security" standard,
45 CFR 164.310(c), are met.
Scope
This policy applies to all Century Hospital employees, contractors, workforce members, vendors and
agents who use a Century Hospital-owned workstation, or any workstation connected to the Century
Hospital network.
Policy
Workstations must be used with appropriate measures in place to ensure the confidentiality, integrity
and availability of sensitive information, including protected health information (PHI), and to restrict
access to sensitive information to authorized users.
All workforce members using workstations must consider the sensitivity of the information, including PHI
that may be accessed and minimize the possibility of unauthorized access.
Century Hospital will implement physical and technical safeguards for all workstations that access electronic
PHI to restrict access to authorized users.
Appropriate measures include:
•	Restricting physical access to workstations to only authorized personnel.
•	Securing workstations (screen lock or logout) prior to leaving area to prevent unauthorized access.
•	Enabling a password-protected screen saver with a short timeout period to ensure that workstations
that were left unsecured will be protected. The password must comply with Century Hospital’s Password
Policy.
•	Complying with all applicable password policies and procedures. See Century Hospital’s Password Policy.
•	Ensuring workstations are used for authorized business purposes only.
•	Never installing unauthorized software on workstations.
•	Storing all sensitive information, including PHI, on network servers.
•	Keeping food and drink away from workstations in order to avoid accidental spills.
•	Securing laptops, or other portable devices, with access to Century Hospital’s network, by using cable
locks or locking the devices up in drawers or cabinets.
•	Complying with the Acceptable Encryption Policy.
•	Ensuring that monitors are positioned away from public view. If necessary, installing privacy screen
filters or using other physical barriers to reduce the exposure of data.
•	Ensuring workstations are left on but logged off in order to facilitate after-hours updates.
•	Exiting running applications and closing open documents.
•	Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
•	Mobile computing devices may not be removed from the premises prior to receiving Management
approval. Mobile devices being utilized outside office premises will be tracked by the Office Manager.
•	Remote access must be approved by the Information Security Team. Remote access may be monitored
by the Information Security Team.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to do so, including but not limited to internal and external audits, periodic walk-throughs, video
monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
Password Security Policy
Acceptable Encryption Policy
Remote Access Policy
Definitions
•	Workstation – desktops, laptops, PDAs, computer based equipment containing or accessing information
and authorized home workstations accessing the Century Hospital network.
8.7 Remote Access Policy
Overview
See Purpose.
Purpose
The purpose of this policy is to define standards for connecting to Century Hospital's network, including any
network managed by Century Hospital, from an outside entity. These standards are designed to minimize the
potential exposure to Century Hospital from damages which may result from unauthorized use of Century
Hospital resources. Damages include the loss of and/or exposure of sensitive or confidential information,
damage to public image, and damage to critical Century Hospital internal systems.
Scope
This policy applies to all Century Hospital employees, contractors, vendors and agents with a Century
Hospital-owned or personally-owned computer used to connect to the Century Hospital network. This
policy applies to remote access connections used to perform work on behalf of Century Hospital including
reading or sending email and viewing intranet web resources.
Remote access implementations that are covered by this policy include, but are not limited to, dial-in
modems, frame relay, ISDN, DSL, VPN, SSH, WiFi and cable modems.
Policy
Storage of confidential information on any non-Century Hospital owned device is prohibited. Confidential
information may not be stored on any portable device without prior written approval from the Data
Protection Officer. Approved storage on any portable device must be encrypted. (Review the Acceptable
Encryption Policy for encryption regulations.)
All Century Hospital employees and contractors must be approved by the Information Security Team to
obtain remote access privileges to Century Hospital's network and are responsible for ensuring that their
remote access connection is given the same consideration as the user's on-site connection to Century
Hospital.
All remote access users are expected to comply with Century Hospital policies, may not perform illegal
activities, and may not use the access for outside business interests.
Requirements
Remote access must be strictly controlled by the use of unique user credentials. For information on
creating a strong password please review Century Hospital’s Password Security Policy & Password
Construction Guidelines.
Remote access passwords are to be used only by the individual to whom they were assigned and may not
be shared.
All remote access connections that utilize a shared infrastructure, such as the Internet, must utilize
some form of encryption. For information on acceptable encryption technologies please review Century
Hospital’s Acceptable Encryption Policy.
Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not
permitted at any time.
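The split-tunneling and dual-homing prohibition can be checked on a Linux end point from its routing table. The following Go program is an added example, not part of the Century Hospital policy or of any VPN product: it parses `ip route show` output and reports a default route that bypasses the VPN interface, a gateway route to another network outside the tunnel, and routes on more than one physical uplink (dual homing). The tunnel interface name tun0 and the three routing tables are constructed assumptions. The third table shows the OpenVPN-style "redirect-gateway def1" layout, where two /1 routes through the tunnel override a default route that stays on the physical interface; that is a full tunnel and must not be reported as split.

```go
package main

import (
	"fmt"
	"strings"
)

// Route is one entry of a Linux `ip route show` table, reduced to what the check
// needs. Via is empty for directly connected (link-scope) routes.
type Route struct {
	Dest string // "default" or a CIDR prefix
	Via  string // next-hop gateway, if any
	Dev  string // outgoing interface
}

// parseRoutes reads `ip route show` output; lines without a dev field are skipped.
func parseRoutes(table string) []Route {
	var routes []Route
	for _, line := range strings.Split(table, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		r := Route{Dest: f[0]}
		for i := 1; i+1 < len(f); i++ {
			if f[i] == "via" {
				r.Via = f[i+1]
			} else if f[i] == "dev" {
				r.Dev = f[i+1]
			}
		}
		if r.Dev != "" {
			routes = append(routes, r)
		}
	}
	return routes
}

// checkRemoteHost applies the split-tunnel / dual-homing rule to a routing table.
// vpnDev is the interface the VPN client creates (tun0 is assumed). One finding per
// violation; an empty result means the host is compliant.
func checkRemoteHost(routes []Route, vpnDev string) []string {
	var findings []string
	vpnUp, defaultViaVPN := false, false
	halves := map[string]bool{}  // 0.0.0.0/1 and 128.0.0.0/1 seen via the tunnel
	uplinks := map[string]bool{} // non-VPN interfaces that carry routes
	for _, r := range routes {
		if r.Dev == vpnDev {
			vpnUp = true
			defaultViaVPN = defaultViaVPN || r.Dest == "default"
			if r.Dest == "0.0.0.0/1" || r.Dest == "128.0.0.0/1" {
				halves[r.Dest] = true
			}
			continue
		}
		uplinks[r.Dev] = true
		// A gateway route to another prefix outside the tunnel gives direct access to
		// a second network: a split tunnel by the policy's definition.
		if r.Dest != "default" && r.Via != "" {
			findings = append(findings, fmt.Sprintf("split tunnel: %s reachable via %s on %s, bypassing %s", r.Dest, r.Via, r.Dev, vpnDev))
		}
	}
	if !vpnUp {
		return append(findings, vpnDev+" absent: host is not connected to the VPN")
	}
	// OpenVPN-style "redirect-gateway def1" keeps the physical default route but
	// overrides it with two /1 routes through the tunnel: that is a full tunnel.
	if halves["0.0.0.0/1"] && halves["128.0.0.0/1"] {
		defaultViaVPN = true
	}
	if !defaultViaVPN {
		findings = append(findings, "split tunnel: default route does not go through "+vpnDev)
	}
	if len(uplinks) > 1 {
		findings = append(findings, fmt.Sprintf("dual homing: routes on %d non-VPN interfaces", len(uplinks)))
	}
	return findings
}

// Constructed sample tables (not captured from a real host).
const compliantTable = `default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600`

const splitTunnelTable = `default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600`

const dualHomedTable = `0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
128.0.0.0/1 via 10.8.0.1 dev tun0
172.16.5.0/24 dev eth0 proto kernel scope link src 172.16.5.9
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600`

func main() {
	for _, t := range []string{compliantTable, splitTunnelTable, dualHomedTable} {
		fmt.Println(checkRemoteHost(parseRoutes(t), "tun0"))
	}
}
```

The connected subnet of the uplink (192.168.1.0/24 on wlan0) is never a finding, because the tunnel itself rides over it. Virtual interfaces such as container bridges would also count as uplinks here and need an allow-list in a real deployment.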
All hosts that are connected to Century Hospital’s internal networks via remote access technologies must
have up-to-date anti-virus software implemented.
All hosts that are connected to Century Hospital’s internal networks via remote access technologies must
have current operating system security patches installed.
Personal equipment may not be used to connect to Century Hospital’s networks.
Organizations or individuals who wish to implement non-standard Remote Access solutions to the Century
Hospital production network must obtain prior approval from Century Hospital.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to do so, including but not limited to internal and external audits, periodic walk-throughs, video
monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
•	Acceptable Encryption Policy
•	Password Security Policy
•	Password Construction Guidelines
Definitions
•	Dual Homing - Having concurrent connectivity to more than one network from a computer or network
device. Examples include: being logged into the Century Hospital network via a local Ethernet connection
and dialing into AOL or another Internet service provider (ISP).
•	Split-tunneling - Simultaneous direct access to a non-Century Hospital network (such as the Internet,
or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected into Century
Hospital’s network via a Virtual Private Network (VPN) tunnel. VPN is a method for accessing a remote
network via “tunneling” through the Internet.
8.8 Data Backup Policy
Overview
This policy defines the backup policy of Century Hospital for computers within the organization which are
expected to have their data backed up. These systems are typically servers but are not limited to servers.
Servers expected to be backed up include the file server, the mail server, and the web server.
Purpose
This policy is designed to protect the data of Century Hospital to be sure it is not lost in the event of an
equipment failure, intentional destruction of data or disaster.
Scope
This policy applies to all equipment and data owned and operated by Century Hospital and the IT
employees responsible for Century Hospital’s data.
Policy
Timing
Full backups to tape will be performed daily, Monday through Sunday.
Tape Storage
There will be a separate tape or set of tapes for each day of the week Monday through Saturday. There
shall be a separate set of tapes for each Sunday of the month, labelled Sunday1, Sunday2, etc. Backups
performed on a Sunday shall be kept for a month and the tape reused the next month on the corresponding
Sunday. Backups performed Monday through Saturday shall be kept for one week and the tape reused on
the same day of the following week.
Tape Drive Cleaning
Tape drives will be cleaned weekly and the cleaning tape shall be changed monthly.
Monthly Backups
Every month a monthly backup tape shall be made using the oldest backup tape or tape set from the tape
sets.
Age of tapes
The date of each tape put into service shall be recorded on the tape. Tapes that have been in use for more
than six months shall be discarded and replaced with new tapes.
Responsibility
The IT department manager shall delegate a member of the IT department to perform regular backups.
The delegated person shall develop a procedure for testing backups and test the ability to restore data
from the backups on a monthly basis.
Testing
The ability to restore data from backups shall be tested once per month.
Data Backed Up
Data to be backed up include the following information:
•	User data stored on the hard drive.
•	System state data
•	The registry
Systems to be backed up include but are not limited to:
•	File server
•	Mail server
•	Production web server
•	Production data base server
•	Domain controllers
•	Test data base server
•	Test web server
Archives
Archives are made at the end of each year in December. User account data on the file and mail servers is
archived one month after the user has left Century Hospital.
Restoration
Users who need files restored must submit a request to the help desk, including the file name, its creation
date, when it was last changed, and the date and time it was deleted or destroyed.
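The tape rotation in the Tape Storage section and the dates a restore request must carry combine into one practical question: which tapes can still hold a file that was last seen on a given date? The following Go program is an added example, not part of the Century Hospital policy. It models the rotation as written, with one tape per weekday Monday through Saturday reused the following week and each SundayN tape reused on the N-th Sunday of the next month that has one, which is this example's reading of "used again the next month on an applicable Sunday". Monthly and year-end archive tapes are not modelled, and the dates are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// tapeLabel names the tape (set) the rotation assigns to a backup run on day d:
// one per weekday Monday..Saturday, and Sunday1..Sunday5 by the Sunday's ordinal
// within its month.
func tapeLabel(d time.Time) string {
	if d.Weekday() == time.Sunday {
		return fmt.Sprintf("Sunday%d", (d.Day()-1)/7+1)
	}
	return d.Weekday().String()
}

// nthSunday returns the n-th Sunday of the month that starts on first, or false
// when that month has only four Sundays and n is 5.
func nthSunday(first time.Time, n int) (time.Time, bool) {
	off := (7 - int(first.Weekday())) % 7 // days from the 1st to the first Sunday
	cand := first.AddDate(0, 0, off+7*(n-1))
	return cand, cand.Month() == first.Month()
}

// overwriteDate is the day the tape holding d's backup is next written. Daily tapes
// are reused the following week; a SundayN tape is reused on the N-th Sunday of the
// next month that has one, so a Sunday5 tape can wait several months.
func overwriteDate(d time.Time) time.Time {
	if d.Weekday() != time.Sunday {
		return d.AddDate(0, 0, 7)
	}
	n := (d.Day()-1)/7 + 1
	for m := 1; ; m++ {
		first := time.Date(d.Year(), d.Month()+time.Month(m), 1, 0, 0, 0, 0, time.UTC)
		if cand, ok := nthSunday(first, n); ok {
			return cand
		}
	}
}

// recoverableBackups lists, newest first, the backups still on tape as of today for
// a file that last existed on lastSeen: every backup day d <= lastSeen whose tape has
// not yet been overwritten. Monthly and year-end archive tapes are held off site and
// are not modeled here.
func recoverableBackups(lastSeen, today time.Time) []string {
	var out []string
	horizon := today.AddDate(-1, 0, 0) // generous look-back; Sunday5 tapes can wait months
	for d := lastSeen; !d.Before(horizon); d = d.AddDate(0, 0, -1) {
		if overwriteDate(d).After(today) {
			out = append(out, fmt.Sprintf("%s (%s)", tapeLabel(d), d.Format("2006-01-02")))
		}
	}
	return out
}

func main() {
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	// File last seen Wed 13 Mar 2024, restore requested Wed 20 Mar 2024: all six daily
	// tapes have been recycled, so only Sunday tapes can still hold it.
	for _, t := range recoverableBackups(day(2024, time.March, 13), day(2024, time.March, 20)) {
		fmt.Println(t)
	}
	fmt.Println("Sunday5 tape of March 2024 is next reused on", overwriteDate(day(2024, time.March, 31)).Format("2006-01-02"))
}
```

Two properties of the rotation fall out of the model. A file deleted seven or more days ago is recoverable only from Sunday tapes, and a Sunday5 tape is reused irregularly (the one written on 31 December 2023 survives until 31 March 2024 because January and February 2024 have no fifth Sunday), so its six-month retirement date must be tracked from the date the tape entered service, not from its label.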
Tape Storage Locations
Offline tapes used for daily backup shall be stored in an adjacent building in a fireproof safe. Monthly tapes
shall be stored across town in our other facility in a fireproof safe.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to do so, including but not limited to internal and external audits, periodic walk-throughs, video
monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
•	NIST SP 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
Definitions
•	Backup - The saving of files onto magnetic tape or other offline mass storage media for the purpose of
preventing loss of data in the event of equipment failure or destruction.
•	Archive - The saving of old or unused files onto magnetic tape or other offline storage media in order
to free online storage space.
•	Restore - The process of bringing offline storage back from the offline media and putting it on an online
storage system such as a file server.
8.9 Physical Security Policy
Overview
Physical security is an important measure to protect Century Hospital from unauthorized access and/
or exploitation of Century Hospital’s resources. All information systems that collect, receive, store and
transmit data must adhere to the physical security principles of this document.
Purpose
The purpose of this document is to establish best practice procedures and guidelines in the physical
protection of all systems related to the collection, storage, and transmission of data at Century Hospital.
Scope
This policy applies to all Century Hospital employees, contractors, consultants, temporaries and other
workers at Century Hospital, including all third-party personnel.
Policy
Facility Security Controls
•	Control and validate a person’s access to facilities. These should be based on role or function, and follow
minimum necessary standard by which users are given the minimum amount of access to perform their
job functions.
•	Facilities containing Information systems must be located in access-controlled areas.
•	Physical access controls must be logged and audited at least every six months and must include one
or more of the following: multi-factor authentication (e.g. token and PIN), key card access, or
biometric access controls.
•	Regular review (at least every six months) of authorization for facility access of workforce members
and vendors, which ensures that facility access is limited to only those with a business need for physical
access to the facility.
•	All physical access to facilities by vendors must be logged (i.e. through sign-in sheets) for entry time,
exit time, purpose, and the workforce member who allowed the facility entry. Vendors should always be
escorted by a workforce member when in a facility covered by this policy.
•	Environmental controls should be in place for any facility covered under this policy. Reasonable attempts
must be made to implement protections against power outages, fire, water damage, temperature
extremes, and other environmental hazards.
•	Procedures for providing facility access in support of restoration of data in the event of an emergency
or disaster.
•	Records documenting the movement of any hardware or electronic media in and out of the facility.
•	Maintenance records, including documentation of repairs and modifications to security-related physical
security components. Physical security components include doors, locks, walls, access controls cards,
etc.
•	Conduct thorough and complete background checks on all Century Hospital employees who may have
access to facilities.
•	Facility should be surrounded by proper fencing (following all local building codes) and be properly
equipped from all sides by surveillance equipment.
•	Facilities should be secured by trained security staff twenty-four hours a day, seven days a week, with
no exceptions.
Facility Environmental Controls
•	Facilities need a backup electricity supply, including both backup generators and UPS (uninterruptible
power supply) systems, to protect against data loss in the event of power outages.
•	Facilities should be equipped with fire protection equipment including smoke alarms, heat detection
systems, fire extinguishers and sprinkler systems.
•	Smoke alarms (automatic and manual controlled) and heat detection systems should be placed inside
and directly outside network/server equipment rooms.
•	Fire extinguishers should be placed inside all network/server rooms and all employees working in the
facility should be trained in their operation.
•	All environmental safety equipment should be inspected at least every six months by certified personnel.
•	All network/server equipment should be raised from floor level, and water detection systems must be
installed and regularly inspected by certified personnel. Waterproof covers should be readily available in
case of water leaks and/or flooding.
•	Dedicated temperature and humidity regulation equipment must be installed for all network/server
rooms and must be maintained with regular inspections (every six months) by certified personnel.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to do so, including but not limited to internal and external audits, periodic walk-throughs, video
monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
8.10 Contingency Plan Policy
Overview
Century Hospital establishes contingency planning throughout Century Hospital to help the organization
implement security best practices with regard to business continuity and disaster recovery.
Purpose
This policy establishes the Contingency Planning Policy, for managing risks from information asset
disruptions, failures, and disasters, through the establishment of an effective contingency planning program.
The contingency planning program helps Century Hospital implement security best practices with regard to
enterprise business continuity and disaster recovery.
Scope
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated
by Century Hospital. Any information, not specifically identified as the property of other parties, that is
transmitted or stored on Century Hospital IT resources (including e-mail, messages and files) is the property
of Century Hospital. All users (Century Hospital employees, contractors, vendors or others) of IT resources
are responsible for adhering to this policy.
Policy
Century Hospital has chosen to adopt the Contingency Planning principles established in NIST SP 800-34
“Contingency Planning Guide for Federal Information Systems,” as the official policy for this domain. The
following subsections outline the Contingency Planning standards that constitute Century Hospital policy.
Century Hospital IT Management must develop or adhere to a program plan which demonstrates compliance
with the standards documented below.
•	Contingency Planning Procedures: IT Management must develop, adopt or adhere to a formal,
documented contingency planning procedure that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance.
•	Contingency Plan: IT Management must develop a contingency plan for the company information assets
that:
»» Identifies essential missions and business functions and associated contingency requirements.
»» Provides recovery objectives, restoration priorities, and metrics.
»» Addresses contingency roles, responsibilities, assigned individuals with contact information.
»» Addresses maintaining essential missions and business functions despite an information asset
disruption, compromise, or failure.
»» Addresses eventual, full information asset restoration without deterioration of the security
measures originally planned and implemented.
»» Is reviewed and approved by designated officials within the organization.
»» Distributes copies of the contingency plan to relevant management.
»» Coordinates contingency planning activities with incident handling activities.
»» Reviews the contingency plan for the information asset on an annual basis.
»» Revises the contingency plan to address changes to the organization, information asset, or
environment of operation and problems encountered during contingency plan implementation,
execution, or testing.
»» Communicates contingency plan changes to relevant management
•	Contingency Training: IT Management must train personnel in their contingency roles and responsibilities
with respect to the information asset and provide refresher training on an annual basis.
•	Contingency Plan Testing and Exercises: IT Management must test and/or exercise the contingency plan
for the information asset annually to determine the plan’s effectiveness and the organization’s readiness
to execute the plan. In addition, IT Management must review the contingency plan test/exercise results
and initiate corrective actions.
•	Alternate Storage Site: Century Hospital IT Management must establish an alternate storage site including
necessary agreements to permit the storage and recovery of information asset backup information.
•	Alternate Processing Site: IT Management must establish an alternate processing site including necessary
agreements to permit the resumption of information asset operations for essential missions and business
functions within defined recovery times and recovery points when the primary processing capabilities
are unavailable. In addition, IT Management will ensure that equipment and supplies required to resume
operations are available at the alternate site or contracts are in place to support delivery to the site in
time to support the organization-defined time period for resumption.
•	Telecommunications Services: IT Management must establish alternate telecommunications services
including necessary agreements to permit the resumption of information asset operations for essential
missions and business functions within defined recovery time and recovery points when the primary
telecommunications capabilities are unavailable.
•	Information System Backup: IT Management must conduct backups of user-level, system-level, and
information asset documentation (including security-related documentation) within defined recovery
time and recovery point objectives. In addition, IT Management must protect the confidentiality and
integrity of backup information at the storage location.
•	Information System Recovery and Reconstitution: IT Management must provide for the recovery and
reconstitution of the information asset to a known state after a disruption, compromise, or failure.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to do so, including but not limited to internal and external audits, periodic walk-throughs, video
monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
•	Disaster Recovery Plan Policy
•	NIST SP 800-34, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf
8.11 Incident Response Plan Policy
Overview
An Incident Response Plan (IRP) provides the impetus for security and business teams to integrate their
efforts in awareness and communication, as well as in coordinated response in times of crisis (a security
vulnerability identified or exploited). Specifically, an IRP defines a product description, contact
information, escalation paths, expected service level agreements (SLA), severity and impact classification,
and mitigation/remediation timelines. Requiring business units to incorporate an IRP into their business
continuity operations, and to do so as new products or services are developed and prepared for release to
consumers, ensures that when an incident occurs, swift mitigation and remediation follow.
Purpose
The purpose of this policy is to establish the requirement that all business units supported by the IT Security
Team develop and maintain a security response plan. This ensures that the Security Incident Management
Team has all the necessary information to formulate a successful response should a specific security incident
occur.
Scope
This policy applies to any established and defined business unit or entity within Century Hospital.
Policy
The development, implementation, and execution of an Incident Response Plan (IRP) are the primary
responsibility of the business unit for which the IRP is being developed, in cooperation with the IT
Security Team. Business units are expected to properly facilitate the IRP for the services or products for
which they are held accountable. The business unit security coordinator or champion is further expected
to work with the IT Security Team in the development and maintenance of an IRP.
The IRP must address the following five stages when servicing a security incident: preparation, identification,
containment, eradication, and recovery. Knowing about each stage facilitates responding more methodically
and efficiently, and helps users understand the process of responding so that they can deal with unexpected
aspects of incidents they face.
Preparation
Century Hospital considers being prepared to respond before an incident occurs to be one of the most
critical facets of incident handling. This advance preparation avoids disorganized and confused response to
incidents. Preparation also limits the potential for damage by ensuring that response plans are familiar to all
users, thus making coordination easier.
Identification
The approach to the Identification Stage involves 1) validating the incident, 2) if an incident has occurred,
identify its nature, 3) identifying and protecting the evidence, and 4) logging and reporting the event or
incident. When a user notices a suspicious anomaly in data, a system, or the network, he or she begins the
identification process.
Determine the Systems
Determining whether an anomaly is symptomatic of an incident is difficult, since the apparent symptoms
of a security incident are most often something else (e.g., errors in system configuration, application bugs,
hardware failures, user error). Typical symptoms of computer security incidents include, but are not
limited to: unexplained modification or deletion of data, system crashes, unsuccessful logon attempts,
unexplained new files or unfamiliar file names, denial or disruption of service, or the inability of one or more
users to log in to an account.
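Of the symptoms listed, unsuccessful logon attempts are the one most readily turned into an automated check that separates a user's typo from an attack. The following Go program is an added example, not part of the Century Hospital policy or of any Century Hospital system: it parses sshd entries from a syslog-format auth.log, flags any source with at least five failures inside a one-minute sliding window, lists the accounts that source tried (a long list points to password spraying), and records whether the same source later logged on successfully, which turns a symptom into a probable compromise that must be reported to the IT Security Team. The host name, account names, addresses and log lines are constructed, using RFC 5737 documentation address ranges.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// authLine matches sshd logon results in a syslog-format auth.log: timestamp, host,
// Failed|Accepted, method, optional "invalid user", account, source address.
var authLine = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port`)

type logon struct {
	at           time.Time
	ok           bool
	user, source string
}

// parseAuthLog extracts logon events; lines that are not sshd logon results are ignored.
func parseAuthLog(log string) []logon {
	var evs []logon
	for _, line := range strings.Split(log, "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// syslog omits the year, so the parsed year is 0; only time differences are used.
		if at, err := time.Parse("Jan _2 15:04:05", m[1]); err == nil {
			evs = append(evs, logon{at: at, ok: m[2] == "Accepted", user: m[3], source: m[4]})
		}
	}
	return evs
}

// Finding is one source whose failed logons crossed the threshold.
type Finding struct {
	Source   string
	Failures int      // most failures seen inside a single window
	Users    []string // distinct accounts tried; a long list indicates password spraying
	Success  bool     // the source later logged on successfully: treat as compromise
}

// detectLogonAbuse flags sources with at least threshold failures inside any sliding
// window of the given length and records whether the source later succeeded.
func detectLogonAbuse(evs []logon, window time.Duration, threshold int) []Finding {
	bySource := map[string][]logon{}
	for _, e := range evs {
		bySource[e.source] = append(bySource[e.source], e)
	}
	var out []Finding
	for src, list := range bySource {
		sort.Slice(list, func(i, j int) bool { return list[i].at.Before(list[j].at) })
		f, users := Finding{Source: src}, map[string]bool{}
		var recent []logon // failures within window of the newest failure
		for _, e := range list {
			if e.ok {
				f.Success = f.Success || len(recent) >= threshold
				continue
			}
			recent = append(recent, e)
			for e.at.Sub(recent[0].at) > window {
				recent = recent[1:]
			}
			users[e.user] = true
			if len(recent) > f.Failures {
				f.Failures = len(recent)
			}
		}
		if f.Failures >= threshold {
			for u := range users {
				f.Users = append(f.Users, u)
			}
			sort.Strings(f.Users)
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Source < out[j].Source })
	return out
}

// Constructed sample log using RFC 5737 documentation addresses; not from a real system.
const sampleAuthLog = `Mar 14 02:00:00 ehr-app01 sshd[4101]: Failed password for root from 198.51.100.22 port 40001 ssh2
Mar 14 02:03:00 ehr-app01 sshd[4103]: Failed password for root from 198.51.100.22 port 40002 ssh2
Mar 14 02:06:00 ehr-app01 sshd[4105]: Failed password for root from 198.51.100.22 port 40003 ssh2
Mar 14 02:09:00 ehr-app01 sshd[4107]: Failed password for root from 198.51.100.22 port 40004 ssh2
Mar 14 02:10:01 ehr-app01 sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:10:03 ehr-app01 sshd[4122]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 14 02:10:05 ehr-app01 sshd[4124]: Failed password for nurse01 from 203.0.113.7 port 51026 ssh2
Mar 14 02:10:07 ehr-app01 sshd[4126]: Failed password for radiology from 203.0.113.7 port 51028 ssh2
Mar 14 02:10:09 ehr-app01 sshd[4128]: Failed password for invalid user svc-backup from 203.0.113.7 port 51030 ssh2
Mar 14 02:10:12 ehr-app01 sshd[4130]: Failed password for nurse01 from 203.0.113.7 port 51032 ssh2
Mar 14 02:10:15 ehr-app01 sshd[4132]: Accepted password for nurse01 from 203.0.113.7 port 51034 ssh2
Mar 14 02:12:00 ehr-app01 sshd[4109]: Failed password for root from 198.51.100.22 port 40005 ssh2`

func main() {
	for _, f := range detectLogonAbuse(parseAuthLog(sampleAuthLog), time.Minute, 5) {
		fmt.Printf("%s: %d failures within a minute against %v; later success=%v\n", f.Source, f.Failures, f.Users, f.Success)
	}
}
```

Only 203.0.113.7 is flagged: six failures against five accounts in eleven seconds, followed by a successful password logon as nurse01. The second source, 198.51.100.22, fails five times against root but spaced three minutes apart, so a one-minute window never holds more than one failure and it goes unreported; slow attacks like this need a second rule with a longer window or a per-day count, which is the reason the policy says no single symptom is conclusive.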
Identify the Nature of the Incident
Although no single symptom conclusively shows that a computer security incident is taking place, observing
one or more of these symptoms prompts the observer to investigate events more closely. If a computer-
based incident is detected, it must be reported immediately to the IT Security Team.
Containment
The objective for the Containment Stage is to limit the scope and magnitude of an incident as quickly as
possible, rather than to allow the incident to continue in order to gain evidence for identifying and/or
prosecuting the perpetrator. Immediately change the passwords on all affected systems. Passwords should
be changed on compromised systems and on all systems that regularly interact with the compromised systems.
Eradication
The next priority, after containing the damage from a computer security incident, is to remove the cause of
the incident. In the case of a virus incident, antivirus software should be used to remove the virus from all
systems and media (e.g., floppy disks, backup media). Many intrusions leave benign or malignant artifacts
that can be hard to locate. Therefore, it may be necessary to employ more sophisticated techniques to
eradicate malignant artifacts (e.g., Trojan horses).
Recovery
Recovery is defined as restoring a system to its normal state. In the case of relatively simple incidents (such
as attempted but unsuccessful intrusions into systems), recovery requires only assurance that the incident
did not adversely affect the computer or data resources. In the case of complex incidents, such as malicious
code, recovery may require a complete restoration operation from backup tapes or full implementation of
the Century Hospital’s disaster recovery plans.
Reporting
Any activity observed or suspected concerning security incidents outlined in this policy should be immediately
reported to the IT Security Team or the office of the Chief Information Officer.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to do so, including but not limited to internal and external audits, periodic walk-throughs, video
monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Related Standards, Policies and Processes
•	Disaster Recovery Plan Policy
•	NIST SP 800-61, http://dx.doi.org/10.6028/NIST.SP.800-61r2
8.12 Disaster Recovery Plan Policy
Overview
In the event of a disaster, the Disaster Recovery Plan must be implemented to provide Century Hospital
with a comprehensive recovery plan that meets the HIPAA contingency plan requirement, 45 CFR 164.308(a)(7). This policy requires
management to financially support and diligently attend to disaster contingency planning efforts. Disasters
are not limited to adverse weather conditions. Any event that could likely cause an extended delay of
service should be considered. The Disaster Recovery Plan is often part of the Business Continuity Plan.
Purpose
This policy defines a systematic approach for safeguarding the vital technology and data of Century
Hospital. This policy provides a framework for the management, development and implementation, and
maintenance of a disaster recovery program for the systems and services of Century Hospital.
Scope
This policy is directed to the IT Management Staff, who are accountable for ensuring the plan is developed,
tested and kept up to date. This policy states only the requirement to have a Disaster Recovery Plan;
it does not specify what goes into the plan or its sub-plans.
Policy
Principles
Disaster Recovery planning is a program that has a continuous lifecycle. Detailed requirements for each of
these steps are below.
Governance
•	All Century Hospital systems must comply with disaster recovery policies and requirements.
•	The Disaster Recovery Manager is responsible for the Disaster Recovery (DR) program coordination and
project management: including reporting status of DR planning, testing, and auditing activity to senior
management on a regular basis; at least twice per year.
•	Senior IT management is responsible for ensuring sufficient financial, personnel and other resources are
available as needed.
•	The DR Manager will review and update the DR Policy as necessary at least every other year. All
modifications must be approved by Senior IT Management.
Program Development
•	The Disaster Recovery Program (DRP) addresses the protection and recovery of Century Hospital ITS
so that critical operations and services are recovered in a timeframe that ensures the survivability of
Century Hospital and is commensurate with patient obligations, business necessities, industry practices,
and regulatory requirements, particularly HIPAA standards.
•	Plans must be developed, tested, and maintained to support the objectives of the program, and those
plans should include relevant IT infrastructure, computer systems, network elements and applications.
Annual updating is required.
•	The DR Manager is responsible for conducting Business Impact Analyses (BIA) to identify the critical
business processes, determine their recovery timeframes, and establish the criticality rating for each,
and for conducting Capability Analyses (CA) to determine the capacity of IT systems to recover the critical IT
services that support the defined critical business processes and recovery objectives. Both analyses must be
updated at least every other year.
•	The DR Manager is responsible for maintaining Recovery Tier Chart, which defines the Recovery Time
Objectives (RTO) and Recovery Point Objectives (RPO) of all ITS managed systems.
•	ITS is required to create disaster recovery plans for the IT portion – including services, systems, and
assets – of critical business processes. These IT services, systems, and assets must be inventoried and
correlated according to the technical service catalog, prioritized based upon results of the Business
Impact Analysis, and ranked according to their Recovery Time Objectives and Recovery Point Objectives.
•	A Risk Assessment must be conducted at least every other year to determine threats to disaster recovery
and their likelihood of impacting the IT infrastructure.
•	For each risk or vulnerability identified in the Capability Review and Risk Assessment, a mitigation or
preventive solution must be identified.
•	The IT DR program must include a change management and quality assurance process.
•	Above Program Development statements will be progressively fulfilled via DR Manager, Departmental
and/or other resources.
Emergency Management
•	The IT DR Team/Manager is responsible for overseeing IT DR activities in the event of an emergency, i.e.,
an unplanned outage where the RTO is in jeopardy.
•	The IT DR Manager should be part of the ITS representation within the institution’s Emergency
Management Team.
•	Each IT division must develop and maintain a documented emergency plan including notification
procedures.
•	Each IT division shall account for its associates when a building evacuation is ordered. Supervisory
personnel are responsible to account for the associates they supervise.
•	The IT DR Team/Manager is required to complete a post-mortem report documenting outages and
recovery responses within 45 days after the occurrence of a disaster recovery event.
Budgeting
•	IT DR budgeting must be informed annually by requirements gathered in the BIA and CA as well as the
ITS budgeting process.
•	IT Managers are responsible for tracking and reporting on planned and unplanned outage spending
related to the recovery and restoration effort. During an outage, IT Managers may incur special recovery
and restoration costs that are unbudgeted. For a small outage, these costs would be immaterial; but for
a longer outage, these costs could be significant.
Plan Objective
•	IT DR plans must provide information on Business Impact Analysis, Data Backup, Recovery, Business
Resumption, Administration, Organization Responsibilities, Emergency Response & Operations, Training
and Awareness and Testing.
•	Plans must contain Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
•	Technological solutions for data availability, data protection, and application recovery must be considered,
informed by the data gathered in the BIA and CA.
Vital Records
•	ITS must maintain a single, comprehensive electronic inventory of all servers, network equipment,
relevant configuration, and model information, and the applications they support. This inventory should
be aligned with the service catalog and the technical service catalog.
•	All backup data must be labeled and logged, and must be available for use during an emergency within the
stated recovery time objectives. A documented decision-making process will be used to determine what subset
of backup data will be additionally encrypted and stored off-site in a secured location outside the
geographical area of the systems they back up.
•	DR plans must be stored in a single, comprehensive database.
•	DR plan owners need to be able to access a copy of the emergency and recovery plan(s) independent of ITS
services and/or the network.
•	Upon completion or update, DR plans must be sent to the Disaster Recovery Manager and ITS Change
Manager for review.
•	Plan information must be reviewed and updated as warranted by business and/or information systems
environment changes, at least annually.
Plan Attributes
•	Plans must address an outage that could potentially last for a period of up to six weeks.
•	Plans must identify risk exposure and either accept the risk or propose mitigation solution(s).
•	Backup strategies must comply with predefined business continuity requirements, including the defined
recovery time and point objectives. Backup strategies must be reviewed at least every other year.
•	Recovery strategies must meet recovery objectives defined in the DR tier chart.
•	Approved recovery strategies must be tested to ensure they meet required recovery time and recovery
point objectives.
•	Recovery strategies must be implemented within a previously agreed upon period of time, generally not
more than 180 days after management approval.
•	The ITS Disaster Recovery Manager is required to provide DR training and awareness activities at least
twice per year.
Maintenance
•	Plans must contain current and accurate information.
•	Planning must be integrated into all phases of the IT system life cycle.
•	IT DR tests that demonstrate recoverability commensurate with documented IT DR plans must be
conducted regularly; as well as when warranted by changes in the business and/or information systems
environment.
•	Backup media supporting critical business processes must be tested semi-annually. Reviews are required
within 60 days after a test to correct exposed deficiencies.
•	Plan revisions must be completed within 60 days after a DR test is completed.
•	The following maintenance activities must be conducted annually:
»» Updating the documented DR plan.
»» Reviewing the DR objectives and strategy.
»» Updating the internal and external contacts lists.
»» Conducting a simulation/desktop exercise.
»» Conducting a telecommunication exercise.
»» Conducting an application recovery test.
»» Verifying the alternate site technology.
»» Verifying the hardware platform requirements.
»» Submitting the DR Status and Recoverability Report.
•	IT managers are responsible for briefing staff on their roles and responsibilities related to DR
planning, including developing, updating, and testing plans.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to ensure compliance, including but not limited to internal and external audits, periodic
walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
8.13 Security Awareness and Training Policy
Overview
See Purpose.
Purpose
Century Hospital must implement a security awareness and training program for all employees, including
management, to comply with HIPAA section 164.308(a)(5).
Century Hospital understands that “people”, not necessarily technology, are often the largest threat to the
security of sensitive information, such as electronic protected health information (ePHI), in the organization.
Scope
This policy applies to all Century Hospital employees, including anyone granted access to sensitive
information (such as ePHI) by Century Hospital.
Policy
All Century Hospital employees who have access to the hospital information systems must understand how
to protect the confidentiality, integrity and availability of those information systems.
Century Hospital must develop, implement and regularly review a formal, documented program for providing
security training, education and awareness to all employees.
Century Hospital will ensure that all employees have been trained in and understand the security policies
and procedures. In addition, all employees will be trained how to identify, report, and prevent potential
security incidents.
All Century Hospital employees must be provided with regular training, supporting reference materials, and
reminders to enable them to appropriately protect Century Hospital information systems. This training must
include, but is not limited to:
•	All Century Hospital information security policies, procedures and standards and/or significant revisions
to them.
•	The secure use of Century Hospital information systems (e.g. log-on procedures, authorized software).
•	Significant risks to Century Hospital information systems and data and/or any new threats as they are
identified.
•	Century Hospital’s legal and business responsibilities for protecting its information systems and data
(e.g. HIPAA) and/or any significant changes to these responsibilities.
•	Security best practices (e.g. how to construct a good password, how to report a security incident) and/
or changes to these practices.
•	Security controls in place, any changes to these controls, and/or new controls being implemented.
All Century Hospital employees must receive appropriate security training, and after such training each
employee must verify that he or she has received the training, understood the material presented, and
agrees to comply with the training.
Policy Compliance
Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various
methods to ensure compliance, including but not limited to internal and external audits, periodic
walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.
Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of
termination.
Procedures
•	New employees are required to complete mandatory new hire security training within 60 days of hire.
•	Human Resources is responsible for notifying the Compliance Department of a new hire immediately, so
that the new employee can be scheduled for training within required timeframes.
•	All employees are required to complete annual security training and any additional training required by
the IT Security Department.
•	The IT Security Department will issue periodic security awareness reminders to employees. All employees
are responsible for reading the information and implementing any instructions contained in the security
awareness reminders.
Related Standards, Policies and Processes
•	HIPAA 45 CFR Parts 160, 162, and 164, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
9. Security Blueprint
10. Risk Assessment Report
Purpose
The purpose of this risk assessment is to evaluate the adequacy of Century Hospital’s security. This risk
assessment provides a structured qualitative assessment of the operational environment. It addresses
sensitivity, threats, vulnerabilities, risks, and safeguards. This assessment recommends cost-effective
safeguards to mitigate threats and associated exploitable vulnerabilities.
Scope
The scope of this risk assessment is to assess the system’s use of resources and controls to eliminate and/or
manage the vulnerabilities exploitable by internal and external threats to Century Hospital. If exploited,
these vulnerabilities could result in:
•	Unauthorized disclosure of data.
•	Unauthorized modification to the system, data or both.
•	Denial of service, denial of access to data, or both, to authorized users.
This risk assessment report evaluates the confidentiality (protection from unauthorized disclosure of system
and data information), integrity (protection from improper modification of information), and availability
(loss of system access) of the system. Recommended security safeguards will allow management to make
decisions about security related initiatives.
Risk Assessment Approach
This risk assessment was conducted using the methodology and approach in NIST SP 800-30, Risk
Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates
security vulnerabilities affecting confidentiality, integrity, and availability. The assessment recommends
appropriate security safeguards, permitting management to make knowledge-based decisions about
security-related initiatives.
Assessment
•	Threat Identification
•	Vulnerability Identification
•	Risk Likelihood
•	Impact Analysis
•	Risk Level
For likelihood assessment we will use the following rating system:
High: The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
Moderate: The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
Low: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.
For the Impact Analysis we will use the following rating system:
High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
Moderate: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; or (2) may noticeably affect an organization’s mission, reputation, or interest.
For the Risk Level rating system we will use the following system:
High: There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
Moderate: Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
Low: The system’s Authorizing Official must determine whether corrective actions are still required or decide to accept the risk.
11. Risk Assessment Chart

| Threat | Vulnerability | Likelihood | Impact | Risk level |
|---|---|---|---|---|
| Act of nature: wind, rain, flood, tornado (facility 1) | Damage to facility/facility is inoperable | Low | High | Low |
| Hazardous conditions: fire, chemical spill (facility 1) | Damage to facility/facility is inoperable | Low | High | Low |
| Act of nature: wind, rain, flood, tornado (facility 2) | Damage to facility/facility is inoperable | Low | High | Low |
| Hazardous conditions: fire, chemical spill (facility 2) | Damage to facility/facility is inoperable | Low | High | Low |
| System environmental failures: heat detection, sprinklers, HVAC (facility 1) | Damage to network/server equipment | Low | High | Low |
| System environmental failures: heat detection, sprinklers, HVAC (facility 2) | Damage to network/server equipment | Low | High | Low |
| Violent acts of man: attack on system or personnel | Damage to facility or to personnel vital to the system | Low | Moderate | Low |
| Errors or omissions: accidental actions by personnel | Unintended physical damage or system disruption | Moderate | Moderate | Moderate |
| Insider attack: actions taken by insiders meant to harm the organization | System compromised/crashes, access changes, eavesdropping, denial of service, reputation | Moderate | Moderate | Moderate |
| External attack: outsiders trying to harm the organization | System compromise/crashes, data harvesting, denial of service, reputation | Moderate | High | High |
| Malicious code: viruses, worms, malware | System compromised or crashes, data compromised, denial of service, reputation | Moderate | Moderate | Moderate |
| Physical intrusion or theft: facility compromised or theft of equipment (laptop) | Data or passwords compromised, hard copy output affected, reputation | Moderate | Moderate | Moderate |
| Legal or administrative actions: illegal act or due diligence failure by the organization (HIPAA) | Regulatory penalties, criminal and/or civil proceedings, damaged reputation | Low | High | Moderate |
| Social engineering: inadvertent exposure by phone or e-mail by authorized users | Data or passwords compromised, denial of service, reputation | High | High | High |
| Mishandling of critical/sensitive information | Data or passwords compromised, denial of service, reputation | Moderate | Moderate | Moderate |
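The rating scheme and the chart above, as an added example that is not part of the report: the Python below encodes the likelihood x impact matrix from NIST SP 800-30 (2002), Table 3-7, which the report names as its methodology, and re-derives each chart row's risk level so a reviewer can see where a documented level departs from the matrix. The weights and thresholds are taken from that table (an assumption about which edition the authors followed), and the rows are transcribed from the chart with the facility 2 duplicates folded in.

```python
"""Risk-level consistency check for a NIST SP 800-30 style risk register.

Added example, not part of the Century Hospital framework. The matrix below
is the one in NIST SP 800-30 (2002), Table 3-7; whether the report's authors
applied it literally is an assumption, so a mismatch is a review question,
not automatically an error.
"""
from dataclasses import dataclass

# SP 800-30 (2002) assigns numeric weights to the qualitative ratings and
# multiplies them; the product is bucketed back into Low/Moderate/High.
LIKELIHOOD_WEIGHT = {"low": 0.1, "moderate": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "moderate": 50, "high": 100}


def risk_score(likelihood: str, impact: str) -> float:
    """Return the SP 800-30 risk score (1..100) for a likelihood/impact pair."""
    return LIKELIHOOD_WEIGHT[likelihood.lower()] * IMPACT_WEIGHT[impact.lower()]


def risk_level(likelihood: str, impact: str) -> str:
    """Bucket the score into the three levels used in the report:
    above 50 is High, above 10 up to 50 is Moderate, 10 and below is Low."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


@dataclass(frozen=True)
class RiskRow:
    threat: str
    likelihood: str
    impact: str
    documented_level: str  # the level the chart records for this row


# Rows transcribed from the Risk Assessment Chart (facility 2 duplicates folded).
RISK_CHART = [
    RiskRow("Act of nature (facility 1)", "low", "high", "low"),
    RiskRow("Hazardous conditions (facility 1)", "low", "high", "low"),
    RiskRow("System environmental failures (facility 1)", "low", "high", "low"),
    RiskRow("Violent acts of man", "low", "moderate", "low"),
    RiskRow("Errors or omissions", "moderate", "moderate", "moderate"),
    RiskRow("Insider attack", "moderate", "moderate", "moderate"),
    RiskRow("External attack", "moderate", "high", "high"),
    RiskRow("Malicious code", "moderate", "moderate", "moderate"),
    RiskRow("Physical intrusion or theft", "moderate", "moderate", "moderate"),
    RiskRow("Legal or administrative actions", "low", "high", "moderate"),
    RiskRow("Social engineering", "high", "high", "high"),
    RiskRow("Mishandling of critical/sensitive information",
            "moderate", "moderate", "moderate"),
]


def find_inconsistencies(rows):
    """Return (threat, documented, derived) for every row whose documented
    level differs from the matrix-derived one. Assessors may deliberately
    rate above the matrix (a regulatory threat, for instance), but each such
    departure should be justified in the report."""
    findings = []
    for row in rows:
        derived = risk_level(row.likelihood, row.impact)
        if derived != row.documented_level.lower():
            findings.append((row.threat, row.documented_level, derived))
    return findings


if __name__ == "__main__":
    for threat, documented, derived in find_inconsistencies(RISK_CHART):
        print(f"{threat}: documented {documented}, matrix gives {derived}")
```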
For the Sensitivity Ratings in the Risk Mitigation Chart we will use the following rating system:

| Sensitivity Rating | Low | Moderate | High |
|---|---|---|---|
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protection of personal privacy and proprietary information [44 USC, SEC. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals |
| Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity [44 USC, SEC. 3542] | The modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals | The modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals | The modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals |
| Availability: Ensuring timely and reliable access to and use of information [44 USC, SEC. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, assets, or individuals | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, assets, or individuals | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals |
12. Sensitivity and Risk Mitigation

| Threat | Vulnerability | Confidentiality | Integrity | Availability | Risk mitigation |
|---|---|---|---|---|---|
| Act of nature (facility 1) | Damage to facility/facility is inoperable | Low | Moderate | Moderate | Mirrored facility to keep data integrity during issues with the other facility |
| Act of nature (facility 1) | Damage to facility/facility is inoperable | Low | Moderate | Moderate | Mirrored facility to keep data integrity during issues with the other facility |
| Hazardous conditions (facility 1) | Damage to facility/facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility |
| Hazardous conditions (facility 2) | Damage to facility/facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility |
| Environmental system failures (facility 1) | Damage to facility/facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility |
| Environmental system failures (facility 2) | Damage to facility/facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility |
| Violent acts of man: attack on facility or personnel | Damage to facility/facility is inoperable; loss of vital personnel | Low | Low | Moderate | Mirrored facility to keep data integrity during issues with the other facility. Physical security (human and surveillance) on site to protect employees and equipment |
| Errors or omissions: accidental | Unintended physical damage or system disruption | Moderate | Moderate | Moderate | Training employees to be detail oriented in their use of the system. Making sure employees are accountable for all actions. |
| Insider attack: meant to harm the organization | System compromised, access changes, eavesdropping, DoS | High | High | Moderate | Difficult to mitigate. IT employees need to monitor the system for irregularities, such as files being accessed that seem out of place. |
| External attack: outsiders trying to harm the organization | System compromised, access changes, eavesdropping, DoS | High | High | High | Firewalls, intrusion detection systems, intrusion prevention systems, continuous monitoring of the system, being aware of all the latest hacker techniques. |
| Malicious code: viruses, worms and malware | System compromised, access changes, eavesdropping, DoS | High | High | High | Firewalls, intrusion detection systems, intrusion prevention systems, continuous monitoring of systems, being aware of the latest hacker techniques |
| Physical intrusion or theft of equipment (laptops) | Data or passwords compromised, hard copy output affected, reputation | High | High | Moderate | Physical security of facilities, security education and training awareness program, encryption systems and policies |
| Legal or administrative actions: illegal acts or due diligence failures | Regulatory penalties, criminal and/or civil proceedings, damaged reputation | High | High | Low | Code of conduct policy, confidentiality policy, SETA program, continuous training in all departments pertaining to their regulatory responsibilities (HIPAA) |
| Social engineering: inadvertent exposure | Data or passwords compromised, denial of service, reputation | High | High | Moderate | SETA program; all employees need to understand the importance of confidentiality at all times |
| Mishandling of critical/sensitive information | Data or passwords compromised, denial of service, reputation | High | High | Moderate | SETA program; all employees need to understand the importance of confidentiality at all times |
13. Compliance Framework
13.1 National Institute of Standards and Technology (NIST)
SP 800-12 – An Introduction to Computer Security: The NIST Handbook
	Compliance: Entire CH Security Framework
SP 800-13 – Telecommunication Security Guidelines for Telecommunication Management Network
	Compliance: Entire CH Security Framework
SP 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems
	Compliance: Entire CH Security Framework
SP 800-16 – Information Technology Security Training Requirements: A Role- and Performance-Based Model
	Compliance: Security Awareness and Training Policy establishment and execution will be carried out by Officers of the Security Team
SP 800-23 – Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested/Evaluated Products
	Compliance: Entire CH Security Framework
SP 800-30 Rev 1 – Guide for Conducting Risk Assessments
	Compliance: Security Blueprint, Risk Assessment Report and Risk Mitigation Report
SP 800-34 – Contingency Planning Guide for Federal Information Systems, Nov. 11, 2010
	Compliance: Backup, Disaster Recovery, Contingency Plan, and Incident Response Policies
SP 800-36 – Guide to Selecting Information Technology Security Products
	Compliance: Monitoring Trends in Network Security, part of the Security Analyst position
SP 800-37 Rev 1 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
	Compliance: Security Blueprint, Risk Assessment Framework, and Risk Mitigation Report
SP 800-46 Rev 1 – Guide to Enterprise Telework and Remote Access Security
	Compliance: Remote Access Policy
SP 800-50 – Building an Information Technology Security Awareness and Training Program
	Compliance: Security Awareness and Training Policy
SP 800-61 Rev 2 – Computer Security Incident Handling Guide
	Compliance: Incident Response, Contingency, and Disaster Recovery Policies
SP 800-83 – Guide to Malware Incident Prevention and Handling
	Compliance: Encryption, Workstation, and Incident Response Policies
SP 800-92 – Guide to Computer Security Log Management
	Compliance: Encryption and Workstation Policies
SP 800-94 – Guide to Intrusion Detection and Prevention Systems
	Compliance: Encryption Policy
SP 800-100 – Information Security Handbook: A Guide for Managers
	Compliance: Entire CH Security Framework
SP 800-114 – User’s Guide to Securing External Devices for Telework and Remote Access
	Compliance: Remote Access Policy
SP 800-115 – Technical Guide to Information Security Testing and Assessment
	Compliance: Encryption Policy
SP 800-116 – A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS)
	Compliance: Physical Security Policy
SP 800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
	Compliance: Code of Conduct, Confidentiality, and Incident Response Policies
SP 800-123 – Guide to General Server Security
	Compliance: Encryption, Physical Security, and Incident Response Policies
SP 800-128 – Guide for Security-Focused Configuration Management of Information Systems
	Compliance: Entire CH Security Framework
SP 800-137 – Information Security Continuous Monitoring for Federal Information Systems and Organizations
	Compliance: Entire CH Security Framework
13.2 Health Insurance Portability and Accountability Act (HIPAA)
The Purpose of the Privacy Rule as Defined by the Health and Human Services Department
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other
personal health information and applies to health plans, healthcare clearinghouses, and those healthcare
providers that conduct certain health transactions electronically. The rule requires appropriate safeguards
to protect the privacy of personal health information (PHI), and sets limits and conditions on the uses and
disclosures that may be made of such information without patient authorization. The Rule also gives patients
rights over their health information, including rights to examine and obtain a copy of their health records,
and to request corrections.
Century Hospital Compliance to the Privacy Rule
•	Compliance/Privacy Officer
•	Confidentiality and Code of Conduct policies
•	Security and Education Awareness policy
Purpose of Security Rule as defined by the Health and Human Services Department
The primary goal of the HIPAA Security Rule is to protect the privacy of individuals’ health information while
still allowing entities to adopt new technologies to improve the quality and efficiency of patient care. Given
that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a
covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s
particular size, organizational structure and risks to consumers’ e-PHI.
Century Hospital Compliance to the Security Rule
•	Risk Analysis and Management Compliance: Risk Assessment Report, Sensitivity and Risk Mitigation Report
•	Security Management Process Compliance: The entire Century Hospital (CH) Security Framework
•	Security Personnel: The duties of the CIO position are defined in the CH Security Framework
•	Work Force Training and Management Compliance: Security Education and Training Awareness Policy
•	Evaluation Compliance: Described in the entire CH Security Framework
Physical Safeguards
•	Facility access and Control Compliance: Physical Security Policy
•	Workstation and Device Security Compliance: Workstation Security Policy
Technical Safeguards
•	Access Control Compliance: Password Policy
•	Audit Controls Compliance: Defined throughout CH Security Framework
•	Integrity Controls Compliance: Code of Conduct, Confidentiality, Encryption, Workstation, and Backup
Policies
•	Transmission Security Compliance: Encryption Policy
14. References
Chief Information Officer
http://www.humanresources.hrvinet.com/cio-job-description/
http://www.americasjobexchange.com/chief-information-officer-job-description
http://www.humanresources.hrvinet.com/cio-job-specification/
Data Protection Officer
www.britishlegion.org.uk/media/1614687/jobdesc_dataprotectionoff.pdf
http://friendsofquest.com/DataProtection/data-protection-officer-job-description
Compliance Officer
www.ache.org/newclub/career/comploff.cfm
IT Security Analyst
www.humanresourses.hrvinet.com/computer-security-specialist-description/
www.iseek.org
Code of Conduct Policy
http://www.sans.org/security-resources/policies/general/pdf/ethics-policy
Confidentiality Policy
http://saskschoolsprivacy.com/wp-content/uploads/2013/09/SamplePolicy_Confidentiality.pdf
http://www.councilofnonprofits.org/files/SAMPLE%20Confidentiality%20Agreements.pdf
Password Security Policy
http://www.sans.org/security-resources/policies/general/pdf/password-protection-policy
Password Construction Guidelines
http://www.sans.org/security-resources/policies/general/pdf/password-construction-guidelines
http://eits.uga.edu/access_and_security/infosec/pols_regs/policies/passwords/password_standard
Acceptable Encryption Policy
http://www.sans.org/security-resources/policies/general/pdf/acceptable-encryption-policy
http://cpcstech.com/pdf/acceptable_encryption_policy.pdf
Workstation Security Policy
http://www.sans.org/security-resources/policies/server-security/pdf/workstation-security-for-hipaa-policy
http://phelc.org/downloads/policy-proced/Workstation%20Security.pdf
Remote Access Policy
http://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy
http://doit.maryland.gov/support/Documents/security_guidelines/Remote_Access_Policy.pdf
Data Backup Policy
http://www.comptechdoc.org/independent/security/policies/backup-policy.html
Physical Security Policy
http://www.sans.org/reading-room/whitepapers/physical/implementing-robust-physical-security-1447
http://weill.cornell.edu/its/policy/data/12-2-physical-security.html
Contingency Plan Policy
http://maricopa.gov/technology/pdf/TEMPLATE_Information_Security_Contingency_Planning_Policy.docx
http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf
Incident Response Plan Policy
https://www.sans.org/security-resources/policies/general/pdf/security-response-plan-policy
http://savannahstate.edu/faculty-staff/computer-services/docs/Policies/10-4%20Security%20Incident%20Response%20Policy.pdf
Disaster Recovery Plan Policy
http://www.sans.org/security-resources/policies/general/pdf/disaster-recovery-plan-policy
http://weill.cornell.edu/its/policy/operations/15-5-disaster-recovery-policy.html
Security Awareness and Training Policy
http://it.ouhsc.edu/policies/Security_Awareness_and_Training_Policy.asp
http://chpw.org/assets/file/Security-Awareness-and-Training-Policy.pdf
Risk Assessment and Mitigation
http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
Compliance Framework
http://csrc.nist.gov/publications/PubsSPs.html
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
CenturyHospital-v5

  • 2. Century Hospital Security Framework i Table of Contents 1. Executive Summary......................................................................................................... 1 2. Century Hospital Introduction........................................................................................ 1 3. Security Policy.................................................................................................................. 1 4. Chief Information Officer................................................................................................2 5. Data Protection Officer...................................................................................................3 6. Compliance/Privacy Officer.............................................................................................4 7. IT Security Analyst...........................................................................................................5 8. Security Policies...............................................................................................................6 8.1 Code of Conduct Policy.................................................................................................6 8.2 Confidentiality Policy.....................................................................................................8 8.3 Password Security Policy..............................................................................................9 8.4 Password Construction Guidelines............................................................................ 10 8.5 Acceptable Encryption Policy......................................................................................12 8.6 Workstation Security Policy........................................................................................ 14 8.7 Remote Access Policy................................................................................................. 
15 8.8 Data Backup Policy...................................................................................................... 17 8.9 Physical Security Policy...............................................................................................20 8.10 Contingency Plan Policy............................................................................................22 8.11 Incident Response Plan Policy...................................................................................24 8.12 Disaster Recovery Plan Policy...................................................................................26 8.13 Security Awareness and Training Policy................................................................... 31 9. Security Blueprint..........................................................................................................33 10. Risk Assessment Report..............................................................................................34 11. Risk Assessment Chart.................................................................................................36 12. Sensitivity and Risk Mitigation....................................................................................38 13. Compliance Framework.............................................................................................. 40 14. References...................................................................................................................43
  • 3. Century Hospital Security Framework 1 1. Executive Summary The purpose of this document of defining the security policy through the National Institute of Standards and Technology for all executives, employees and contractors for Century Hospital. It is required that all mentioned will be expected to read and follow all stated policies, procedures and guidelines of Century Hospital’s security policies. We must all strive to keep our patients and fellow employees safe and secure at all times. We must always ensure that are patients privacy is always maintained to the letter of the law. 2. Century Hospital Introduction Century hospital is a county run, level 1 trauma center that has been providing health care services to the Twin Cities metropolitan area for 75 years. Over the last 10 years we have expanded and updated our facilities to provide better care for the community at large. We offer treatment for the whole range of medical needs for thecommunityfrommentalhealthtoworldclassemergencycare.OurBurnUnitandEmergencyDepartment are considered to be the best in the Twin Cities area and receive the most severe and difficult cases in the area. We are also a teaching facility with medical students from local colleges as well as the University of Minnesota. We take pride in the fact we our providing the training and experience for the next generation of health professionals in the region. By providing this valuable experience it also gives us the opportunity to retain the best students and keep Century Hospital staffed with the very best health care professionals possible. We have received many awards over the years, in 2012 and 2013 US news and World Report placed Century Hospital on their Top 100 list of Hospitals in the United States. We continue our commitment to offer the best medical care possible to the community, this is our number one goal. 3. 
Security Policy All employees and affiliates will comply with all state and federal laws (HIPAA), protecting information security and all assets of all persons involved. Upholding the business ethical standards, which includes maintaining integrity of business conduct, which safeguards the information and assets of the business, patients and employees. Annual education will be provided for continued compliance of security procedures to prevent unauthorized access to the information and assets of the business. Any breach of policy could result in disciplinary and/or legal action, which may include termination.
  • 4. Century Hospital Security Framework 2 4. Chief Information Officer The Chief Information Officer (CIO) is responsible for identifying and planning the goals and strategies for implementing information technology. The CIO works closely with the executive team, proposing cost- effective strategies that increase information technology productivity and security. The CIO manages a team of information technology specialists that implement the day-to-day information technology needs and co-create effective policies to meet those needs. Responsibilities • Provide technological guidance within the organization. • Manage the daily operations of the information technology team, including the network infrastructure for LAN and WAN connectivity. • Manage the daily operations of the information security team, safeguarding against potential security threats. • Oversee the development, design, and implementation of new applications and changes to existing computer systems and software packages. • Developandimplementstrategicplansfortheongoinginformationtechnologyneedsoftheorganization due to growth and technological advances. • Ensure all creation and maintenance of information security policies and procedures. • Establish and direct security mitigation to ensure compliance of law while maintaining information technology productivity. • Oversee the information security team to ensure policies and procedures are implemented. • Review the quarterly information security audit and implement necessary changes to policies and procedures to safeguard data. • Oversee all data breaches that arise. Documenting all measures taken to resolve security breaches to mitigate future data breaches. • Advise senior management on information technology needs and strategic plans to support the goals and objectives of the organization. Requirements • Master’s Degree in Information Systems or related field with CISPP Certification or equivalent. 
• Six (6) years of information technology experience. • Three (3) years of senior level management. • Familiarity with health care or health care related organization. • Experience developing and implementing policies and procedures. • Experience with HIPPA and other laws related to patient records. • Demonstrated experience with project management. • Excellent verbal, written and listening skills.
  • 5. Century Hospital Security Framework 3 5. Data Protection Officer The Data Protection Officer (DPO) is responsible for maintaining the security of data within the organization. The DPO must be versed in data protection laws, particularly HIPPA, to ensure that our organization is compliant and all measures have been taken to protect the data of patients and employees. The DPO will work closely with the information security team to ensure all members are aware of the laws and regulations required to safeguard all sensitive data. The DPO will assist with policies and procedures developed and maintained, as well as provide information necessary for annual data security training of all employees. Responsibilities • Maintain federal and state law compliance to protect and secure information by developing and implementing policies and procedures preventing and/or detecting law violations. • Manage a team of security professionals to ensure compliance of laws. • Work closely with the Information Security Team in creating and maintaining policies and procedures. • Inform Information Security Team immediately of changes to HIPPA or other laws pertaining to data security. • Address every day privacy issues throughout the organization. • Report to the CIO the appropriate measures that must be implemented to safeguard information to the full extent of the law. • Be directly involved in all data breaches, working closely with the Information Security Team to ensure incidentresponseismonitoredanddocumentedaspertainingtoanylegalbreachthatrequiresimmediate reporting to the CIO. • Conduct quarterly audits to ensure the compliance of HIPPA and other data protection laws. • Continued education to Information Security Team and Century Hospital’s employees of privacy and data protection laws to ensure the organization is in compliance. • Educating Century Hospital about new methods to safeguard information and maintain awareness of the laws to the organization where necessary. 
Requirements • Bachelor’s Degree in IT or Computer Science with six (6) years of security experience. • Hold a CCIE Security Certification or CCNP Security Certification with equivalent experience. • In-depth knowledge of HIPPA, and other federal and state data protection laws. • Ability to draft policies and procedures and training materials. • Ability to manage a team. • Excellent collaboration skills. • Ability to work independently. • Excellent written and verbal communication skills.
  • 6. Century Hospital Security Framework 4 6. Compliance/Privacy Officer The Compliance/Privacy Officer is responsible for monitoring and reporting results of the compliance/ ethics efforts of Century Hospital and to provide guidance for senior management on matters relating to compliance. The Compliance/Privacy Officer will work with the Executive team to develop, initiate, maintain and revise policies and procedures pertaining to security and HIPAA compliance. Respnsibilities • Act as an independent review and evaluation body to ensure that compliance issues/concerns within Century Hospital are being appropriately evaluated, investigated, and resolved. • Collaborate with other departments to direct compliance issues to appropriate existing channels for investigation and resolution. • Consult with the corporate attorney as needed to resolve difficult compliance issues. • Respond to alleged violation of rules, regulations, procedures, and Standards of Conduct by evaluating or recommending the initiation of investigative procedures. • Develop and oversee a uniform handling of compliance violations. • Ensure proper reporting of violations or potential violations to duly authorized enforcement agencies as appropriate or required. • Establish and provide direction and management of the compliance Hotline. • Institute and maintain an effective compliance communication program including: »» Use of the Compliance Hotline. »» Heightened awareness of the Standards of Conduct. »» Understand and communicate new and existing compliance issues and related policies and procedures. Requirements • Bachelor’s Degree in Business Administration • Ten (10) years of health care senior level management • Complete understanding of the Health Insurance Portability and Accountability Act (HIPAA) • Ability to quickly implement necessary change within an organization • Excellent verbal, written, and listening skills
  • 7. Century Hospital Security Framework 5 7. IT Security Analyst The IT Security Analyst is responsible for maintaining the security and integrity of all Century Hospital data. The IT Security Analyst will work to effectively analyze all security measures of Century Hospital as well as implement any training including instructing staff on proper security measures both in the office and on-line. The Security Analyst must work with business administrators as well as IT professionals to communicate flaws in the security systems and recommend any and all improvements to the overall security of Century Hospital. Responsibilities • Assist with the development and maintenance of security policies, procedures, and guidelines based on industry best practices and compliance requirements (HIPAA). • Monitor the use of data files and regulate access to safeguard information in computer files. • Review violations of computer security procedures and discuss procedures with violators to ensure violations are not repeated. • Trainusersandpromotesecurityawarenesstoensuresystemsecurityandtoimproveserverandnetwork efficiency. • Developplanstosafeguardcomputerfilesagainstaccidentalandunauthorizedmodification,destruction, or disclosure and to meet emergency processing needs. • Perform risk assessments and execute tests of data processing system to ensure functioning of data processing activities and security measures. • Encryptdatatransmissionsanderectfirewallstoconcealconfidentialinformationasitisbeingtransmitted and to keep out tainted digital transfers. • Document computer security and emergency measures, policies, procedures, and tests. • Monitor current reports of computer viruses to determine when to update virus protection systems. 
Requirements • Bachelor’s Degree in Information technology or Information technology security • Three (3) to five (5) years experience in Information technology security • Familiarity with health care or health care organizations • Strong aptitude for project management and problem solving skills • Strong verbal and written communication skills with the ability to communicate with people of varying degrees of IT knowledge. • CISSP, CISA, and other applicable security information certifications
  • 8. Century Hospital Security Framework 6 8. Security Policies 8.1 Code of Conduct Policy Overview Century Hospital is committed to protecting employees, partners, vendors, and the company from illegal and damaging actions by individuals, either knowingly or unknowingly. When Century Hospital addresses issues proactively and uses correct judgment, it will help set us apart from competition. Century Hospital will not tolerate any wrong doing or impropriety at any time. Century Hospital will take the appropriate measures and act quickly in correcting the issue of the Code of Conduct Policy. Purpose The purpose of this policy is to establish a culture of openness and trust, and emphasize the employee’s and patient’s expectations to be treated to fair business practices. This policy will serve to guide business behavior to ensure respectful and ethical conduct. Effective conduct and ethics is a team effort involving the participation and support of every Century Hospital employee. All employees should familiarize themselves with the Code of Conduct guidelines that follow this introduction. Scope This policy applies to employees, contractors, consultants, temporaries, and other workers at Century Hospital, including all personal affiliated with third parties. Policy Executive Commitment to Ethics and the Code of Conduct • Senior leaders and executives within Century Hospital must set a prime example. In any business practice, honesty and integrity must be a top priority for executives. • Executives must have an open door policy and welcome suggestions and concerns from employees. This will allow employees to feel comfortable discussing any issues and will alert executives to concerns within the work force. • Executives must disclose any conflict of interests regarding their position within Century Hospital. 
Employee Commitment to Ethics and the Code of Conduct • Century Hospital employees will treat everyone fairly, have mutual respect, promote a team environment and avoid the intent and appearance of unethical or compromising practices. • Every employee needs to apply effort and intelligence in maintaining ethics and code of conduct values. • Employees must disclose any conflict of interest regarding their position within Century Hospital. • Employees should consider the following questions to themselves when any behavior is questionable: »» Is the behavior legal? »» Does the behavior reflect Century Hospital’s values and culture?
  • 9. Century Hospital Security Framework 7 »» Could the behavior adversely affect company shareholders? »» Would you feel particularly concerned if the behavior appeared in a news headline? »» Could the behavior adversely affect Century Hospital if all employees did it? Company Awareness Promotion of ethical conduct within interpersonal communications of employees will be rewarded. Century Hospital will promote a trustworthy and honest atmosphere to reinforce the vision of ethics within the company. Unethical Behavior CenturyHospitalwillavoidtheintentandappearanceofunethicalorcompromisingpracticesinrelationships, actions, and communications. Century Hospital will not tolerate harassment or discrimination. Century Hospital will not permit impropriety at any time and will act ethically and responsibly In accordance with the law. Century Hospital employees will not use corporate assets or business relationships for personal gain. Policy Compliance Compliance Measurement The Information Security Team is responsible for verifying compliance of this policy and will use various methods to ensure compliance which includes, but not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner. Exceptions Any exception to this policy must be approved by the Information Security Team in advance. Non-Compliance Violation of this policy by any employee may be subject to disciplinary action, including the possibility of termination.
  • 10. Century Hospital Security Framework 8 8.2 Confidentiality Policy Overview All information concerning patients, former patients, staff, students, patient records and business records of Century Hospital are confidential. “Confidential” means you are free to talk about Century Hospital and your position in the organization but you are not allowed to disclose patient’s names or talk about them in ways so that their identity be known. No information may be released without appropriate authorization. This is a basic component of patient care and business practices. Century Hospital expects you to respect the privacy of patients and to maintain their personal and patient information as confidential. Failure to maintain confidentiality may result in termination of your employment or other corrective action. This policy is intended to protect you as well as Century Hospital, because, in extreme cases, violations may result in personal liability. Purpose Confidentiality is the preservation of privileged information. By necessity the sharing of personal and private information is disclosed in a professional working relationship. Part of what you learn is necessary to patient care; other information is shared within the development in a helping and trusting relationship. Therefore, most information gained about individual patients through an assignment is confidential in terms of the law, and disclosure could make you and Century Hospital legally liable. Scope This policy applies tom all Century Hospital employees, contractors, vendors, students and agents. This policy applies to all confidential information concerning Century Hospital patients. Policy The patient has his or her right to expect that all aspects of their care will be treated as confidential. Physicians, Nurses, Therapists, and Consultants giving direct care may read and enter information on a patient’s chart. 
Privacy is established for patients when examining, interviewing or sharing information by drawing the curtain or closing the door. Verbalization of the patients is not shared with those not participating in the patients care. Discretion is used when maintaining confidentiality during meetings, when using telephone or other electronic communication. Information covered by this policy can include written, unwritten or stored electronically Subject to any legislation or regulation, any personal and confidential information shall be released only as required in the necessary course of employment and only by those authorized to release such information. Policy Compliance Failure to comply with the Confidentiality Policy may be subject to disciplinary action up to and including termination of employment.
  • 11. Century Hospital Security Framework 9 8.3 Password Security Policy Overview Passwords are a security measure to protect Century Hospital from unauthorized access and/or exploitation of Century Hospital’s resources. Choosing insecure passwords place Century Hospital at risk for security breaches. All users, including third party contractors and vendors, are responsible for taking the necessary steps in selecting secure passwords to secure against unauthorized access to the Century Hospital systems. Purpose The purpose of this policy is to establish a standard for the creation of strong passwords, to protect those passwords, and for the frequency of change of the passwords. Scope The scope of this policy includes all personnel who have been given the responsibility of an account, and/or any form of access that supports or requires a password, on any system that is connected to the Century Hospital’s infrastructure, including access to the network, or any electronic storage of non-public organizational information. Policy Password Change All system-level passwords (including root, enable, NT admin, application administration accounts and others) must be changed bimonthly (every two months). All user-level passwords (including email, web, desktop computers and others) must be changed every six months, recommended every four months. Password cracking or guessing may be performed by the Information Security Team on a random basis. If a password is cracked during this process, the user must change their password in compliance with the Password Construction Guidelines. Password Protection • All passwords are to be treated as sensitive information of the Century Hospital and must not be shared with anyone. • Passwords must not be saved on any form of electronic medium unless encrypted. • Passwords must not be inserted or communicated through email or other forms of electronic communication. • Passwords must not be communicated to any over the phone. 
• Passwords must not be revealed on questionnaires or security forms. • Do not hint at the format of a password (such as “my street address”). • Passwords must not be shared with anyone at any time, including managers, administrative assistants, co-workers or family members. • Do not write passwords down and store anywhere within Century Hospital.
• Never use the “Remember Password” feature of applications such as web browsers.
• If, for any reason, a user believes that his/her password has been compromised, the incident must be reported and all passwords must be changed.

Application Development
Application developers must follow these security precautions in their programs:
• Applications must encrypt all passwords; passwords are never to be stored in clear text or in any easily reversible form.
• Applications must not transmit passwords over the network without encryption.
• Applications must provide role management, such that the functions of one user can be taken over by another without knowing the user’s password.

Use of Passphrases
Generally a passphrase is used for public/private key authentication. A passphrase is a longer version of a password, which makes it more secure. All the rules that apply to passwords also apply to passphrases.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
Password Construction Guidelines

8.4 Password Construction Guidelines

Overview
Passwords are a security measure to protect Century Hospital from unauthorized access and/or exploitation of Century Hospital’s resources. Choosing insecure passwords places Century Hospital at risk of security breaches. This guideline provides best practices for creating secure passwords.

Purpose
The purpose of this guideline is to provide best practices for the creation of strong passwords.
Scope
This guideline applies to all personnel at Century Hospital, including temporary employees and all third parties affiliated with Century Hospital. This guideline applies to all passwords on any system that is connected to Century Hospital’s infrastructure, including, but not limited to, user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

Statement of Guidelines
All passwords should meet or exceed the following guidelines.

Strong passwords have the following characteristics:
• Contain at least 12 characters.
• Contain both upper and lower case letters.
• Contain at least one numeric character.
• Contain at least one special character (for example, !@#$%^&*()_?/><[]{}=+:,”:;).

Weak, or poor, passwords have the following characteristics:
• Contain fewer than eight characters.
• Contain words that can be found in a dictionary, including foreign words, or language considered to be slang, dialect, or jargon.
• Contain personal information such as names, birthdates, addresses, phone numbers, pets and character names.
• Contain personal information with easy substitutions (for example, William as w1ll1am, where 1=i).
• Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
• Contain number patterns such as yyyzzz, abcdefg, or 321123.
• Contain common words spelled backward or preceded by a number or special character.

Passwords should never be written down. Create a password that can be easily remembered.

Use of Passphrases
Generally a passphrase is used for public/private key authentication. A passphrase is a longer version of a password, which makes it more secure. All the rules that apply to passwords also apply to passphrases.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.
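The two policies above fit together at the point where an application creates an account: the Password Construction Guidelines (8.4) decide whether a password is acceptable, and the Application Development rules of the Password Security Policy (8.3) decide how it is stored. The following is an added example, not code from the Century Hospital framework, showing both steps in Python. The dictionary and work-term lists, the substitution table and the sample passwords are constructed for the demonstration; a real deployment would load a full dictionary and the user's personal details (names, birthdate, address) from the HR or identity system. Storage uses salted PBKDF2-HMAC-SHA256 from the standard library, which satisfies the "never clear text, never easily reversible" requirement.

```python
"""Added example (not part of the Century Hospital framework): enforce the
Password Construction Guidelines (8.4) at account creation, then store the
password as the Password Security Policy (8.3) requires of applications.
Word lists, substitution table and sample passwords are constructed."""
import hashlib
import hmac
import os
import re
import string

# Constructed stand-ins for a dictionary/jargon list and for work-related terms.
DICTIONARY = {"password", "welcome", "summer", "admin", "letmein", "qwerty"}
WORK_TERMS = {"century", "hospital", "radius", "building", "server"}
SPECIALS = set("!@#$%^&*()_?/><[]{}=+:,\":;")
# Easy substitutions the guideline warns about (w1ll1am -> william, 1 = i).
LEET = str.maketrans({"1": "i", "0": "o", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def has_pattern(pw: str, run: int = 3) -> bool:
    """True for sequences such as abc / 321 and repeats such as yyyzzz."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({1}, {-1}):
            return True
    return re.search(r"(.)\1\1", s) is not None


def check_password(pw: str, personal: frozenset = frozenset()) -> list:
    """Return the guideline violations found; an empty list means acceptable."""
    problems = []
    if len(pw) < 12:
        problems.append("fewer than 12 characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one numeric character")
    if not any(c in SPECIALS for c in pw):
        problems.append("needs at least one special character")
    # Undo substitutions and drop a leading/trailing digit or symbol so that
    # "Password1" and "1drowssap" are still recognised as the dictionary word.
    norm = pw.lower().translate(LEET)
    core = norm.strip(string.digits + string.punctuation)
    banned = DICTIONARY | WORK_TERMS | {p.lower() for p in personal}
    for word in sorted(banned):
        if len(word) >= 4 and (word in norm or word[::-1] in core):
            problems.append(f"contains a dictionary, work-related or personal word ({word!r})")
            break
    if has_pattern(pw):
        problems.append("contains a character sequence or repeated pattern")
    return problems


def hash_password(pw: str, iterations: int = 600_000) -> str:
    """Salted, one-way PBKDF2-HMAC-SHA256; the stored string cannot be reversed."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(pw: str, personal: frozenset = frozenset()) -> str:
    """Reject passwords that break the guidelines; otherwise return the stored form."""
    problems = check_password(pw, personal)
    if problems:
        raise ValueError("; ".join(problems))
    return hash_password(pw)


if __name__ == "__main__":
    print(check_password("w1ll1am@Home2024", frozenset({"William"})))
    print(check_password("Quartz!Lemon7pancake"))
```

The `personal` argument is how the "personal information" and "easy substitutions" rules are applied: the caller passes the user's own names and the check normalises the candidate before comparing, so `w1ll1am@Home2024` is rejected for a user named William even though it meets the length and character-class rules.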
8.5 Acceptable Encryption Policy

Overview
See Purpose.

Purpose
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed and that legal authority is granted for the dissemination and use of encryption technologies outside the United States.

Scope
The scope of this policy includes all employees and affiliates of Century Hospital.

Policy
Proven, standard algorithms should be used as the basis for encryption technologies. The use of proprietary encryption algorithms is not allowed for any purpose. Be aware that the export of encryption technologies is restricted by the U.S. Government.

Algorithm Requirements
Ciphers in use must meet or exceed the set defined as “AES-compatible” or “partially AES-compatible” according to the IETF/IRTF Cipher Catalog, or the set defined for use in the United States National Institute of Standards and Technology (NIST) publication FIPS 140-2, or any superseding documents according to the date of implementation. The use of the Advanced Encryption Standard (AES) is strongly recommended for symmetric encryption.

Algorithms in use must meet the standards defined for use in NIST publication FIPS 140-2 or any superseding document, according to the date of implementation. The use of the RSA and Elliptic Curve Cryptography (ECC) algorithms is strongly recommended for asymmetric encryption.

Signature Algorithms
Algorithm   Key Length (min)   Additional Comment
ECDSA       P-256              Cisco Legal recommends RFC6090 compliance to avoid patent infringement.
RSA         2048               Must use a secure padding scheme. PKCS#7 padding scheme is recommended. Message hashing required.
LDWM        SHA256             Refer to LDWM Hash-based Signatures Draft.
Hash Function Requirements
Century Hospital adheres to the NIST Policy on Hash Functions.

Key Agreement and Authentication
• Key exchanges must use one of the following cryptographic protocols: Diffie-Hellman, IKE, or Elliptic Curve Diffie-Hellman (ECDH).
• End points must be authenticated prior to the exchange or derivation of session keys.
• Public keys used to establish trust must be authenticated prior to use. Examples of authentication include transmission via a cryptographically signed message or manual verification of the public key hash.
• All servers used for authentication (such as RADIUS or TACACS) must have a valid certificate installed, signed by a known, trusted provider.
• All servers and applications using SSL or TLS must have their certificates signed by a known, trusted provider.

Key Generation
• Cryptographic keys must be generated and stored in a secure manner that prevents loss, theft, or compromise.
• Key generation must be seeded from an industry-standard random number generator (RNG).

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
IETF/IRTF Cipher Catalog, http://tools.ietf.org/html/draft-irtf-cfrg-cipher-catalog-01
NIST publication FIPS 140-2, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2010.htm
LDWM Hash-based Signatures Draft, http://tools.ietf.org/html/draft-mcgrew-hash-sigs-00
NIST Policy on Hash Functions, http://csrc.nist.gov/groups/ST/hash/policy.html
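Compliance Measurement for this policy means, in practice, comparing what each service actually uses against the Algorithm Requirements, the Signature Algorithms table and the Key Agreement and Key Generation rules. The following is an added example, not code from the Century Hospital framework, that runs that comparison over a small inventory in Python. The inventory records, the trusted-provider list and the RNG names are constructed for the demonstration; the minimums (RSA 2048, ECDSA P-256, AES for symmetric encryption, Diffie-Hellman/IKE/ECDH for key exchange) come from the policy text, and the hash rule reflects the NIST hash policy the page adopts, under which the SHA-2 family is acceptable and MD5 and SHA-1 are not acceptable for digital signatures.

```python
"""Added example (not part of the Century Hospital framework): audit an
inventory of services' cryptographic settings against the Acceptable
Encryption Policy (8.5).  Records, trusted providers and RNG names are
constructed; thresholds come from the policy text."""

TRUSTED_PROVIDERS = {"DigiCert", "Let's Encrypt", "Century Hospital Internal CA"}  # constructed
APPROVED_KEX = {"DH", "IKE", "ECDH"}          # Key Agreement and Authentication
MIN_BITS = {"RSA": 2048, "ECDSA": 256}        # Signature Algorithms table (P-256 = 256 bits)
APPROVED_HASHES = {"SHA256", "SHA384", "SHA512"}  # SHA-2 under the NIST hash policy
STANDARD_RNGS = {"/dev/urandom", "getrandom", "BCryptGenRandom"}  # assumption


def audit(rec: dict) -> list:
    """Return policy findings for one service record (empty list = compliant)."""
    findings = []
    sym = rec.get("symmetric", "")
    if sym and not sym.upper().startswith("AES"):
        findings.append(f"symmetric cipher {sym} is not AES; verify it is FIPS 140-2 approved")
    if rec.get("proprietary"):
        findings.append("proprietary encryption algorithm is not allowed for any purpose")
    sig = rec.get("signature")
    if sig:
        alg = sig["alg"].upper()
        if alg in MIN_BITS and sig["bits"] < MIN_BITS[alg]:
            findings.append(f"{alg} key of {sig['bits']} bits is below the {MIN_BITS[alg]}-bit minimum")
        if alg == "RSA" and not sig.get("padding"):
            findings.append("RSA signature without a declared padding scheme")
        digest = sig.get("hash", "").upper().replace("-", "")
        if digest not in APPROVED_HASHES:
            findings.append(f"signature hash {sig.get('hash')!r} not acceptable under the NIST hash policy")
    kex = rec.get("key_exchange", "")
    if kex and kex.upper() not in APPROVED_KEX:
        findings.append(f"key exchange {kex}: must be Diffie-Hellman, IKE or ECDH")
    cert = rec.get("certificate")
    if cert and (cert.get("self_signed") or cert.get("issuer") not in TRUSTED_PROVIDERS):
        findings.append("certificate is not signed by a known, trusted provider")
    rng = rec.get("keygen_rng", "")
    if rng and rng not in STANDARD_RNGS:
        findings.append(f"keys generated with non-standard RNG {rng!r}")
    return findings


# Constructed records, not a real Century Hospital inventory.
INVENTORY = [
    {"service": "patient-portal", "symmetric": "AES-256-GCM",
     "signature": {"alg": "RSA", "bits": 2048, "padding": "PSS", "hash": "SHA-256"},
     "key_exchange": "ECDH", "certificate": {"issuer": "DigiCert"},
     "keygen_rng": "/dev/urandom"},
    {"service": "radius",
     "signature": {"alg": "ECDSA", "bits": 256, "hash": "SHA256"},
     "key_exchange": "IKE", "certificate": {"issuer": "Century Hospital Internal CA"}},
    {"service": "legacy-vpn", "symmetric": "3DES", "proprietary": False,
     "signature": {"alg": "RSA", "bits": 1024, "padding": "PKCS1v15", "hash": "SHA1"},
     "key_exchange": "RSA", "certificate": {"issuer": "legacy-vpn", "self_signed": True},
     "keygen_rng": "rand()"},
]


def audit_inventory(inventory=INVENTORY) -> dict:
    """Map each service name to its list of findings."""
    return {r["service"]: audit(r) for r in inventory}


if __name__ == "__main__":
    for service, findings in audit_inventory().items():
        print(service, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Each finding names the rule it comes from, so the output doubles as the evidence an audit or walk-through would record; the exception process in the policy is the place to handle any service that cannot be brought into line.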
8.6 Workstation Security Policy

Purpose
The purpose of this policy is to provide guidance for the security of Century Hospital workstations, to ensure the security of information on the workstation and secure access to the information on the workstation. The policy also provides guidance to ensure that the requirements of the HIPAA Security Rule “Workstation Security” Standard 164.310(c) are met.

Scope
The scope of this policy applies to all Century Hospital employees, contractors, workforce members, vendors and agents with a Century Hospital-owned workstation, or any workstation, connected to the Century Hospital network.

Policy
Workstations must be used with appropriate measures to ensure the confidentiality, integrity and availability of sensitive information, including protected health information (PHI), and to ensure that access to sensitive information is restricted to authorized users.

All workforce members using workstations must consider the sensitivity of the information, including PHI, that may be accessed and minimize the possibility of unauthorized access.

Century Hospital will implement physical and technical safeguards for all workstations that access electronic PHI to restrict access to authorized users. Appropriate measures include:
• Restricting physical access to workstations to authorized personnel only.
• Securing workstations (screen lock or logout) prior to leaving the area, to prevent unauthorized access.
• Enabling a password-protected screen saver with a short timeout period, to ensure that workstations left unsecured will be protected. The password must comply with Century Hospital’s Password Policy.
• Complying with all applicable password policies and procedures. See Century Hospital’s Password Policy.
• Ensuring workstations are used for authorized business purposes only.
• Never installing unauthorized software on workstations.
• Storing all sensitive information, including PHI, on network servers.
• Keeping food and drink away from workstations in order to avoid accidental spills.
• Securing laptops, or other portable devices with access to Century Hospital’s network, by using cable locks or locking the devices in drawers or cabinets.
• Complying with the Acceptable Encryption Policy.
• Ensuring that monitors are positioned away from public view. If necessary, installing privacy screen filters or using other physical barriers to avoid exposing data.
• Ensuring workstations are left on but logged off, in order to facilitate after-hours updates.
• Exiting running applications and closing open documents.
• Ensuring that all workstations use a surge protector (not just a power strip) or a UPS (battery backup).
• Mobile computing devices may not be removed from the premises prior to receiving Management approval. Mobile devices being utilized outside office premises will be tracked by the Office Manager.
• Remote access must be approved by the Information Security Team. Remote access may be monitored by the Information Security Team.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
Password Security Policy
Acceptable Encryption Policy
Remote Access Policy

Definitions
• Workstation – desktops, laptops, PDAs, computer-based equipment containing or accessing information, and authorized home workstations accessing the Century Hospital network.

8.7 Remote Access Policy

Overview
See Purpose.

Purpose
The purpose of this policy is to define standards for connecting to Century Hospital’s network, including any network managed by Century Hospital, from an outside entity. These standards are designed to minimize the potential exposure of Century Hospital to damages which may result from unauthorized use of Century Hospital resources. Damages include the loss and/or exposure of sensitive or confidential information, damage to public image, and damage to critical Century Hospital internal systems.
Scope
This policy applies to all Century Hospital employees, contractors, vendors and agents with a Century Hospital-owned or personally-owned computer used to connect to the Century Hospital network. This policy applies to remote access connections used to perform work on behalf of Century Hospital, including reading or sending email and viewing intranet web resources.

Remote access implementations that are covered by this policy include, but are not limited to, dial-in modems, frame relay, ISDN, DSL, VPN, SSH, WiFi and cable modems.

Policy
Storage of confidential information on any non-Century Hospital owned device is prohibited. Confidential information may not be stored on any portable device without prior written approval from the Data Protection Officer. Approved storage on any portable device must be encrypted. (Review the Acceptable Encryption Policy for encryption regulations.)

All Century Hospital employees and contractors must be approved by the Information Security Team to obtain remote access privileges to Century Hospital’s network, and are responsible for ensuring that their remote access connection is given the same consideration as the user’s on-site connection to Century Hospital.

All remote access users are expected to comply with Century Hospital policies, may not perform illegal activities, and may not use the access for outside business interests.

Requirements
Remote access must be strictly controlled by the use of unique user credentials. For information on creating a strong password please review Century Hospital’s Password Security Policy and Password Construction Guidelines.

Remote access passwords are to be used only by the individual to whom they were assigned and may not be shared.

All remote access connections that utilize a shared infrastructure, such as the Internet, must utilize some form of encryption. For information on acceptable encryption technologies please review Century Hospital’s Acceptable Encryption Policy.

Reconfiguration of a home user’s equipment for the purpose of split-tunneling or dual homing is not permitted at any time.

All hosts that are connected to Century Hospital’s internal networks via remote access technologies must have up-to-date anti-virus software installed.

All hosts that are connected to Century Hospital’s internal networks via remote access technologies must have current operating system security patches installed.

Personal equipment may not be used to connect to Century Hospital’s networks.

Organizations or individuals who wish to implement non-standard Remote Access solutions to the Century Hospital production network must obtain prior approval from Century Hospital.
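The split-tunneling and dual-homing prohibition is one a remote-access host can be checked against from its routing table: with a full-tunnel VPN the preferred default route goes through the tunnel interface, and a host that is on only one network has gateway routes on only one physical interface. The following is an added example, not code from the Century Hospital framework, that makes that check in Python over the text of a Linux `ip route` listing. The route dumps are constructed for the demonstration, and the assumption that VPN interfaces are named `tun*`, `tap*` or `wg*` is ours; Windows `route print` output would need its own parser.

```python
"""Added example (not part of the Century Hospital framework): detect the
split-tunneling and dual-homing configurations the Remote Access Policy (8.7)
forbids, from a Linux `ip route` listing.  Route dumps are constructed; the
VPN interface naming (tun*/tap*/wg*) is an assumption."""

VPN_PREFIXES = ("tun", "tap", "wg")

# Constructed routing tables for three remote-access hosts.
FULL_TUNNEL = """\
default via 10.8.0.1 dev tun0 metric 50
default via 192.168.1.1 dev wlan0 metric 600
203.0.113.10 via 192.168.1.1 dev wlan0 metric 50
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
SPLIT_TUNNEL = """\
10.0.0.0/8 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
DUAL_HOMED = """\
default via 192.168.1.1 dev eth0 metric 100
default via 10.20.0.1 dev usb0 metric 200
10.0.0.0/8 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
10.20.0.0/24 dev usb0 proto kernel scope link src 10.20.0.5
"""


def parse_routes(text: str) -> list:
    """Turn `ip route` lines into dicts with dst, via, dev and metric."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        r = {"dst": tok[0], "via": None, "dev": None, "metric": 0}
        for i, t in enumerate(tok):
            if t == "via":
                r["via"] = tok[i + 1]
            elif t == "dev":
                r["dev"] = tok[i + 1]
            elif t == "metric":
                r["metric"] = int(tok[i + 1])
        routes.append(r)
    return routes


def is_vpn(dev) -> bool:
    return dev is not None and dev.startswith(VPN_PREFIXES)


def assess(text: str) -> dict:
    """Report whether a VPN is up, whether traffic bypasses it (split tunnel),
    and whether the host has gateway routes on two physical networks (dual homing)."""
    routes = parse_routes(text)
    vpn_up = any(is_vpn(r["dev"]) for r in routes)
    defaults = sorted((r for r in routes if r["dst"] == "default"), key=lambda r: r["metric"])
    # Split tunnel: the VPN is up but the preferred default route (Internet
    # traffic) does not go through the tunnel interface.
    split = vpn_up and (not defaults or not is_vpn(defaults[0]["dev"]))
    # Dual homing: gateway ("via") routes on two or more distinct non-VPN interfaces.
    phys_gw = {r["dev"] for r in routes if r["via"] and not is_vpn(r["dev"])}
    return {"vpn_up": vpn_up, "split_tunnel": split,
            "dual_homed": len(phys_gw) >= 2, "gateway_ifaces": sorted(phys_gw)}


if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("dual", DUAL_HOMED)):
        print(name, assess(table))
```

The full-tunnel table keeps a host route to the VPN server via the physical gateway, which is normal and is not counted as dual homing because it is the only physical interface carrying gateway routes.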
Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
• Acceptable Encryption Policy
• Password Security Policy
• Password Construction Guidelines

Definitions
• Dual Homing - Having concurrent connectivity to more than one network from a computer or network device. Examples include being logged into the Century Hospital network via a local Ethernet connection while dialing into AOL or another Internet service provider (ISP).
• Split-tunneling - Simultaneous direct access to a non-Century Hospital network (such as the Internet, or a home network) from a remote device (PC, PDA, WAP phone, etc.) while connected to Century Hospital’s network via a Virtual Private Network (VPN) tunnel. VPN is a method for accessing a remote network via “tunneling” through the Internet.

8.8 Data Backup Policy

Overview
This policy defines the backup policy of Century Hospital for computers within the organization which are expected to have their data backed up. These systems are typically servers but are not limited to servers. Servers expected to be backed up include the file server, the mail server, and the web server.

Purpose
This policy is designed to protect the data of Century Hospital, to be sure it is not lost in the event of an equipment failure, intentional destruction of data or disaster.

Scope
This policy applies to all equipment and data owned and operated by Century Hospital and to the IT employees responsible for Century Hospital’s data.
Policy

Timing
Full backups to tape will be performed daily, Monday through Sunday.

Tape Storage
There will be a separate tape or set of tapes for each day of the week: Monday, Tuesday, Wednesday, Thursday, Friday, and Saturday. There shall be a separate set of tapes for each Sunday of the month, such as Sunday1, Sunday2, etc. Backups performed on Sunday shall be kept for a month and used again the next month on the applicable Sunday. Backups performed Monday through Saturday shall be kept for one week and used again on the same day of the following week.

Tape Drive Cleaning
Tape drives will be cleaned weekly and the cleaning tape shall be changed monthly.

Monthly Backups
Every month a monthly backup tape shall be made using the oldest backup tape or tape set from the tape sets.

Age of Tapes
The date each tape is put into service shall be recorded on the tape. Tapes that have been in use for more than six months shall be discarded and replaced with new tapes.

Responsibility
The IT department manager shall delegate a member of the IT department to perform regular backups. The delegated person shall develop a procedure for testing backups and test the ability to restore data from the backups on a monthly basis.

Testing
The ability to restore data from backups shall be tested once per month.

Data Backed Up
Data to be backed up includes the following information:
• User data stored on the hard drive.
• System state data.
• The registry.

Systems to be backed up include but are not limited to:
• File server
• Mail server
• Production web server
• Production database server
• Domain controllers
• Test database server
• Test web server

Archives
Archives are made at the end of each year in December. User account data associated with the file and mail servers is archived one month after the user has left Century Hospital.

Restoration
Users who need files restored must submit a request to the help desk, including the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed.

Tape Storage Locations
Offline tapes used for daily backup shall be stored in an adjacent building in a fireproof safe. Monthly tapes shall be stored across town in our other facility in a fireproof safe.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
• NIST SP 800-123, http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf

Definitions
• Backup - The saving of files onto magnetic tape or other offline mass storage media for the purpose of preventing loss of data in the event of equipment failure or destruction.
• Archive - The saving of old or unused files onto magnetic tape or other offline storage media for the purpose of freeing online storage space.
• Restore - The process of bringing offline storage back from the offline media and putting it on an online storage system such as a file server.
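The Timing, Tape Storage, Monthly Backups, Age of Tapes and Testing rules above describe one rotation scheme, and the awkward cases (a fifth Sunday, a tape put into service on the 31st, the monthly tape taken from the oldest set) are where a hand-kept schedule usually goes wrong. The following is an added example, not code from the Century Hospital framework, that works the scheme through in Python: which set a given day's backup goes to, when that set is next reused, whether a tape has passed six months in service, whether the monthly restore test is overdue, and which set supplies the monthly backup. The dates in the usage are constructed.

```python
"""Added example (not part of the Century Hospital framework): the tape
rotation of the Data Backup Policy (8.8) as code.  Dates are constructed."""
import calendar
from datetime import date, timedelta

WEEKDAY_SETS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def tape_for(d: date) -> str:
    """Monday..Saturday each have their own set; Sundays are Sunday1..Sunday5
    by position in the month (a fifth Sunday exists only in some months)."""
    if d.weekday() == 6:
        return f"Sunday{(d.day - 1) // 7 + 1}"
    return WEEKDAY_SETS[d.weekday()]


def next_use(label: str, used_on: date) -> date:
    """Date the same set is used again: a week later for weekday sets, the
    same Sunday ordinal in a later month for Sunday sets.  A Sunday5 set waits
    for the next month that has a fifth Sunday; 400 days always contains one."""
    d = used_on + timedelta(days=1)
    for _ in range(400):
        if tape_for(d) == label:
            return d
        d += timedelta(days=1)
    raise ValueError(f"no reuse date found for {label}")


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day (Aug 31 + 6 months = Feb 28/29)."""
    y, m = divmod(d.month - 1 + n, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def must_retire(in_service: date, today: date) -> bool:
    """Tapes in use for more than six months are discarded and replaced."""
    return today > add_months(in_service, 6)


def restore_test_overdue(last_test: date, today: date) -> bool:
    """The ability to restore must be tested once per month."""
    return today > add_months(last_test, 1)


def monthly_backup_set(in_service: dict) -> str:
    """The monthly backup is made on the oldest tape set currently in service.
    `in_service` maps set label -> date the set was put into service."""
    return min(in_service, key=in_service.get)


if __name__ == "__main__":
    sets = {"Monday": date(2024, 1, 8), "Sunday1": date(2023, 9, 3)}  # constructed
    today = date(2024, 3, 31)
    print(tape_for(today), "next reuse", next_use(tape_for(today), today))
    print("monthly backup on", monthly_backup_set(sets))
    print("retire Sunday1:", must_retire(sets["Sunday1"], today))
```

Recording the in-service date on each tape, as the policy requires, is what makes `must_retire` and `monthly_backup_set` computable at all; without it the "oldest set" and the six-month limit cannot be determined.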
8.9 Physical Security Policy

Overview
Physical security is an important measure to protect Century Hospital from unauthorized access and/or exploitation of Century Hospital’s resources. All information systems that collect, receive, store and transmit data must adhere to the physical security principles of this document.

Purpose
The purpose of this document is to establish best-practice procedures and guidelines for the physical protection of all systems related to the collection, storage, and transmission of data at Century Hospital.

Scope
This policy applies to all Century Hospital employees, contractors, consultants, temporaries and other workers at Century Hospital, including all personnel affiliated with third parties.

Policy

Facility Security Controls
• Control and validate a person’s access to facilities. Access should be based on role or function and follow the minimum necessary standard, by which users are given the minimum amount of access needed to perform their job functions.
• Facilities containing information systems must be located in access-controlled areas.
• Physical access controls must be logged and audited at least every six months and must include one or more of the following: multi-factor authentication (e.g. token and PIN number), key card access, or biometric access controls.
• Regular review (at least every six months) of the authorization for facility access of workforce members and vendors, which ensures that facility access is limited to only those with a business need for physical access to the facility.
• All physical access to facilities by vendors must be logged (i.e. through sign-in sheets) with entry time, exit time, purpose, and the workforce member who allowed the facility entry. Vendors should always be escorted by a workforce member when in a facility covered by this policy.
• Environmental controls should be in place for any facility covered under this policy. Reasonable attempts must be made to implement protections against power outages, fire, water damage, temperature extremes, and other environmental hazards.
• Procedures for providing facility access in support of restoration of data in the event of an emergency or disaster.
• Records documenting the movement of any hardware or electronic media in and out of the facility.
• Maintenance records, including documentation of repairs and modifications to security-related physical security components. Physical security components include doors, locks, walls, access control cards, etc.
• Conduct thorough and complete background checks on all Century Hospital employees who may have access to facilities.
• Facilities should be surrounded by proper fencing (following all local building codes) and be properly covered from all sides by surveillance equipment.
• Facilities should be secured by trained security staff twenty-four hours a day, seven days a week, with no exceptions.

Facility Environmental Controls
• Facilities need to have a backup electricity supply, including both backup generators and UPS (uninterruptible power supply) systems, to protect against data loss in the event of power outages.
• Facilities should be equipped with fire protection equipment, including smoke alarms, heat detection systems, fire extinguishers and sprinkler systems.
• Smoke alarms (automatic and manually controlled) and heat detection systems should be placed inside and directly outside network/server equipment rooms.
• Fire extinguishers should be placed inside all network/server rooms, and all employees working in the facility should be trained in their operation.
• All environmental safety equipment should be inspected at least every six months by certified personnel.
• All network/server equipment should be raised from floor level, and water detection systems must be installed and regularly inspected by certified personnel. Waterproof covers should be readily available in case of water leaks and/or flooding.
• Dedicated temperature and humidity regulation equipment must be installed for all network/server rooms and must be maintained with regular inspections (every six months) by certified personnel.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.
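Two of the Facility Security Controls produce records that can be checked mechanically: the vendor sign-in log must carry entry time, exit time, purpose and the escorting workforce member for every visit, and each facility-access authorization must have been reviewed within the last six months. The following is an added example, not code from the Century Hospital framework, that performs both checks in Python. The sign-in log, the names and the authorization list are constructed for the demonstration, and the six-month rule is applied at calendar-month granularity, which is our choice.

```python
"""Added example (not part of the Century Hospital framework): audit the
vendor sign-in log and the access-authorization review dates required by the
Physical Security Policy (8.9).  All records and names are constructed."""
import csv
import io
from datetime import date

# Constructed sign-in sheet, as the policy requires it to be kept.
VENDOR_LOG = """\
entry,exit,visitor,company,purpose,escort
2024-03-04 09:02,2024-03-04 11:40,J. Patel,CoolAir HVAC,chiller maintenance,M. Rivera
2024-03-04 13:15,,R. Lee,NetWorks Inc,switch replacement,D. Chen
2024-03-05 08:50,2024-03-05 09:30,A. Gomez,CleanCo,,
"""

# Constructed: (person, role, area, date the authorization was last reviewed).
AUTHORIZATIONS = [
    ("D. Chen", "network engineer", "server room", date(2024, 1, 10)),
    ("P. Ortiz", "contractor", "server room", date(2023, 6, 2)),
    ("M. Rivera", "facilities", "mechanical room", date(2023, 9, 30)),
]

REQUIRED = {"exit": "missing exit time",
            "purpose": "missing purpose",
            "escort": "missing escorting workforce member"}


def audit_vendor_log(text: str) -> list:
    """Return (row number, problem) pairs for sign-in entries that lack a
    required field; entry time and visitor are always present in this format."""
    problems = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        for field, msg in REQUIRED.items():
            if not (row.get(field) or "").strip():
                problems.append((n, msg))
    return problems


def overdue_reviews(auths, today: date) -> list:
    """Names whose facility-access authorization was last reviewed more than
    six calendar months ago (policy: review at least every six months)."""
    def months_elapsed(d: date) -> int:
        return (today.year * 12 + today.month) - (d.year * 12 + d.month)
    return [name for name, _role, _area, reviewed in auths if months_elapsed(reviewed) > 6]


if __name__ == "__main__":
    for row, problem in audit_vendor_log(VENDOR_LOG):
        print(f"sign-in row {row}: {problem}")
    print("authorizations overdue for review:", overdue_reviews(AUTHORIZATIONS, date(2024, 3, 6)))
```

An entry with no exit time is the more important finding of the two: it means the log cannot show that the vendor left the facility, which is the record the escort requirement exists to produce.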
8.10 Contingency Plan Policy

Overview
Century Hospital establishes contingency planning throughout Century Hospital to help the organization implement security best practices with regard to business continuity and disaster recovery.

Purpose
This policy establishes the Contingency Planning Policy for managing risks from information asset disruptions, failures, and disasters, through the establishment of an effective contingency planning program. The contingency planning program helps Century Hospital implement security best practices with regard to enterprise business continuity and disaster recovery.

Scope
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by Century Hospital. Any information, not specifically identified as the property of other parties, that is transmitted or stored on Century Hospital IT resources (including e-mail, messages and files) is the property of Century Hospital. All users (Century Hospital employees, contractors, vendors or others) of IT resources are responsible for adhering to this policy.

Policy
Century Hospital has chosen to adopt the Contingency Planning principles established in NIST SP 800-34, “Contingency Planning Guide for Federal Information Systems,” as the official policy for this domain. The following subsections outline the Contingency Planning standards that constitute Century Hospital policy. Century Hospital IT Management must develop or adhere to a program plan which demonstrates compliance with the policy and the standards documented here.
• Contingency Planning Procedures: IT Management must develop, adopt or adhere to a formal, documented contingency planning procedure that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
• Contingency Plan: IT Management must develop a contingency plan for the company information assets that:
»» Identifies essential missions and business functions and associated contingency requirements.
»» Provides recovery objectives, restoration priorities, and metrics.
»» Addresses contingency roles, responsibilities, and assigned individuals with contact information.
»» Addresses maintaining essential missions and business functions despite an information asset disruption, compromise, or failure.
»» Addresses eventual, full information asset restoration without deterioration of the security measures originally planned and implemented.
»» Is reviewed and approved by designated officials within the organization.
»» Distributes copies of the contingency plan to relevant management.
»» Coordinates contingency planning activities with incident handling activities.
»» Reviews the contingency plan for the information asset on an annual basis.
»» Revises the contingency plan to address changes to the organization, information asset, or environment of operation and problems encountered during contingency plan implementation, execution, or testing.
»» Communicates contingency plan changes to relevant management.
• Contingency Training: IT Management must train personnel in their contingency roles and responsibilities with respect to the information asset and provide refresher training on an annual basis.
• Contingency Plan Testing and Exercises: IT Management must test and/or exercise the contingency plan for the information asset annually to determine the plan’s effectiveness and the organization’s readiness to execute the plan. In addition, IT Management must review the contingency plan test/exercise results and initiate corrective actions.
• Alternate Storage Site: Century Hospital IT Management must establish an alternate storage site, including necessary agreements, to permit the storage and recovery of information asset backup information.
• Alternate Processing Site: IT Management must establish an alternate processing site, including necessary agreements, to permit the resumption of information asset operations for essential missions and business functions within defined recovery times and recovery points when the primary processing capabilities are unavailable. In addition, IT Management will ensure that equipment and supplies required to resume operations are available at the alternate site, or that contracts are in place to support delivery to the site in time to support the organization-defined time period for resumption.
• Telecommunications Services: IT Management must establish alternate telecommunications services, including necessary agreements, to permit the resumption of information asset operations for essential missions and business functions within defined recovery times and recovery points when the primary telecommunications capabilities are unavailable.
• Information System Backup: IT Management must conduct backups of user-level, system-level, and information asset documentation (including security-related documentation) within defined recovery time and recovery point objectives. In addition, IT Management must protect the confidentiality and integrity of backup information at the storage location.
• Information System Recovery and Reconstitution: IT Management must provide for the recovery and reconstitution of the information asset to a known state after a disruption, compromise, or failure.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, which include, but are not limited to, internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
An employee who violates this policy may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
• Disaster Recovery Plan Policy
• NIST SP 800-34, http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

8.11 Incident Response Plan Policy

Overview
An Incident Response Plan (IRP) provides the impetus for security and business teams to integrate their efforts from the perspective of awareness and communication, as well as coordinated response in times of crisis (security vulnerability identified or exploited). Specifically, an IRP defines a product description, contact information, escalation paths, expected service level agreements (SLA), severity and impact classification, and mitigation/remediation timelines. Requiring business units to incorporate an IRP as part of their business continuity operations, and as new products or services are developed and prepared for release to consumers, ensures that when an incident occurs, swift mitigation and remediation ensues.

Purpose
The purpose of this policy is to establish the requirement that all business units supported by the IT Security Team develop and maintain a security response plan. This ensures that the Security Incident Management Team has all the necessary information to formulate a successful response should a specific security incident occur.

Scope
This policy applies to any established and defined business unit or entity within Century Hospital.

Policy
The development, implementation, and execution of an Incident Response Plan (IRP) are the primary responsibility of the specific business unit for whom the IRP is being developed, in cooperation with the IT Security Team. Business units are expected to properly facilitate the IRP applicable to the service or products for which they are held accountable.
The business unit security coordinator or champion is further expected to work with the IT Security Team in the development and maintenance of an IRP. The IRP must address the following five stages when servicing a security incident: preparation, identification, containment, eradication, and recovery. Knowing about each stage facilitates responding more methodically and efficiently, and helps users understand the process of responding so that they can deal with unexpected aspects of incidents they face. Preparation Century Hospital considers being prepared to respond before an incident occurs to be one of the most
  • 27. Century Hospital Security Framework 25 critical facets of incident handling. This advance preparation avoids disorganized and confused response to incidents. Preparation also limits the potential for damage by ensuring that response plans are familiar to all users, thus making coordination easier. Identification The approach to the Identification Stage involves 1) validating the incident, 2) if an incident has occurred, identify its nature, 3) identifying and protecting the evidence, and 4) logging and reporting the event or incident. When a user notices a suspicious anomaly in data, a system, or the network, he or she begins the identification process. Determine the Systems Determining whether an anomaly is symptomatic of an incident is difficult since most often-apparent symptoms of a security incident are something else, (e.g., errors in system configuration, application bugs, hardware failures, user error, etc.). Typical symptoms of computer security incidents include, but are not limited to: Unexplained modification or deletion of data, system crashes, unsuccessful logon attempts, unexplained new files or unfamiliar file names, and denial/disruption of service, or inability of one or more users to login to an account. Identify the Nature of the Incident Although no single symptom conclusively shows that a computer security incident is taking place, observing one or more of these symptoms prompts the observer to investigate events more closely. If a computer- based incident is detected, it must be reported immediately to the IT Security Team. Containment The objective for the Containment Stage is to limit the scope and magnitude of an incident as quickly as possible, rather than to allow the incident to continue in order to gain evidence for identifying and/or prosecuting the perpetrator. Immediately change the passwords on all affected systems. 
Passwords should be changed on comprised systems and on all systems that regularly interact with the compromised systems. Eradication The next priority, after containing the damage from a computer security incident, is to remove the cause of the incident. In the case of a virus incident, antivirus software should be used to remove the virus from all systems and media (e.g., floppy disks, backup media). Many intrusions leave benign or malignant artifacts that can be hard to locate. Therefore, it may be necessary to employ more sophisticated techniques to eradicate malignant artifacts (e.g., Trojan horses). Recovery Recovery is defined as restoring a system to its normal state. In the case of relatively simple incidents (such as attempted but unsuccessful intrusions into systems), recovery requires only assurance that the incident did not adversely affect the computer or data resources. In the case of complex incidents, such as malicious code, recovery may require a complete restoration operation from backup tapes or full implementation of the Century Hospital’s disaster recovery plans. Reporting Anyactivityobservedorsuspectedconcerningsecurityincidentsoutlinedinthispolicyshouldbeimmediately reported to the IT Security Team or office of the Chief Information Officer.
Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, including but not limited to internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of termination.

Related Standards, Policies and Processes
• Disaster Recovery Plan Policy
• NIST SP 800-61, http://dx.doi.org/10.6028/NIST.SP.800-61r2

8.12 Disaster Recovery Plan Policy

Overview
In the event of a disaster, the Disaster Recovery Plan must be implemented to provide Century Hospital with a comprehensive recovery plan that meets the HIPAA compliance requirements of part 164.308(a)(7). This policy requires management to financially support and diligently attend to disaster contingency planning efforts. Disasters are not limited to adverse weather conditions; any event that could likely cause an extended delay of service should be considered. The Disaster Recovery Plan is often part of the Business Continuity Plan.

Purpose
This policy defines a systematic approach for safeguarding the vital technology and data of Century Hospital. It provides a framework for the management, development and implementation, and maintenance of a disaster recovery program for the systems and services of Century Hospital.

Scope
This policy is directed to the IT Management Staff, who are accountable for ensuring the plan is developed, tested and kept up to date. This policy solely states the requirement to have a Disaster Recovery Plan; it does not provide requirements for what goes into the plan or its sub-plans.

Policy Principles
Disaster Recovery planning is a program with a continuous lifecycle. Detailed requirements for each of its steps are below.
Governance
• All Century Hospital systems must comply with disaster recovery policies and requirements.
• The Disaster Recovery Manager is responsible for Disaster Recovery (DR) program coordination and project management, including reporting the status of DR planning, testing, and auditing activity to senior management on a regular basis, at least twice per year.
• Senior IT management is responsible for ensuring sufficient financial, personnel and other resources are available as needed.
• The DR Manager will review and update the DR Policy as necessary, at least every other year. All modifications must be approved by Senior IT Management.

Program Development
• The Disaster Recovery Program (DRP) addresses the protection and recovery of Century Hospital ITS so that critical operations and services are recovered in a timeframe that ensures the survivability of Century Hospital and is commensurate with patient obligations, business necessities, industry practices, and regulatory requirements, particularly HIPAA standards.
• Plans must be developed, tested, and maintained to support the objectives of the program, and those plans should include relevant IT infrastructure, computer systems, network elements and applications. Annual updating is required.
• The DR Manager is responsible for conducting Business Impact Analyses (BIA) to identify the critical business processes, determine their recovery timeframes, and establish the criticality ratings for each, and for conducting Capability Analyses (CA) to determine the IT systems’ capacity to recover the critical IT services that support defined critical business processes and recovery objectives. These analyses must be updated at least every other year.
• The DR Manager is responsible for maintaining the Recovery Tier Chart, which defines the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) of all ITS-managed systems.
• ITS is required to create disaster recovery plans for the IT portion (including services, systems, and assets) of critical business processes. These IT services, systems, and assets must be inventoried and correlated according to the technical service catalog, prioritized based upon the results of the Business Impact Analysis, and ranked according to their Recovery Time Objectives and Recovery Point Objectives.
• A Risk Assessment must be conducted at least every other year to determine threats to disaster recovery and their likelihood of impacting the IT infrastructure.
• For each risk or vulnerability identified in the Capability Review and Risk Assessment, a mitigation or preventive solution must be identified.
• The IT DR program must include a change management and quality assurance process.
• The above Program Development statements will be progressively fulfilled via the DR Manager, departmental and/or other resources.

Emergency Management
• The IT DR Team/Manager is responsible for overseeing IT DR activities in the event of an emergency, i.e., an unplanned outage where the RTO is in jeopardy.
• The IT DR Manager should be part of the ITS representation within the institution’s Emergency Management Team.
• Each IT division must develop and maintain a documented emergency plan, including notification procedures.
• Each IT division shall account for its associates when a building evacuation is ordered. Supervisory personnel are responsible for accounting for the associates they supervise.
• The IT DR Team/Manager is required to complete a post-mortem report documenting outages and recovery responses within 45 days after the occurrence of a disaster recovery event.
Budgeting
• IT DR budgeting must be informed annually by the requirements gathered in the BIA and CA, as well as by the ITS budgeting process.
• IT Managers are responsible for tracking and reporting on planned and unplanned outage spending related to the recovery and restoration effort. During an outage, IT Managers may incur special recovery and restoration costs that are unbudgeted. For a small outage these costs would be immaterial, but for a longer outage they could be significant.

Plan Objective
• IT DR plans must provide information on Business Impact Analysis, Data Backup, Recovery, Business Resumption, Administration, Organization Responsibilities, Emergency Response & Operations, Training and Awareness, and Testing.
• Plans must contain Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).
• Technological solutions for data availability, data protection, and application recovery must be considered in light of the data gathered by the BIA and CA.
Vital Records
• ITS must maintain a single, comprehensive electronic inventory of all servers, network equipment, relevant configuration and model information, and the applications they support. This inventory should be aligned with the service catalog and the technical service catalog.
• All backup data must be labeled and logged, and must be available for use during an emergency within the stated recovery time objectives. A documented decision-making process will be used to determine what subset of backup data will additionally be encrypted and stored off-site in a secured location outside the geographical area of the systems it backs up.
• DR plans must be stored in a single, comprehensive database.
• DR plan owners need to be able to access a copy of the emergency and recovery plan(s) independent of ITS services and/or the network.
• Upon completion or update, DR plans must be sent to the Disaster Recovery Manager and the ITS Change Manager for review.
• Plan information must be reviewed and updated as warranted by business and/or information systems environment changes, and at least annually.

Plan Attributes
• Plans must address an outage that could potentially last for a period of up to six weeks.
• Plans must identify risk exposure and either accept the risk or propose mitigation solution(s).
• Backup strategies must comply with predefined business continuity requirements, including defined recovery time and point objectives. Backup strategies must be reviewed at least every other year.
• Recovery strategies must meet the recovery objectives defined in the DR tier chart.
• Approved recovery strategies must be tested to ensure they meet the required recovery time and recovery point objectives.
• Recovery strategies must be implemented within a previously agreed-upon period of time, generally not more than 180 days after management approval.
• The ITS Disaster Recovery Manager is required to provide DR training and awareness activities at least twice per year.

Maintenance
• Plans must contain current and accurate information.
• Planning must be integrated into all phases of the IT system life cycle.
• IT DR tests that demonstrate recoverability commensurate with the documented IT DR plans must be conducted regularly, as well as when warranted by changes in the business and/or information systems environment.
• Backup media supporting critical business processes must be tested semi-annually. Reviews are required within 60 days after a test to correct exposed deficiencies.
• Plan revisions must be completed within 60 days after a DR test is completed.
• The following maintenance activities must be conducted annually:
  »» Updating the documented DR plan.
  »» Reviewing the DR objectives and strategy.
  »» Updating the internal and external contact lists.
  »» Conducting a simulation/desktop exercise.
  »» Conducting a telecommunication exercise.
  »» Conducting an application recovery test.
  »» Verifying the alternate site technology.
  »» Verifying the hardware platform requirements.
  »» Submitting the DR Status and Recoverability Report.
• IT managers are responsible for briefing staff on their roles and responsibilities related to DR planning, including developing, updating, and testing plans.

Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, including but not limited to internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of termination.
8.13 Security Awareness and Training Policy

Overview
See Purpose.

Purpose
Century Hospital must implement a security awareness and training program for all employees, including management, to comply with HIPAA section 164.308(a)(5). Century Hospital understands that “people”, not necessarily technology, are often the largest threat to the security of sensitive information, such as electronic protected health information (ePHI), in the organization.

Scope
This policy applies to all Century Hospital employees, including anyone granted access to sensitive information (such as ePHI) by Century Hospital.

Policy
All Century Hospital employees who have access to the hospital information systems must understand how to protect the confidentiality, integrity and availability of those information systems. Century Hospital must develop, implement and regularly review a formal, documented program for providing security training, education and awareness to all employees. Century Hospital will ensure that all employees have been trained in and understand the security policies and procedures. In addition, all employees will be trained how to identify, report, and prevent potential security incidents.

All Century Hospital employees must be provided with regular training, supporting reference materials, and reminders to enable them to appropriately protect Century Hospital information systems. This training must include, but is not limited to:
• All Century Hospital information security policies, procedures and standards and/or significant revisions to them.
• The secure use of Century Hospital information systems (e.g. log-on procedures, authorized software).
• Significant risks to Century Hospital information systems and data and/or any new threats as they are identified.
• Century Hospital’s legal and business responsibilities for protecting its information systems and data (e.g. HIPAA) and/or any significant changes to these responsibilities.
• Security best practices (e.g. how to construct a good password, how to report a security incident) and/or changes to these practices.
• Security controls in place, any changes to these controls, and/or new controls being implemented.

All Century Hospital employees must receive appropriate security training, and after such training each employee must verify that he or she has received the training, understood the material presented, and agrees to comply with the training.
Policy Compliance

Compliance Measurement
The Information Security Team is responsible for verifying compliance with this policy and will use various methods to ensure compliance, including but not limited to internal and external audits, periodic walk-throughs, video monitoring, business tool reports, and feedback to the policy owner.

Exceptions
Any exception to this policy must be approved by the Information Security Team in advance.

Non-Compliance
Violation of this policy by any employee may be subject to disciplinary action, including the possibility of termination.

Procedures
• New employees are required to complete mandatory new hire security training within 60 days of hire.
• Human Resources is responsible for notifying the Compliance Department of a new hire immediately, so that the new employee can be scheduled for training within the required timeframes.
• All employees are required to complete annual security training and any additional training required by the IT Security Department.
• The IT Security Department will issue periodic security awareness reminders to employees. All employees are responsible for reading the information and implementing any instructions contained in the security awareness reminders.

Related Standards, Policies and Processes
• HIPAA 45 CFR Parts 160, 162, and 164, http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html
9. Security Blueprint
10. Risk Assessment Report

Purpose
The purpose of this risk assessment is to evaluate the adequacy of Century Hospital’s security. This risk assessment provides a structured qualitative assessment of the operational environment. It addresses sensitivity, threats, vulnerabilities, risks, and safeguards, and recommends cost-effective safeguards to mitigate threats and their associated exploitable vulnerabilities.

Scope
The scope of this risk assessment is to assess the system’s use of resources and controls to eliminate and/or manage the vulnerabilities exploitable by threats internal and external to Century Hospital. If exploited, these vulnerabilities could result in:
• Unauthorized disclosure of data.
• Unauthorized modification to the system, the data, or both.
• Denial of service, of access to data, or both, to authorized users.

This risk assessment report evaluates the confidentiality (protection from unauthorized disclosure of system and data information), integrity (protection from improper modification of information), and availability (loss of system access) of the system. The recommended security safeguards will allow management to make decisions about security-related initiatives.

Risk Assessment Approach
This risk assessment was conducted using the methodology and guidelines in NIST SP 800-30, Risk Management Guide for Information Technology Systems. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability. It recommends appropriate security safeguards, permitting management to make knowledge-based decisions about security-related initiatives.

Assessment
• Threat Identification
• Vulnerability Identification
• Risk Likelihood
• Impact Analysis
• Risk Level
For the likelihood assessment we will use the following rating system:
• High: The threat source is highly motivated and sufficiently capable, and controls to prevent the vulnerability from being exercised are ineffective.
• Moderate: The threat source is motivated and capable, but controls are in place that may impede successful exercise of the vulnerability.
• Low: The threat source lacks motivation or capability, or controls are in place to prevent, or at least significantly impede, the vulnerability from being exercised.

For the Impact Analysis we will use the following rating system:
• High: Exercise of the vulnerability (1) may result in the highly costly loss of major tangible assets or resources; (2) may significantly violate, harm, or impede an organization’s mission, reputation, or interest; or (3) may result in human death or serious injury.
• Moderate: Exercise of the vulnerability (1) may result in the costly loss of tangible assets or resources; (2) may violate, harm or impede an organization’s mission, reputation, or interest; or (3) may result in human injury.
• Low: Exercise of the vulnerability (1) may result in the loss of some tangible assets or resources; (2) may noticeably affect an organization’s mission, reputation, or interest.

For the Risk Level rating system we will use the following system:
• High: There is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.
• Moderate: Corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.
• Low: The system’s Authorizing Official must determine whether corrective actions are still required or decide to accept the risk.
11. Risk Assessment Chart

Threat | Vulnerability | Likelihood | Impact | Risk level
--- | --- | --- | --- | ---
Act of nature: wind, rain, flood, tornado (facility 1) | Damage to facility / facility is inoperable | Low | High | Low
Hazardous conditions: fire, chemical spill (facility 1) | Damage to facility / facility is inoperable | Low | High | Low
Act of nature: wind, rain, flood, tornado (facility 2) | Damage to facility / facility is inoperable | Low | High | Low
Hazardous conditions: fire, chemical spill (facility 2) | Damage to facility / facility is inoperable | Low | High | Low
System environmental failures: heat detection, sprinklers, HVAC (facility 1) | Damage to network/server equipment | Low | High | Low
System environmental failures: heat detection, sprinklers, HVAC (facility 2) | Damage to network/server equipment | Low | High | Low
Violent acts of man: attack on system or personnel | Damage to facility or vital personnel for system | Low | Moderate | Low
Errors or omissions: accidental actions by personnel | Unintended physical damage or system disruption | Moderate | Moderate | Moderate
Insider attack: actions taken by insiders meant to harm organization | System compromised/crashes, access changes, eavesdropping, denial of service, reputation | Moderate | Moderate | Moderate
External attack: outsiders trying to harm organization | System compromise/crashes, data harvesting, denial of service, reputation | Moderate | High | High
Malicious code: viruses, worms, malware | System compromised or crashes, data compromised, denial of service, reputation | Moderate | Moderate | Moderate
Physical intrusion or theft: facility compromised or theft of equipment (laptop) | Data or passwords compromised, hard copy output affected, reputation | Moderate | Moderate | Moderate
Legal or administrative actions: illegal or due diligence failure by organization (HIPAA) | Regulatory penalties, criminal and/or civil proceedings, damaged reputation | Low | High | Moderate
Social engineering: inadvertent exposure by phone or e-mail by authorized users | Data or passwords compromised, denial of service, reputation | High | High | High
Mishandling of critical/sensitive information | Data or passwords compromised, denial of service, reputation | Moderate | Moderate | Moderate
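As an added worked example (not part of the Century Hospital framework), the following Python maps the Likelihood and Impact ratings defined in the Risk Assessment Report onto a risk level and checks every row of the chart above against the level the chart states. The numeric scale is an assumption taken from NIST SP 800-30 (2002 edition), which the report cites: likelihood Low 0.1 / Moderate 0.5 / High 1.0, impact Low 10 / Moderate 50 / High 100, and the product rated Low (1 to 10), Moderate (over 10 to 50) or High (over 50); the chart rows are transcribed into the code for the check.

```python
"""Check a qualitative risk register against its likelihood x impact matrix.

Added example; not part of the Century Hospital framework. The numeric
scale is assumed from NIST SP 800-30 (2002 edition): likelihood
Low=0.1, Moderate=0.5, High=1.0; impact Low=10, Moderate=50, High=100;
risk = likelihood * impact, rated Low (1-10), Moderate (>10-50),
High (>50-100).
"""
from dataclasses import dataclass
from fractions import Fraction

# Fractions keep the products exact: 0.1 * 100 must land precisely on the
# Low/Moderate boundary at 10, not a rounding error above it.
LIKELIHOOD = {"low": Fraction(1, 10), "moderate": Fraction(1, 2), "high": Fraction(1)}
IMPACT = {"low": 10, "moderate": 50, "high": 100}


@dataclass(frozen=True)
class RiskRow:
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    stated_level: str


def _rating(table: dict, value: str) -> Fraction:
    """Look up a qualitative rating case-insensitively; reject unknown words
    instead of silently scoring them as low."""
    key = value.strip().lower()
    if key not in table:
        raise ValueError(f"unknown rating {value!r}; expected one of {sorted(table)}")
    return Fraction(table[key])


def risk_score(likelihood: str, impact: str) -> Fraction:
    """SP 800-30 style product score for a likelihood/impact pair."""
    return _rating(LIKELIHOOD, likelihood) * _rating(IMPACT, impact)


def risk_level(likelihood: str, impact: str) -> str:
    """Map the product score back onto the three-level risk scale."""
    score = risk_score(likelihood, impact)
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


def inconsistent_rows(rows):
    """Return (threat, stated, computed) for every row whose stated risk level
    disagrees with the matrix, so the register can be reconciled with its own
    methodology before it is used to prioritise safeguards."""
    findings = []
    for row in rows:
        computed = risk_level(row.likelihood, row.impact)
        stated = row.stated_level.strip().lower()
        if computed != stated:
            findings.append((row.threat, stated, computed))
    return findings


# The rows of the Risk Assessment Chart, transcribed for the check.
CHART = [
    RiskRow("Act of nature (facility 1)", "Damage to facility / facility inoperable", "Low", "High", "Low"),
    RiskRow("Hazardous conditions (facility 1)", "Damage to facility / facility inoperable", "Low", "High", "Low"),
    RiskRow("Act of nature (facility 2)", "Damage to facility / facility inoperable", "Low", "High", "Low"),
    RiskRow("Hazardous conditions (facility 2)", "Damage to facility / facility inoperable", "Low", "High", "Low"),
    RiskRow("System environmental failures (facility 1)", "Damage to network/server equipment", "Low", "High", "Low"),
    RiskRow("System environmental failures (facility 2)", "Damage to network/server equipment", "Low", "High", "Low"),
    RiskRow("Violent acts of man", "Damage to facility or vital personnel", "Low", "Moderate", "Low"),
    RiskRow("Errors or omissions", "Unintended physical damage or system disruption", "Moderate", "Moderate", "Moderate"),
    RiskRow("Insider attack", "System compromised, access changes, eavesdropping, DoS", "Moderate", "Moderate", "Moderate"),
    RiskRow("External attack", "System compromise, data harvesting, DoS", "Moderate", "High", "High"),
    RiskRow("Malicious code", "System or data compromised, DoS", "Moderate", "Moderate", "Moderate"),
    RiskRow("Physical intrusion or theft", "Data or passwords compromised, hard copy affected", "Moderate", "Moderate", "Moderate"),
    RiskRow("Legal or administrative actions", "Regulatory penalties, proceedings, reputation", "Low", "High", "Moderate"),
    RiskRow("Social engineering", "Data or passwords compromised, DoS, reputation", "High", "High", "High"),
    RiskRow("Mishandling of critical/sensitive information", "Data or passwords compromised, DoS, reputation", "Moderate", "Moderate", "Moderate"),
]

if __name__ == "__main__":
    for threat, stated, computed in inconsistent_rows(CHART):
        print(f"{threat}: stated {stated}, matrix gives {computed}")
    print(f"{len(CHART)} rows checked")
```

Rows the check reports are not necessarily wrong; a risk owner may deliberately rate above the matrix (regulatory exposure is a common case), but the deviation should then be recorded as a conscious decision rather than left as an unexplained inconsistency.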
For the Sensitivity Ratings in the Risk Mitigation Chart we will use the following rating system:

Sensitivity Rating | Low | Moderate | High
--- | --- | --- | ---
Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information [44 USC, SEC. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
Integrity: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity [44 USC, SEC. 3542] | The modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals | The modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals | The modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals
Availability: Ensuring timely and reliable access to and use of information [44 USC, SEC. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, assets, or individuals | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, assets, or individuals | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, assets, or individuals
12. Sensitivity and Risk Mitigation

Threat | Vulnerability | Confidentiality | Integrity | Availability | Risk mitigation
--- | --- | --- | --- | --- | ---
Act of nature (facility 1) | Damage to facility / facility is inoperable | Low | Moderate | Moderate | Mirrored facility to keep data integrity during issues with the other facility
Act of nature (facility 1) | Damage to facility / facility is inoperable | Low | Moderate | Moderate | Mirrored facility to keep data integrity during issues with the other facility
Hazardous conditions (facility 1) | Damage to facility / facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility
Hazardous conditions (facility 2) | Damage to facility / facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility
Environmental system failures (facility 1) | Damage to facility / facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility
Environmental system failures (facility 2) | Damage to facility / facility is inoperable | Low | Moderate | Low | Mirrored facility to keep data integrity during issues with the other facility
Violent acts of man: attack on facility or personnel | Damage to facility / facility is inoperable; loss of vital personnel | Low | Low | Moderate | Mirrored facility to keep data integrity during issues with the other facility. Physical security (human and surveillance) on site to protect employees and equipment
Errors or omissions: accidental | Unintended physical damage or system disruption | Moderate | Moderate | Moderate | Training employees to be detail-oriented in their use of the system. Making sure employees are accountable for all actions
Insider attack: meant to harm organization | System compromised, access changes, eavesdropping, DoS | High | High | Moderate | Difficult to mitigate. IT employees need to monitor the system for irregularities, such as files being accessed that seem out of place
External attack: outsiders trying to harm organization | System compromised, access changes, eavesdropping, DoS | High | High | High | Firewalls, intrusion detection systems, intrusion prevention systems, continuous monitoring of the system, being aware of the latest hacker techniques
Malicious code: viruses, worms and malware | System compromised, access changes, eavesdropping, DoS | High | High | High | Firewalls, intrusion detection systems, intrusion prevention systems, continuous monitoring of systems, being aware of the latest hacker techniques
Physical intrusion or theft of equipment (laptops) | Data or passwords compromised, hard copy output affected, reputation | High | High | Moderate | Physical security of facilities, security education and training awareness program, encryption systems and policies
Legal or administrative actions: illegal or due diligence failures | Regulatory penalties, criminal and/or civil proceedings, damaged reputation | High | High | Low | Code of Conduct Policy, Confidentiality Policy, SETA program, continuous training in all departments pertaining to their regulatory (HIPAA) responsibilities
Social engineering: inadvertent exposure | Data or passwords compromised, denial of service, reputation | High | High | Moderate | SETA program; all employees need to understand the importance of confidentiality at all times
Mishandling of critical/sensitive information | Data or passwords compromised, denial of service, reputation | High | High | Moderate | SETA program; all employees need to understand the importance of confidentiality at all times
13. Compliance Framework

13.1 National Institute of Standards and Technology (NIST)
• SP 800-12 – An Introduction to Computer Security: The NIST Handbook. Compliance: Entire CH Security Framework.
• SP 800-13 – Telecommunication Security Guidelines for Telecommunication Management Network. Compliance: Entire CH Security Framework.
• SP 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems. Compliance: Entire CH Security Framework.
• SP 800-16 – Information Technology Security Training Requirements: A Role- and Performance-Based Model. Compliance: Security Awareness and Training Policy; establishment and execution will be carried out by the Officers of the Security Team.
• SP 800-23 – Guidelines to Federal Organizations on Security Assurance and Acquisition/Use of Tested, Evaluated Products. Compliance: Entire CH Security Framework.
• SP 800-30 Rev 1 – Guide for Conducting Risk Assessments. Compliance: Security Blueprint, Risk Assessment Report and Risk Mitigation Report.
• SP 800-34 – Contingency Planning Guide for Federal Information Systems (Nov. 11, 2010). Compliance: Backup, Disaster Recovery, Contingency Plan, and Incident Response Policies.
• SP 800-36 – Guide to Selecting Information Technology Security Products. Compliance: Monitoring trends in network security, part of the Security Analyst position.
• SP 800-37 Rev 1 – Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. Compliance: Security Blueprint, Risk Assessment Framework, and Risk Mitigation Report.
• SP 800-46 Rev 1 – Guide to Enterprise Telework and Remote Access Security. Compliance: Remote Access Policy.
• SP 800-50 – Building an Information Technology Security Awareness and Training Program. Compliance: Security Awareness and Training Policy.
• SP 800-61 Rev 2 – Computer Security Incident Handling Guide. Compliance: Incident Response, Contingency, and Disaster Recovery Policies.
• SP 800-83 – Guide to Malware Incident Prevention and Handling. Compliance: Encryption, Workstation, and Incident Response Policies.
• SP 800-92 – Guide to Computer Security Log Management. Compliance: Encryption and Workstation Policies.
• SP 800-94 – Guide to Intrusion Detection and Prevention Systems. Compliance: Encryption Policy.
• SP 800-100 – Information Security Handbook: A Guide for Managers. Compliance: Entire CH Security Framework.
• SP 800-114 – User’s Guide to Securing External Devices for Telework and Remote Access. Compliance: Remote Access Policy.
• SP 800-115 – Technical Guide to Information Security Testing and Assessment. Compliance: Encryption Policy.
• SP 800-116 – A Recommendation for the Use of PIV Credentials in Physical Access Control Systems (PACS). Compliance: Physical Security Policy.
• SP 800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII). Compliance: Code of Conduct, Confidentiality, and Incident Response Policies.
• SP 800-123 – Guide to General Server Security. Compliance: Encryption, Physical Security, and Incident Response Policies.
• SP 800-128 – Guide for Security-Focused Configuration Management of Information Systems. Compliance: Entire CH Security Framework.
• SP 800-137 – Information Security Continuous Monitoring for Federal Information Systems and Organizations. Compliance: Entire CH Security Framework.
13.2 Health Insurance Portability and Accountability Act (HIPAA)

Purpose of the Privacy Rule as defined by the Department of Health and Human Services

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information, and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain health transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information (PHI), and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records, and to request corrections.

Century Hospital Compliance with the Privacy Rule
• Compliance/Privacy Officer
• Confidentiality and Code of Conduct Policies
• Security Awareness and Training Policy

Purpose of the Security Rule as defined by the Department of Health and Human Services

The primary goal of the HIPAA Security Rule is to protect the privacy of individuals’ health information while still allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable, so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.
Century Hospital Compliance with the Security Rule

Administrative Safeguards
• Risk Analysis and Management
  Compliance: Risk Assessment Report, Sensitivity and Risk Mitigation Report
• Security Management Process
  Compliance: The entire Century Hospital (CH) Security Framework
• Security Personnel
  Compliance: The duties of the CIO position are defined in the CH Security Framework
• Workforce Training and Management
  Compliance: Security Awareness and Training Policy
• Evaluation
  Compliance: Described throughout the CH Security Framework

Physical Safeguards
• Facility Access and Control
  Compliance: Physical Security Policy
• Workstation and Device Security
  Compliance: Workstation Security Policy

Technical Safeguards
• Access Control
  Compliance: Password Security Policy
• Audit Controls
  Compliance: Defined throughout the CH Security Framework
• Integrity Controls
  Compliance: Code of Conduct, Confidentiality, Encryption, Workstation Security, and Data Backup Policies
• Transmission Security
  Compliance: Encryption Policy
14. References

Chief Information Officer
http://www.humanresources.hrvinet.com/cio-job-description/
http://www.americasjobexchange.com/chief-information-officer-job-description
http://www.humanresources.hrvinet.com/cio-job-specification/

Data Protection Officer
www.britishlegion.org.uk/media/1614687/jobdesc_dataprotectionoff.pdf
http://friendsofquest.com/DataProtection/data-protection-officer-job-description

Compliance Officer
www.ache.org/newclub/career/comploff.cfm

IT Security Analyst
www.humanresourses.hrvinet.com/computer-security-specialist-description/
www.iseek.org

Code of Conduct Policy
http://www.sans.org/security-resources/policies/general/pdf/ethics-policy

Confidentiality Policy
http://saskschoolsprivacy.com/wp-content/uploads/2013/09/SamplePolicy_Confidentiality.pdf
http://www.councilofnonprofits.org/files/SAMPLE%20Confidentiality%20Agreements.pdf

Password Security Policy
http://www.sans.org/security-resources/policies/general/pdf/password-protection-policy

Password Construction Guidelines
http://www.sans.org/security-resources/policies/general/pdf/password-construction-guidelines
http://eits.uga.edu/access_and_security/infosec/pols_regs/policies/passwords/password_standard

Acceptable Encryption Policy
http://www.sans.org/security-resources/policies/general/pdf/acceptable-encryption-policy
http://cpcstech.com/pdf/acceptable_encryption_policy.pdf

Workstation Security Policy
http://www.sans.org/security-resources/policies/server-security/pdf/workstation-security-for-hipaa-policy
http://phelc.org/downloads/policy-proced/Workstation%20Security.pdf
Remote Access Policy
http://www.sans.org/security-resources/policies/network-security/pdf/remote-access-policy
http://doit.maryland.gov/support/Documents/security_guidelines/Remote_Access_Policy.pdf

Data Backup Policy
http://www.comptechdoc.org/independent/security/policies/backup-policy.html

Physical Security Policy
http://www.sans.org/reading-room/whitepapers/physical/implementing-robust-physical-security-1447
http://weill.cornell.edu/its/policy/data/12-2-physical-security.html

Contingency Plan Policy
http://maricopa.gov/technology/pdf/TEMPLATE_Information_Security_Contingency_Planning_Policy.docx
http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf

Incident Response Plan Policy
https://www.sans.org/security-resources/policies/general/pdf/security-response-plan-policy
http://savannahstate.edu/faculty-staff/computer-services/docs/Policies/10-4 Security Incident Response Policy.pdf

Disaster Recovery Plan Policy
http://www.sans.org/security-resources/policies/general/pdf/disaster-recovery-plan-policy
http://weill.cornell.edu/its/policy/operations/15-5-disaster-recovery-policy.html

Security Awareness and Training Policy
http://it.ouhsc.edu/policies/Security_Awareness_and_Training_Policy.asp
http://chpw.org/assets/file/Security-Awareness-and-Training-Policy.pdf

Risk Assessment and Mitigation
http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf

Compliance Framework
http://csrc.nist.gov/publications/PubsSPs.html
http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/