Question

Consider that the Commonwealth Government of Australia is planning to launch ‘My Health Record’ a secure online summary of an individual’s health information. The system is available to all Australians, My Health Record is an electronic summary of an individual’s key health information, drawn from their existing records and is designed to be integrated into existing local clinical systems.

The ‘My Health Record’ is driven by the need for the Health Industry to continue a process of reform to drive efficiencies into the health care system, improve the quality of patient care, whilst reducing several issues that were apparent from the lack of important information that is shared about patients e.g. reducing the rate of hospital admissions due to issues with prescribed medications. This reform is critical to address the escalating costs of healthcare that become unsustainable in the medium to long term.

Individuals will control what goes into their My Health Record, and who is allowed to access it. An individual’s My Health Record allows them and their doctors, hospitals and other healthcare providers to view and share the individual’s health information to provide the best possible care.

The 'My Health Record' is used by various staff such as System Administrator, Doctor, Nurse, Pathologist and Patient. In order to convey and demonstrate the rules and regulations to the users of this system, Commonwealth Government of Australia needs a security policy.

You are employed as the Security Advisor for the organisation. The task that is handed to you by the Chief Information Officer now is to create, develop and manage "System Access Security Policy" for atleast any 3 users of the system.

Complete the following in your security policy:

• Plan System Access Security Policy
• Develop System Access Security Policy
• Manage System Access Security Policy

Criteria	HD
1. Plan System Access Security Policy Maximum 2 Marks	Well planned and well documented for system access security policy. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials.
2. Develop System Access Security Policy Maximum 3 Marks	Well developed and well documented for system access security policy. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials.
3. Manage System Access Security Policy Maximum 3 Marks	Well managed and well documented for system access security policy. Demonstrates breadth and depth of understanding and has insights and awareness of deeper more subtle aspects of the topic content. Evidence of having researched/read more widely beyond the core materials.

GUIDELINE (HINT) :

Introduction and nature of the Commonwealth Government of Australia with My Health Record System

Plan a Security Policy

• Identify and explain the role of planning for security policy.
• Identify and discuss the best strategic planning for security policy.
• Explain the resources planning required for security policy.
• Anything else you think is reasonable to place into a Plan for Security Policy based on what you have learnt.

Develop a Security Policy

• Define the intent and rationale of the policy.
• Any definitions which are used through out the document.
• Responsibilities of individuals i.e. those who enforce the guideline.
• Scope of the policy i.e. who and what it effects.
• Anything else you think is reasonable to place into a Develop for Security Policy based on what you have learnt.

Manage a Security Policy

• Describe how to monitor policy.
• Explain how to control policy.
• Identify and explain the major outcome of policy.
• Explain how do you update policy time to time.
• Anything else you think is reasonable to place into a Manage for Security Policy based on what you have learnt.

NOTE - PLEASE DONOT PROVIDE ME THE SAME ANSWER THAT IS ALREADY IN THE CHEGG SOLUTION. PLEASE REFER TO GUIDELINES GIVEN JUST ABOVE.

Answer 1

As the healthcare industry embraces network applications and devices, patient information must stay secure and private. System-based applications have changed for all intents and purposes for each industry, and healthcare is no special case. Arrangements that enable access to electronic medical records [EMRs], restorative administration frameworks, imaging, biomedical data, material administration, patient bookkeeping, conceding data and online cases entries are getting to be typical in remote, wired, and portable situations. Today, healthcare frameworks can combine these apparatuses into one framework to all the more adequately impart and team up, lessen errors, and improve patient consideration and effectiveness. These outcomes in lower cost for patient consideration.

As medicinal services suppliers embrace new innovations, they additionally face new security dangers. Programmers, PC infections, offended representatives, and human error present genuine threats to medicinal services systems. Luckily, most security breaches can be averted, and there are various organize security instruments accessible that are anything but difficult to send and utilize.

[1] Creating a Security Policy

The initial phase in guaranteeing a protected domain is to build up a sound security policy that delivers every one of the prerequisites to secure individuals, procedures, information, and innovation. A security policy is a formal, publishable archive that characterizes jobs, duties, satisfactory use, and security rehearses for the association. It is a fundamental part of a total security structure, and it ought to be utilized to manage interest in security resistances.

[1.1] The Elements of a Security Policy -

Since a security policy influences all parts of a human services biological system, it ought to be made through a cooperative procedure that incorporates delegates of clinical, managerial, legitimate, and innovation staff. A cross-utilitarian group will help guarantee that all interests of the supplier are met while conveying a safe framework. Building up an approach can take weeks, contingent upon the size of the association. The components of a security strategy include -

[A] Policy Statement - A brief proclamation of the report's motivation, an approach articulation ought to be explicit to the individual association or division and be auditable, controllable, and enforceable.

[B] Scope - The arrangement ought to incorporate the kind of data and assets secured by the arrangement [for instance, regardless of whether it applies just to electronic assets or joins paper-based physical security or different types of protected innovation].

[C] Roles and obligations -Policies must characterize the jobs and obligations of those overseeing security and data frameworks, just as the duties of clinical and authoritative staff.

[E] Security orders - The strategy should offer point by point security mandates that must be pursued. Orders should cover the kinds of equipment and programming that representatives can utilize, any outsiders that will approach the system, remote access, individual name, and password supervision i.e. IDSs, and different prerequisites.

[F] Acceptable use policy [AUP] - The AUP tends to issues, for example, individual utilization of the Internet and preclusions against getting to Internet destinations that offer improper content.

[G] Document control factors - Organizations ought to characterize how updates to the security approach will happen and how frequently they ought to be inspected and approved.

Suppliers might need regardless of an improved, abnormal state security approach and refine it after some time.

[2] Development a Security Policy

The security policy is a report that characterizes the normal practices, obligations and decides that the healthcare association must pursue and authorize for the shielding of data. The policy conveys the executives support for security exercises and establishes the pace for security rehearses inside the healthcare association.

[2.1] Advantages of Security Policy -

Alignment of a security policy with the healthcare system and, drivers, predictable messages, direction and responsibility for security policy. It includes -

1. The decrease in risk impact.
2. Better designation and the management of assets.
3. Increased familiarity with the significance of security policy all through the healthcare organization.

[2.2] Supporting Standards, Guidelines, and Procedures -

When the policy is composed, supporting measures, rules and methodology should be created to help the approach at a progressive point by point and explicit level. The detail and profundity of the benchmarks and rules will rely on the intricacy and, size of the healthcare association and its data frameworks. The purpose of these standards must include -

1. Privacy – the property that electronic healthcare data isn't made accessible or revealed to unapproved people or procedures.
2. Trustworthiness – the property that electronic healthcare data have not been adjusted or annihilated in an unapproved way.
3. Accessibility – the property that electronic healthcare data is available and useable upon interest by an approved individual.

[2.2.1] The policy set up by My Health organization ought to be relevant to a wide range of data utilized by the healthcare, including yet not restricted to -

1. Persistent health data.

2. Persistent statistic data.

3. Persistent financial data.

4. Research data.

5. Data about doctors, attendants, and different parental figures.

6. Companion audit data.

7. Legal and Regulatory Necessities.

[2.3] Stages of Establishing a Security Policy

1. Getting Executive Support - Connect with senior administration toward the start of building up the approach to acquire their help and responsibility for the advancement of the strategy furthermore, its execution.

2. Drafting and Engagement - When drafting the policy guarantee that those inside the My Health association that will be affected by the approach or who can offer a topic skill or understanding from their territory of the association are locked in and audit the substance of the draft. These people are known as stakeholders. Now and again, stakeholders outside of the association, for example, merchants, providers, or patients may be counseled.

3. Survey - The draft approach ought to be assessed with stakeholders and the management and fundamental modifications ought to be made. This may result in various adaptations being made previously an adequate draft is prepared for endorsement furthermore, distribution.

4. Endorsement - Official administration and some other required supporting body ought to officially endorse the strategy and impart to the association the need to agree to it.

5. Execution - Recognize zones in the association that must agree to the arrangement. Make and record an activity intend to arrive at consistency and screen for consummation.

6. Upkeep and Review - The arrangement ought to be assessed and refreshed on an occasional premise or upon huge changes to business targets, condition, innovation, enactment. The difficulties and issues in regards to the strategy, as communicated to the association by its staff, patients and their accomplices and guardians, researchers and governments.

[3] Development of Security Policy

[3.1] Area of consideration in building up the policies –

1. Right to be educated regarding the privileges - Duties regarding executing methodology for guaranteeing that the patient is educated regarding the arrangements identified with patient data ought to be characterized.

2. Right to security - Relatable patient data may just be unveiled to those straightforwardly engaged with the consideration of the patient, for the assurance of the general wellbeing as given by law, for the installment of administrations as approved by the patient, to help analysts as approved by the patient, or for some other purposes legally necessary or approved by the patient.

3. Right to audit data - Patients are qualified for know which data about them is in the ownership of the association and are qualified to survey it. Any classification of data that might be retained from the patient as per the law ought to be characterized in the policies

4. Right to clear and finish the introduction of data – My Health ought to create policies identified with making data from the PC based patient record accessible to the patient in an unmistakable, intelligent, justifiable configuration. Any approaches for showing data in a configuration not kept up by the association ought to be characterized. The organization's policies identified with the expenses related to the introduction of data ought to likewise be characterized.

5. Right to annex right data - Data can't be erased, however incorrect data can be set apart accordingly and right data affixed. The patient's privileges to give supplemental data or an informative supplement ought to likewise be characterized.

[3.2] Development of Roles and Responsibilities

The association should put a security policy the executives’ structure set up by relegating jobs and duties regarding security all through the association.

Advantages -

1. Accountability for security inside the association is set up and there is clear comprehension of who does what, when and where.
2. Ensures that security policy exercises are sorted out viably and effectively and staff are mindful of their security obligations and have sufficient preparing and abilities. It is essential to take note of that: Every association will have its very own exceptional prerequisites. Smaller associations may decide to join different duties into a solitary job, while medium to bigger associations may decide to separate a zone of duty into different jobs.

The idea of segregation of responsibilities ought to be connected when creating and allocating these jobs and obligations. In situations where segregation of responsibilities may not be conceivable or down to earth in all circumstances, the guideline ought to be connected as much as could reasonably be expected. On the off chance that the association is small and incapable to execute segregation of responsibilities, different controls ought to be executed to counterbalance the hazard. Controls may incorporate review systems, free audits, coherent controls, or extra manual controls.

[3.3] Assessment of Security Policy

All medicinal services foundations should audit (evaluate for holes) their Information Security Program at arranged interims or when changes to the security program happen.

Advantages -

1. Actual or potential security shortcomings, which could put the association or patient in danger, are distinguished to lessen potential mischief.

2. Allows the association to proactively organize and plan for enhancements, hence diminishing the hazard and guarantees the proceeding with appropriateness, ampleness, and adequacy of the Security Policy.

3. Without surveying the policy, an association will not know where they have shortcomings and where assets, time and exertion ought to be engaged. As an outcome, profitable assets might be spent or utilized verifying regions that don't require it. Appraisals of the Security Policy ought to be started by the executives.

The audit ought to recognize open doors for improvement and the requirement for changes to security, counting the arrangement and other security control zones. It is profoundly suggested that the policy assessment be finished by outsider inspectors or by somebody other than the individual who is in charge of actualizing the security policy arrangement. People completing these surveys ought to have suitable abilities and experience. The aftereffects of the autonomous survey ought to be recorded and answered to the management. On the off chance that the free survey finds that an association's security policy is insufficient or not consistent with the course in the security policy arrangement, the executives should take restorative activities, for a rundown of suggested parts of a thorough, standard-based Security Policy.