
    Deputy Secretariat for Operations - POLICY 02.01.06

    Effective June 1, 2001

     

POLICY TO ASSURE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF MDH INFORMATION

     

    SHORT TITLE: INFORMATION ASSURANCE POLICY - IAP

    I. EXECUTIVE SUMMARY

    This policy provides direction for certain actions of Department employees to assure confidentiality, integrity, and availability of MDH information assets. It clarifies the roles and responsibilities of employees to protect the interest of MDH and consumers regarding the release of non-protected information and safeguarding of MDH protected and proprietary information. It recognizes and defines a life cycle for information. It acknowledges existing security and confidentiality requirements and initiates new requirements. It specifies requirements for both general and specific levels of due diligence and due care to be exercised over MDH information. Additionally, it provides for protection levels that are commensurate with an acceptable level of risk of loss or disclosure.

Based on a 'need-to-know' approach, supervisors are to assign employees an appropriate access authority and grant them corresponding system access levels. Employees are held accountable for reading and complying with the corresponding section(s) of this policy and for acting accordingly based on their assigned duties and responsibilities.

Due to the size, complexity, and evolving nature of health policy, information systems, and communications technology, this document provides broad standards for the handling and security of MDH information. To facilitate compliance with this policy, a separate document entitled 'Security Procedures for MDH Information Assurance Policies and Programs,' hereafter referred to as 'MDH Information Security Procedures', has been developed to provide: (1) the roles and responsibilities of specific personnel, (2) data classifications, and (3) directions for handling Department information. These procedures are issued and maintained by the MDH Information Resources Management Administration to support this policy.

    II. BACKGROUND

State Government records are public records under the Maryland Public Information Act (PIA) (see http://www.oag.state.md.us/Forms/book.pdf). Upon request, these records are to be made available for inspection or copying unless a provision of the PIA or other law either prohibits or authorizes the custodian to refrain from such a disclosure. However, certain health and medical information may be exempt from disclosure in order to protect the privacy of individuals. Therefore, MDH must balance its responsibility, together with its other federal and State responsibilities, to protect the privacy and confidentiality of health and medical information and transactions.

Our communications with the public need to reinforce a sense of trust in MDH and State government. The Department's employees may be required to work with both electronic and paper-based systems, which include handling information, data, records, and documentation, hereafter generally referred to as information. Regardless of how information is obtained, created, or used in job performance, it must be handled with appropriate security precautions as established by this policy, or by more restrictive applicable federal or State policies, procedures, regulations, or laws.

This policy seeks both to clarify the responsibilities of employees and to protect the interests of the Department and health consumers through the safeguarding of protected information. Any MDH employee could be privy to information that is non-public, confidential, and/or intended only for Departmental use. Employees are cautioned that even seemingly appropriate disclosures of consumers' health and medical information may constitute an unwarranted 'invasion of privacy.'

The use of MDH information systems by employees is explained in 02.01.01, Electronic Information Systems Policy. All MDH employees are to sign and initial the appropriate section(s) of the Combined Policy Acknowledgement Form. To ensure employees' understanding of and compliance with applicable provisions of this policy, the acknowledgment and signing of the form are to be done in consultation with supervisory staff, who will also initial the form.

Because certain employees have duties that require them to have more extensive access, or require authority beyond that granted to the 'user' level, these employees are to read and comply with the additional applicable provisions of this policy designated for specific personnel (see § III.A - Definitions), also in consultation with supervisory staff.

    As a condition of access to MDH information resources, non-MDH employees, or other individuals who access or use MDH information systems, will also need to sign the Combined Policy Acknowledgment Form (see Appendix). Those individuals who do not sign the Statement will no longer be given access to or use of MDH protected or proprietary information or information systems, which may result in subsequent job reassignment.

This policy was developed with assistance from the Security and Confidentiality (SeCon) Workgroup of the MDH Health Information Coordinating Council, which reviewed and applied federal and State statutes and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), in addition to the 'best practices' of government agencies and private industry. Given the complexity and evolving nature of information systems and communications technology, this policy is to be reviewed and revised periodically in coordination with the MDH Health Information Coordinating Council.

    III. POLICY STATEMENTS

    A. DEFINITIONS

A comprehensive set of definitions for this policy is contained in the MDH Information Security Procedures.

Specific personnel - For the purpose of this policy, the term specific personnel refers to the following positions, which are also described and defined in detail in the MDH Information Security Procedures.

     

- MDH Institutional Review Board Official Custodian
- Custodian of Records
- Data Steward
- Designated Responsible Party
- Network (System) Administrator
- Database Administrator
- Data Technician
- Contract Monitor
- Contract Preparer

    B. INFORMATION SECURITY DIRECTIVES

1. Information Is to Be Protected. All information, in any format, which is created or used in support of MDH business, is to be considered either owned by MDH or in MDH custody. This information is a valuable asset and must be protected from its point of origin through its life cycle of creation, collection, maintenance, authorized sharing, and storage, until its lawful disposal. It is to be maintained in accordance with federal and State regulations and MDH policies in a secure and reliable manner. Such protection levels are to reasonably assure confidentiality, integrity, accuracy, and ready availability for authorized use.

     

2. Information Custodians Are To Be Appointed. Program Directors, facility CEOs, Health Officers, and other executive managers of MDH units are responsible for the information in their custody. Unless such responsibility is to be retained by them personally, or is provided for otherwise in law or regulation, the executives are authorized to appoint an official Custodian, Data Steward, or Designated Responsible Party to manage their information. These functions are also defined in the MDH Information Security Procedures.

3. Information Is To Be Classified. Based on legal requirements, sensitivity, retention criteria, and the type of access required by authorized users, all MDH information will be classified by its custodians, or other authorized authority.

     

4. Protection Levels Are To Be Based on Risk Assessment. Information assurance is to be achieved by implementing a comprehensive set of policies and procedures that protect against accidental or malicious disclosure, modification, or destruction. The level of effort to protect information should reflect its confidentiality and its risk of loss or compromise. The risk and impact of loss and the relative value of the information is to be determined initially, and annually thereafter, by the Director of the appointed custodian of the information set, using an IRMA-accepted business impact analysis tool as found in the MDH Information Security Procedures. Additionally, a comprehensive risk analysis is required to be completed in the development phase of new information systems, or when existing systems are modified between annual reviews.

     

5. Information Access Is To Be Granted On A 'Need to Know' Basis. Access to information will be limited to authorized users who have a business need to know such information. This access and use will be further limited to appropriate job levels within legitimate job classifications. A higher level of access may be provided to persons who are designated to act in specialized support roles and who demonstrate a need to access, modify, or erase the information or to maintain the information system.

     

6. A Separation of Duties is Required. No single individual will have complete control of a business process or transaction from inception to completion. Custodians are directed to assure that there is functional segregation of roles and duties performed by an employee, to limit error and the opportunity for unauthorized actions.

     

7. Employees and Contractors Are To Be Trained in Information Security Awareness and Ethics. Depending on job duties, all MDH employees, contractors, and agents will be provided with training in information ethics. This training will be provided prior to access to MDH information systems, or prior to commencement of contractual services, and annually thereafter.

     

8. Employees Are to Be Aware of Their Obligation to Protect Information. Laws and regulations specifically require maintaining the confidentiality of certain records. MDH employees are responsible for knowing, or determining, in consultation with their supervisor, the specific protective requirements for information in their care, and for understanding their obligations to protect these resources. Employees are to report any suspected or realized violations.

     

    C. ROLES AND RESPONSIBILITIES

     

Every employee has a role and responsibilities to fulfill in information assurance. Employees' roles and responsibilities are described in more detail in the MDH Information Security Procedures. They are necessary to direct, implement, enforce, and assess the effectiveness of security and privacy policy, planning, and administration. The success of this policy is dependent upon supportive management, appropriate role assignment, and employees' understanding of their roles and responsibilities for implementing and enforcing the policy. Every MDH employee is assigned at least one role and its related responsibilities:

     

1. Chief Information Officer (CIO) - For the purpose of this policy, the MDH CIO is responsible for providing guidance on all Information Technology issues. The CIO is also responsible for directing the management and administration of the MDH information security program and initiating measures to assure and demonstrate compliance with security and privacy requirements.

     

2. Information Assurance Officer (IAO) - The IAO is directly responsible for the Department-wide coordination of all aspects of security and confidentiality, pursuant to applicable federal and State laws, regulations, and policies, and MDH policies, procedures, and protocols. The following are the responsibilities of the IAO:

- develops and reviews system security and privacy policies and grants exceptions to them;
- provides guidance to assure the integrity of all MDH information;
- reviews the security and confidentiality of the resources associated with the processing functions;
- reports security status of MDH, as required;
- assures software controls are implemented;
- ensures procurement requirements of the IAP are met;
- supervises the resolving of security and privacy incidents;
- acts as Chief Privacy Officer (unless the role is otherwise assigned);
- coordinates with network security staff;
- assists in the preparation and review of IT risk assessments and contingency plans; and
- coordinates with internal and external audit staff to assure IAP requirements are included in audit reviews.

     

3. Security Officer (SO) - The MDH SO serves as the single point of contact and as the access control agent for the daily IT security program. The following are responsibilities of the SO:

- performs system audits, as directed;
- coordinates with MDH Monitors for access controls;
- resolves authentication and authorization issues or concerns;
- participates in addressing general security issues;
- provides appropriate IT security awareness and training to all employees;
- assists in the development of MDH systems contingency and disaster recovery plans;
- functions as the daily operational central point of contact for any type of IT security related incidents or violations;
- disseminates information concerning security alerts and potential threats to all MDH system owners;
- notifies users of security-related policies and procedures;
- assists in preparing annual systems evaluations of major processes including incident handling and security awareness training; and
- assists in risk management analysis to determine effectiveness in reducing security incidents.

     

4. Security Monitors (SMs) - The MDH System Monitors serve as the central point of contact and as the authorization control agents in their designated units for the daily IT security program. The following are SM responsibilities:

- coordinates with the MDH Security Officer in the preparation of lists of authorized users;
- makes changes to lists, and audits, as required;
- participates in addressing unit and MDH security issues;
- participates in IT security awareness and training;
- performs as the central point of contact for unit-level IT security related incidents or violations;
- disseminates information concerning security alerts and potential threats to MDH system owners;
- ensures that users are aware of security-related policies and procedures; and
- assists in the annual systems evaluation process.

     

5. User - The User is an employee, agent, or contractor who has access to MDH information. Users are responsible for consulting with supervisory staff to:

- determine the user's role and responsibilities to protect information resources in the user's control or possession;
- understand and comply with all applicable MDH and other security and privacy requirements; and
- facilitate a better understanding of the general and specific requirements for the confidentiality of protected and/or proprietary information.

     

6. Specific Personnel - The positions previously listed under Section III A - Definitions - Specific Personnel, within the scope of their assigned duties, are instructed to implement the following provisions as necessary to protect information from inadvertent or intentional improper use or disclosure.

     

a. Information is to be Protected. Protection of information requires a diligent coordination of organizational and administrative requirements, physical security safeguards, and technological security measures further detailed in the MDH Information Security Procedures (http://inMDH/secpolcy/html/iaphic2.htm).

     

b. Employees Are to Actively Comply with IAP Requirements. Specific Personnel are to act as required or directed in order to assure compliance with Federal, State and MDH directives. They are to report any known or suspected violations of these directives, throughout the lifecycle of the MDH information resources in their custody.

     

c. Proprietary Interests In MDH Information Are To Be Maintained. Specific personnel are to assure the Department's proprietary interest in information is protected through both legal and administrative means, describing and documenting the qualities and limitations of MDH information in their custody.

     

d. Information Must Be Collected, Maintained, Transferred, Stored, and Disposed of As Authorized. In accordance with applicable laws and regulations, employees who have access to information must be diligent to protect consumer rights and MDH interests. Specific personnel may not transmit information electronically unless permitted by approved written procedures.

     

e. Employees Are Authorized To Release Non-protected Information to the Public. Specific personnel will classify information in their custody, authorize certain employees, establish procedures to prevent unintended disclosure, and facilitate and clarify the decision-making processes related to release/sharing in accordance with MDH copyright requirements.

     

f. Employees Will Not Allow the Unauthorized Sharing of Protected and Proprietary Information. The sharing of MDH protected or proprietary information is encouraged as a good business practice; however, such sharing must be as necessary, appropriate and legal, in accordance with an explicit written understanding. MDH protected or proprietary information will not be physically or electronically removed or shared without the explicit authorization of the official custodian of record or designee.

     

g. Specific Personnel Will Not Allow the Unauthorized Disclosure of Protected and Proprietary Information. MDH protected or proprietary information may only be disclosed to others if necessary, appropriate, legal, and only as authorized by the official custodian of record or designee.

h. Certain Specific Personnel Will Monitor the Sharing of Protected Proprietary Information - When information is shared or accessed, Specific personnel will establish and follow written procedures to hold all subsequently approved users to the same Department and/or other requirements and responsibilities. This includes an extension of the requirements and the continued strict adherence to all rules required by an MDH recognized Institutional Review Board, including resubmission requirements.

     

i. Certain Employees May Authorize Disclosure of Protected and Proprietary Information. Authorized Specific personnel, as defined in this policy, are permitted to disclose protected or proprietary information resources in the course of their official duties, only if the requirements of this policy or other more stringent requirements are met before such disclosure.

     

j. Employees Are To Notify Vendors Of The IAP And Other Applicable Requirements. Specific personnel involved in the preparation and monitoring of MDH contracts and memoranda of understanding (MOU) will ensure that vendors, agents, or other entities who provide work-for-hire understand and comply with all applicable requirements for the protection of MDH information resources. This will be required when such resources are shared, or when MDH information systems are maintained, changed or developed.

     

k. Specific Personnel are Responsible for IAP Compliance. Persons designated or authorized to act in the capacity of Specific personnel, as defined above, are responsible for taking any and all reasonable, appropriate, and legal steps to ensure all employees comply with the terms of this policy.

     

    D. DISCIPLINARY, CIVIL AND CRIMINAL CONSEQUENCES

     

Violation of this policy may result in disciplinary action up to and including separation from State service and civil or criminal penalties. These remedies include, but are not limited to, those specified in the Annotated Code of Maryland, SG §10-626 through §10-628, HG §4-309, and Crimes and Punishments Article 27 §45A.

V. Appendices, Exhibits, & Addenda

- Combined Policy Acknowledgement Form
- Software Code of Ethics

     

     

APPROVED:

/s/ (signed copy on file) DATE: June 1, 2001
Georges C. Benjamin, M.D., Secretary

     ​