Deputy Secretariat for Operations - POLICY 02.01.06
Effective June 1, 2001
POLICY TO ASSURE CONFIDENTIALITY, INTEGRITY,
AND AVAILABILITY OF MDH INFORMATION
SHORT TITLE: INFORMATION ASSURANCE POLICY - IAP
I. EXECUTIVE SUMMARY
This policy provides direction for certain actions of Department employees to assure confidentiality, integrity, and availability of MDH information assets. It clarifies the roles and responsibilities of employees to protect the interest of MDH and consumers regarding the release of non-protected information and safeguarding of MDH protected and proprietary information. It recognizes and defines a life cycle for information. It acknowledges existing security and confidentiality requirements and initiates new requirements. It specifies requirements for both general and specific levels of due diligence and due care to be exercised over MDH information. Additionally, it provides for protection levels that are commensurate with an acceptable level of risk of loss or disclosure.
Based on a 'need-to-know' approach, supervisors are to assign employees an appropriate access authority and grant to them corresponding system access levels. Employees are held accountable for reading and complying with the corresponding section(s) of this policy and for acting accordingly based on their assigned duties and responsibilities.
Due to the size, complexity, and evolving nature of health policy, information systems, and communications technology, this document provides broad standards for the handling and security of MDH information. To facilitate compliance with this policy a separate document entitled 'Security Procedures for MDH Information Assurance Policies and Programs,' hereafter referred to as 'MDH Information Security Procedures', has been developed to provide: (1) the roles and responsibilities of specific personnel, (2) data classifications, and (3) directions for handling Department information. These procedures are issued and maintained by the MDH Information Resources Management Administration to support this policy.
II. BACKGROUND
State Government records are public records, under the Maryland Public Information Act (PIA) (see http://www.oag.state.md.us/Forms/book.pdf). Upon request, these records are to be made available for inspection or copying unless a provision of the PIA or other law either prohibits or authorizes the custodian to refrain from such a disclosure. However, certain health and medical information may be exempt from disclosure in order to protect the privacy of individuals. Therefore, MDH must balance its responsibility, together with its other federal and State responsibilities, to protect the privacy and confidentiality of health and medical information and transactions.
Our communications with the public need to reinforce a sense of trust in MDH and State government. The Department's employees may be required to work with both electronic and paper-based systems, which include handling information, data, records, and documentation, hereafter generally referred to as information. Regardless of how information is obtained, created, or used in job performance, it must be handled with appropriate security precautions as established by this policy, or by more restrictive applicable federal or State policies, procedures, regulations, or laws.
This policy seeks to both clarify the responsibilities of employees as well as to protect the interests of the Department and health consumers through the safeguarding of protected information. Any MDH employees could be privy to information that is non-public, confidential, and/or intended only for Departmental use. Employees are cautioned that even seemingly appropriate disclosures of consumers' health and medical information may constitute an unwarranted 'invasion of privacy.'
The use of MDH information systems by employees is explained in 02.01.01, Electronic Information Systems Policy. All MDH employees are to sign and initial the appropriate section(s) of the Combined Policy Acknowledgement Form. To ensure employees' understanding of and compliance with applicable provisions of this policy, the acknowledgment and signing of the form are to be done in consultation with supervisory staff, who will also initial the form.
Because certain employees have duties that require them to have more extensive access, or require authority beyond that granted to the 'user' level, these employees are to read and comply with additional applicable provisions of this policy, as designated for specific personnel (see § III.A, Definitions), also in consultation with supervisory staff.
As a condition of access to MDH information resources, non-MDH employees, or other individuals who access or use MDH information systems, will also need to sign the Combined Policy Acknowledgment Form (see Appendix). Those individuals who do not sign the Statement will no longer be given access to or use of MDH protected or proprietary information or information systems, which may result in subsequent job reassignment.
This policy was developed with assistance from the Security and Confidentiality (SeCon) Workgroup of the MDH Health Information Coordinating Council, which reviewed and applied federal and State statutes and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), in addition to the 'best practices' of government agencies and private industry. Given the complexity and evolving nature of information systems and communications technology, this policy is to be reviewed and revised periodically in coordination with the MDH Health Information Coordinating Council.
III. POLICY STATEMENTS
A. DEFINITIONS
A comprehensive set of definitions for this policy is contained in the MDH Information Security
Procedures.
Specific personnel - For the purpose of this policy, the term specific personnel refers to the
following positions, which are also described and defined in detail in the MDH Information
Security Procedures.
MDH Institutional Review Board Official Custodian
Custodian of Records
Data Steward
Designated Responsible Party
Network (System) Administrator
Database Administrator
Data Technician
Contract Monitor
Contract Preparer
B. INFORMATION SECURITY DIRECTIVES
1. Information Is to Be Protected. All information, in any format, which is created or used in
support of MDH business, is to be considered either owned by MDH or in MDH custody. This
information is a valuable asset and must be protected from its point of origin through its life cycle of
creation, collection, maintenance, authorized sharing, and storage, until its lawful disposal. It is to
be maintained in accordance with federal and State regulations and MDH policies in a secure
and reliable manner. Such protection levels are to reasonably assure confidentiality, integrity,
accuracy, and ready availability for authorized use.
2. Information Custodians Are To Be Appointed. Program Directors, facility CEOs,
Health Officers, and other executive managers of MDH units are responsible for the information
in their custody. Unless such responsibility is to be retained by them personally, or is provided for
otherwise in law or regulation, the executives are authorized to appoint an official Custodian,
Data Steward, or Designated Responsible Party to manage their information. These functions
are also defined in the MDH Information Security Procedures.
3. Information Is To Be Classified. Based on legal requirements, sensitivity, retention
criteria, and the type of access required by authorized users, all MDH information will be
classified by its custodians, or other authorized authority.
4. Protection Levels Are To Be Based on Risk Assessment. Information assurance is to
be achieved by implementing a comprehensive set of policies and procedures that protect
against accidental or malicious disclosure, modification, or destruction. The level of effort to
protect information should reflect its confidentiality and its risk of loss or compromise. The risk
and impact of loss and the relative value of the information is to be determined initially, and
annually thereafter, by the Director of the appointed custodian of the information set, using an
IRMA-accepted business impact analysis tool as found in the MDH Information Security
Procedures. Additionally, a comprehensive risk analysis is required to be completed in the
development phase of new information systems, or when existing systems are modified
between annual reviews.
5. Information Access Is To Be Granted On A 'Need to Know' Basis. Access to
information will be limited to authorized users who have a business need to know such information.
This access and use will be further limited to appropriate job levels within legitimate job
classifications. A higher level of access may be provided to persons who are designated to act
in specialized support roles and who demonstrate a need to access, modify, or erase the
information or to maintain the information system.
6. A Separation of Duties is Required. No single individual will have complete control of a
business process or transaction from inception to completion. Custodians are directed to assure
that there is functional segregation of roles and duties performed by an employee, to limit error
and the opportunity for unauthorized actions.
7. Employees and Contractors Are To Be Trained in Information Security Awareness
and Ethics. Depending on job duties, all MDH employees and contractors and agents will be
provided with training in information ethics. This training will be provided prior to access to MDH
information systems, or prior to commencement of contractual services, and annually thereafter.
8. Employees Are to Be Aware of Their Obligation to Protect Information. Laws and
regulations specifically require maintaining the confidentiality of certain records. MDH
employees are responsible for knowing, or determining, in consultation with their supervisor, the
specific protective requirements for information in their care, and for understanding their
obligations to protect these resources. Employees are to report any suspected or realized
violations.
C. ROLES AND RESPONSIBILITIES
Every employee has a role and responsibilities to fulfill in information assurance. Employees'
roles and responsibilities are described in more detail in the MDH Information Security Procedures. They are necessary to direct, implement, enforce, and assess the effectiveness of security and privacy
policy, planning, and administration. The success of this policy is dependent upon supportive
management, appropriate role assignment, and employees' understanding of their roles and
responsibilities for implementing and enforcing the policy. Every MDH employee is assigned at least
one role and its related responsibilities:
1. Chief Information Officer (CIO) - For the purpose of this policy, the MDH CIO is
responsible for providing guidance on all Information Technology issues. The CIO is also
responsible for directing the management and administration of the MDH information security
program and initiating measures to assure and demonstrate compliance with security and
privacy requirements.
2. Information Assurance Officer (IAO) - The IAO is directly responsible for the
Department-wide coordination of all aspects of security and confidentiality, pursuant to applicable
federal and State laws, regulations, and policies, and MDH policies, procedures, and protocols.
The following are the responsibilities of the IAO:
develops and reviews system security and privacy policies and grants exceptions to them;
provides guidance to assure the integrity of all MDH information;
reviews the security and confidentiality of the resources associated with the processing
functions;
reports security status of MDH, as required;
assures software controls are implemented;
ensures procurement requirements of the IAP are met;
supervises the resolving of security and privacy incidents;
acts as Chief Privacy Officer (unless the role is otherwise assigned);
coordinates with network security staff;
assists in the preparation and review of IT risk assessments and contingency plans; and
coordinates with internal and external audit staff to assure IAP requirements are included
in audit reviews.
3. Security Officer (SO) - The MDH SO serves as the single point of contact and as the
access control agent for the daily IT security program. The following are the responsibilities of the
SO:
performs system audits, as directed;
coordinates with MDH Monitors for access controls;
resolves authentication and authorization issues or concerns;
participates in addressing general security issues;
provides appropriate IT security awareness and training to all employees;
assists in the development of MDH systems contingency and disaster recovery plans;
functions as the daily operational central point of contact for any type of IT security related
incidents or violations;
disseminates information concerning security alerts and potential threats to all MDH
system owners;
notifies users of security-related policies and procedures;
assists in preparing annual systems evaluations of major processes including incident
handling and security awareness training; and,
assists in risk management analysis to determine effectiveness in reducing security
incidents.
4. Security Monitors (SMs) - The MDH System Monitors serve as the central point of contact
and as the authorization control agents in their designated units for the daily IT security program.
The following are SM responsibilities:
coordinates with the MDH Security Officer in the preparation of lists of authorized users;
makes changes to lists, and audits, as required;
participates in addressing unit and MDH security issues;
participates in IT security awareness and training;
performs as the central point of contact for unit-level IT security related incidents or
violations;
disseminates information concerning security alerts and potential threats to MDH system
owners;
ensures that users are aware of security-related policies and procedures; and,
assists in the annual systems evaluation process.
5. User - The User is an employee or agent or contractor who has access to MDH information.
Users are responsible for consulting with supervisory staff to:
determine the user's role and responsibilities to protect information resources in the user's
control or possession,
understand and comply with all applicable MDH and other security and privacy
requirements, and
facilitate a better understanding of the general and specific requirements for the
confidentiality of protected and/or proprietary information.
6. Specific Personnel - The positions previously listed under Section III A - Definitions -
Specific Personnel, within the scope of their assigned duties, are instructed to implement the
following provisions as necessary to protect information from inadvertent or intentional
improper use or disclosure.
a. Information is to be Protected. Protection of information requires a diligent coordination
of organizational and administrative requirements, physical security safeguards, and
technological security measures further detailed in MDH Information Security Procedures.
http://inMDH/secpolcy/html/iaphic2.htm.
b. Employees Are to Actively Comply with IAP Requirements.
Specific Personnel are to act as required or directed in order to assure compliance with
Federal, State and MDH directives. They are to report any known or suspected violations
of these directives, throughout the lifecycle of the MDH information resources in their custody.
c. Proprietary Interests In MDH Information Are To Be Maintained. Specific personnel are
to assure the Department's proprietary interest in information is protected through both legal
and administrative means, describing and documenting the qualities and limitations of MDH
information in their custody.
d. Information Must Be Collected, Maintained, Transferred, Stored, and Disposed of
As Authorized. In accordance with applicable laws and regulations, employees who have
access to information must be diligent to protect consumer rights and MDH interests.
Specific personnel may not transmit information electronically unless permitted by
approved written procedures.
e. Employees Are Authorized To Release Non-protected Information to the Public.
Specific personnel will classify information in their custody, authorize certain employees,
establish procedures to prevent unintended disclosure, facilitate and clarify the
decision-making processes related to release/sharing in accordance with MDH
copyright requirements.
f. Employees Will Not Allow the Unauthorized Sharing of Protected and Proprietary
Information. The sharing of MDH protected or proprietary information is encouraged
as a good business practice, however, such sharing must be as necessary, appropriate
and legal, in accordance with an explicit written understanding. MDH protected or
proprietary information will not be physically or electronically removed or shared, without
the explicit authorization of the official custodian of record or designee.
g. Specific Personnel Will Not Allow the Unauthorized Disclosure of Protected and
Proprietary Information. MDH protected or proprietary information may only be disclosed
to others if necessary, appropriate, legal, and only as authorized by the official custodian
of record or designee.
h. Certain Specific Personnel Will Monitor the Sharing of Protected Proprietary
Information - When information is shared or accessed, Specific personnel will establish
and follow written procedures to hold all subsequently approved users to the same
Department and/or other requirements and responsibilities. This includes an extension
of the requirements and the continued strict adherence to all rules required by a MDH
recognized Institutional Review Board including resubmission requirements.
i. Certain Employees May Authorize Disclosure of Protected and Proprietary
Information. Authorized Specific personnel, as defined in this policy, are permitted to
disclose protected or proprietary information resources in the course of their official
duties, only if the requirements of this policy or other more stringent requirements
are met before such disclosure.
j. Employees Are To Notify Vendors Of The IAP And Other Applicable
Requirements. - Specific personnel involved in the preparation and monitoring of
MDH contracts and memoranda of understanding (MOU) will ensure that vendors,
agents, or other entities who provide work-for-hire, understand and comply with all
applicable requirements for the protection of MDH information resources. This will
be required when such resources are shared, or when MDH information systems
are maintained, changed or developed.
k. Specific Personnel are Responsible for IAP Compliance. Persons designated
or authorized to act in the capacity of Specific personnel, as defined above, are
responsible for taking any and all reasonable, appropriate, and legal steps to ensure
all employees comply with the terms of this policy.
D. DISCIPLINARY, CIVIL AND CRIMINAL CONSEQUENCES
Violation of this policy may result in disciplinary action up to and including separation from
State service and civil or criminal penalties. These remedies include, but are not limited to,
those specified in the Annotated Code of Maryland, SG §10-626 through §10-628,
HG §4-309, and Crimes and Punishments Article 27 §45A.
V. Appendices, Exhibits, & Addenda
Combined Policy Acknowledgement Form
Software Code of Ethics
APPROVED:
/s/, (signed copy on file) DATE: June 1, 2001
Georges C. Benjamin, M.D., Secretary