Tuesday, May 21, 2013
1. Purpose of the Document
2. Introduction
3. HIS Information Security Management System Policy
4. HIS Helpdesk and Technical Support Policy
5. HIS Remote Access Policy
6. HIS Training Policy
7. HIS Change Management Policy
8. HIS User Application Policy
9. HIS Disaster Recovery Policy
10. Definitions/Abbreviations
11. Revision of Document

1. Purpose of the Document
The purpose of this policy is to centralize all HIS Department policies in line with the Information Security Management System standard [ISO 27001:2005].

2. Scope

Hospital Information Systems.

3. HIS Information Security Management System Policy

Purpose: The HIS Vision and Mission make clear that HIS works to provide information systems solutions to SQUH, and that these solutions must be highly secure given the sensitivity of medical information.

Scope: Management [all users], Technical Staff [Technicians, Systems Analysts and Administrators, etc.], End Users.

HIS Information Security Policy is:
- To establish an HIS-wide approach to the information security management system.
- To prescribe mechanisms that help identify and prevent the compromise of information security and the misuse of data, applications, networks, computers, printers, scanners and all other assets owned by HIS.
- To define mechanisms that protect HIS assets so that HIS satisfies its legal and ethical responsibilities with regard to the connectivity of its networks and computer systems to internal and external networks.
- To prescribe an effective mechanism for responding to external complaints and queries about real or perceived non-compliance with this policy.
- To ensure that Information Resource controls are in place, are effective, and are not being bypassed.
- To ensure audit compliance, service level monitoring, performance measurement, limitation of liability, and capacity planning.

Policy Owner: Responsibility for this policy is held by the Information Security Specialist.

Note: While there is no dedicated Information Security Specialist on staff, the Chairman of the Quality and Security Committee is the responsible owner of this policy.

4. HIS Helpdesk and Technical Support Policy

Purpose: The purpose of this policy is to provide a framework for Technical Support and Helpdesk activities and responsibilities.
 
Scope: The scope of this policy includes HIS staff and all customers who are authorized to benefit from any system that resides at any SQUH facility, such as patient medical records, employee personnel information, confidential emails, etc.

Helpdesk and Technical Support Policy: The role of the Helpdesk and Technical Support is to provide excellent services to Sultan Qaboos University Hospital 24 hours a day, 7 days a week, based on the criteria described in this document.

We support SQUH 24 hours a day, 7 days a week:
- 7:30 AM to 2:30 PM: Call 4888 or Bleep 747
- 2:30 PM to 10:30 PM: Call 4888 or Bleep 747
- 10:30 PM to 7:30 AM: Call Omantel Bleep 9129005

Call the Help Desk First: If you have problems with or questions about your computer, please call the Help Desk and Technical Support only (Extension: 4888, Bleep: 747), rather than any individual HIS staff member. The Help Desk centralizes our response system so we can diagnose larger-scale problems quickly. Additionally, by calling the Help Desk numbers, you help us avoid duplicating work.
Note: Helpdesk and Technical Support will not be accountable for any user request that does not come through 4888 or bleep 747.
Note: During the night shift, support is provided only for the Medtrak and Labtrak systems; other applications such as MS Office and the Internet are not supported.
Answering Phones and Bleep: During regular working hours, the Help Desk tries to answer every call through Ext. 4888 or Bleep 747 without missing any, because we treat each call as top priority; once a call is received and classified, it is categorized.
Our Response Time: The Help Desk attempts to answer problem calls (anything which prevents basic operation of the computer, e.g., a bad monitor, a computer virus, etc.) within 24 hours. We attempt to resolve project tickets (e.g., installing new software, creating new accounts, etc.) within two weeks.
Technical Support Limits: Help Desk and Technical Support only work on HIS-owned equipment and SQUH (licensed or purchased) software. That means that personally-owned equipment and peripherals (PCs, printers, laptops, etc.) are not supported by the Help Desk and Technical Support. As always, we'll do what we can to help, but our assistance will be limited.
Personal Data Backup Responsibility: Any data saved on a PC is the user's responsibility to save and back up.
Mersal Messages: FLASH messages can be sent via the Mersal system at any time. These messages are sent out only for matters of immediate importance and should be read carefully by all. Please contact the Help Desk (4888).
Changing Passwords: Except under unusual circumstances, the Help Desk will not change passwords over the phone. Please come to HIS with your ID to have your password changed.
Access to Personal Files (the D: Drive): If a department needs access to a former employee's files (specifically his/her D: drive), the Help Desk requires a formal letter from that employee's HoD/Supervisor confirming the request before we can make that information available. Correspondingly, we will not access another user's D: drive without specific permission from that user or the user's supervisor.
Which Web Browsers Do We Support? We support three primary web browsers: Firefox, Netscape Navigator, and Internet Explorer. Feel free to use any or all of them!
Using VNC Viewer Remote Control: Technical Support Technicians will only use remote control tools with your permission. VNC Viewer helps us solve problems immediately, depending on the scenario of the problem.
User Responsibilities: It is the customer's responsibility to follow the HIS Helpdesk and Technical Support Policy [SQUH-HIS-OPS-POLICY-01] and the HIS Helpdesk and Technical Support Procedure [SQUH-HIS-OPR-PROCESS-001].

Policy Owner: Responsibility for this policy is held by the Operations Division Supervisor.

5. HIS Remote Access Policy

Purpose: The purpose of this policy is to provide guidelines for the Remote Access Service (Virtual Private Network) to the SQUH network.

Scope: This policy applies to all SQUH employees, contractors, consultants and other workers, including all personnel affiliated with third parties, who use the remote access service to access the SQUH network. This policy applies to implementations of the remote access service that allow direct access to the SQUH network from outside the SQUH network.

Remote Access Service Approval:
- Approved SQUH employees and authorized third parties (vendor support, etc.) may utilize the benefits of the Remote Access Service.
- Remote Access Service accounts will be provided only at the request of a user's supervisor or HoD by submitting an official letter along with the appropriate Remote Access Request form signed by both user and HoD/Supervisor. Additionally, the user must have read, understood, and acknowledged this policy before using the remote access service.
- Remote Access Service for non-SQUH personnel (customers, vendors, etc.) must be approved by the HIS Director. Additionally, a copy of the Remote Access Service Request Form (including the Remote Access Service Policy and the confidentiality agreement) must be signed by the designated company Approving Authority. Accounts will not be issued until this process has been completed.
Remote Access Service User Responsibilities:
a. By using the remote access service with personal equipment, users must understand that their machines are an extension of the SQUH network, and as such are subject to the same rules and regulations that apply to SQUH-owned equipment, i.e., their machines must be configured to comply with all SQUH security policies.
b. All computers connected to SQUH networks via the remote access service must use up-to-date virus-scanning software and virus definitions. The anti-virus software used must be approved by the SQUH network administrator; additionally, all relevant security patches must be installed.
c. Users of this service are responsible for the procurement and cost associated with acquiring basic Internet connectivity, and for any associated service issues. The remote access service works best over broadband connections (ADSL). Use of dial-up Internet service is not recommended for regular remote access activity.
d. It is the responsibility of the employee or company with remote access service privileges to ensure that unauthorized users are not allowed access to SQUH networks.
e. Remote access service access is controlled using ID and password authentication. For SQUH employees the ID must be in the form of their SQUH Domain account. For non-SQUH employees the ID will be assigned by HIS. The password must comply with the HIS Password Policy.
Remote Access Service Restrictions:
a. The SQUH remote access service is to be used solely for SQUH medical and/or technical support purposes. All users are subject to auditing of remote access service usage.
b. To prevent potential 'back-doors' to the network, dual (split) tunneling is NOT permitted: a remote machine must not be connected to the SQUH network through the VPN and to any other network (for example, the Internet directly) at the same time. Only one network connection is allowed per remote access service session.
c. SQUH network access for non-SQUH personnel will be limited to the resources to which they need access. Open access for these accounts will not be permitted. Tunnels must not be accessible by unauthorized users or from the Internet.
d. The remote access service will be set up and managed by the HIS Networking Division.
e. Remote access service users will be automatically disconnected from the SQUH network after twenty minutes of inactivity. The user must then log on again to reconnect to the network. Artificial network processes are not to be used to keep the connection open.
f. Technical support will only be provided during working hours.
g. Users must not use any information belonging to SQUH without permission from SQUH authorities.
h. HIS has the right to ask remote access service users for a report on any misuse of the facility.
Enforcement:
- Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
- Printouts, backups and other media must be held in locked cabinets when not in use.
- Printouts must be returned to the organization or shredded when no longer needed.

Policy Owner: Responsibility for this policy is held by the Networking Division Supervisor.

6. HIS Training Policy

Purpose: The purpose of this policy is to establish a training management system and regulate all related procedures for the training programs provided by HIS.

Scope: This policy applies to all SQUH employees, SQU students, and students from outside SQU.

The Document:
A. SQUH staff should refer to the courses scheduled by HIS and TD.
B. SQU and outside SQU students should follow the training procedure to apply for the training program.
C. The training period for SQU and outside SQU students is 4 weeks. Students rotate through the two HIS divisions, two weeks in each division.
D. It is the responsibility of HIS employees to share knowledge with others through any training program given to SQUH, SQU and outside SQU students.
E. Throughout all training programs planned by the Training Committee, HIS staff should take care of the points below:
- All trainees should work outside the staff offices.
- After finishing any technical training inside the department, the student returns to the training room.
F. Any extension to the training programs must be approved by the Training Committee.
G. Each trainee should know the rules followed inside the HIS directorate in order to benefit fully from the training programs.

Requirements
1. The general requirements for a trainee to be accepted:
a. SQUH staff:
- Refer to the course entry requirements, such as language.
- Follow the minimum and maximum number of participants required to run the course.

b. SQU and all other students:
- Completion of the third or fourth academic year.

Enforcement: Any employee or student found to have violated this policy may be subject to disciplinary action.
 
Policy Owner: HIS Training Committee (Committee Chairman)

7. HIS Change Management Policy

Purpose: The purpose of the HIS Systems Change Management Policy is to manage changes in a rational and predictable manner so that staff and clients can plan accordingly.

Scope: HIS Management, Technical Staff [Technicians, Systems Analysts and Network Administrators].
The Document:
- Every change to an HIS Information Resource, such as operating systems, computing hardware, networks, and applications, is subject to the Systems Change Management Policy and must follow the Systems Change Management Process.
- All changes affecting computing environmental facilities (e.g., air-conditioning, water, heat, plumbing, electricity, and alarms) need to be reported to or coordinated with the leader of the Systems Change Management Process.
- A formal written change request must be submitted for all changes, both scheduled and unscheduled.
- All scheduled change requests must be submitted in accordance with the Systems Change Management Process so that the Owner of Systems Change Management has time to review the request, determine and review potential failures, and make the decision to allow or delay the request.
- Each scheduled change request must receive formal approval from the Systems Change Management Owner before proceeding with the change.
- The Owner of the Systems Change Management Policy may deny a scheduled or unscheduled change for reasons including, but not limited to: inadequate planning, inadequate back-out plans, timing that would negatively impact a key business process such as year-end accounting, or adequate resources not being readily available. Adequate resources may be a problem on weekends, holidays, or during special events.
- Customer notification must be completed for each scheduled or unscheduled change following the steps contained in the Systems Change Management Process.
- A Change Review must be completed for each change, whether scheduled or unscheduled, and whether successful or not.
- A Systems Change Management Log must be maintained for all changes. The log must contain, but is not limited to:
  - Date of submission and date of change
  - Owner and custodian contact information
  - Nature of the change
  - Indication of success or failure
All HIS information systems must comply with a Systems Change Management Process that meets the standards outlined above.

8. HIS User Application Policy
Purpose: The purpose of this policy is to
Scope: Management [all users], Technical Staff [Technicians, Systems Analysts and Administrators, etc.], End Users.

These policies are intended to help you make the best use of the computer resources.

9. HIS Disaster Recovery Policy
Purpose: The purpose of the HIS Disaster Recovery Policy is to manage the disaster recovery process.
Scope: HIS Services and Systems, HIS Management [all users], Technical Staff [Technicians, Systems Analysts and Administrators, etc.], End Users.

The Document:
- The disaster recovery plan should cover all essential and critical business activities.
- The disaster recovery plan should be periodically tested in a simulated environment to ensure that it can be implemented in emergency situations and that management and staff understand how it is to be executed.
- All staff must be made aware of the disaster recovery plan and their own roles within it.
- The services and systems that must be included in the backup process are: DNS, DHCP, Web server, Web caches, HISweb server, HISprint, server

10. Definitions/Abbreviations

- HIS: Hospital Information Systems Directorate
- SQUH: Sultan Qaboos University Hospital
- SQU: Sultan Qaboos University
- ISMS: Information Security Management System: that part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.
  NOTE: The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.
- Confidentiality: the property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
- Integrity: the property of safeguarding the accuracy and completeness of assets.
- Availability: the property of being accessible and usable upon demand by an authorized entity.
- Information security: preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved.
- Security policy: set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
- Information Resources (IR): the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
  Examples: computers, printers, scanners, network, online display devices, magnetic storage media, mainframes, servers, notebook computers, personal digital assistants (PDA), networked medical and laboratory equipment, telecommunication resources, telephones, fax machines.
- Local Area Network (LAN): a network that connects computers and devices within a limited area, such as a single building or campus.
