Security Standards, Policies, and Procedures Manual Template
Instructions: Replace the information in brackets [ ] with information relevant to your project.
Cyber Security Engineers are responsible for safeguarding computer networks and systems in an organization in order to protect the sensitive data they store.
Take on the role of Cyber Security Engineer for the organization you chose in Week 1. Research the following information for your chosen organization. Develop a Security Standards, Policies, and Procedures Manual using this template with recommendations to management of security standards, polices, and procedures which should be implemented in your organization.
UPMC Hospital
Overview
Explain the importance to your organization of implementing security policies, plans, and procedures. Discuss how security policies, plans, and procedures will improve the overall security of the organization.
Security policies for UPMC Hospital are a critical part of maintaining compliance with health standards and regulations, such as HIPAA. A security plan will improve the overall security of the hospital by providing written documentation containing protocols for maintaining a secure network, protecting sensitive patient information, and providing an encryption policy that ensures secure data transmissions. Additionally, security plans and procedures assist in implementing a patient tracking system using secured technology to ensure patients are not abducted.
The following policies, standards, and procedures are meant to protect UPMC’s data security environment. These Risk Management Policies also serve as a reference document for employees to ensure a cohesive response is followed by all departments and personnel in the hospital system.
Data Privacy Policies and Procedures
This policy pertains to all hospital and medical personnel who have access to patient/hospital data and information, whether direct or indirect. This policy is meant to protect high-level data and information and prevent those who do not have clearance from accessing the information. This policy also meets the Patient Health Information (PHI) requirements found in the Health Insurance Portability and Accountability Act (HIPAA). UPMC has adopted this policy to ensure that employees of the hospital are not given access to systems where they have no purpose or related duties.
Policy: Least Privilege. Reasonable effort must be taken to ensure PHI is secure and protected when using, accessing, requesting, and disclosing the protected information. Each hospital department must limit every employee's access to PHI to the least amount of data needed to complete that employee's job responsibilities.
Data Isolation Policies and Procedures
A data isolation policy will assist the overall security of the UPMC hospital by ensuring that the data is secure through a database property that controls the visibility of changes made to the system. This property also controls when and how changes are implemented and whether these changes are visible to users, other properties, and the overall information systems. Implementing this property also assists with system performance, since many transactions can occur simultaneously in isolation from each other, thereby not interacting with or affecting each other.
According to Lifewire.com (2019), “Isolation is an integral part of database transactional properties. It is the third property of ACID (Atomicity, Consistency, Isolation, Durability) and these properties ensure that data is consistent and accurate” (Isolation Property in a Database, p. 1). Isolation is a set of rules that isolates transactions that are happening concurrently so that they do not affect each other. For example, if two users are conducting database transactions at the same time, the system performs one transaction in its entirety, then conducts the other transaction in its entirety, and so on. This prevents the database from exposing data in the middle of a transaction. Data isolation does not determine the order of transactions, but it does ensure that each transaction does not interfere with another transaction; therefore they operate in isolation.
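The following is an added example (not from the original manual) showing the isolation property described above with SQLite, which Python ships with: a second connection reading a patient record does not see an in-progress ward transfer until the writing transaction commits. The table, connection names and the ward values are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile


def demonstrate_isolation():
    """Return (ward seen during the uncommitted update, ward seen after commit).

    Two separate connections to one database file stand in for two hospital
    users working at the same time. SQLite's default rollback-journal mode
    lets readers see only the last committed state while a writer holds an
    open transaction, which is the isolation behaviour the policy relies on.
    """
    path = os.path.join(tempfile.mkdtemp(), "isolation_demo.db")
    writer = sqlite3.connect(path)   # user 1: transfers the patient
    reader = sqlite3.connect(path)   # user 2: looks up the patient's ward

    writer.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, ward TEXT)")
    writer.execute("INSERT INTO patient VALUES (1, 'ER')")
    writer.commit()   # constructed starting state: patient 1 is in the ER

    # sqlite3 opens a transaction implicitly before this UPDATE; nothing is
    # committed yet, so the change is visible only inside the writer's session.
    writer.execute("UPDATE patient SET ward = 'ICU' WHERE id = 1")
    during = reader.execute(
        "SELECT ward FROM patient WHERE id = 1").fetchall()[0][0]

    writer.commit()   # transaction completes in its entirety
    after = reader.execute(
        "SELECT ward FROM patient WHERE id = 1").fetchall()[0][0]

    writer.close()
    reader.close()
    return during, after


if __name__ == "__main__":
    seen_during, seen_after = demonstrate_isolation()
    print(f"reader saw '{seen_during}' mid-transaction and '{seen_after}' after commit")
```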
Non-Disclosure Agreement (NDA) Policies and Procedures
The hospital non-disclosure agreement (NDA) protects the hospital by having each employee sign a document promising to abide by conditions related to keeping secrets and confidential information private. An example of the UPMC Non-Disclosure Agreement (NDA) is as follows:
I agree to follow the NDA below as a condition of my employment in regards to receiving and accessing electronic information, sensitive documents, proprietary information, and trade secrets.
1. I promise to not disclose any information to a third party that I have access to in any form.
2. I will keep my computer login and password secret and will not share or disclose this to anyone. Additionally, I agree that my login has the same legal weight as my signature and I am responsible for illegal or immoral files saved on my computer. I also agree that I cannot expect to have full privacy on my work computer and my employer has the right to view the contents of my computer, including my emails, at any time with or without my knowledge.
3. I agree that I will not attempt to access records or patient medical information that I do not have a direct need to access in my daily duties. Additionally, I will not access co-workers', friends', or family members' records.
4. I will change my login and password information when I have cause to believe it has been compromised.
5. I will abide by all other confidentiality procedures and policies while employed at the UPMC hospital.
Intellectual Property (IP) Policies and Procedures
The Intellectual Property (IP) Policy should be implemented because it covers IP’s created while in the employment of the UPMC hospital. This includes inventions, copyrightable works, tangible research, and all intellectual property (healthcare.partners.org, 2019). This protects the hospital by ensuring that all intellectual property created using hospital equipment, materials, and resources is granted to the hospital as owners of the property.
Employees agree that UPMC has the first option to own any such IP, and employees are in violation of this policy if they seek to sell, contract, license, dispose of, or otherwise commit any IP created while employed to a third party without the approval of the UPMC hospital Board of Directors.
Password Policies and Procedures
This policy is used to safeguard UPMC information systems and the data contained therein and is therefore a critical policy for the hospital. The hospital relies on passwords and user logins that are unique and complex, and employees are expected to keep passwords confidential. This policy aligns with the HIPAA regulatory requirements.
The following policy must be adhered to by all employees of UPMC hospital:
1. Employees must never leave their workstation while logged into the system. If an employee must attend to a patient or leave for lunch, they are expected to log out beforehand.
2. System passwords shall never be written down and left in the open. Additionally, password programs such as Roboform shall never be used as a means to save logins and passwords.
3. Passwords must be changed right away upon receiving login information, on an employee’s first day of work.
4. Employees are not allowed to share logins and any reports of this will lead to a mandatory security report that will be housed in the employee’s permanent employment record. Repeated violations will lead to termination.
5. Passwords must be changed every ninety days.
6. After five failed attempts to login to the system, the user account will be locked.
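Items 3, 5 and 6 above are the enforceable parts of the policy, and the following added example (not from the original manual) shows how an account system would apply them: a first-day credential and a credential older than ninety days only permit a password change, and the fifth consecutive failure locks the account even for a later correct password. The account fields, status strings and the sample user are constructed for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                 # item 6: lock after five failed logins
PASSWORD_MAX_AGE = timedelta(days=90)   # item 5: change every ninety days


@dataclass
class Account:
    username: str
    password_set_at: datetime
    initial_password: bool = True       # item 3: first-day credential must be changed
    failed_attempts: int = 0
    locked: bool = False


def attempt_login(account, password_correct, now):
    """Evaluate one login against the policy and return a status string.

    Statuses: 'locked', 'denied', 'change_required', 'ok'. The account is
    mutated to record failures and lockout, as a real directory service would.
    """
    if account.locked:
        return "locked"                 # stays locked until an administrator resets it
    if not password_correct:
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return "locked"
        return "denied"
    account.failed_attempts = 0         # a correct password resets the counter
    if account.initial_password or now - account.password_set_at > PASSWORD_MAX_AGE:
        return "change_required"        # items 3 and 5: only a password change may proceed
    return "ok"


def change_password(account, now):
    """Record a password change: clears the first-day flag and restarts the 90-day clock."""
    account.initial_password = False
    account.password_set_at = now


def scenario():
    """Walk one constructed account through the rules; returns the status sequence."""
    day0 = datetime(2019, 3, 4, 8, 0)
    acct = Account("nurse01", password_set_at=day0)
    out = [attempt_login(acct, True, day0)]                            # first day: change_required
    change_password(acct, day0)
    out.append(attempt_login(acct, True, day0))                        # ok
    out.append(attempt_login(acct, True, day0 + timedelta(days=91)))   # expired: change_required
    for _ in range(5):
        out.append(attempt_login(acct, False, day0))                   # denied x4, then locked
    out.append(attempt_login(acct, True, day0))                        # still locked
    return out


if __name__ == "__main__":
    print(scenario())
```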
Acceptable Use of Organizational Assets and Data Policies and Procedures
An Acceptable Use policy is important to the security of the UPMC hospital system because it establishes overall employee behavior when using hospital networks, computers, etc. This policy is meant to safeguard hospital systems, data, and information. Inappropriate use can damage the system or open it up to hacking, data theft, etc. It also sets boundaries on employee behavior in an effort to protect patient information and health information, which is also a requirement of HIPAA. By having employees re-sign this policy on an annual basis, it reminds them what is and is not acceptable use of the hospital's data systems.
An example Acceptable Use Policy for UPMC hospital is as follows:
This policy includes computers, e-mail, Internet usage, software, equipment, etc.
1. Personal Use of Computers. UPMC does not allow any personal use of their resources or data systems.
2. Employees agree that any and all data, research, etc. conducted on hospital equipment remains the property of UPMC hospital.
3. Employees should not expect privacy when using company computers or email services.
4. UPMC reserves the right to examine employee computers with or without their knowledge at any time.
5. Employees are prohibited from participating in behavior that is classified as offensive, harassing, or illegal. This includes posting negative comments about the hospital on social media outlets.
6. Employees may not install any software on their computer without the written approval of management.
7. Employees may not modify computers or network systems at any time.
8. Failure to comply with this policy will result in disciplinary action, up to and including termination.
Employee Policies and Procedures (Separation of Duties/Training)
UPMC will benefit from segregation of duties because this policy will assist in preventing fraud and errors by separating duties so that one person is not in total control of an internal procedure. This puts a checks-and-balances system into the hospital environment and protects the patients, employees, and the hospital as a whole.
All employees will participate in New Hire Orientation to learn more about hospital policies and procedures. Additionally, department Managers will assign individual training after ninety days, to help employees perform adequately.
Risk Response Policies and Procedures
Define avoidance, transference, mitigation, and acceptance strategies and criteria.
Risk Response Policies and Procedures are an important part of developing a plan to have strategies in place so when a risk does occur, written procedures assist in determining appropriate actions to mitigate or eliminate it. A Risk Response policy typically assigns an owner to watch over the risk and take responsibility for leading the procedures to eliminate or mitigate the risk.
Additionally, a Risk Register is used to document Risk Responses. These responses include procedures and policies set according to the type of risk that is encountered. The risk and the risk response are entered into the register and an owner is chosen to monitor and execute actions to reduce or eliminate the risk, in a timely manner. Actions taken are also documented in the Risk Register. Actions are chosen according to the intensity of the risk and potential losses. Other considerations when choosing actions are the cost effectiveness of the action, according to long-term goals instead of short-term risk annihilation.
The following definitions describe types of actions taken when risk is encountered:
Avoidance – This is defined as avoiding the risk by removing the cause of it.
Transference – This is defined as transferring the risk to a third party to handle. The third party also bears the liability if the risk infiltrates the systems and causes damage or loss of data. This option gives the risk to an expert who is better able to handle the risk.
Mitigation – This is defined as actions taken to lessen the impact and probability that a risk will occur. An example of this is installing anti-virus software on a computer to lessen the probability that the computer will get a virus.
Acceptance Strategies and Criteria – This is defined as a strategy used in response to risk when other options are not practical or possible. There is often a contingency plan accompanying acceptance strategies so that managers can handle the risk if and when it occurs.
Compliance (Regulatory, Advisory, Informative)
Examples could include: HIPAA, FERPA, ISO, NIST, SEC, and Sarbanes/Oxley.
A Regulatory, Advisory, and Informative Compliance Security standard assists hospital personnel by providing a documented procedure that all employees can refer to when risk is encountered. Because UPMC stores confidential patient medical information, these policies must also comply with federal laws and regulations, including HIPAA, ISO 27001, ISO 27799 and HITRUST Common Security Framework.
This security framework applies to information security management systems (ISMS), such as the one used by the UPMC hospital system. This covers technical, physical, and legal controls for the hospital in regards to risk management. This is important to the hospital because it assists the hospital in maintaining a secure environment for patient data. According to TechTarget.com (2019), “ISO 27001 was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system” (ISO27001, p. 1).
ISO 27001 – Establishes requirements for an Information Security Management System (ISMS) that utilizes specifications to assist in the security and risk planning process, including: defining a policy for security, defining the scope of an Information Security Management System, risk assessment, managing risks, and determining and implementing controls.
ISO 27799 – This is a set of Best Practices that the hospital can utilize to protect patient information and data. The threats it addresses include: unauthorized use of health information, theft by outsiders or insiders, willful damage by outsiders or insiders, and masquerade by insiders, outsiders, and service providers, to name a few.
EMTALA – This regulation is meant to comply with federal law stating hospitals are required to offer treatment to all persons who seek care without regard to whether the patient has insurance or is able to pay for the treatment. This usually applies to emergency care situations.
CMS Conditions of Participation – This regulation protects the UPMC Hospital System by requiring a national background check of all hospital employees who have access to patients. According to CMS.gov (2019), “Title VI, Subtitle B, Part III, Subtitle C, Section 6201 of the Affordable Care Act of 2010 established the framework for a nationwide program to conduct background checks on a statewide basis on all prospective direct patient access employees” (Background Check, p. 1).
Incident Response Policies and Procedures
Include: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned
An Incident Response Plan is a critical document to the overall security of the hospital environment. Below is a short overview of the stages of an Incident Response Plan. Each is directly related to a hospital information system risk management policy.
Preparation – It is important that all employees participate in training so they will know their role when a risk event occurs. Cyber threats should be at the top of the training list. Preparing begins with monitoring the network for obvious threats and reviewing logs in detail to prepare a course of action to mitigate the risk. Security policies should be updated on a regular basis.
Identification – Using equipment such as intrusion detection systems (IDS) can greatly affect the success of identifying risks and threats to the hospital. Employees should have a documented procedure on common security events to take the appropriate course of action. For example, if an employee’s computer has an obvious virus, the document should provide steps such as unplugging the computer from the network.
Containment – Once the computer is disconnected from the network, as in the example above, the risk is now considered contained. A virus scan would then be run to quarantine any malware or virus threats. Documenting the incident is also an important step.
Eradication – As in the example above, if the virus scan detects malware or a virus, the anti-virus software can eliminate the threat. Running diagnostics on the network server and the affected computer is a good place to continue eradication efforts.
Recovery – Validation tests should then be run on the computer to make sure the threat has been removed from the computer or network.
Lessons Learned – Documenting everything from beginning to end can prove to be very useful for future threats. What may not seem important today can quickly become extremely important in a week or two.
Auditing Policies and Procedures
The UPMC hospital system utilizes auditing and monitoring of potential vulnerabilities and threats found in data systems and electronic records. These audits help to sustain the security of the hospital and identify threats to the confidentiality, integrity, and availability of confidential information. Audits are used by hospital administrators to measure how well current security policies are working while identifying potential future security enhancements to the information systems. The hospital systems include access auditing, which is a required software feature to protect patient health information (PHI).
Below are example audit policy and procedures for the hospital.
1. Monitoring will occur on hospital information systems to identify unauthorized access, internal and external attempts to access the system, and other intrusion efforts by unauthorized users.
2. The hospital will track access and maintain system and event logs regarding system changes in configuration.
3. Security events will be reported to the UPMC security team.
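The following added example (not from the original manual) applies the three audit items above to constructed access-log lines: it flags a PHI record viewed by someone outside the record's department (the least-privilege and NDA rules), repeated failed logins as unauthorized access attempts, and every configuration change, and formats the resulting security events for the UPMC security team. The key=value log format, the user names and the three-failure reporting threshold are assumptions.

```python
from collections import Counter

# Constructed sample lines; not from a real hospital system.
SAMPLE_LOG = """\
2019-03-04T08:15:02 user=jdoe dept=cardiology action=view_record patient=P1001 record_dept=cardiology result=success
2019-03-04T08:16:40 user=jdoe dept=cardiology action=view_record patient=P2044 record_dept=oncology result=success
2019-03-04T08:20:11 user=msmith dept=billing action=login result=failure
2019-03-04T08:20:25 user=msmith dept=billing action=login result=failure
2019-03-04T08:20:39 user=msmith dept=billing action=login result=failure
2019-03-04T09:02:00 user=netadmin dept=it action=config_change target=core-firewall result=success
2019-03-04T09:05:13 user=rlee dept=oncology action=view_record patient=P2044 record_dept=oncology result=success
"""

FAILED_LOGIN_THRESHOLD = 3   # assumption: the policy text sets no number


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def audit(log_text):
    """Run the audit rules over the log and return (rule, user, detail) events."""
    events = []
    failed = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        # Item 1: a record viewed outside the viewer's own department has no
        # job-related need behind it, so it is reported as unauthorized access.
        if e["action"] == "view_record" and e["dept"] != e["record_dept"]:
            events.append(("cross_department_phi_access", e["user"], e["patient"]))
        # Item 1: repeated failed logins are an intrusion effort; report once at the threshold.
        if e["action"] == "login" and e["result"] == "failure":
            failed[e["user"]] += 1
            if failed[e["user"]] == FAILED_LOGIN_THRESHOLD:
                events.append(("repeated_failed_login", e["user"], str(failed[e["user"]])))
        # Item 2: every configuration change is tracked for review.
        if e["action"] == "config_change":
            events.append(("config_change", e["user"], e["target"]))
    return events


def report(events):
    """Item 3: render events as lines for the security team's ticket queue."""
    return [f"SECURITY EVENT {rule}: user={user} detail={detail}"
            for rule, user, detail in events]


if __name__ == "__main__":
    print("\n".join(report(audit(SAMPLE_LOG))))
```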
Environmental/Physical Policies and Procedures
Environmental and physical security policies and procedures are especially important to UPMC hospital system since the hospital maintains items such as infectious and radioactive materials, narcotic and hazardous drugs, and hazardous chemicals. UPMC must ensure they remain in compliance with the Occupational Safety and Health Administration (OSHA) and protect staff, patients, and visitors from accidental exposure to these chemicals.
The Environmental Protection Agency (EPA) regulates these types of security issues along with smoke and fire dangers in connection with these chemicals, which can be deadly. The EPA reviews the hospital’s policies every three years to ensure they remain in compliance with the hundreds of rules and regulations surrounding environmental security (Compliance.com, 2019).
Administrative Policies and Procedures
Administrative Security policies and procedures are needed to control and protect the handling and distribution of administrative data. Types of data included in this area are patient data, financial data, employee data, and hospital lab reports, to name a few. Since this data is housed on the hospital's information system, it is imperative to protect the systems from cyber threats or intrusions.
Configuration Policies and Procedures
Recommended configuration policies and procedures will ensure information systems are safeguarded against cyber threats and attacks. Failure to follow these procedures could lead to unauthorized use of data, data unavailability, and data loss. Configuration policies offer security for the hospital that reduces security vulnerabilities, threats, and risks along with saving hospital resources and valuable time spent protecting patient data.
UPMC Hospital Configuration Policy
1. Information System Configurations
a. Documentation must be completed on each IS component including:
i. Current operating system (OS), installed software, and installed applications for mobile devices, computers, network equipment, laptops, and servers.
ii. Update and patch information on each system
iii. Network diagrams, including logical and physical placements
iv. Any configuration exceptions must also be documented.
b. Configuration Review and Updates
i. Review of configuration documentation must be done annually
ii. Records must be updated to illustrate any changes to config settings within the systems.
2. Configuration Devices.
a. HIPAA Security regulations are highly concerned with the following devices, including: modems, wireless access points, e-mail servers, web servers, virtual private networks, firewalls, and routers (HIPAA-compliant configuration guidelines for Information Security in a Medical Center environment, p. 4).
b. These devices above are a critical security factor since the outside world will have to infiltrate them in order to gain access to the hospital network. Protecting these devices is therefore key to maintaining a secure environment.
3. Testing.
a. Intrusion prevention and the testing of these devices is a key factor in meeting compliance with HIPAA Security Guidelines.
Conclusion
While there is no single act that completely secures a hospital information system, following policies that keep the hospital in compliance with local and federal laws and regulations is a good place to start. Providing a secure environment is an on-going effort and does not end. Cyber Security Engineers must have the mindset of lifetime learning to ensure they are keeping up-to-date with the newest threats along with the newest technologies to protect the hospital from these threats.
Reference Page
CMS.gov (2019). Background Check. Retrieved from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/BackgroundCheck.html
Compliance.com (2019). Environmental Health and Safety. Retrieved from https://compliance.com/publications/hospital-risk-assessment-environmental-health-and-safety-compliance-and-physical-security-standards/
Healthcare.Partners.org (2019). IP Policy. Retrieved from http://healthcare.partners.org/OGCpolicies/IPPolicy.pdf
Sans.org (2019). HIPAA-compliant configuration guidelines for Information Security in a Medical Center environment. Retrieved from https://www.sans.org/reading-room/whitepapers/hipaa/hipaa-compliant-configuration-guidelines-information-security-medical-center-environment-891
Lifewire.com (2019). Isolation Property in a Database. Retrieved from https://www.lifewire.com/isolation-definition-1019173
MayoClinic.org (2019). Confidentiality Agreement. Retrieved from https://www.mayoclinic.org/documents/confidentiality-jax-pdf/doc-20079517
NC.gov (2019). Configuration Management Policy. Retrieved from https://files.nc.gov/ncdit/documents/Statewide_Policies/SCIO_Configuration_Management.pdf
TechTarget (2019). ISO 27001. Retrieved from https://whatis.techtarget.com/definition/ISO-27001