This is just a blurb that I wrote for a friend trying to understand the protection(s) in place for the sake of patient information. Blah-de-blah.
Heyo. You'll definitely have to do some research on the particulars, but I believe there are two parts to this situation: one is the technical security of the computers and networks where the information is stored or used, and the second is the rules and legislation governing how the information may be used.
Talking to the tech support at your hospital will (or should) get you all of that information, but it breaks down to a few items:
ACCESS AND ACCOUNTABILITY
- each employee has an individual computer account, secured by a password that is changed regularly and frequently, so every action in the system can be traced to one person (personal accountability)
- the passwords are substantially complex, so they can't be guessed or cracked by just anyone
- employees only have access to the information that is appropriate for their job (medical personnel can't see financial information and vice versa), and nothing beyond it
- that access, and the password changes, are reviewed/audited on a regular basis to catch accounts and privileges that should have been removed
PHYSICAL SECURITY
- the security and integrity of the network have been certified and are audited, and network access is controlled (no one can just plug any machine into the network and gain access)
- the machines where the information is stored are physically secured, with only certain employees having limited and appropriate access (also reviewed on a regular basis)
- there are very controlled and limited means for removing the information from the network (people can't just burn patient information to CDs or copy it to removable media unless they have both that privilege and the hardware)
RULES AND LEGISLATION
You'll have to look into the particulars, but I think this is the realm of HIPAA, which deals with patient privacy. The legislation sets the requirements that the controls in all the bullet points above are meant to satisfy.
At my previous job, we were subject to legislation called "Sarbanes-Oxley", or SOX. This was a result of the Enron debacle, and all public companies were obligated to be compliant with it. This required us to understand "control points" based on the legislation, define "controls" for our company that would address those control points, and then generate "evidence" on a regular basis to prove we were compliant. Depending on the sensitivity of the control point(s), the period for evidence would range from annual to daily.
We would then be audited internally, for our own sake, by auditors who advocated for our company, and then we would undergo "external" auditing by auditors who advocated for the government.
Lots of work, lots of evidence, lots of control. Each year would bring changes or refinements in the legislation and, in turn, modifications or refinements to the controls and evidence.
Bear in mind that SOX is geared towards financial data, whereas HIPAA is geared towards patient privacy.
Hope this helps!