ADHICS Implementation Guidelines: Information Security Policy
In early 2019, the Department of Health (DOH) launched the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) Standard as a strategic initiative supporting its vision and federal mandates, approved by the Executive Committee. The regulations of the standard run in line with global healthcare industry standards for Information Security.
Through the regulatory standard, DOH intends to prepare and enable Abu Dhabi’s healthcare sector to maintain the highest level of privacy and security for healthcare information. This is where ADHICS Compliance Services in Abu Dhabi matter and become a vital necessity in the healthcare sector.
About ADHICS Implementation Guidelines
As healthcare information gets digitized and healthcare equipment becomes more complex and more interconnected, the risks in the industry are far higher. We must also understand that constant innovation is a part of the industry, and implementing the ADHICS standard creates an environment in which these technology adaptations happen in a controlled way, without adding too much to an entity’s risk environment.
To support compliance with the standard, ADHICS also provides guidelines on how best to handle healthcare information and reduce an entity’s risk exposure. Following the guidelines helps you implement the standard along the most appropriate and required path. That also requires entities to know the different baseline policies associated with the standard.
Baseline Policies for ADHICS Implementation
Baseline policies for ADHICS Implementation are the information security policies that support the sound deployment of appropriate security controls within the healthcare sector. There are more than 20 baseline policies in the ADHICS guidelines document:
- Information Security High-Level Policy
- Human Resources Security Policy
- Information Asset Management Policy
- Physical and Environmental Security Policy
- Access Control Policy
- Operations Security Policy
- Electronic Communications Policy
- Health Information and Security
- Third Parties Security Policy
- Information Systems Acquisition, Development, and Maintenance Policy
- Information Security Incident Management Policy
- Information Systems Continuity Policy
- Compliance Policy
- Acceptable Usage Policy
- Antivirus Policy
- Clear Desk and Clear Screen Policy
- Information/Data Backup Policy
- Internet Usage Policy
- Password Security Policy
- Remote Access Security Policy
Importance of Information Asset Management Policy
Information Asset Management is one significant baseline policy that healthcare entities need to understand when pursuing a successful implementation of the ADHICS standard guidelines. It gives deep insight into how entities can effectively manage data assets in compliance with the standard. So, here we describe what an information asset management policy is all about and how to deploy it.
Overview
About Information Assets
First, what are healthcare Information Assets?
Information Assets in healthcare include data of all types and the underlying physical infrastructure, technology, and applications used for the corresponding storage, processing, and communication of that data. For a healthcare entity, the following represent its information assets:
- Physical & Digital Information
- Medical Devices and Equipment
- Applications & Software
- Information Systems
- Physical Infrastructure
- Human Resources
The Purpose of the Policy
Next, why do healthcare entities require the policy?
A successful policy implementation can help organizations:
- Protect and secure patient data
- Report any compliance issues
- Monitor & record the use of Information Assets
- Enhance overall health outcomes
Scope and Responsibilities
Finally, what are the scope and obligations of the policy? The policy applies to all users and to all information assets owned and managed by the entity, with a set of responsibilities defined within it. The responsibilities defined in the Information Asset Management Policy are as follows:
- The Information Security Manager is responsible for developing, maintaining, executing, and endorsing the policy.
- The Information Security Division, or the Division holding Information Security obligations, is responsible for supporting the business unit to implement controls and keep compliance with the policy.
- All users must read, learn, and adhere to the policy in their daily process lifecycle.
- The Information Security Division, or the Division holding Information Security obligations, should conduct awareness sessions on the policy for all users.
- Senior Management and Business Process Owners are responsible for maintaining compliance with the policy in their respective areas of concern.
- The Information Asset Owners are also responsible for maintaining compliance with the policy in their respective areas of concern.
Deeper into the Policy Guidelines
Now, let’s move a little deeper into the policy guidelines by addressing some significant questions around information asset management. ADHICS Compliance Services in Abu Dhabi pivot around helping clients implement these guidelines more effectively.
How to manage Information Assets?
The Information Asset Management Policy requires organizations to identify, record, and maintain all their Information Assets through an Information Asset Inventory System. These Asset Inventories should be reviewed and updated whenever there is an organizational restructure. Entities must also define and document each Information Asset, specifying its owner, custodian, and access control list without exception.
How to classify Information Assets?
Information Assets shall be classified based on the following criteria:
- Value of the information
- Intended users of the information
- Risk impact of the information
Information owners are responsible for assigning/maintaining these criteria and classifying the assets accordingly.
What are the categories of an Information Asset Classification?
Information Asset Classification relies on the aforementioned classification elements: the information’s value, its intended users, and the risk impact if the information were compromised. In line with industry security best practices, information is classified into four categories:
Secret
- The information is highly sensitive and requires multilevel protection.
- Disclosure of such information carries impacts on various aspects of the nation.
- A compromise influences an entity’s financial status, customer trust and other legal implications.
Confidential
- Information providing critical support to the decision-making within the entity, across the government and healthcare division.
- The information needs robust protection from design exposure, configuration faults and vulnerabilities.
- Compromise of such information can influence the competitive advantage, strategic plans, federal relations, and other legal bindings.
Restricted
- Information that bonds to an entity’s internal functions with limited relevance or applicability to a general audience.
- The information requires less confidentiality protection due to its daily usage.
- Compromise of such information has only a minimal impact on an entity’s financial, operational, and reputational status.
Public
- Information that gets used in the public domain with no legal bindings or usage restrictions.
- Some examples of such information include website information, promotion materials, articles, and other marketing copies.
- Compromise of such information has zero impact on an entity.
Is labelling for Information Assets required?
The policy guideline requires entities to classify and label all Information Assets regardless of their form (electronic or physical). Also, any information system that cannot be physically labelled, but used for processing, is considered confidential. Hence, healthcare entities must clearly label their Information Assets based on classifications as secret, confidential, restricted, and public.
When to reclassify Information Assets?
If an entity undergoes a significant change in its business requirements that results in a classification change, the Information Asset Owner shall consider reclassifying the affected Information Assets. When reclassifying Information Assets, entities also need to revisit their security controls, since the access permissions for the reclassified information may change.
How to handle Information Assets safely?
For this, entities need to store information in line with its assigned classification category. Adequate security controls must be in place when information is transferred through any channel, and the level of those controls must match the classification category of the data transmitted. Furthermore, Information Asset Owners need to track and monitor whether proper controls are in place for the transmission of each class of information.
How to safely dispose of Information Assets?
Information Assets require safe disposal at the end of their lifecycle, with proper authorization from the Information Asset Owner. Entities must ensure adequate security controls during disposal so that the information held on the disposed system is irrecoverable.
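As an added illustration (not part of the ADHICS guidelines or of this article), the following Python models the inventory, labelling, handling and disposal rules described above as checks an entity could run over its Information Asset Inventory. The record field names and the table of channel control levels are assumptions; ADHICS prescribes the rules, not this particular representation.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The four ADHICS classification categories, ordered from least to most sensitive.
LEVELS = {"Public": 0, "Restricted": 1, "Confidential": 2, "Secret": 3}

# ASSUMPTION: the highest classification each transfer channel's controls can carry.
# ADHICS does not prescribe this table; it is constructed for the example.
CHANNEL_MAX_LEVEL = {"public-website": 0, "internal-mail": 1, "encrypted-sftp": 3}


@dataclass
class Asset:
    """One Information Asset Inventory record (field names are assumptions)."""
    name: str
    owner: Optional[str]
    custodian: Optional[str]
    acl: List[str] = field(default_factory=list)
    label: Optional[str] = None          # assigned classification, if any
    physically_labelable: bool = True
    processes_information: bool = False


def effective_label(asset: Asset) -> Optional[str]:
    """Labelling rule: a processing system that cannot be physically labelled
    is treated as Confidential; otherwise the assigned label stands."""
    if asset.label is None and asset.processes_information and not asset.physically_labelable:
        return "Confidential"
    return asset.label


def inventory_findings(asset: Asset) -> List[str]:
    """Inventory rule: every asset needs an owner, a custodian, an ACL and a valid class."""
    findings = []
    if not asset.owner:
        findings.append("missing owner")
    if not asset.custodian:
        findings.append("missing custodian")
    if not asset.acl:
        findings.append("empty access control list")
    if effective_label(asset) not in LEVELS:
        findings.append("not classified")
    return findings


def transfer_allowed(asset: Asset, channel: str) -> bool:
    """Handling rule: the channel's controls must match or exceed the asset's class."""
    label = effective_label(asset)
    return label in LEVELS and CHANNEL_MAX_LEVEL.get(channel, -1) >= LEVELS[label]


def disposal_allowed(asset: Asset, approver: str) -> bool:
    """Disposal rule: disposal requires authorization from the Information Asset Owner."""
    return bool(asset.owner) and approver == asset.owner
```

Running `inventory_findings` over every record gives the periodic compliance inspection the policy asks for; `transfer_allowed` and `disposal_allowed` are the per-action checks.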
Policy Compliance
In the final part of the article, we outline the guidelines for compliance with the Information Asset Management Policy.
- Any policy violations are subject to disciplinary actions considering the employee code of conduct and other applicable regulations.
- Users have the right to seek clarifications or advice on the policy from the concerned Information Security Section/Department.
- On the other side, the Information Security Section/Department also needs to inspect compliance with the policy on a periodic basis.
- Any exceptions to the policy require authorization and approval from the Information Security Manager or the concerned position holding the obligatory function.
Final Thoughts
So far, we have briefly covered the implementation guidelines for Information Asset Management, which form an essential part of an entity’s path towards ADHICS compliance with ADHICS Compliance Services in Abu Dhabi. There are several other baseline policies covering information security, human resources, access control, operations security, communications, third-party security, and more, which will be elaborated on in our further articles. Developing these information security policies is vital, and it is the healthcare entity’s responsibility to ensure their effectiveness.