MICHAEL PATMON

Operational Policy

Security policies represent the definition of security for an organization.  Policies directly support the business objectives of the organization and are the foundation of all the supporting standards and procedures that follow.  Without defined security policies it is impossible to gauge how secure an organization is.  The concept and protection of privacy is also a major component of security policy, as the disclosure of private information has the potential to cause severe impact to any organization. 

As security professionals it is our job to understand not only the current threats and vulnerabilities to the organization, but also the applicable laws and regulations.  Those laws vary greatly depending on the industry, and failure to meet those expectations can result in severe financial penalties to the organization.  We also have an ethical responsibility to protect customer information, particularly when that information is of a sensitive nature, as is the case with Personal Health Information (PHI).  Failure to properly safeguard this information not only carries legal penalties but may seriously and negatively impact the personal life of the individual. 

What follows are example policies for a fictitious Health Insurance Company (HIC).  These policies were developed to support HIC business operations and ensure compliance with applicable healthcare related laws and regulations, notably HIPAA.


Asset Identification and Classification Policy for HIC, Inc.
The purpose of this document is to establish policies for the classification of HIC information assets based on confidentiality and for determining baseline security controls for their protection.  All HIC information assets, physical or electronic, must be classified and labelled as outlined in this policy.


1.0  Overview of HIC Asset Identification and Classification Policy
To centralize the authorization of access to information assets HIC has implemented a mandatory classification and access policy.  All HIC information must be classified upon creation in an HIC information system and maintain a classification throughout the life of the information.  A user may promote the information level to their level or higher but the information level may only be demoted by HIC corporate level IT.  Information assets must also be disposed of properly.  See the HIC Information Asset Retention, Reclassification, and Disposal Policy for more information. 
A Mandatory Access Control (MAC) policy is used to enforce access to data based on three levels of classification: PHI, Corporate, and Other.  Users, or user roles, are subject to the “Simple Security Rule”, which states that they may only access or read data at their classification level or below.  Users are prohibited from reading information above their classification level.  Furthermore, users are only permitted to “write up”, meaning they can add information to levels above their own but may not read it.  Users are also subject to the *-property (read: “star property”), which states that they may not write information to lower classification levels.  This property prevents the leaking of information to lower security levels.  (USD, 2017).   
Role Based Access Control (RBAC) will be used to assign users a classification level based on their job function and a “need-to-know” basis.  Roles are then mapped to MAC security classifications upon which access control is enforced. 
  • Medical Practitioner: individuals directly responsible for the welfare of patients, including doctors, physician’s assistants, nurse practitioners, and nurses
  • Technician: individuals who collect samples from patients and run tests, including X-ray/MRI technicians, laboratory technicians, and medical assistants
  • Administrative: non-medical personnel employed by HIC or approved third party
  • Public: all other unclassified users and the public
  • Patient: the individual whose information is stored in the HIC information system
Information Classification Levels & Hierarchy:
  • PHI: “individually identifiable health information” that relates to the individual’s past, present, or future physical or mental health or condition.  (HHS, 2013).  PHI is also subject to protection under federal law with the Health Insurance Portability and Accountability Act (HIPAA).  Release of PHI level information may cause severe impact to HIC business operations and may include legal and financial penalties.  PHI level information must also be stored and transmitted securely using HIC approved cryptographic mechanisms.  PHI is the highest classification level.
  • Corporate: HIC internal information that does not include PHI.  Billing information, corporate policies, and HIC business communication are examples of the Corporate classification.  Corporate level information must be stored and transmitted securely using HIC approved cryptographic mechanisms.  Release of Corporate level information may cause serious impact to HIC business operations.  Corporate is the second highest classification level.
  • Other: Low risk or public information with no access restrictions.  Examples include patient brochures, news releases, and public health information.  PHI that is released to the public must meet the De-identification Standard of the HIPAA Privacy Rule.  Release of Other level information may cause limited to no impact to HIC business operations.  Other is the lowest classification level.
If the classification of information entering the system is unknown the following default classifications should be used:
  • Non-personal or sensitive information: Corporate classification
  • Personal health or confidential information: PHI
 
2.0  Characteristics and Standards for Security Classification
  1. PHI classification level
    1. Job function & authorized access: Medical Practitioner.  Note: a “patient” user may be allowed read access to their PHI information only
    2. Responsibilities and Restrictions for PHI level users: Medical Practitioners are responsible for maintaining the confidentiality of PHI under their care and must ensure they do not put this information at risk.  They are restricted from leaking PHI level information to lower classification levels.  They must also ensure that PHI is properly classified and immediately report the disclosure of PHI.  PHI level information may only be accessed on HIC owned and supported devices and may not be stored or accessed on personally owned devices.
    3. Read/Write access to other levels: Medical Practitioners have read access to all classification levels but may not write to any other level.
  2. Corporate classification level
    1. Job function & authorized access: Technician and Administrative
    2. Responsibilities and Restrictions for Corporate level users: Technicians and Administrative users are responsible for maintaining the confidentiality of HIC corporate information.  They are restricted from leaking Corporate level information to the public.  They are also responsible for recognizing PHI level information and immediately reporting when that information is misclassified or otherwise available.  Corporate level information may only be accessed on HIC owned and supported devices and may not be stored or accessed on personally owned devices.
    3. Read/Write access to other levels: Technicians and Administrative roles may read the Corporate and Other data classification levels.  They may write to the PHI level but not read it.  For example, a technician may not read PHI level information but may write patient laboratory test results to it. 
  3. Other Classification level
    1. Job functions & authorized access: Public and Patient
    2. Responsibilities and Restrictions for users: HIC Public users must report the presence of PHI or Corporate level information that is publicly available.
    3. Read/Write Access to other levels: Public users may not read information at any other level.  In some instances public users may write up to other levels; for example, public health information on child growth percentiles may be included in a patient’s record for comparative purposes.  However, public users are generally prohibited from making changes to information at higher levels. 
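The rules of sections 1.0 and 2.0 can be checked mechanically.  The following is an added reference-monitor example, not part of the HIC policy documents: it encodes the Other < Corporate < PHI hierarchy, the role-to-level mapping, the Simple Security Rule (no read up), the *-property (no write down), the patient exception for reading their own record, and the relabelling rule (promotion by the user, demotion only by HIC corporate IT).  Role strings, field names and the `corporate_it` flag are this example's own assumptions.

```python
"""Added example: MAC/RBAC reference monitor for the HIC classification policy."""
from enum import IntEnum


class Level(IntEnum):
    OTHER = 0
    CORPORATE = 1
    PHI = 2


# RBAC mapping from section 1.0: each role is cleared to exactly one MAC level.
ROLE_LEVEL = {
    "medical_practitioner": Level.PHI,
    "technician": Level.CORPORATE,
    "administrative": Level.CORPORATE,
    "patient": Level.OTHER,
    "public": Level.OTHER,
}


def default_level(is_personal_health: bool) -> Level:
    """Section 1.0 defaults for information whose classification is unknown."""
    return Level.PHI if is_personal_health else Level.CORPORATE


def can_read(role: str, obj_level: Level, obj_subject=None, user_id=None) -> bool:
    """Simple Security Rule: read only at or below the user's clearance.
    Section 2.0 exception: a patient may read PHI, but only their own record."""
    if role == "patient" and obj_level == Level.PHI:
        return obj_subject is not None and obj_subject == user_id
    return obj_level <= ROLE_LEVEL[role]


def can_write(role: str, obj_level: Level) -> bool:
    """*-property: write only at or above the user's clearance (write up, never
    down).  A technician may append lab results to a PHI record it cannot read."""
    return obj_level >= ROLE_LEVEL[role]


def can_relabel(role: str, old: Level, new: Level, corporate_it: bool = False) -> bool:
    """Section 1.0: a user may promote information to their own level or higher;
    only HIC corporate IT may demote it (the flag stands in for that authority)."""
    if new == old:
        return True
    if new > old:
        return new >= ROLE_LEVEL[role]
    return corporate_it


def decide(request: dict) -> tuple:
    """Evaluate one access request and return (allowed, reason) so that denials
    can be logged and reported as sections 2.0 and 3.0 require."""
    role, op, lvl = request["role"], request["op"], request["level"]
    if op == "read":
        ok = can_read(role, lvl, request.get("subject"), request.get("user"))
    elif op == "write":
        ok = can_write(role, lvl)
    else:
        ok = can_relabel(role, lvl, request["new_level"], request.get("corporate_it", False))
    return ok, f"{role} {op} {lvl.name}: {'permit' if ok else 'deny'}"


if __name__ == "__main__":
    # Constructed sample requests mirroring the examples given in section 2.0.
    for req in [
        {"role": "technician", "op": "write", "level": Level.PHI},
        {"role": "technician", "op": "read", "level": Level.PHI},
        {"role": "medical_practitioner", "op": "write", "level": Level.CORPORATE},
        {"role": "patient", "op": "read", "level": Level.PHI, "subject": "m-1", "user": "m-1"},
        {"role": "administrative", "op": "relabel", "level": Level.PHI, "new_level": Level.CORPORATE},
    ]:
        print(decide(req)[1])
```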
 
3.0  Penalties for violations of Policy
  1. PHI: violations at this classification level, which include the release of PHI, may carry severe legal and financial penalties for HIC.  Employees may also be subject to criminal and civil penalties along with termination of employment depending on the severity of the infraction.  The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens the civil and criminal enforcement of the HIPAA rules and establishes:
    • Four categories of violations that reflect increasing levels of culpability;
    • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
    • A maximum penalty amount of $1.5 million for all violations of an identical provision. (HHS, 2017)
  2. Corporate: violation of this policy with respect to corporate classified information may result in disciplinary action including termination of employment. 
  3. Public: release of properly classified public information carries no penalties. 

References
  • Alhaqbani, B., & Fidge, C. (2007) Access Control Requirements for Processing Electronic Health Records.  Retrieved from https://link.springer.com/chapter/10.1007/978-3-540-78238-4_38
  • University of San Diego (USD). (2017). Introduction to Formal Policy Models – Part 2.  Retrieved from https://vimeo.com/175454522/37a42c299c
  • U.S. Department of Health and Human Services (HHS). (2017, June 16). HITECH Act Enforcement Interim Final Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
  • U.S. Department of Health and Human Services (HHS). (2013, July 26). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

HIC Asset Protection Policy – Malware Defense

1.0  Scope
This asset protection policy addendum supplements HIC Information Security Policies to further protect the confidentiality, integrity, and availability of HIC information systems and assets against malicious software.  This policy specifically applies to all endpoints connected to the HIC corporate network and includes employee issued laptops, workstations, and other network enabled devices connected via a wired or wireless connections.  The policy does not apply to HIC business servers that are fully managed by HIC IT.  This HIC Asset Protection Policy addendum applies globally to:
  • Everyone who has access to HIC information assets, including HIC employees and third parties
  • All HIC information assets including, but not limited to:
    • HIC information assets including electronic personal health records (e-PHI), intellectual property, and other HIC proprietary information
    • Information systems that store, process, or transmit HIC information assets internal or external to the HIC corporate network
 
2.0  Objectives
  1. Enforcement: HIC IT must implement controls that locate and identify all endpoints on the HIC corporate network and ensure that they are sufficiently secured against malware, viruses, and other threats.  This includes, but is not limited to:
    1. Operating system updates are applied in a timely manner
    2. Application updates are applied in a timely manner, such as those for Java, Flash, and web browsers
    3. Anti-virus agents have the current definitions loaded
    4. Policies for establishing external network connections are applied
    5. Policies for connecting USB storage devices are applied
    6. Application installation control via white/blacklisting (Tanium, 2016) 
  2. Detection: HIC IT must implement controls that scan the HIC corporate network on a periodic basis and identify systems that may be vulnerable to malware, viruses, and other threats.  This process should include:
    1. Scanning all devices connected to the HIC corporate network
    2. Scanning for “unmanaged” systems that may be out of compliance
    3. Tracking the usage of privileged accounts
    4. Ability to manage exceptions
    5. Generation of a report on the current state of all endpoints
    6. Creation of a remediation “ticket” to track the system, issue(s), owner, and progress of remediation. (Qualys, 2017)
  3. Remediation: upon detection of an indicator of compromise the endpoint systems must be quarantined to prevent the spread of infection. This may include:
    1. Killing of malicious processes or applications
    2. Reset or demotion of user credentials
    3. Network isolation or removal from the network
  4. Prevention: HIC IT must deploy security controls and mechanisms for the ongoing defense against malware and viruses.  This may include:
    1. Anti-virus software for the detection, prevention, and recovery against malware
    2. Email scanning for suspect attachments, links, or images 
    3. Enablement of automatic updates for operating systems and applications
    4. Hardening of web browser security settings and extensions
    5. Emergency updates for critical vulnerabilities must be applied immediately.  See the HIC Security Update Severity Classification Standard for more information. 
    6. Digital certificates for executables: employ operating system controls that restrict the execution of software to only those programs with valid certificates. (Hall & Lich, 2017).
    7. Sandboxing/virtualization: applications that must be executed at elevated privilege should be run in isolation 
    8. In-line malware and virus detection mechanisms as traffic enters and exits the HIC corporate network
 
3.0  Responsibilities
  1. The Chief Information Officer (CIO) is the approval authority for the HIC Asset Protection Policy. 
  2. The Chief Information Security Officer (CISO) is responsible for the development, implementation, and maintenance of the Asset Protection Policy and its supporting standards and guidelines. 
  3. Electronic patient health information (e-PHI) is protected by law and by HIC privacy and security policies.  Users of HIC information systems have the following responsibilities for the protection of HIC information assets: 
    1. Security software deployed on HIC information systems must be actively running at all times
    2. Users must not disable, modify, or bypass security protection software
    3. Users must switch off a machine suspected of infection immediately
    4. Users must report malware, phishing, and other security incidents to HIC IT immediately
 
4.0  Policy Enforcement & Exception Handling
Failure to comply with the Asset Protection Policy and associated standards, guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws. (Palmer, Robinson, Patilla, & Moser, 2000)

5.0  Review & Revision
The Asset Protection Policy will be reviewed and revised in accordance with the HIC Information Security Charter and Policies.

References
  • Hall, J., & Lich, B. (2017, April 19). System settings: Use certificate rules on Windows executables for Software Restriction Policies
  • Palmer, M., Robinson, C., Patilla, J., Moser, E. (2000). META Security Group Information Security Policy Framework.  Retrieved from http://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf
  • Qualys. (2017). Vulnerability Management.  Retrieved from https://www.qualys.com/docs/vulnerability-management-datasheet.pdf
  • Tanium, Inc. (2016). Tanium for Endpoint Security. Retrieved from https://info.tanium.com/Security_Use_Cases
  • US-CERT. (2015, September 8). Securing Your Web Browser. Retrieved from https://www.us-cert.gov/publications/securing-your-web-browser

Data Privacy Policy for HIC, Inc.
The purpose of this document is to establish data privacy policies for HIC information assets.  HIC is committed to protecting the privacy and confidentiality of our members and employees.  State and federal law, regulations, and HIC security policies work to ensure privacy, prevent fraud, and provide access to health information.  HIC information assets are divided into the following privacy domains according to the respective laws, regulations, and standards that apply to each.  All information assets are subject to the HIC Information Asset Identification and Classification Policy.


Privacy Domain 1 – Personal Health Information (PHI)
  1. Information that requires privacy protection: individually identifiable health information that relates to the individual’s past, present, or future physical or mental health or condition.  (HHS, 2013).  Health records, billing information, medical appointments, medical record numbers, and test results are all examples of PHI. 
  2. Major privacy laws, regulations, and standards
    1. Health Insurance Portability and Accountability Act (HIPAA): principal federal law regulating health information privacy
    2. Health Information Technology for Economic and Clinical Health Act (HITECH): broadens the scope of privacy and security protections already available under HIPAA
    3. California Confidentiality of Medical Information Act (CMIA): state law addressing the privacy and security of medical information and its permitted uses and disclosures
    4. California Data Breach Notice - Civil Code sections 1798.29 and 1798.82. This law requires a business or a government agency that owns or licenses unencrypted computerized data that includes personal information to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. (State of California, 2018)
    5. Patient Access to Health Records - California Health & Safety Code section 123110 and following. This law gives patients the right to see and copy information maintained by health care providers relating to the patients' health conditions. (State of California, 2018)
    6. HIC Security Policies and Standards
  3. Authority to grant and revoke access to this domain: according to the HIPAA Privacy Rule the individual owns the right to control use of their information; authority for the release of PHI lies with the member. 
 
Privacy Domain 2 – Personally Identifiable Information (PII)
  1. Information that requires privacy protection: non-PHI related information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual. (DONCIO, 2011).  Credit card and payment information also fall under PII.  This privacy domain applies to both HIC members and employees.
  2. Major privacy laws, regulations, and standards
    1. California Financial Information Privacy Act - Financial Code sections 4050 - 4060. This law prohibits financial institutions from sharing or selling personally identifiable nonpublic information without obtaining a consumer's consent, as provided (State of California, 2018)
    2. California Online Privacy Protection Act of 2003 (CalOPPA): requires commercial websites and online services to include a privacy policy on their website
    3. California Data Breach Notice - Civil Code sections 1798.29 and 1798.82
    4. Payment Card Industry Data Security Standard (PCI DSS) – standard intended to protect customer information for credit card data as it is processed and transmitted
  3. Authority to grant and revoke access to this domain: the employee or member
 
Privacy Domain 3 – HIC Internal Business Information
  1. Information that requires privacy protection: HIC internal business information which, if disclosed, may cause serious or severe damage to HIC business operations.  This includes but is not limited to information regarding billing rates, actuarial data, employee salaries, financial performance, and business strategy. 
  2. Major privacy laws, regulations, and standards: HIC Information Security Policies and Standards, HIC Standard of Business Conduct
  3. Authority to grant and revoke access to this domain: HIC Information Security Council
 
Privacy Domain 4 – Public Information
  1. Information that requires privacy protection:  release of this information may cause limited to no adverse effect on HIC business operations.  Information from other privacy domains may be made public when privacy is preserved via anonymization, sanitization, or aggregation.  See the HIC De-Identification Standard for more information. 
  2. Major privacy laws, regulations, and standards:
    1. HIC Information Security Policies and Standards, HIC Standard of Business Conduct
    2. HIPAA Privacy Rule De-identification Standard: Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information
    3. HIC De-Identification Standard
  3. Who has authority to grant and revoke access to this domain: HIC Information Security Council must approve the reclassification of other privacy domains into the public domain

References
  • Department of the Navy – Chief Information Officer (DONCIO). (2011, July 15). What is Personally Identifiable Information?. Retrieved from http://www.doncio.navy.mil/contentview.aspx?id=2428
  • State of California Department of Justice. (2018). Privacy Laws. Retrieved from https://oag.ca.gov/privacy/privacy-laws
  • U.S. Department of Health and Human Services (HHS). (2013, July 26). Summary of the HIPAA Privacy Rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html