Deputy Secretariat for Operations - POLICY 02.01.06

Effective June 1, 2001

 

POLICY TO ASSURE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF MDH INFORMATION

 

SHORT TITLE: INFORMATION ASSURANCE POLICY - IAP

I. EXECUTIVE SUMMARY

This policy provides direction for certain actions of Department employees to assure confidentiality, integrity, and availability of MDH information assets. It clarifies the roles and responsibilities of employees to protect the interest of MDH and consumers regarding the release of non-protected information and safeguarding of MDH protected and proprietary information. It recognizes and defines a life cycle for information. It acknowledges existing security and confidentiality requirements and initiates new requirements. It specifies requirements for both general and specific levels of due diligence and due care to be exercised over MDH information. Additionally, it provides for protection levels that are commensurate with an acceptable level of risk of loss or disclosure.

Based on a 'need-to-know' approach, supervisors are to assign employees an appropriate access authority and grant them corresponding system access levels. Employees are held accountable for reading and complying with the corresponding section(s) of this policy and for acting accordingly based on their assigned duties and responsibilities.

Due to the size, complexity, and evolving nature of health policy, information systems, and communications technology, this document provides broad standards for the handling and security of MDH information. To facilitate compliance with this policy, a separate document entitled 'Security Procedures for MDH Information Assurance Policies and Programs,' hereafter referred to as 'MDH Information Security Procedures', has been developed to provide: (1) the roles and responsibilities of specific personnel, (2) data classifications, and (3) directions for handling Department information. These procedures are issued and maintained by the MDH Information Resources Management Administration (IRMA) to support this policy.

II. BACKGROUND

State Government records are public records under the Maryland Public Information Act (PIA) (see http://www.oag.state.md.us/Forms/book.pdf). Upon request, these records are to be made available for inspection or copying unless a provision of the PIA or other law either prohibits disclosure or authorizes the custodian to refrain from it. However, certain health and medical information may be exempt from disclosure in order to protect the privacy of individuals. Therefore, MDH must balance its responsibility to disclose public records against its other federal and State responsibilities to protect the privacy and confidentiality of health and medical information and transactions.

Our communications with the public need to reinforce a sense of trust in MDH and State government. The Department's employees may be required to work with both electronic and paper-based systems, which includes handling information, data, records, and documentation, hereafter generally referred to as information. Regardless of how information is obtained, created, or used in job performance, it must be handled with appropriate security precautions as established by this policy, or by more restrictive applicable federal or State policies, procedures, regulations, or laws.

This policy seeks both to clarify the responsibilities of employees and to protect the interests of the Department and health consumers through the safeguarding of protected information. Any MDH employee could be privy to information that is non-public, confidential, and/or intended only for Departmental use. Employees are cautioned that even seemingly appropriate disclosures of consumers' health and medical information may constitute an unwarranted 'invasion of privacy.'

The use of MDH information systems by employees is explained in 02.01.01, Electronic Information Systems Policy. All MDH employees are to sign and initial the appropriate section(s) of the Combined Policy Acknowledgement Form. To ensure employees' understanding of and compliance with applicable provisions of this policy, the acknowledgment and signing of the form are to be done in consultation with supervisory staff, who will also initial the form.

Because certain employees have duties that require them to have more extensive access, or require authority beyond that granted at the 'user' level, these employees are to read and comply with the additional applicable provisions of this policy designated for specific personnel (see § III.A, Definitions), also in consultation with supervisory staff.

As a condition of access to MDH information resources, non-MDH employees and other individuals who access or use MDH information systems will also need to sign the Combined Policy Acknowledgement Form (see Appendix). Those individuals who do not sign the form will no longer be given access to or use of MDH protected or proprietary information or information systems, which may result in subsequent job reassignment.

This policy was developed with assistance from the Security and Confidentiality (SeCon) Workgroup of the MDH Health Information Coordinating Council, which reviewed and applied federal and State statutes and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), in addition to the 'best practices' of government agencies and private industry. Given the complexity and evolving nature of information systems and communications technology, this policy is to be reviewed and revised periodically in coordination with the MDH Health Information Coordinating Council.

III. POLICY STATEMENTS

A. DEFINITIONS

A comprehensive set of definitions for this policy is contained in the MDH Information Security Procedures.

Specific personnel - For the purpose of this policy, the term specific personnel refers to the following positions, which are also described and defined in detail in the MDH Information Security Procedures.

 

- MDH Institutional Review Board Official Custodian
- Custodian of Records
- Data Steward
- Designated Responsible Party
- Network (System) Administrator
- Database Administrator
- Data Technician
- Contract Monitor
- Contract Preparer

B. INFORMATION SECURITY DIRECTIVES

1. Information Is to Be Protected. All information, in any format, which is created or used in support of MDH business is to be considered either owned by MDH or in MDH custody. This information is a valuable asset and must be protected from its point of origin through its life cycle of creation, collection, maintenance, authorized sharing, and storage, until its lawful disposal. It is to be maintained in accordance with federal and State regulations and MDH policies in a secure and reliable manner. Such protection levels are to reasonably assure confidentiality, integrity, accuracy, and ready availability for authorized use.

 

2. Information Custodians Are To Be Appointed. Program Directors, facility CEOs, Health Officers, and other executive managers of MDH units are responsible for the information in their custody. Unless such responsibility is to be retained by them personally, or is provided for otherwise in law or regulation, the executives are authorized to appoint an official Custodian, Data Steward, or Designated Responsible Party to manage their information. These functions are also defined in the MDH Information Security Procedures.

3. Information Is To Be Classified. Based on legal requirements, sensitivity, retention criteria, and the type of access required by authorized users, all MDH information will be classified by its custodians or other authorized authority.

 

4. Protection Levels Are To Be Based on Risk Assessment. Information assurance is to be achieved by implementing a comprehensive set of policies and procedures that protect against accidental or malicious disclosure, modification, or destruction. The level of effort to protect information should reflect its confidentiality and its risk of loss or compromise. The risk and impact of loss and the relative value of the information are to be determined initially, and annually thereafter, by the Director or the appointed custodian of the information set, using an IRMA-accepted business impact analysis tool as found in the MDH Information Security Procedures. Additionally, a comprehensive risk analysis is required to be completed in the development phase of new information systems, or when existing systems are modified between annual reviews.

 

5. Information Access Is To Be Granted On A 'Need to Know' Basis. Access to information will be limited to authorized users who have a business need to know such information. This access and use will be further limited to appropriate job levels within legitimate job classifications. A higher level of access may be provided to persons who are designated to act in specialized support roles and who demonstrate a need to access, modify, or erase the information or to maintain the information system.

 

6. A Separation of Duties is Required. No single individual will have complete control of a business process or transaction from inception to completion. Custodians are directed to assure that there is functional segregation of the roles and duties performed by an employee, to limit error and the opportunity for unauthorized actions.

 

7. Employees and Contractors Are To Be Trained in Information Security Awareness and Ethics. Depending on job duties, all MDH employees, contractors, and agents will be provided with training in information security awareness and ethics. This training will be provided prior to access to MDH information systems, or prior to commencement of contractual services, and annually thereafter.

 

8. Employees Are to Be Aware of Their Obligation to Protect Information. Laws and regulations specifically require maintaining the confidentiality of certain records. MDH employees are responsible for knowing, or determining in consultation with their supervisor, the specific protective requirements for information in their care, and for understanding their obligations to protect these resources. Employees are to report any suspected or realized violations.

 

C. ROLES AND RESPONSIBILITIES

 

Every employee has a role and responsibilities to fulfill in information assurance. Employees' roles and responsibilities are described in more detail in the MDH Information Security Procedures. They are necessary to direct, implement, enforce, and assess the effectiveness of security and privacy policy, planning, and administration. The success of this policy is dependent upon supportive management, appropriate role assignment, and employees' understanding of their roles and responsibilities for implementing and enforcing the policy. Every MDH employee is assigned at least one role and its related responsibilities:

 

1. Chief Information Officer (CIO) - For the purpose of this policy, the MDH CIO is responsible for providing guidance on all Information Technology issues. The CIO is also responsible for directing the management and administration of the MDH information security program and initiating measures to assure and demonstrate compliance with security and privacy requirements.

 

2. Information Assurance Officer (IAO) - The IAO is directly responsible for the Department-wide coordination of all aspects of security and confidentiality, pursuant to applicable federal and State laws, regulations, and policies, and MDH policies, procedures, and protocols. The following are the responsibilities of the IAO:

- develops and reviews system security and privacy policies and grants exceptions to them;
- provides guidance to assure the integrity of all MDH information;
- reviews the security and confidentiality of the resources associated with the processing functions;
- reports the security status of MDH, as required;
- assures software controls are implemented;
- ensures procurement requirements of the IAP are met;
- supervises the resolution of security and privacy incidents;
- acts as Chief Privacy Officer (unless the role is otherwise assigned);
- coordinates with network security staff;
- assists in the preparation and review of IT risk assessments and contingency plans; and
- coordinates with internal and external audit staff to assure IAP requirements are included in audit reviews.

 

3. Security Officer (SO) - The MDH SO serves as the single point of contact and as the access control agent for the daily IT security program. The following are the responsibilities of the SO:

- performs system audits, as directed;
- coordinates with the MDH Security Monitors on access controls;
- resolves authentication and authorization issues or concerns;
- participates in addressing general security issues;
- provides appropriate IT security awareness and training to all employees;
- assists in the development of MDH systems contingency and disaster recovery plans;
- functions as the daily operational central point of contact for any type of IT security related incident or violation;
- disseminates information concerning security alerts and potential threats to all MDH system owners;
- notifies users of security-related policies and procedures;
- assists in preparing annual systems evaluations of major processes, including incident handling and security awareness training; and
- assists in risk management analysis to determine effectiveness in reducing security incidents.

 

4. Security Monitors (SMs) - The MDH Security Monitors serve as the central point of contact and as the authorization control agents in their designated units for the daily IT security program. The following are SM responsibilities:

- coordinates with the MDH Security Officer in the preparation of lists of authorized users;
- makes changes to those lists, and audits them, as required;
- participates in addressing unit and MDH security issues;
- participates in IT security awareness and training;
- performs as the central point of contact for unit-level IT security related incidents or violations;
- disseminates information concerning security alerts and potential threats to MDH system owners;
- ensures that users are aware of security-related policies and procedures; and
- assists in the annual systems evaluation process.

 

5. User - The User is an employee, agent, or contractor who has access to MDH information. Users are responsible for consulting with supervisory staff to:

- determine the user's role and responsibilities to protect information resources in the user's control or possession;
- understand and comply with all applicable MDH and other security and privacy requirements; and
- facilitate a better understanding of the general and specific requirements for the confidentiality of protected and/or proprietary information.

 

6. Specific Personnel - The positions previously listed under Section III.A, Definitions, Specific Personnel, within the scope of their assigned duties, are instructed to implement the following provisions as necessary to protect information from inadvertent or intentional improper use or disclosure.

 

a. Information is to be Protected. Protection of information requires a diligent coordination of organizational and administrative requirements, physical security safeguards, and technological security measures, further detailed in the MDH Information Security Procedures (http://inMDH/secpolcy/html/iaphic2.htm).

 

b. Employees Are to Actively Comply with IAP Requirements. Specific personnel are to act as required or directed in order to assure compliance with federal, State, and MDH directives. They are to report any known or suspected violations of these directives throughout the life cycle of the MDH information resources in their custody.

 

c. Proprietary Interests In MDH Information Are To Be Maintained. Specific personnel are to assure that the Department's proprietary interest in information is protected through both legal and administrative means, describing and documenting the qualities and limitations of the MDH information in their custody.

 

d. Information Must Be Collected, Maintained, Transferred, Stored, and Disposed of As Authorized. In accordance with applicable laws and regulations, employees who have access to information must be diligent to protect consumer rights and MDH interests. Specific personnel may not transmit information electronically unless permitted by approved written procedures.

 

e. Employees Are Authorized To Release Non-protected Information to the Public. Specific personnel will classify the information in their custody, authorize certain employees to release non-protected information, establish procedures to prevent unintended disclosure, and facilitate and clarify the decision-making processes related to release and sharing, in accordance with MDH copyright requirements.

 

f. Employees Will Not Allow the Unauthorized Sharing of Protected and Proprietary Information. The sharing of MDH protected or proprietary information is encouraged as a good business practice; however, such sharing must be necessary, appropriate, and legal, and in accordance with an explicit written understanding. MDH protected or proprietary information will not be physically or electronically removed or shared without the explicit authorization of the official custodian of record or designee.

 

g. Specific Personnel Will Not Allow the Unauthorized Disclosure of Protected and Proprietary Information. MDH protected or proprietary information may only be disclosed to others if necessary, appropriate, and legal, and only as authorized by the official custodian of record or designee.

h. Certain Specific Personnel Will Monitor the Sharing of Protected and Proprietary Information. When information is shared or accessed, Specific personnel will establish and follow written procedures to hold all subsequently approved users to the same Department and/or other requirements and responsibilities. This includes an extension of those requirements and continued strict adherence to all rules required by an MDH-recognized Institutional Review Board, including resubmission requirements.

 

i. Certain Employees May Authorize Disclosure of Protected and Proprietary Information. Authorized Specific personnel, as defined in this policy, are permitted to disclose protected or proprietary information resources in the course of their official duties, only if the requirements of this policy, or other more stringent requirements, are met before such disclosure.

 

j. Employees Are To Notify Vendors Of The IAP And Other Applicable Requirements. Specific personnel involved in the preparation and monitoring of MDH contracts and memoranda of understanding (MOU) will ensure that vendors, agents, or other entities who provide work-for-hire understand and comply with all applicable requirements for the protection of MDH information resources. This will be required when such resources are shared, or when MDH information systems are maintained, changed, or developed.

 

k. Specific Personnel are Responsible for IAP Compliance. Persons designated or authorized to act in the capacity of Specific personnel, as defined above, are responsible for taking any and all reasonable, appropriate, and legal steps to ensure all employees comply with the terms of this policy.

 

D. DISCIPLINARY, CIVIL AND CRIMINAL CONSEQUENCES

 

Violation of this policy may result in disciplinary action up to and including separation from State service, and in civil or criminal penalties. These remedies include, but are not limited to, those specified in the Annotated Code of Maryland, SG §10-626 through §10-628, HG §4-309, and Crimes and Punishments Article 27 §45A.

V. APPENDICES, EXHIBITS, AND ADDENDA

 

- Combined Policy Acknowledgement Form
- Software Code of Ethics

 

 

APPROVED:

 

/s/, (signed copy on file) DATE: June 1, 2001

Georges C. Benjamin, M.D., Secretary