Asset Identification and Classification Policy
Introduction
This section uses a generic health insurance company as an example to define an asset identification and classification policy for a health insurance company (HIC). This policy includes an information classification standard that identifies the information to be protected and the security labels that will be applied to the information.
Policy: Asset Identification and Classification Policy
1. Overview of Asset Identification and Classification Policy
HIC defines information classifications based on the sensitivity, criticality, confidentiality, privacy and HIPAA requirements. All information assets, whether generated internally or externally, must be categorized into one of these information classifications:
Role-Based Access Control will the provide access within these classifications based on “need to know” for the job functions identified below.
2. Characteristics and Standards for each Security Classification
I. PHI classification level
This classification level includes: Individually identifiable health information including: name, address, birth date, Social Security Number, any demographic data, physical or mental health or condition, the provision of health care to the individual, payment for the provision of health care to the individual, and that identifies the individual.
Job Functions:
Introduction
This section uses a generic health insurance company as an example to define an asset identification and classification policy for a health insurance company (HIC). This policy includes an information classification standard that identifies the information to be protected and the security labels that will be applied to the information.
Policy: Asset Identification and Classification Policy
1. Overview of Asset Identification and Classification Policy
HIC defines information classifications based on the sensitivity, criticality, confidentiality, privacy and HIPAA requirements. All information assets, whether generated internally or externally, must be categorized into one of these information classifications:
- Protected Health Information (PHI)
- Corporate Data
- Other Data
Role-Based Access Control will the provide access within these classifications based on “need to know” for the job functions identified below.
- Only HIC employees, contractors and business associates that require access to PHI to perform their job function will have access to the PHI classification level.
- Only employees that need access to corporate financial data, human resources, sales and customer service data will have access to the Corporate Data classification level.
- All employees, contractors and business associates will have access to the Other Data classification level.
2. Characteristics and Standards for each Security Classification
I. PHI classification level
This classification level includes: Individually identifiable health information including: name, address, birth date, Social Security Number, any demographic data, physical or mental health or condition, the provision of health care to the individual, payment for the provision of health care to the individual, and that identifies the individual.
Job Functions:
Responsibilities and Restrictions for users
Individual holding these job functions are responsible for using reasonable methods to ensure to that Patient Information PHI is not disclosed. Individuals with these job functions may not disclose protected health information, except either: (1) as the HIPAA Privacy Rule [3] permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Access to HIC Systems is provided by Role-Based Access Control. Roles are defined based on job functions. [2] Permissions are defined based on job authority and responsibilities within a job function. Users that have job functions that are associated with the PHI classification and roles will not have access to Corporate Data unless a role is assigned to the individual.
II. Corporate Classification level
This classification level includes: Corporate financial data, employee HR and payroll information.
Individual holding these job functions are responsible for using reasonable methods to ensure to that Patient Information PHI is not disclosed. Individuals with these job functions may not disclose protected health information, except either: (1) as the HIPAA Privacy Rule [3] permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.
Access to HIC Systems is provided by Role-Based Access Control. Roles are defined based on job functions. [2] Permissions are defined based on job authority and responsibilities within a job function. Users that have job functions that are associated with the PHI classification and roles will not have access to Corporate Data unless a role is assigned to the individual.
II. Corporate Classification level
This classification level includes: Corporate financial data, employee HR and payroll information.
Responsibilities and Restrictions for users
Individual holding the job functions above are responsible for using reasonable methods to ensure to that Corporate Information, HR, Employee and Payroll information is not disclosed. Individuals with these job functions may not share or disclose this information in any manner, verbally, electronically or otherwise, without explicit authorization from the director of the department.
Access to HIC Systems is provided by Role-Based Access Control. Roles are defined based on job functions. Permissions are defined based on job authority and responsibilities within a job function. Users that have job functions that are associated with the Corporate Data classification and roles will not have access to PHI data unless PHI specific role is assigned to the individual.
III. Other Data Classification level
This information classification includes internal information that can be freely exchange without restriction within the organization.
Individual holding the job functions above are responsible for using reasonable methods to ensure to that Corporate Information, HR, Employee and Payroll information is not disclosed. Individuals with these job functions may not share or disclose this information in any manner, verbally, electronically or otherwise, without explicit authorization from the director of the department.
Access to HIC Systems is provided by Role-Based Access Control. Roles are defined based on job functions. Permissions are defined based on job authority and responsibilities within a job function. Users that have job functions that are associated with the Corporate Data classification and roles will not have access to PHI data unless PHI specific role is assigned to the individual.
III. Other Data Classification level
This information classification includes internal information that can be freely exchange without restriction within the organization.
Responsibilities and Restrictions for users
The Other Data classification is for information that can be exchange internally without any restriction.
Roles defined under this classification will not have privileges to either PHI Data or Corporate Data. Access is provided by roles associated with the job function and user. Users will not have access to other classifications unless roles defined within those other classifications have been assigned to them.
3. Penalties for violations of Policy
Violations for which individual employees are responsible can lead to disciplinary action including termination of employment.
Conclusion
In order for this policy to be effective, in addition to mandatory HIPAA training for the whole organization, additional data protection awareness and training should be required.
Systems enforcing access based on the classification levels and job function (role) could emulate the access controlled by Mandatory Access Control MAC, except for the no-reads-up and writes-down would have to be implemented in Role-Based Access Control using additional technology or with the use a DBMS that supports MAC. [4]
References
[1] Palmer, M.E., Robinson, C., Patilla, J. & Moser, E.P. (2000). META security group information security policy framework: Best practices for security policy in the internet and e-commerce age. Retrieved from http://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf
[2] Bosworth, S., Kabay, M. & Whyne, E. (2014). Computer security handbook. Hoboken, New Jersey: Wiley.
[3] hhs.gov. (2003). Summary of the HIPAA privacy rule. retrieved from https://www.hhs.gov/sites/default/files/privacysummary.pdf
[4] Oracle. (2014). Trusted extensions user's guide: Mandatory access control. Retrieved from https://docs.oracle.com/cd/E36784_01/html/E36841/ugintro-32.html
Glossary of Terms
Covered Entity (CE): Individual and group health plans that provide or pay the cost of medical care. A health care provider, regardless of size, who electronically transmits health information in connection with certain transactions. [3]
Business Associate (BA): Is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. [3]
ePHI: Electronic protected health information.
HIPAA: Health insurance portability and accountability act.
PHI: Protected Health Information, all "individually identifiable health information"
held or transmitted by a covered entity or its business associate.
The Other Data classification is for information that can be exchange internally without any restriction.
Roles defined under this classification will not have privileges to either PHI Data or Corporate Data. Access is provided by roles associated with the job function and user. Users will not have access to other classifications unless roles defined within those other classifications have been assigned to them.
3. Penalties for violations of Policy
Violations for which individual employees are responsible can lead to disciplinary action including termination of employment.
Conclusion
In order for this policy to be effective, in addition to mandatory HIPAA training for the whole organization, additional data protection awareness and training should be required.
Systems enforcing access based on the classification levels and job function (role) could emulate the access controlled by Mandatory Access Control MAC, except for the no-reads-up and writes-down would have to be implemented in Role-Based Access Control using additional technology or with the use a DBMS that supports MAC. [4]
References
[1] Palmer, M.E., Robinson, C., Patilla, J. & Moser, E.P. (2000). META security group information security policy framework: Best practices for security policy in the internet and e-commerce age. Retrieved from http://horseproject.wiki/images/1/18/Information-Security-Policy-Framework-Research-Report.pdf
[2] Bosworth, S., Kabay, M. & Whyne, E. (2014). Computer security handbook. Hoboken, New Jersey: Wiley.
[3] hhs.gov. (2003). Summary of the HIPAA privacy rule. retrieved from https://www.hhs.gov/sites/default/files/privacysummary.pdf
[4] Oracle. (2014). Trusted extensions user's guide: Mandatory access control. Retrieved from https://docs.oracle.com/cd/E36784_01/html/E36841/ugintro-32.html
Glossary of Terms
Covered Entity (CE): Individual and group health plans that provide or pay the cost of medical care. A health care provider, regardless of size, who electronically transmits health information in connection with certain transactions. [3]
Business Associate (BA): Is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. [3]
ePHI: Electronic protected health information.
HIPAA: Health insurance portability and accountability act.
PHI: Protected Health Information, all "individually identifiable health information"
held or transmitted by a covered entity or its business associate.