Healthcare information security

Hospital security policies & procedures

September 27, 2016 by Infosec Institute

Providing healthcare services brings many complexities, and risk management professionals need to take them seriously. However, issues such as accreditation or licensing standards, regulations and third-party requirements can be addressed by introducing formal policies and procedures for the hospital's information security infrastructure. These policies and procedures help promote safe, good-quality patient care, workplace safety, compliance with regulations and, most of all, uniformity of healthcare practices across the hospital network.

It is important for managers to draft and update policies and procedures even while other areas, such as patient care, compete for priority. Delaying them can have harmful consequences: a staff member may follow an outdated policy that no longer applies to the hospital, or may disregard the outdated policy altogether, resulting in patient harm or a claim of malpractice.


Purpose of policies and procedures

So what purpose do policies and procedures serve? Formally written policies and procedures help achieve the following purposes for hospital security:

Policies and procedures for IT security

In terms of hospital IT security, hospitals need to implement strict policies and procedures to keep their networks secure, maintain secure transmission of data, and protect the confidential records of their patients. All 42 HIPAA safeguards need to be addressed in this regard. Developing such policies and procedures, and conducting real-time monitoring and auditing of security practices, helps secure the hospital’s IT environment.

It is important to allocate resources effectively and manage the IT environment proactively in order to curb ever-evolving threats and keep up with changing regulations. This can be achieved through strict access control, employee orientation and regular training, and the identification of staff, visitors and patients according to industry regulations.

Let us look at three important aspects of hospital security in general and IT security in particular that are addressed by such policies and procedures.

Access control

Access control is the means by which people such as patients, visitors and staff are granted or denied access to areas of the healthcare facility and to its IT assets. These areas include, but are not limited to, maternity wards, the pediatric department, the emergency department, the intensive care unit (ICU) and the pharmacy.

Video surveillance

Video surveillance in the past mostly consisted of time-lapse recorders or video cassettes, which made it difficult and time-consuming for staff to identify particular incidents or events. With improved technology, cameras now have embedded processors, and video can be compressed and transmitted over IP networks in real time. The ability to view and record any activity at any time from any location has fundamentally helped healthcare facilities optimize their security with video surveillance.

Staff, patient and asset tracking

Regardless of which facility your patients are admitted to, it is critically important to provide them with safety and protection. With the help of technology, security professionals and the staff concerned can now identify, track and locate patients, providing a safeguard against patient abduction or elopement.

Protected health information (PHI) and personally identifiable information (PII)

What is protected health information (PHI)?

Protected health information, also known as personal health information, is information such as medical history, patient demographics, laboratory and test results, insurance information, and any other important information about the patient that helps a healthcare professional identify the patient and provide appropriate treatment.

According to the Health Insurance Portability and Accountability Act (HIPAA), healthcare institutions and insurance companies are not allowed to share or sell PHI data except for treatment, research, public health activities, services rendered, or the acquisition or merger of a HIPAA-covered entity.

PHI data that is no longer required needs to be disposed of properly so that it is completely unreadable. Data on paper needs to be shredded or otherwise rendered impossible to reconstruct. PHI data on electronic systems should be completely erased with the help of software tools.

It is important to point out that PHI is different from the personal health record (PHR), which is maintained and updated by the patient using software tools such as Apple Health, Samsung S Health or Microsoft HealthVault.

What is personally identifiable information (PII)?

Personally identifiable information is any information that can help in identifying, contacting, or locating an individual. It includes all information that relates to a particular individual, such as their medical, financial or employment records.

Data elements that help identify an individual are name, biometric data, email address, telephone number, etc. It is the responsibility of the hospital and its workforce to protect the PII of patients. No matter what role a member of the workforce has, they should be aware of their responsibility to safeguard PII data at all costs.

HIPAA restricts organizations from inappropriately sharing PII and has strict requirements for protecting such information. This is because PII can be exploited by criminals to steal an individual’s identity and commit crimes in their name. Identity theft causes financial and emotional damage to the victims and can also have dire consequences for the liable organizations, including a damaged reputation. Many governments are now passing legislation to limit the distribution of personally identifiable information.


Implementing security best practices for PII

All stored data is vulnerable and has the potential to be compromised. The best way to reduce this exposure is to collect only the data that is required and remove any unnecessary PII from the record. Wherever possible, de-identify the data by making patient feedback anonymous or tokenizing the information. This helps take the data out of the scope of HIPAA.
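As an added example (not code from the original article), the following Python sketch applies the minimization and tokenization advice above to a constructed patient-feedback record: it copies only the fields the downstream use needs, scrubs e-mail addresses and phone numbers that a patient typed into free text, and replaces the medical record number with a keyed HMAC token. The field names, regular expressions and sample record are assumptions made for the example.

```python
import hashlib
import hmac
import re
import secrets

# Fields the downstream use (a hypothetical patient-feedback review) actually needs.
REQUIRED_FIELDS = {"visit_date", "department", "feedback"}
# Constructed patterns for identifiers patients often type into free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")

def tokenize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable under one key, unlinkable without it."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]

def scrub_free_text(text: str) -> str:
    """Replace e-mail addresses and phone numbers embedded in free text."""
    text = EMAIL_RE.sub("[email removed]", text)
    return PHONE_RE.sub("[phone removed]", text)

def minimize_and_tokenize(record: dict, key: bytes) -> dict:
    """Keep only required fields, scrub free text, replace the MRN with a token."""
    # Allow-list copy: name, email, phone and anything else are never copied.
    out = {k: v for k, v in record.items() if k in REQUIRED_FIELDS}
    if "feedback" in out:
        out["feedback"] = scrub_free_text(out["feedback"])
    # One keyed token lets reviewers group feedback from the same patient
    # without holding the medical record number itself.
    if "mrn" in record:
        out["patient_token"] = tokenize(str(record["mrn"]), key)
    return out

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-000123",
    "name": "Jane Example",
    "email": "jane@example.org",
    "phone": "555-010-0100",
    "visit_date": "2016-09-01",
    "department": "Pediatrics",
    "feedback": "Great care. Call me at 555-010-0100 or jane@example.org.",
}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-deployment secret, stored apart from the data
    print(minimize_and_tokenize(SAMPLE_RECORD, key))
```

A keyed token is a pseudonym, not anonymity: whoever holds the key can re-link the token to the patient, so the key must be protected with the same care as the PHI it replaces.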

Implementing access control also ensures that sensitive information such as PII is accessible only to authorized individuals who need it to carry out their routine job duties. Staff without that need should not be able to access it.

All sensitive information should be encrypted when it is transferred over networks. Encrypted cloud storage and HIPAA-compliant email prevent attackers from reading PII even if they intercept it.

Difference between PHI and PII

Protected health information (PHI) and personally identifiable information (PII) mainly differ in terms of their data sets. The difference is best explained with a side-by-side comparison table. The outline below helps us understand and classify the two types of information.
