Information Security Policy-Network Security Policy Week 5
Organization Overview
Mayo Clinic is an American nonprofit medical practice and medical research group with
locations in a few different states, focused on clinical practice, education, and research. It
also provides care to everyone who needs it. It is based in Rochester, Minnesota, and has major
campuses in Scottsdale and Phoenix, Arizona, and in Jacksonville, Florida. It employs thousands
of allied physicians, scientists, and healthcare professionals who specialize in treating the most
difficult types of conditions with
There are many security requirements and objectives that must be met for this organization.
There must be full network coverage without loss of connectivity, and this network will be used
only for corporate devices. Therefore, only mobile phones and laptops designated for company
employees may have access to the corporate network. A guest network may be established so that
patients can connect to the Internet if necessary; however, it must be separate from the main
corporate network to avoid any loss or theft of confidential patient information. Patient
information must also be encrypted, so that if someone gains unauthorized access from outside
the company, they cannot
Barriers must be put in place to help prevent unauthorized access throughout the hospital. One
barrier that must be implemented is the requirement for employee identification cards to open
the various hospital doors. These ID cards must be worn and visible at all times. Employees may
not pass their badges to each other to reach areas to which they are not assigned. If a badge is
left at home or lost, a temporary badge will be issued until the original card is brought in or a
new badge is issued. Other possible barriers are doors that require a key, for example in areas
such as computer rooms, pharmacies, areas where patient files are handled, or staff-only hospital
elevators. Security cameras must be installed, and there should be a policy that allows no
weapons in
There must be adequate training for employees, with training records maintained for all
employees, and periodic refresher sessions to ensure that every employee understands all the
rules that must be followed. Security updates and policy changes must be communicated. The
hospital's security policy will also comply with HIPAA standards.
Different types of locks, such as physical keys and key codes, will be used in areas like server
rooms and any other rooms that need to be secured. Access-controlled doors will be used where
employees, patients, and visitors enter the different facilities. To pass through these doors,
employees must use the magnetic strip on the back of their identification card, which allows them
to navigate and access the building, while patients and visitors must be escorted by an employee.
Only approved visitors (those the patient or immediate family has designated) should be
permitted.
CCTV (closed-circuit television surveillance) should be put in place to help monitor everything
around the hospital and to catch anything that security personnel may have missed. There should
also be 24/7 security personnel, since hospitals operate 24/7.
Ambulances will enter through a single dedicated entrance staffed by emergency medical teams and
active personnel from the emergency department. Loading dock areas where medical supplies are
delivered and received will be kept separate, and delivery personnel will be isolated from the
hospital personnel who receive and dispatch medical supplies and devices.
Workplace Protection
No weapons are allowed in the building at any time, whether carried by visitors, patients, or
other individuals. The only exceptions are security personnel who require weapons and law
enforcement officers who are called to the building; they will be allowed to bring their weapons.
The best way to enforce this policy is to have visitors and patients enter through metal detectors
that alarm at any sign of a weapon, because most, if not all, weapons contain some form of metal.
In addition, signs must be posted at each hospital entrance stating the "no weapons" policy for
the building, especially for the hospital itself.
Disable any unused network jacks for all employees except higher-level employees such as
management. Such connections must be physically disconnected or disabled on the network, so that
no external input is possible through cables that generally carry little or no traffic or that
are not monitored or screened from time to time.
Network or server equipment
All equipment must be secured in fire-resistant rooms in case of fire. Access to network and
server equipment should be limited to specific IT personnel who have been entrusted to work with
and handle this type of equipment. There must be firewall hardware/software to help combat any
potential threats that could destroy or steal data.
Equipment maintenance
To maintain equipment, there should be checks and updates roughly every one to two weeks. This
ensures that everything continues to run smoothly and that all systems are up to date. Any
monitoring system that no longer works properly must be replaced. Systems must also be backed up
at least every 3 days so that a system malfunction causes minimal or no data loss. Routine
maintenance of hospital equipment should also be performed to ensure that it can be used properly
on a patient in an emergency.
Only specific employees may remove any laptop or mobile device from the facility, and any laptop
or mobile device must be returned to that employee when not in use. There must be a registration
and log sheet for laptops or other equipment that is approved and signed by the administration.
Workers who want to borrow these computers and laptops must receive training and sign a document
stating that they will abide by all the rules related to off-site work. There must be training on
the proper use of the computer. There must be training on the use of strong passwords and strong
password requirements (at least one letter, one symbol, and at least one number). These passwords
must be changed at least every 90 to 120 days.
User Enrollment
When a new employee joins the company, the user's registration will be completed automatically
using the information the new employee provided before their appointment. This information will
be taken from the employee's application and any confirmed information from the background check
performed on them. This automated registry will be created in cooperation between information
technology and human resources. The IT side will help create user names and grant access to
network drives, and the Human Resources side will help verify employees' personal information.
User IDs will be created for new employees automatically based on one of the following: a
combination of the first three letters of the last name followed by the first three letters of
the first name (if another employee already has the same ID, the new employee's user name will
have a number appended); or a user ID consisting of a series of numbers. After the account is
created automatically, the new employee will receive a temporary password that must be changed to
a personalized password within two hours. Otherwise, the employee must request another temporary
password. The minimum password requirements will be the following: at least one capital letter,
a number, and a symbol, and a length of at least 8 characters.
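The enrollment rules above (user ID derivation with a number appended on collision, the minimum password requirements, and the two-hour window for replacing a temporary password) as an added Python example; this is illustration code, not part of the policy document, and the names, IDs and timestamps are constructed.

```python
import re
import string
from datetime import datetime, timedelta

# Added example, not part of the policy document: derives a user ID using the
# enrollment rule (first three letters of the last name, then the first three of
# the first name, with a number appended when the ID already exists), checks a
# password against the stated minimums, and applies the two-hour window for
# changing a temporary password. Names, IDs and times below are constructed.

def _letters(s: str) -> str:
    """Keep only a-z so names like O'Brien or de la Cruz give clean IDs."""
    return re.sub(r"[^a-z]", "", s.lower())

def derive_user_id(first_name: str, last_name: str, existing_ids: set) -> str:
    """Return a unique user ID; if the base ID is taken, append 2, 3, ..."""
    base = _letters(last_name)[:3] + _letters(first_name)[:3]
    if base not in existing_ids:
        return base
    n = 2
    while f"{base}{n}" in existing_ids:
        n += 1
    return f"{base}{n}"

def password_meets_policy(password: str) -> bool:
    """Minimums from the enrollment section: 8+ chars, capital, digit, symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )

TEMP_PASSWORD_WINDOW = timedelta(hours=2)

def temp_password_still_valid(issued_at: datetime, now: datetime) -> bool:
    """A temporary password must be replaced within two hours of issue."""
    return now - issued_at <= TEMP_PASSWORD_WINDOW

if __name__ == "__main__":
    taken = {"smijan"}                                   # constructed existing ID
    print(derive_user_id("Jane", "Smith", taken))        # smijan2
    print(password_meets_policy("Clinic-2024"))          # True
```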
Identification
Each employee must receive an identity card when hired, which must be worn at all times in a
location that allows a clear view of the card. Each employee ID badge will also function as a
smart card that allows access to restricted areas by swiping and can also hold money loaded onto
it for purchases at the café. Each identity card must be issued and tracked by the security
department. A photo will be taken of each employee at their appointment and recorded on their
profile, in addition to being printed on their identification badge.
Employees may not share their badges with each other, even if another employee forgets their
badge, especially if that employee does not have access to certain rooms, areas, or suites that
are not authorized on their own badge. If an ID card is forgotten or left at home for any reason,
is lost, or if a temporary ID card is lost, the Security Department will issue a temporary badge
to the employee, and the original employee ID card will be deactivated until the temporary badge
is returned, or deactivated permanently if the employee must receive a completely new identity
card. Temporary badges are valid for one day only and must be renewed the next day if the
employee requires one for an extended period of time.
Authentication
Every time an employee swipes their badge to enter a room or area, the name, photo, and
information of the employee associated with that badge will be logged in the system.
Identification cards must not be passed between employees to reach areas for which they were not
previously authorized. If additional access is required or justified, the Security Department
must receive a completed online form with the signed permission and acknowledgment of the
applicant's direct manager, along with the manager responsible for the area to which the employee
requests access. Once all of this is provided, security can add the access to the staff badge; if
necessary, a time frame can be attached to limit that access. Some rooms and computer systems,
such as patient files, require multiple forms of authentication. Some wards may require swiping a
badge and entering a key code, while patient files can be accessed by swiping the badge and
entering the user ID and password. Only the doctors, nurses, and assistants assigned to a specific
patient will have access to that patient's files. There will be an audit trail that records every
time a patient file is accessed and/or modified.
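The access rules in this section (time-limited badge grants, badge-plus-key-code areas, patient files restricted to the assigned care team, and an audit trail of every attempt) as an added Python model; this is illustration code rather than any system the policy describes, the user ID/password step for patient files is assumed to have already succeeded, and all employee IDs, areas, key codes and patient IDs are constructed.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Added example, not from the policy document: models the badge and patient-file
# rules described above. A grant may carry an expiry (the "time frame" security
# can attach), some areas need badge plus key code, patient files are limited to
# the assigned care team, and every attempt, allowed or denied, goes to the audit
# trail. Employee IDs, areas, key codes and patient IDs are constructed values.

@dataclass
class Grant:
    area: str
    expires: Optional[datetime] = None   # None means standing access

@dataclass
class Badge:
    employee_id: str
    name: str
    grants: List[Grant] = field(default_factory=list)

KEYCODE_AREAS = {"pharmacy": "4821"}            # areas needing badge + key code
CARE_TEAM = {"P-1001": {"E-07", "E-12"}}        # patient -> assigned clinicians
audit_trail: List[dict] = []                    # every attempt, allowed or not

def _log(now, badge, target, action, allowed):
    audit_trail.append({"time": now.isoformat(), "employee": badge.employee_id,
                        "name": badge.name, "target": target,
                        "action": action, "allowed": allowed})

def badge_access(badge: Badge, area: str, now: datetime,
                 keycode: Optional[str] = None) -> bool:
    """Badge swipe: needs an unexpired grant; key-code areas also need the code."""
    ok = any(g.area == area and (g.expires is None or now <= g.expires)
             for g in badge.grants)
    if ok and area in KEYCODE_AREAS:
        # constant-time compare so a wrong code does not leak timing information
        ok = keycode is not None and hmac.compare_digest(keycode, KEYCODE_AREAS[area])
    _log(now, badge, area, "enter", ok)
    return ok

def patient_file_access(badge: Badge, patient_id: str, now: datetime,
                        action: str = "read") -> bool:
    """Patient files: only the assigned care team; every read/modify is logged."""
    ok = badge.employee_id in CARE_TEAM.get(patient_id, set())
    _log(now, badge, patient_id, action, ok)
    return ok
```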
The chief physician will have private, privileged access to all files. Otherwise, only the
medical personnel assigned to a patient will have access to that patient's files. IT support
staff will have privileged access to all employee accounts for remote access purposes, to be used
only when assistance is requested. The head of the information department will also have the
same account access that the chief medical officer allows.
Remote access
Only IT staff will have standing permission to access systems remotely. Remote access may only be
used when an employee requests assistance, either through an online request, after which IT staff
will contact the employee, or through a request made by phone to the help desk hotline. No IT
staff may access any employee's computer without prior request or approval to do so. Every remote
access session will be logged.
Network Security Control Devices
There must be many types of security controls at the Mayo Clinic. Content filtering devices will
be used as a tool to help maintain user compliance by allowing access only to business-appropriate
sites. This also means that access to social networks of any kind must always be blocked on
company time and on the company network. Additionally, there must be firewalls to prevent as many
attacks on the network as possible, as well as a reliable antivirus scanner that checks for
potential network threats or vulnerabilities often throughout the day, with a full scan at the end
of each day.
There should be continuous analysis and evaluation of all security data to help identify possible
cyber-attacks or data breaches that may arise during the day. All network monitoring software for
the company's network should be periodically reviewed and updated to the latest versions to stay
on top of any threats or risks on the network. This allows a better view of attacks and visibility
into data across the network.
All applications on the company's systems and network must be updated with the necessary patches
and verified to ensure that they have the latest patches. Firewalls and other devices that help
protect against vulnerabilities must also be updated often to help protect the network. There
must also be at least one type of scanner to help mitigate potential threats or vulnerabilities to
the business, its network, systems, and software/hardware.
Providing a referenceable information security policy with well-defined, complete, and clear
rules is the way to go, along with an information security policy that can be enforced by
regulating access to the company's systems and to any sensitive information or data in general.
When an information security policy is developed and finalized, it must be given to each employee
and to the security department so that it is acknowledged, read, and signed, verifying that they
have read, understood, and agreed to what the policy says and that they will comply with its
rules.