DEPARTMENT: Information Protection / POLICY DESCRIPTION: Information Security – Security Committees
PAGE: 1 of 4 / REPLACES POLICY DATED: 2/25/98 (IS.AA.002), 4/21/05, 1/15/10, 5/1/11, 12/1/13, 3/1/14
EFFECTIVE DATE: December 1, 2014 / REFERENCE NUMBER: IP.SEC.007 (formerly IS.SEC.007)
APPROVED BY: Ethics and Compliance Policy Committee
SCOPE: All Company-affiliated facilities including, but not limited to, hospitals, ambulatory surgery centers, imaging and oncology centers, physician practices, shared services centers and corporate departments, Groups, Divisions and Markets.
PURPOSE: To establish requirements for Information Security Committees at the facility and Division level needed to respond to information security issues and serve as a decision-making authority for information security and other compliance-related concerns in the Divisions and facilities.
POLICY:
  1. The Director of Information Security Assurance (DISA)/Director of Information Governance & Security (DIGS) or designee must establish a Facility Security Committee (FSC), or work within an equivalent committee (e.g., Facility Ethics and Compliance Committee) at each Company-affiliated Facility. The DISA/DIGS must work with Facility leadership to appoint a chair for the FSC. This committee is an authority that addresses escalated Facility information security concerns and decisions, and thus must have an adequate and recurring timeslot on a Facility-level committee agenda to discuss information protection.
  2. The DISA/DIGS or designee must establish and maintain a Division Security Committee (DSC), or equivalent committee (e.g., Multi-Facility Committee), to serve as an authority that addresses escalated Division information security concerns and decisions. The DISA/DIGS must be the chair of this committee.

PROCEDURES:
Requirements for Facility Security Committees (FSCs):
  1. The FSC, or equivalent committee, must be established and maintained in all Facilities in order to serve as a decision-making authority for Facility information security topics. This committee must provide insight and direction for all Information Security operations at each Facility. If an alternate committee is used in place of an FSC (e.g., the DSC for ambulatory surgery centers, physician practices, and other freestanding outpatient centers), the alternate committee must meet the requirements for the FSC as outlined in this policy.
  2. The FSC must meet at least quarterly and must establish procedures for recording and publishing minutes and related documentation.
  3. In order to adequately address concerns and effectively make risk-based decisions that impact the Facility, the FSC must have a regular membership with voting rights. The FSC membership must include the following representatives except when the individual is not applicable to the Facility setting (e.g., ambulatory surgery centers, physician practices, or other freestanding outpatient centers):
      1. Facility Information Security Officials (FISOs)
      2. Facility IT Director
      3. Ethics and Compliance Officer
      4. Facility Privacy Official
      5. Health Information Management Director or Manager
      6. Risk Management
      7. Clinical Analyst
      8. MEDITECH Clinical Support
      9. Physician Support Coordinator
      10. Chief Nursing Officer
      11. Human Resources
     Facility administration representation (e.g., CFO) must review requests that have a financial impact to the Facility and may veto or request revisions to decisions made by the FSC.
  4. The FSC members may invite other roles to attend FSC meetings as participants to contribute subject matter expertise as needed. Participants do not have voting rights.
  5. In addition to serving as a decision-making authority for Facility security concerns, FSCs must also:
      1. Provide oversight to ensure the Facility is complying with Company Information Security Policies and Standards;
      2. Facilitate business decisions and development of mitigation plans associated with accepting risks as outlined in the Information Security Risk Acceptance and Accountability Policy, IP.SEC.009, and escalate to the DSC as appropriate;
      3. Establish procedures, guidelines, tools, and reports for monitoring security functions;
      4. Collaborate with others on an incident response team to determine appropriate sanctions;
      5. Provide guidelines and communication for implementing company, division, zone, market, and facility Information Security policies, standards, toolkits, procedures, and initiatives;
      6. Develop, review, and communicate local Facility Information Security policies, procedures, standards, toolkits, and initiatives; and
      7. When security issues affect a zone, market, or division, communicate to the next higher level, such as the Multi-Facility Security Committee and/or Division Security Committee, as designated by Division leadership.
Requirements for Division Security Committees (DSCs):
  1. The DSC must be established and maintained in each Division to serve as a risk-based decision-making authority for Division information security topics.
  2. The DSC must meet at least quarterly and must establish procedures for recording and publishing minutes and related documentation.
  3. In order to address concerns, serve as an escalation point for issues identified in FSCs, and effectively make risk-based decisions that affect the Division as a whole, the DSC must have a regular membership with voting rights. The DISA/DIGS and CIO must determine the appropriate members for the DSC. The members should include representation from Facility administration and IT&S.
  4. Each Division may make determinations about other roles who may attend DSC meetings as participants to contribute subject matter expertise as needed. Participants do not have voting rights.
  5. In addition to serving as a decision-making authority for Division information security concerns, DSCs must also:
      1. Provide oversight to ensure Division Facilities are complying with Information Security Policies and Standards;
      2. Facilitate business decisions and development of mitigation plans associated with accepting risks as outlined in the Information Security Risk Acceptance and Accountability Policy, IP.SEC.009;
      3. Ensure operational and technical security initiatives are aligned with Division business and operational goals;
      4. To the extent practical, standardize Facility and Division information security procedures across the Division;
      5. Collaborate with others on an incident response team to determine appropriate sanctions; and
      6. Provide guidelines and communication for implementing company, division, zone, market, and facility Information Security policies, standards, toolkits, procedures, and initiatives.

REFERENCES:
  1. Records Management Policy, EC.014
  2. Information Security - Program Requirements Policy, IP.SEC.001
  3. Information Security Roles and Responsibilities Policy, IP.SEC.006
  4. Information Security Risk Acceptance and Accountability Policy, IP.SEC.009
  5. Code of Conduct

10/2014