What is the Information Security Officer role in a Healthcare Facility that DHA mandates as part of NABIDH?

Introduction

This article describes the role of the Information Security Officer (ISO) in a healthcare facility that integrates with NABIDH, as mandated by the Dubai Health Authority (DHA).

The role of an Information Security Officer (ISO) in a healthcare facility in Dubai is crucial in establishing and maintaining a robust security framework. This article explores the responsibilities, skills, and qualifications of an ISO for NABIDH-related activities in the healthcare facility, emphasizing the importance of the role in protecting sensitive information.

Information Security Officer (ISO) role by each NABIDH policy

This article gives an overview of the role of the Information Security Officer with respect to each of the policies published by NABIDH.

Information Security Officer role in Subject of Care Policy

  1. Documentation: When dealing with patients (referred to as the subject of care in NABIDH terminology), a number of documents concerning the rights of the patient have to be prepared and published. The Information Security Officer is responsible for ensuring this is done in the healthcare facility and must review these documents periodically to keep them up to date.
  2. Training: The Information Security Officer is responsible for ensuring that healthcare facility staff receive periodic training on this topic, so that they know exactly how to guide patients (subjects of care) when dealing with them.

Information Security Officer role in Consent and Access Control Policy

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to consent and access control are in place.
  2. Auditing: The policies and procedures have to be audited to verify they are implemented as defined. The ISO must do this at least once a year.

Information Security Officer role in Incident and Breach Notification Policy

  1. Documentation: The Information Security Officer is responsible for ensuring that the policy and procedure documents relevant to the Incident and Breach Notification policy are in place.
  2. Training: It is important to educate healthcare facility staff as well as subjects of care (patients) on what to do when they notice a breach.
  3. Incident Management: When a breach is identified, whether by DHA, by healthcare facility staff, or by the subject of care (patient), the Information Security Officer has to follow the process established by DHA.
  4. Working with the NABIDH Information Security Officer: When a breach is identified, the NABIDH Information Security Officer and the healthcare facility Information Security Officer have to
    1. Ensure they handle the breach as defined in the NABIDH guidelines
    2. Send proper communication to the relevant parties
    3. Document the details of the event within the defined timelines
    4. Collaborate to develop, approve and implement mitigation plans to prevent such a breach from recurring
    5. Update the policy and procedure documents if necessary to avoid such breaches in the future.

Information Security Officer role in Audit Policy

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to the audit policy are in place.
  2. Licensing: The ISO has to ensure that only licensed software and applications are used at the healthcare facility, and has to verify that copyright and intellectual property rights are respected as required by law.
  3. Logs: The ISO has to ensure the audit logs contain sufficient information, as defined in the NABIDH guidelines.
  4. Auditing: These policies and procedures have to be adhered to by all applications (e.g. the EMR, router software, the website, email, and any other software used in the healthcare facility). Compliance has to be audited to verify the policies are implemented as defined. The ISO must do this at least once a year.

Information Security Officer role in Data Management Policy

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to data management and data usage are in place.
  2. Auditing: These standards have to be adhered to, primarily by the EMR used by the healthcare facility. Compliance has to be audited to verify the standards are implemented as defined. The ISO must do this at least once a year.

Information Security Officer role in Identity Management Policy

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to identity management are in place. Since identity management requires manual verification of identity documents, sufficient care has to be taken to document the verification steps clearly.
  2. Training: Healthcare facility staff have to be given sufficient training so that they know exactly which documents to check for patients, staff (administrative as well as healthcare specialists), consultants, vendors, etc.
  3. Auditing: On a periodic basis, the ISO has to audit whether the documented processes are followed as per the policies and procedures defined for identity management.

Information Security Officer role in Authentication Policy

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to the authentication policy are in place.
  2. Training: Since this policy requires the healthcare facility to comply with all applicable local laws, as well as with its own systems and processes, the ISO should ensure that sufficient training is given to all staff involved.
  3. Auditing: On a periodic basis, the ISO has to audit whether the documented processes are followed as per the policies and procedures defined in the authentication policy.

Information Security Officer role in Information Security Standards

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to the information security standards are in place.
  2. Training: The information security standards cover numerous topics and involve management, administration and other staff. Hence the ISO has to coordinate sufficient training for each of these groups of users.
  3. Auditing: On a periodic basis, the ISO has to audit whether the documented processes are followed as per the policies and procedures defined in the information security standards.

Information Security Officer role in Clinical Data and Coding

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to the clinical data and coding standards are in place.
  2. Auditing: These standards have to be adhered to, primarily by the EMR used by the healthcare facility. Compliance has to be audited to verify the standards are implemented as defined. The ISO must do this at least once a year.

Information Security Officer role in Interoperability and Data Exchange

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to the interoperability and data exchange standards are in place.
  2. Auditing: These standards have to be adhered to, primarily by the EMR used by the healthcare facility. Compliance has to be audited to verify the standards are implemented as defined. The ISO must do this at least once a year.

Information Security Officer role in Technical and Operational Standards

  1. Documentation: The Information Security Officer has to ensure the policies and procedures related to the technical and operational standards are in place.
  2. Auditing: These standards have to be adhered to, primarily by the EMR used by the healthcare facility. Compliance has to be audited to verify the standards are implemented as defined. The ISO must do this at least once a year.

Conclusion

As observed above, NABIDH treats the role of the ISO in a healthcare facility as a very important one. This role cannot be performed by the person who implements the policies and procedures, as NABIDH expects a proper maker-checker process (separation between the person doing the work and the person verifying it) to be in place.

If your healthcare facility requires assistance on this topic, please feel free to reach out to us.