Custom «Heart-Healthy Insurance Information Security Policy» Essay Paper Sample

Heart-Healthy Insurance has a robust information security department that operates on a security policy that seeks to ensure that provide assurance on user data confidentiality, integrity, as well as availability across the spectrum of the insurance firm.

The object of the Heart-Healthy Insurance is to provide services such as insurance rate underwriting, acceptance of payments from claimants and receiving payments from premium customers. It also provides evaluation services for patient-history.

In accordance to recent regulation requirements that the US. Department of Health and Human Services (HHS) made, it beneficial to review the user and password requirements policies that Heart-Healthy Insurance enforces. This report provides recommendation on how to improve the current security policy by aligning the policy to HHS standards, U.S. Federal privacy Laws, HIPAA and HITECH, GLBA, and PCI-DSS specification. Below is a report of from the information security analysis team on how to improve the current policy.

Review of heart-healthy insurance information security policy

New Users

The team found that the current policy is focused on providing users with access to systems, but not on enforcing privacy regulations that can hinder users from abusing data available in the system. Because of this, the security analysis team recommends that

New users should sign a document requiring them not to disclose any information from users available in the system. This information will be accordance with HIPPA that aims at protecting patient’s data from misuse (Winn, 2001).

Users should also agree of notifying patients whenever they access records, before using patient information in the system. Administrators must perform system audits should be performed periodically to identify any violation.

Administrators should place be placed on the information provided to users. Whereas the current policy allows users to request access to different parts of the system, the team recommends that administrators classify and given access based on their functions.

Administrators to include custom controls that make the system more secure thus avoiding users from accessing other restricted of the sections upgrade the insurance information system. The policy must stipulate the users will be required to access information at their levels that administrators give them access (Smedinghoff, 2008).

Users should also be notified of potential litigation in the event where they violate privacy policies as stipulated by HITECH and HIPPA.

Password requirement

The current password requirement seems sufficient, but lacks a number of essential requirements. Because of this, the security team requires that

Passwords requirements must be reviewed to enforce password reuse by tracking the usage of passwords. This can be achieved by preventing users from changing passwords frequently. Management of accounts should also be documented in the system and logs stored in order to comply with GLBA.

Password requirement must also be changed to include the need of minimum password age. This will ensure that users change their passwords as a way of improving security of the system. Administrators should give users should be given a significant number of days to change the passwords.

The security analysis team should review the password requirement to include clauses on the usage of passwords. In accordance with Federal laws such as Federal Information Processing Standards Publications, new policy must allow users to change passwords whenever a given time lapse.

In order to create compliance with the PCI-DSS regulation, the password requirement policy must be changed in order to provide for the encryption of passwords. Most important, the Heart-healthy insurance information system must give a sound framework that can be used by system administrators to prevent a fraud through detection and reacting appropriately to threats experienced by the system.