Sample Paper on Hospital’s Security Management Policies

Hospital’s Security Management Policies


With the advent of technological advancement and heightened security issues, there is a need to handle data with a lot of care. This data protection policy has been created to enable each staff member in our hospital to handle data with a lot of care. As you follow our security policies, please remember the following. First, you should obtain and process information from our database fairly, meaning that you should use it only when necessary. Second, you should secure any information that you obtain from our databases, meaning that you should use it for lawful purposes only (Krause, 2006). Third, you should not retain the data longer than you need it.

As a way of ensuring that our data is protected, the following information needs to be protected. First, information relating to customers should be handled with a lot of care. This means that unauthorized individuals should not have access to this data. In this regard, all of you are to secure your login details by ensuring that they are not exposed to anyone (Rabasa, Brebbia, & Bia, 2013). At the same time, you need to secure information relating to doctors and the hospital by exercising due diligence. Second, the institution is to secure the wireless connection through Wi-Fi Protected Access, and it will also define efficient policies to safeguard our wireless security. Third, in terms of physical security, no staff member should leave his/her computer unlocked, nor log in to his/her computer and leave without logging out. Furthermore, all patients' records are to be placed in the information store, and unauthorized access to the store should not be allowed. Fourth, all your passwords will be stored on our computers as secret codes (Sharma, 2014). At the same time, each of you is to secure his/her username and should change these details after three months.

Managing change policies

With regard to the Internet Explorer configuration, you are not supposed to change anything from the way it has been configured. This means that you are not supposed to disable anything or even tamper with it, especially the firewall. Therefore, nothing that is blocked should be unblocked. At the same time, you are not supposed to add sites to our trusted sites even if you trust them. Only our technicians can do this, in consultation with our system administrator (Petković, & Jonker, 2007). No one else, regardless of his/her IT qualifications, should do this. More importantly, you are not supposed to allow cookies into your browser or even download online PDFs, except the ones in our databases.

In relation to all these, a group policy has been set to guide you in setting your passwords whenever you change them and to define what each one of us can do on his/her computer depending on one's role in the hospital. Therefore, no one should try to alter this policy except the technicians, with the help of the chief technician in charge of information.

Most importantly, not every one of you can add or remove files from our operating system. Instead, a team of experts in system administration has been set up for that task and has been mandated with managing files in our operating system. Consequently, everything that each of us can or cannot access in our operating system has been designed based on our roles in the hospital (Sharma, 2014). In this respect, no one should try to maneuver his/her way into the system under the pretence of looking for particular information.


Policy change request

In case of a change, all requests should be directed to the system administrator, who in turn will advise the technicians what to do. Nothing that is not directed to him/her will be acted upon, because it will be considered misdirected. Nevertheless, a temporary waiver of the policy that is not risky to our databases can be directed to the head of technicians, who will handle this issue without necessarily involving the team of experts. However, before acting on such a waiver of policy, he/she should review our security policies to ensure that they are not compromised.

Once the change request has been received by the system administrator, a committee of technicians and business personnel headed by the chief technician, who will act as the data manager, will review the request and decide the way forward. In case this team decides that the change will be a threat to our databases, then the change will not be granted. However, if the team decides that the change will not be a threat to our databases, then the change will be granted upon approval (Chennault, & Strain, 2010).

The chief technician in charge of information will be the one approving all the changes. He/she will also be the one giving the necessary directions relating to our databases, in conjunction with the system administrator. In his/her absence, the assistant chief technician will approve the changes, but will inform the chief technician about the changes when he/she returns to the office.

In case of unintended consequences, the chief technician or his/her assistant will communicate the change immediately to the respective persons, who will act upon the change immediately. Finally, all feedback from our customers, patients, and doctors, as well as from EMT, will be received and acted upon by the assistant chief technician in charge of information.


References

Chennault, D., & Strain, C. (2010). SharePoint deployment and governance using COBIT 4.1: A practical approach. Rolling Meadows, Ill: ISACA.

Krause, M. (2006). Information security management handbook on CD-ROM. New York: CRC Press.

Petković, M., & Jonker, W. (2007). Security, privacy and trust in modern data management. Berlin: Springer.

Rabasa, A., Brebbia, C., & Bia, A. (2013). Data management and security: Applications in medicine, science and engineering. Southampton, United Kingdom: WIT Press.

Sharma, S. (2014). Governometrics and technological innovation for public policy design and precision.