Our Information Security Policy

01.09.2025

1. Definition:
Information security protects information from a wide range of threats in order to ensure business continuity within the organization, minimize disruptions to operations, and maximize the benefits derived from investments.

Information security essentially targets the following three elements:
• Confidentiality
• Integrity
• Availability

Let's elaborate on these concepts a little further:

Confidentiality can be defined as information being inaccessible to unauthorized persons. Another definition of confidentiality is preventing information from being disclosed by unauthorized persons.
Integrity is the protection of information content against threats of modification, deletion, or any form of destruction by unauthorized persons. In short, integrity means that information is not corrupted accidentally or intentionally.
Availability means that information is ready for use whenever needed. Even if any issues or problems arise, the information must remain accessible as a requirement of the availability principle. This access must be within the scope of the user's rights. According to the availability principle, every user must be able to access the information source to which they have access rights during the authorized time period.

2. Scope:
This policy covers all units using the Hospital Information Technology infrastructure, users accessing information systems as third parties, and service, software, or hardware providers providing technical support to information systems.

3. Purpose:
From the perspective of hospital management, this policy aims to ensure the security of all physical and electronic information assets used in the provision of IT services in order to:
• Protect the hospital's reliability and the image of the institution it represents,
• Ensure compliance with third-party contracts,
• Ensure the continuity of the hospital's core and supporting business activities with minimal disruption.

4. Principles:
Everyone who uses the hospital's information technology infrastructure and accesses information resources:
a) Must ensure the confidentiality of hospital information in personal and electronic communications and in information exchanges with third parties,
b) Must back up the information they process according to its criticality level and take the specified security measures,
d) Must report information security breaches and notify the Information Technology Unit, taking measures to prevent such breaches.
e) Hospital internal information resources (announcements, documents, etc.) cannot be disclosed to third parties without authorization.
f) Hospital IT resources cannot be used for activities that violate Turkish laws and related regulations.
All employees of the institution are obligated to comply with this policy, procedures, and instructions.

5. Roles and Responsibilities:
a) As required by business processes, all types of information shall be accessible to the units, service providers, and necessary third parties within the scope of the system with minimal disruption.
b) The integrity of information shall be protected at all times.
c) The confidentiality of information produced and/or used shall be ensured in all circumstances, regardless of whether it belongs to service recipients, providers, or third parties.
d) Risks shall be reduced to an acceptable level through the design, implementation, and maintenance of the Information Security Management System.
e) Information will be protected regardless of its form of use, such as electronic communication, sharing with third parties, use for research purposes, or storage in physical or electronic environments.
f) In accordance with the “Clean Screen/Clean Desk” principles in work areas, measures will be taken to prevent information, other than non-classified information, from being seen by others.
g) All employees will be informed according to the “need-to-know” principle in all activities, and information in the electronic environment will be accessible within the framework of the “need-to-know” principle.
h) All unit managers will be primarily responsible for the implementation of these principles and will ensure that the personnel work in accordance with these principles.

6. Policy Violations and Sanctions:
In the event of non-compliance with information security policies, procedures, and instructions, legal and administrative proceedings may be initiated against the individuals concerned, and one or more of the following sanctions may be applied:
• Warning,
• Reprimand,
• Suspension of salary,
• Suspension of promotion,
• Monetary penalty,
• Termination of contract.

7. This “Information Security Policy” shall enter into force upon approval by the hospital management and must be complied with by hospital personnel.