Information Security Officer Role Guidance

Information Security Officer Role Guidance

In every practice, responsibility for managing health information security requirements needs to be clearly defined and reside with at least one senior individual.

All staff must be aware of the security responsibility undertaken by that nominated individual or individuals.

For smaller organisations, this is likely to be a secondary role to their normal role within the organisation, that may oversee also Information Governance and Risk Management activities.

The Information Security Officer role responsibilities are:

  • manage the security strategy,[ governance and risk management frameworks], following HISO standards
  • assists with developing and updating the information security policies
  • perform risk assessments, monitors and manages identified risks
  • monitor the appropriateness, effectiveness, resilience, and security of digital systems, backups and policies
  • manage third-party service providers compliance with security policies
  • ensure all staff are trained in information security and privacy topics
  • provide leadership, oversight and security awareness to practice members
  • act on MOH, PHO and CERT NZ information security alerts and notifications

Resources

HISO 10064:2017 Health Information Governance Guidelines: https://www.health.govt.nz/publication/hiso-100642017-health-information-governance-guidelines

HISO 10029:2015 Health Information Security Framework: https://www.health.govt.nz/publication/hiso-100292015-health-information-security-framework

CERT NZ: https://www.cert.govt.nz/businesses-and-individuals/guides/

Patients First: https://www.patientsfirst.org.nz/services-products/health-information-security/

https://www.patientsfirst.org.nz/cyber-smart-week-2018/

AU RACGP Information security in general practice https://www.racgp.org.au/FSDEDEV/media/documents/Running%20a%20practice/Security/Information-Security-in-General-Practice.pdf

UK NHS: https://digital.nhs.uk/services/data-and-cyber-security-protecting-information-and-data-in-health-and-care/cyber-and-data-security-policy-and-good-practice-in-health-and-care/information-security-guidance-for-health-and-care-organisations/information-security-policy-example-policy