
Privacy and Security

Dimension Definition: The Privacy and Security dimension covers the management of patient consent for electronic health information and the cybersecurity measures that protect medical records against unwanted access, manipulation or sharing.

Scope:

  • This dimension addresses the growing importance of privacy and security as digital health technologies and consumer-enabled care expand, especially where new digital workflows and processes are introduced.
  • As data becomes more plentiful and complex, organizations need a better understanding of how it is used, robust security and privacy measures, and appropriately managed access to data.

Relevance to SeMA:
  • Identify the digital health baseline of the healthcare provider's facilities within the privacy and security dimension
  • Identify the digital health maturity levels/scores and any gaps in the baseline within the privacy and security dimension
  • Propose digital health areas of improvement and suggestions for the baseline within the privacy and security dimension

Key Criteria:

  • Privacy framework in place or planned
  • Compliance readiness with the MoH/NHIC Saudi eHealth Security and Privacy Interoperability Specification

Sub-Dimensions:

5.5.1 Consent Management & Patient Health Information Sharing and Confidentiality

5.5.2 Cybersecurity

Assessment Questions

 

Consent Management & Patient Health Information Sharing and Confidentiality

1. Assessment element: Does your consent management service give patients the flexibility to allow third parties (family member, friend) to access their PHI?
   Answer options:
   - Yes
   - No
   - No e-consent management in use
   What looks immature: No consent management service is available to handle personal health information and access to it.
   What looks mature: A consent management service is implemented that provides the decision-support capability to determine whether any personal health information (PHI) disclosure (e.g. queries, reporting, data extracts) is allowed, and that gives patients the flexibility to allow third parties (family member, friend) to access their PHI.
   Evidence type: Provide a screen sample of the configuration capability for disclosing personal health information.

2. Assessment element: Do you have clear governance and consent agreements around the use of remote and assistive care technologies?
   Answer options:
   - Yes
   - No
   What looks immature: No clear governance and consent agreements.
   What looks mature: Clear governance and consent agreements around the use of remote and assistive care technologies.
   Evidence type: Attach a sample of the consent agreements around the use of remote and assistive care technologies.

3. Assessment element: Do you have a digital consent form signed by the patient for the use of their personal and non-personal health information in medical research?
   Answer options:
   - Yes, for PHI
   - Yes, for NPHI
   What looks immature: No digital consent form is signed by the patient for the use of their personal and non-personal health information in medical research.
   What looks mature: A digital consent form is signed by the patient for the use of their personal and non-personal health information in medical research.
   Evidence type: Attach a sample of the digital consent form signed by the patient.
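
The first consent item above describes a decision-support capability that determines whether a PHI disclosure is allowed and lets a patient delegate access to a third party, and the third item describes a separate digital consent for research use. The Python example below is added here to show the shape of such a deny-by-default decision; it is not code from the SeMA assessment or from the MoH/NHIC specification. The data model (ConsentGrant, PatientConsent and their field names), the category and purpose names, and the sample patient and delegate identifiers are all assumptions constructed for this example. Every decision is returned together with a reason so that it can be written to an audit log.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class ConsentGrant:
    """A patient's authorisation for one delegate (family member, friend).

    Field names are assumptions for this example, not a SeMA or MoH data model.
    """
    delegate_id: str
    categories: FrozenSet[str]   # PHI categories the delegate may see
    purposes: FrozenSet[str]     # purposes the delegate may see them for
    expires: date                # grant is unusable on or after this date
    revoked: bool = False        # patient withdrew the grant


@dataclass
class PatientConsent:
    patient_id: str
    grants: List[ConsentGrant] = field(default_factory=list)
    research_phi: bool = False    # digital consent signed for PHI use in research
    research_nphi: bool = False   # digital consent signed for non-personal HI use in research


def disclosure_allowed(consent: PatientConsent, requester_id: str, category: str,
                       purpose: str, today: date) -> Tuple[bool, str]:
    """Deny by default; return (decision, reason) so every decision can be logged."""
    if purpose == "research":
        # Research use is governed by the signed research e-consent, not by delegate grants.
        if category == "nphi":
            return (True, "research consent for NPHI on file") if consent.research_nphi \
                else (False, "no research consent for NPHI")
        return (True, "research consent for PHI on file") if consent.research_phi \
            else (False, "no research consent for PHI")

    reason = f"no consent grant from {consent.patient_id} to {requester_id}"
    for grant in consent.grants:
        if grant.delegate_id != requester_id:
            continue
        if grant.revoked:
            reason = f"grant to {requester_id} revoked"
            continue
        if today >= grant.expires:
            reason = f"grant to {requester_id} expired on {grant.expires.isoformat()}"
            continue
        if category in grant.categories and purpose in grant.purposes:
            return True, f"grant to {requester_id} covers {category} for {purpose}"
        reason = f"grant to {requester_id} does not cover {category} for {purpose}"
    return False, reason


# Constructed sample data for the example (not real patients or staff).
SAMPLE = PatientConsent(
    patient_id="P-1001",
    grants=[
        ConsentGrant("D-fatimah", frozenset({"lab_results", "medications"}),
                     frozenset({"care_coordination"}), date(2025, 12, 31)),
        ConsentGrant("D-khalid", frozenset({"lab_results"}),
                     frozenset({"care_coordination"}), date(2024, 1, 1)),   # lapsed grant
    ],
    research_phi=False,
    research_nphi=True,
)


def decide(requester_id: str, category: str, purpose: str,
           today: date = date(2025, 6, 1)) -> Tuple[bool, str]:
    """Evaluate one disclosure request against the sample consent record."""
    return disclosure_allowed(SAMPLE, requester_id, category, purpose, today)


if __name__ == "__main__":
    for req in [("D-fatimah", "lab_results", "care_coordination"),
                ("D-fatimah", "imaging", "care_coordination"),
                ("D-khalid", "lab_results", "care_coordination"),
                ("D-unknown", "lab_results", "care_coordination"),
                ("research-team", "phi", "research"),
                ("research-team", "nphi", "research")]:
        allowed, why = decide(*req)
        print(f"{req}: {'ALLOW' if allowed else 'DENY'} ({why})")
```

The point of the (decision, reason) return value is that an assessor asking for "a screen sample of the configuration capability" is really asking for proof that disclosure is gated by recorded consent rather than by application code paths; logging the reason alongside the decision is what makes that gate reviewable.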

 

 

 

 

 

Cyber Security

1. Assessment element: Do you meet the standards of KSA's National Cybersecurity Authority (NCA) and international cyber security standards?
   Answer options:
   - KSA National Cybersecurity Authority (NCA) standards
   - International cyber security standards
   - Not available
   What looks immature: No compliance with cyber security standards.
   What looks mature: Policies and procedures are in place in line with recognized national standards such as the NCA's and international standards such as ISO 27001 (ISO 27K) and NIST, ensuring proper information security practices.
   Evidence type: Attach the NCA and/or international standard certifications.

2. Assessment element: Do you have a documented, implemented and regularly reviewed cyber security strategy?
   Answer options:
   - Yes
   - No
   What looks immature: Strategy not defined.
   What looks mature: Cyber security strategy is defined, documented, supported by the head of the organization and regularly reviewed. A roadmap is executed to implement the strategy.
   Evidence type: Attach the cyber security strategy.

3. Assessment element: Do you have a dedicated cyber security function in the organization with clear roles and responsibilities?
   Answer options:
   - Yes
   - No
   What looks immature: No independent cyber security function.
   What looks mature: Dedicated cyber security function established with clear roles and responsibilities, which are periodically reviewed.
   Evidence type: Highlight, within one of your facility's existing organization charts, where the cyber security function sits.

4. Assessment element: Do you have cyber security policies and procedures defined and documented by the cyber security function?
   Answer options:
   - Yes
   - No
   What looks immature: No cyber security policies and procedures in place.
   What looks mature: Cyber security policies and procedures are defined, documented, implemented and reviewed. They are supported by technical security standards (e.g. operating system, database and firewall technical security standards).
   Evidence type: Attach a sample of the cyber security policy and procedures (one policy and one procedure).

5. Assessment element: Are risk assessment procedures documented and implemented at the following points?
   Answer options:
   - In the early stages of technology projects
   - Before major technology infrastructure changes
   - During planning and before go-live for new technology services and products
   - Risk assessment procedures are regularly reviewed
   What looks immature: No risk assessment procedures in place.
   What looks mature: Risk assessment procedures are documented and implemented (1) in the early stages of technology projects, (2) before major technology infrastructure changes and (3) during planning and before go-live for new technology services and products. The procedures are regularly reviewed.
   Evidence type: Attach a documented sample of a risk assessment procedure.

6. Assessment element: Is cyber security treated as a strategic risk, integrated into the enterprise risk register and regularly reviewed by the board?
   Answer options:
   - Yes. The risk register is regularly reviewed and appropriate treatment actions for cyber risks flow into the security governance structure.
   - No
   What looks immature: Cyber security is not included in the enterprise risk register.
   What looks mature: Cyber security risks are clearly identified and articulated in sufficient detail in the enterprise risk register, including an assessment of their impact on the business (in business terms). The risk register is regularly reviewed and appropriate treatment actions for cyber risks flow into the security governance structure.
   Evidence type: Attach a sample of the cyber security risks as articulated in your enterprise risk register (screen sample or attachment).

7. Assessment element: With regard to project management, which cyber security requirements are in place?
   Answer options:
   - Secure coding standards
   - Trusted and licensed sources for software development tools and libraries
   - Secure integration between software components
   - The requirements are periodically reviewed
   - None
   What looks immature: No cyber security requirements in place for project management.
   What looks mature: The cyber security requirements for software and application development projects include secure coding standards, trusted and licensed sources for software development tools and libraries, and secure integration between software components. The requirements are periodically reviewed.
   Evidence type: Attach the documented cyber security requirements for project management.

8. Assessment element: Do you have a cyber security awareness program that covers secure handling of email, mobile devices, internet browsing and use of social media?
   Answer options:
   - Cyber security awareness program
   - Cyber security training implemented
   - None
   What looks immature: No cyber security awareness program in place.
   What looks mature: Cyber security awareness program developed and implemented, covering secure handling of email, mobile devices, internet browsing and use of social media.
   Evidence type: Attach the cyber security awareness training manual or content.

9. Assessment element: Do you have training programs in place for cyber security personnel?
   Answer options:
   - Yes
   - No
   What looks immature: Basic programs implemented on an ad hoc basis.
   What looks mature: Training programs implemented and tailored to cyber security job functions. These programs are periodically reviewed.
   Evidence type: Attach the cyber security personnel training manual or content.

10. Assessment element: Do you have an acceptable use policy for information and technology assets that is defined, implemented and regularly reviewed, under which IT assets must be labelled and classified as per the related regulatory requirements?
   Answer options:
   - Yes
   - No
   What looks immature: Asset management policies not implemented.
   What looks mature: Acceptable use policy for information and technology assets defined, implemented and regularly reviewed. In addition, IT assets are labelled and classified as per the related regulatory requirements.
   Evidence type: Attach the policy.

11. Assessment element: Do you have measures in place to prevent storage of patient data on local devices?
   Answer options:
   - Yes
   - No
   What looks immature: No procedure in place to prevent this.
   What looks mature: Defined and implemented procedures in place to prevent storage of patient data on local devices.
   Evidence type: Provide the documented procedure for preventing storage of patient data on local devices.

12. Assessment element: Which authentication mechanisms does your solution support?
   Answer options:
   - User authentication based on username and password
   - Multi-factor authentication
   - Privileged access management
   - Single sign-on
   - No IAM in use
   What looks immature: No IAM cyber security requirements documented or implemented.
   What looks mature: IAM requirements are documented, implemented and reviewed. They cover user authentication based on username and password, multi-factor authentication, privileged access management and single sign-on.
   Evidence type: Provide a screen sample of the authentication mechanism used in your solution.

13. Assessment element: Which of the following requirements for the protection of information systems and information processing facilities are documented and implemented?
   Answer options:
   - Firewall implementation
   - Network segregation (production, testing, deployment)
   - Security of the domain name service (DNS)
   - Intrusion prevention and detection systems
   - None
   What looks immature: No requirements documented or implemented.
   What looks mature: Requirements are documented, implemented and periodically reviewed. They cover firewall implementation, network segregation (production, testing, deployment), intrusion prevention systems, security of the domain name service, etc. They also cover advanced, up-to-date management of malware and virus protection on servers and workstations, restricted use of external storage media, and patch management for information systems, software and devices.
   Evidence type: Specify the name of the implemented solution and provide a screen sample.

14. Assessment element: Is there an intrusion detection system in place?
   Answer options:
   - Yes
   - No
   What looks immature: No intrusion detection system in place.
   What looks mature: Intrusion detection system implemented.
   Evidence type: Provide a screen sample of the intrusion detection system used.

15. Assessment element: Which of the following requirements do you have for mobile device security, if any?
   Answer options:
   - Secure wiping of the organization's data and information stored on mobile devices and BYOD
   - Separation and encryption of the organization's data and information stored on mobile devices and BYOD
   - None
   What looks immature: No requirements documented or implemented.
   What looks mature: Requirements are documented, implemented and periodically reviewed. They cover secure wiping of the organization's data and information stored on mobile devices and BYOD, separation and encryption of the organization's data and information stored on mobile devices and BYOD, etc.
   Evidence type: Highlight the requirements within the policy and procedure documents (screen sample or attachment).

16. Assessment element: Are portable/mobile devices recognized and authorized to operate on the network?
   Answer options:
   - Yes
   - No
   What looks immature: Portable devices are neither recognized nor required to be authorized to operate on the network.
   What looks mature: Portable/mobile devices are recognized and authorized to operate on the network.
   Evidence type: Provide a screen sample of the page in the system that shows the recognized devices operating on the network.

17. Assessment element: Can hospital-owned devices be remotely wiped if they are lost or stolen?
   Answer options:
   - Yes
   - No
   What looks immature: Hospital-owned devices cannot be remotely wiped if they are lost or stolen.
   What looks mature: Hospital-owned devices can be remotely wiped if they are lost or stolen.
   Evidence type: Provide a screen sample of the system's ability to perform a remote wipe.

18. Assessment element: Is there a data destruction policy in place and, if so, how often is it reviewed?
   Answer options:
   - Quarterly
   - Half-yearly
   - Yearly
   - None
   What looks immature: No data destruction policy in place.
   What looks mature: Data destruction policy is documented and regularly reviewed.
   Evidence type: Attach the data destruction policy.

19. Assessment element: Which of the following data and information protection requirements, ensuring the confidentiality, privacy, integrity and availability of the organization's data and information, exist?
   Answer options:
   - Data and information ownership
   - Data and information classification and labelling mechanisms
   - Data and information privacy
   - None
   What looks immature: No requirements documented or implemented.
   What looks mature: Requirements for protecting and handling data and information are documented, implemented and periodically reviewed. They cover data and information ownership, data and information classification and labelling mechanisms, and data and information privacy.
   Evidence type: Highlight the requirements for handling and protecting data and information in the related document (screen sample or attachments).

20. Assessment element: Which of the following data-related policies are documented in your organization?
   Answer options:
   - Data privacy policy
   - Data protection policy
   - Data storage policy
   - Data release policy
   - Data security policy
   What looks immature: No data policies exist.
   What looks mature: Data privacy, protection, storage, release and security policies are documented, regularly reviewed and amended when necessary.
   Evidence type: Attach the available data policies corresponding to the options selected.

21. Assessment element: Which incident and threat management requirements are in place, documented, implemented and periodically reviewed?
   Answer options:
   - Vulnerability assessments
   - Penetration testing
   - Event logging and monitoring management
   - Incident and threat management
   - None
   What looks immature: No requirements documented or implemented.
   What looks mature: Requirements are documented, implemented and periodically reviewed. They cover vulnerability assessments, penetration testing, event logging and monitoring management, and incident and threat management.
   Evidence type: Highlight the requirements for incident and threat management in the related document (screen sample or attachment).

22. Assessment element: Do you have proper physical security requirements in place to protect against unauthorized physical access, loss, theft and damage? (Select the applicable options.)
   Answer options:
   - Authorized access to sensitive areas within the organization (e.g. data center)
   - Facility entry/exit records and CCTV monitoring
   - Secure destruction and re-use of physical assets that hold classified information, etc.
   - None
   What looks immature: No requirements documented or implemented.
   What looks mature: Requirements are documented, implemented and periodically reviewed. They cover authorized access to sensitive areas within the organization (e.g. data center), facility entry/exit records and CCTV monitoring, and secure destruction and re-use of physical assets that hold classified information, etc.
   Evidence type: Highlight the physical security requirements in the related document (screen sample or attachments).

23. Assessment element: Do you have proper web application requirements to protect against cyber risks?
   Answer options:
   - Use of web application firewalls
   - Secure protocols (e.g. HTTPS)
   - Secure usage policy for users
   - Others
   - None
   What looks immature: No requirements documented or implemented.
   What looks mature: Requirements are documented, implemented and periodically reviewed. They cover use of web application firewalls, secure protocols (e.g. HTTPS), secure usage policy for users, etc.
   Evidence type: Highlight the requirements for web application management in the related document (screen sample or attachment).

24. Assessment element: Select the cyber security resilience requirements implemented within the organization's business continuity management to remediate and minimize impacts on systems and digital services (if any).
   Answer options:
   - Plan for continuity of cyber security systems and procedures
   - Response plans for cyber security incidents
   - Disaster recovery plans
   - None
   What looks immature: No business continuity requirements documented or implemented.
   What looks mature: Cyber security requirements for business continuity are documented, implemented and periodically reviewed. They cover continuity of cyber security systems and procedures, response plans for cyber security incidents, and disaster recovery plans.
   Evidence type: Attach the plans corresponding to the options selected.

25. Assessment element: Have disaster recovery processes for critical systems been tested, audited and regularly reviewed?
   Answer options:
   - Yes
   - No
   What looks immature: No tests or audits conducted.
   What looks mature: Tests and audits are regularly conducted to identify and rectify gaps.
   Evidence type: Provide a screen sample of the recovery testing reports (results need not be shown).

26. Assessment element: Which of the following applies to third-party and cloud computing cyber security in your organization?
   Answer options:
   - Cloud computing security requirements are documented, implemented and periodically reviewed
   - The organization has a centralized online database of suppliers
   - All supplier details are populated and regularly updated
   - The supplier onboarding process ensures that the database is maintained
   - Policies and procedures around the use of informal suppliers are disseminated and understood by all staff
   - Regular supplier reviews are carried out
   - None
   What looks immature: There is no central list or database of suppliers. The organization has no control over the use of informal suppliers such as Dropbox.
   What looks mature: Centralized online database of suppliers, with all details populated and regularly updated. The supplier onboarding process ensures that the database is maintained. Policies and procedures around the use of informal suppliers are disseminated and understood by all staff. Regular supplier reviews are carried out.
   Evidence type: Provide the following:
   - Attachment of the cloud computing security requirements document
   - Screen sample of the online database of suppliers
   - Attachment of the supplier onboarding process
   - Attachment of the policies and procedures for the use of informal suppliers

27. Assessment element: Which cyber security requirements apply to third parties, including outsourcing and managed services?
   Answer options:
   - Cyber security requirements for third parties are documented, implemented and periodically reviewed
   - They cover non-disclosure clauses and secure removal of the organization's data by third parties at the end of service
   - They include communication procedures in case of cyber security incidents, etc.
   - None
   What looks immature: No third-party requirements documented or implemented.
   What looks mature: Cyber security requirements for third parties are documented, implemented and periodically reviewed. They cover non-disclosure clauses, secure removal of the organization's data by third parties at the end of service, communication procedures in case of cyber security incidents, etc.
   Evidence type: Provide the following:
   - Attach the cyber security requirements document
   - Attach the non-disclosure clauses
   - Attach the procedure document used in the case of cyber security incidents




