Tenet has a duty to protect the confidentiality, integrity and access of the information we use, and of the information systems at hospitals, clinics and other facilities that Tenet uses to manage our day-to-day business operations and healthcare information. This means that we classify all information by level of sensitivity, handle information according to how it is classified, and follow best practices, information security standards, federal and state laws, professional ethics and accreditation requirements to protect this information.
- To protect against accidental or deliberate modification or destruction
- To prevent unauthorized disclosure or misuse of information
- To detect unauthorized access or misuse of information and information assets
- To perform timely and accurate damage assessments after detection
- Access Controls
  - Access by only authorized individuals and preventing access by any unauthorized individual
- Audit Controls
  - Accountability by documenting and assessing system activities
- Authorization Controls
  - Access to Confidential or Proprietary Information based on the user’s access level
- Data Authentication Controls
  - Verification that information has not been modified or destroyed in unauthorized ways
- Entity Authentication Controls
  - Unique user accounts, auto logoffs, biometrics, passwords, tokens or PINs
- Configuration Management Controls
  - Alignment to Tenet’s Information Security Policies and Procedures for overall security
- Classifying Information
  - Confidential
  - Proprietary
  - Public
- Accessing Information and Records
  - Access to information is on a “need to know” and job function basis
  - Individuals have a unique User ID and password
  - User access is managed with system controls, physical controls and auditing
- Supervising Access for Contractors
  - ConTrack
    - Internal eTenet contractor management application
    - System is linked to Tenet’s Active Directory
    - Contractor’s account is immediately disabled when it is not sponsored
    - Contractor can no longer access network resources (e.g., e-mail, eTenet)
  - Department Manager or Supervisor
    - Assigned as sponsor for contractors in ConTrack
    - Authorizes, manages and disables contractors’ access to Tenet networks
- Processing, Transmitting and Disposing of Information
  - Transmit information following processes that protect against unauthorized access, accidental disclosure and loss of data integrity
  - Dispose of confidential and proprietary information per the records retention policy
* Confidential
  * Payment Card Industry (PCI) Information
  * Protected Health Information (PHI)
  * Electronic Protected Health Information (ePHI)
  * Personally Identifiable Information (PII)
  * Employee personnel files
  * Payroll information
  * Business strategies
  * Quality Assurance documentation
  * Clinical Research documentation
  * Attorney-client privileged documents
  * Attorney work product
  * Trade secrets
* Proprietary
  * Internal telephone numbers
  * Financial information
  * Policies and procedures
  * eTenet Intranet website content
* Public
  * Job postings
  * Annual reports
  * Facility internet website content
- Background checks before any access is allowed
- Compliance with Tenet Information Security Standards
- Completion of Information Privacy and Security Awareness training program
- Understanding of Tenet’s right to monitor usage of information access
- System Management
  - Audit Log Reviews
    - System Administrators monitor security event logs daily
      - All Security Events
      - System logs of systems that store, process, or transmit Cardholder Data and/or Sensitive Authentication Data (SAD)
      - Critical system component logs
      - Logs of all servers and systems that perform security functions
    - All other logs are examined at least every thirty days
  - User Activity Reviews
    - Reviews to assist in identifying unusual, unexpected, or suspicious behavior
  - Technical Security Management
    - Configurations must meet Information Privacy and Security Program standards
- Training
  - Annual Training
    - Personnel are trained annually on securely protecting customer payment card data
    - Acknowledgement that personnel have read and understood the security policy and procedures
  - On-Line Training
    - Documented and maintained in Tenet’s online education system
  - Classroom Training
    - Attendance is documented and maintained by HR
  - Training Materials
    - Maintained per the records and retention policy
  - Training Completion
    - Documentation includes time, date, place and content of the training session
- Mitigation
  - Violations or Allegations
    - Reported to the Tenet Facility’s PIRT or Privacy and Security Compliance Officer
  - Investigations
    - Privacy and Security Compliance Officer investigates all violations and allegations
  - Patient Reporting
    - Patient, visitor or another individual may report to any Tenet person
  - Mitigation
    - PIRT and department leader mitigate harmful results that have occurred
- Sanctions
  - Documentation
    - HR documents imposed sanctions on the workforce member
    - Documentation is maintained per the records and retention schedule