High Level Security Policies (HLSPs) are management instructions indicating how an organisation is to be run. They are the primary building blocks for any information security effort. In order to successfully install security in Information Systems operating in European Health Care Establishments (HCEs), a set of principles and guidelines must exist, which establishes both direction and management support.

A HLSP should be used as a reference for a wide variety of information security and privacy activities which include establishment of user access privileges, performing risk analyses, conducting investigation of security and privacy threats, etc. It should also be considered as an essential part of the overall information policy of every HCE, which helps integrating the procedural aspects within the administrative organisation in the HCE.

A HLSP refers primarily to two main actors, namely the acting subjects (patients, physicians, health informaticians, administrators, health care authorities, insurance companies, etc.) and the data objects that should be protected (medical records, communication data, etc.).

The High Level Security Policy proposed herein should be fully adopted in order to be effective; moreover, conformance to its provisions should be made mandatory for all members of staff; special approval should be required when a HCE staff member wishes to take a course of action divergent from policy rules.

It is worth noticing that even when a High Level Security Policy already exists, it is advisable to the management of the Health Care Establishment to periodically revisit it to see whether it should be modified or augmented.

Security in Health Care Automated Information Systems can be conceptually viewed at four distinct levels of abstraction, namely generic principles (society and culture dependent); principles (administration dependent); guidelines (technology dependent) and measures (installation dependent).

HLSPs address the two middle levels of abstraction, namely principles and guidelines. Hence, HLSPs depend on generic principles and must be complemented by measures.

The HLSP, as it stands, defines the general approach that a Health Care Establishment should have towards implementing security. In other words, it states what should be done in order to implement security efficiently; it does not provide technical details on how to do this. These details can be found in the specialised technical guidelines developed within SEISMED.

No formalised security levels have been considered in this document. Rather, the High Level Security Policy herein provides a set of mandatory conditions to ensure adequate security of personal information processed by Health Information Systems.

The HLSP proposed herein was developed by a top-down approach. Specifically, principles were first derived as a result of:

✓ consulting, analysing and adapting relevant similar efforts of international bodies, including - inter alia - the CEC (Directives 287 and 288), the Council of Europe, the Organisation of Economical Co-operation and Development (DECD), the US Department of Health Automated Information Systems Security Program Handbook, etc.

✓ considering what the functional model of a “secure” HCE should be.

Secondly, guidelines were developed, by detailing principles. The end result is a set of nine principles and eighty seven guidelines.

The HLSP was developed in three phases. The first phase aimed at providing the reference centres with an initial draft of the HLSP, based on:

✓ the results of an attitude survey among Health Care professionals in Europe;

✓ the results of Risk Analysis exercises conducted at the four hospitals acting as reference centres;

✓ the results of the analysis of existing and emerging data protection legislation throughout Europe;

✓ relevant international literature.

The second phase consisted of the evaluation of the draft HLSP produced by the first phase by Health Care professionals, Health Informaticians and management.

The third phase consisted of the evaluation of the draft HLSP by all SEISMED partners and resulted in the current document.

The end result is a compromise between several different (but mostly fundamentally convergent) opinions expressed by project participants or external experts; nevertheless it is felt that this has not led into major internal inconsistencies or contradictions.

It is also felt that the HLSP should undergo a further, lengthy period of implementation in several HCEs across Europe, so it can be verified, amended, or modified according to everyday practice.