Leaving the office desk a little cluttered at the end of a busy workday seems like a typical picture in any organization. But at Toronto-based Smart Systems for Health Agency (SSHA) that habit could earn an employee a warning memo the next day.
That’s because as the agency mandated by the Ontario government to provide secure and reliable electronic communications to the province’s healthcare sector, SSHA cannot afford to have a weak link in its security chain. “When the agency was being envisioned and constructed, privacy and security were the foundation components of everything that we do,” said Roman Olarnyk, SSHA’s chief information officer.
Established in 2003, SSHA’s highly secure and private network infrastructure allows it to provide a number of services to healthcare institutions and practitioners such as round-the-clock application hosting, telecom services, portal hosting, electronic health records, e-mail and registration.
Millions of sensitive, confidential health records pass through the SSHA network regularly and the assurance that the data is not compromised is paramount to SSHA’s operations. That trust element is a vital ingredient for all its product and service offerings, Olarnyk said. “If we lose that trust element we’re not going to go any further,” the SSHA executive said.
Part of maintaining a security culture among SSHA employees is policy implementation and monitoring.
Its “clean desk policy” for instance requires staff to exercise good housekeeping in their respective workstations, which means emptying the top of their desks everyday before leaving the office. Nothing, not even a newspaper, must be left lying around for someone to see, said Olarnyk.
The printer area must likewise be free of any loose documents, he said. Employee badges are required to be worn within the SSHA facility at all times. Visitors are diligently asked for two pieces of government-issued ID.
A self-policing culture exists among the agency’s 350 employees, Olarnyk said. Everyone is obligated to “challenge” anybody that’s found not complying with the company’s internal policies.
The agency’s entire facility is subdivided into zones as a means to control access to more sensitive environments, explained Olarnyk. The badge issued to each employee determines the type of access privilege a specific employee has, depending on their scope of responsibility.
Corporate workers, for instance, don’t have access to the data centre where the client applications and data exist, said Olarnyk.
“Sometimes your (job) title means nothing especially from a security standpoint. My badge does not give me access to the server room because I have no business being there.”
Remote workers are only allowed to use SSHA-issued laptops for accessing the company network, said the agency’s CIO. And if a “rogue” user attempts to access the network without proper authorization, alarms are set off and the laptop gets locked down, he added. This is made possible through “inward-facing” intrusion detection systems installed between zones and between business units, Olarnyk said.
SSHA’s security systems deployment ranges from one-factor and two-factor authentication to biometrics-based access, but the CIO said technology is only half of the equation; employee cooperation on any security initiative comprises the other half.
He said building a “cultural awareness” among the employee population means making them understand why security measures are implemented and the consequences of not enforcing them.
The SSHA executive, however, stressed that any security implementation must be balanced with business needs. For example, your business may require an extensive and integrated security infrastructure to ensure the protection of valuable information assets.
The challenge for the security management group lies not only in the ability to put in protection tools, but in recognizing the relationship between the value of the company’s information assets and the types of roles that define access to those assets, said Robert Garigue, vice-president for information integrity and chief security executive at Bell Canada.
“For things that have more value, [such as those covered] under the privacy law…you would want to put a lot more restrictions and therefore you’re looking for a lot more assurance,” said Garigue.
On the other hand, there are instances where basic access control, such as username and password, and an educated user population may be sufficient, he added.