Information Security Policy
Information plays a key part in clinical governance, service planning and performance management. It is of paramount importance to ensure that information in any form (e.g. electronic, hardcopy, verbal) is efficiently managed and that appropriate policies, procedures and management accountability provide a robust governance framework for information management.
The management of the Clinic has adopted the following information security policy. This Policy is derived from the information security objectives as formulated by the responsible management of the Clinic.
The Clinic adopts the ISO/IEC 27001:2013, Information Security Management Systems (ISMS) for the structuring, maintenance and continual improvement of procedures and measures to safeguard the confidentiality, integrity and availability of information and information processing facilities.
The ISMS is under the umbrella of the Integrated Management System (IMS), which encompasses all related components of the Clinic (e.g. Accreditation, ISO certifications, policies, procedures, manuals, etc.) into one system for optimized processes and resources. Further to that, the ISMS provides an excellent framework for compliance with most of the EU General Data Protection Regulation (GDPR) requirements. To achieve this, we make improvements systematically.
The Company Information Security Policy is binding for all the staff of the Clinic, as well as for all organizations, third parties and sub-contractors who perform services for the Clinic.
Exceptions from parts of this Policy are allowed, provided they are authorized by the responsible management and have substantiated reasons.
All employees, third parties and sub-contractors of the Clinic have a duty to protect data and information systems against unauthorized access, use, modification, disclosure, destruction, loss or transfer.
The Clinic actively promotes security awareness in its employees, contractors and visitors and ensures that all parts of this Policy are translated into actual measures, tailored to the tasks and responsibilities of the people concerned.
The Clinic undertakes a business impact analysis and risk assessment at least once a year to determine whether additional measures are necessary, and whether particular data or information systems require additional security measures and an explicit owner to decide on them.
The Clinic's information systems are physically protected and operated in a manner that prevents unauthorized physical access.
Existing applications are reviewed against this Policy. In case of exceptions a formal risk acceptance is carried out.
New applications and software should comply with the requirements specified in the ISMS.
To ensure that information is available to users when it is required, the Clinic has documented and tested a Business Continuity Plan.
The Clinic management ensures that applicable legal and contractual requirements are identified and addressed.
The Clinic management will review the policy at least once a year and update it as necessary.
Dr. George Zachariades