Standards for Canadian organizations

2020 Edition

Risk Prevention and Management (CA-RPM) 5: Security of Information

Electronic and printed information is protected against intentional and unintentional destruction or modification and unauthorized disclosure or use.

Interpretation

The standards in this section address security of all types of paper and electronic information maintained by the organization, unless otherwise noted, including:
  1. case records and other information of persons served;
  2. administrative, financial, and risk management records and reports;
  3. personnel files and other human resources records; and
  4. performance and quality improvement data and reports.
Purpose

Comprehensive, systematic, and effective risk prevention and management practices sustain the organization's ability to positively impact the communities and people it serves by reducing its risk, loss, and liability exposure.
1
The organization's practices fully meet the standard, as indicated by full implementation of the practices outlined in the CA-RPM 5 Practice standards.
2
Practices are basically sound but there is room for improvement, as noted in the ratings for the CA-RPM 5 Practice standards.
3
Practice requires significant improvement, as noted in the ratings for the CA-RPM 5 Practice standards.
4
Implementation of the standard is minimal or there is no evidence of implementation at all, as noted in the ratings for the CA-RPM 5 Practice standards.
Self-Study Evidence
  • Data security policies
  • Data security procedures
  • Policies on the use of social media, electronic communications, and mobile devices
  • Procedures on the use of social media, electronic communications, and mobile devices
  • Procedures for managing data interruptions/disaster recovery plan
  • Agreements with third parties (e.g., information technology vendors, business associates, etc.), when applicable

On-Site Evidence
  • Interviews may include:
    1. Relevant personnel

On-Site Activities
  • Observe case record room/files and information system accessibility

 

CA-RPM 5.01

The organization protects confidential and other sensitive information from theft, unauthorized use or disclosure, damage, or destruction by:
  a. limiting access to authorized personnel on a need-to-know basis;
  b. using firewalls, anti-virus and related software, and other appropriate safeguards;
  c. monitoring security measures on an ongoing basis;
  d. having the ability to remotely wipe or disable mobile devices, if applicable, in the event that a device is lost, stolen, re-purposed, or discarded; and
  e. maintaining paper records in a secure location when not in use by authorized staff.
Examples: In regard to element (a), the organization may limit access to authorized personnel by:
  1. limiting access based on staff role within the organization;
  2. ensuring the electronic system requires strong passwords/passcodes for access to confidential information, requires passwords/passcodes to be regularly changed, locks the user out of the system for incorrect login attempts, and automatically times out after a period of inactivity and prompts reauthentication;
  3. disabling the equipment, passwords, and access of former employees; and
  4. ensuring the system is capable of tracking who accesses confidential information in the system and recording when information is altered or deleted, also known as audit logs.
In regard to element (e), secure storage of paper records can include:
  1. locked file cabinets;
  2. a locked file room with limited access or a gatekeeper system whereby one person or a few people can unlock the file storage area or access the files themselves; or
  3. a system using a keypad or keys where only authorized individuals are given the keypad code or copies of the keys.
Other important considerations can include procedures related to information taken off-site by staff.
Note: Please see the Facility Observation Checklist for additional guidance on this standard.
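As an added illustration that is not part of the standard, the element (a) controls listed above expressed in code: need-to-know access by staff role, lockout after repeated incorrect passcodes, an inactivity timeout that prompts reauthentication, disabled (not deleted) accounts for former employees, and an audit log recording who read, altered or deleted which record and when. The role names, the three-attempt lockout threshold and the 15-minute timeout are assumptions.

```python
import hashlib, hmac, os
MAX_FAILED_LOGINS = 3               # assumed: lock the account after this many wrong passcodes
INACTIVITY_TIMEOUT_SECS = 15 * 60   # assumed: idle sessions expire and must reauthenticate

# Need-to-know by staff role (assumed roles): finance staff get no access to case records.
ROLE_PERMISSIONS = {"caseworker": {"read", "write"},
                    "supervisor": {"read", "write", "delete"},
                    "finance": set()}

def hash_passcode(passcode, salt):  # slow salted hash: a leaked credential table is not directly usable
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

class CaseRecordSystem:
    def __init__(self):
        self.users = {}      # account name -> account state
        self.audit_log = []  # (time, user, event, record_id): who accessed/altered/deleted what, and when

    def _log(self, now, name, event, record_id=None, ok=False):
        self.audit_log.append((now, name, event, record_id))   # denials are recorded too
        return ok

    def add_user(self, name, role, passcode):
        salt = os.urandom(16)
        self.users[name] = {"role": role, "salt": salt, "hash": hash_passcode(passcode, salt),
                            "active": True, "failed": 0, "locked": False, "last_activity": None}

    def deactivate(self, name):  # former employee: access is disabled, the account history is kept
        self.users[name]["active"] = False

    def login(self, name, passcode, now):
        u = self.users[name]
        if not u["active"] or u["locked"]:
            return self._log(now, name, "login_denied")
        if not hmac.compare_digest(hash_passcode(passcode, u["salt"]), u["hash"]):
            u["failed"] += 1
            u["locked"] = u["failed"] >= MAX_FAILED_LOGINS
            return self._log(now, name, "login_failed")
        u["failed"], u["last_activity"] = 0, now
        return self._log(now, name, "login", ok=True)

    def access(self, name, action, record_id, now):
        u = self.users[name]
        if u["last_activity"] is None or now - u["last_activity"] > INACTIVITY_TIMEOUT_SECS:
            u["last_activity"] = None   # session expired (or never started): prompt reauthentication
            return self._log(now, name, "reauth_required", record_id)
        if not u["active"] or action not in ROLE_PERMISSIONS.get(u["role"], set()):
            return self._log(now, name, action + "_denied", record_id)
        u["last_activity"] = now
        return self._log(now, name, action, record_id, ok=True)
```

Time is passed in as a number of seconds so the lockout and timeout paths can be exercised deterministically; a real system would also require periodic passcode changes and enforce passcode strength at `add_user`.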
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspect of the organization's data security procedures needs strengthening; or
  • With few exceptions, procedures are understood by staff and are being used.
3
Practice requires significant improvement; e.g.,
  • There is a major deficiency in at least one of the listed elements resulting in risk to the organization; or
  • There have been instances of unauthorized access to confidential or sensitive information; or
  • Procedures are not well-understood or used appropriately.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

CA-RPM 5.02

Proper safeguards protect confidential information when transmitted electronically.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement.
3
Practice requires significant improvement.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

CA-RPM 5.03

The organization has policies and procedures addressing the use and monitoring of:
  1. social media;
  2. electronic communications; and
  3. mobile devices, including staff-owned devices, if applicable.
Examples: “Social media and electronic communications” include a variety of applications and websites used to create and share content, for example:
  1. the organization’s own website;
  2. external websites;
  3. email;
  4. texting;
  5. blogs;
  6. social networking and bookmarking sites such as Pinterest, Instagram, Twitter, and Facebook;
  7. wikis; and
  8. discussion forums.
Risks associated with the use of social media and electronic communications may include:
  1. unauthorized or prohibited contact between staff and service recipients;
  2. unauthorized or inappropriate use of organization logos or trademarks;
  3. personal comments or opinions that can be misconstrued as representing the views of the organization, or that present the organization in a negative light;
  4. inadvertent or deliberate disclosure of confidential or proprietary business information; and
  5. inadvertent or deliberate disclosure of confidential or protected information about service recipients.

Examples: A social media policy typically addresses:
  1. the organization’s definition of “social media;”
  2. responsible parties (e.g., individuals responsible for setting up accounts, contributing content, monitoring content, etc.);
  3. prohibited forms of communication;
  4. the appropriate use of social media including confidentiality and privacy considerations; and/or
  5. consequences for failure to follow the policy and/or related guidelines.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspect of the procedures needs further development.
3
Practice requires significant improvement; e.g.,
  • Procedures are very basic and provide minimal guidance to staff; or
  • Procedures are not well-understood by staff or are frequently not being followed; or
  • Procedures are still under development and have only been partially implemented.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

CA-RPM 5.04

The organization is prepared for planned and unplanned interruptions of data and limits the disruption to its operations and service delivery by:
  1. maintaining procedures for managing data interruptions and resuming operations;
  2. backing up electronic data regularly, with copies maintained off premises;
  3. regularly testing the organization’s back-up plan including data restoration processes; and
  4. developing procedures for alternative methods of communication with staff and stakeholders during periods of disruption.

Interpretation

This standard applies to any instance of prolonged data disruption, regardless of whether there is a corresponding emergency.
Examples: A disaster recovery plan is a set of procedures put in place to protect and recover an organization’s IT infrastructure to ensure the continuation of business in the event of a disaster. The plan clearly defines what disaster means for the organization’s administrative operations and service delivery. It also includes specific guidance on when primary systems are considered nonfunctional/shut down, at what point secondary systems should be activated, who has the authority to make that determination, and how to inform staff and stakeholders that a disaster has occurred.

Factors that increase the effectiveness of a disaster recovery plan include:
  1. training staff on response procedures; 
  2. practicing procedures/conducting downtime drills; 
  3. testing disaster recovery systems on an ongoing basis; and
  4. monitoring plan implementation.
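An added restore drill for element (c) of CA-RPM 5.04, written here as an illustration and not taken from the standard: a backup is written together with a manifest of file digests (kept with the off-premises copy), then restored into scratch space and compared against the manifest so that missing, altered or unexpected files are reported rather than assumed absent. The file names and contents are constructed samples.

```python
import hashlib, os, tempfile, zipfile

def file_digests(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def make_backup(data_dir, backup_path):
    """Write data_dir into a zip backup; return the manifest to keep with the off-site copy."""
    manifest = file_digests(data_dir)
    with zipfile.ZipFile(backup_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in manifest:
            zf.write(os.path.join(data_dir, rel), arcname=rel)
    return manifest

def restore_drill(backup_path, manifest):
    """Restore into scratch space and check against the manifest; returns (ok, problems)."""
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(backup_path) as zf:
            zf.extractall(scratch)   # zipfile strips absolute and '..' path components on extract
        restored = file_digests(scratch)
    problems = [f"missing: {p}" for p in manifest if p not in restored]
    problems += [f"altered: {p}" for p in manifest if p in restored and restored[p] != manifest[p]]
    problems += [f"unexpected: {p}" for p in restored if p not in manifest]
    return (not problems, sorted(problems))

def demo():
    """Constructed sample: back up two case-record files, run the drill,
    then replace the off-site copy with one that silently lost a file."""
    with tempfile.TemporaryDirectory() as work:
        data = os.path.join(work, "records")
        os.makedirs(os.path.join(data, "cases"))
        with open(os.path.join(data, "cases", "CR-001.txt"), "w") as f:
            f.write("case note (constructed sample)\n")
        with open(os.path.join(data, "index.csv"), "w") as f:
            f.write("CR-001,open\n")
        backup = os.path.join(work, "records-backup.zip")
        manifest = make_backup(data, backup)
        good = restore_drill(backup, manifest)
        # Simulated faulty backup job: the archive is rebuilt without index.csv
        with zipfile.ZipFile(backup, "w") as zf:
            zf.write(os.path.join(data, "cases", "CR-001.txt"), arcname=os.path.join("cases", "CR-001.txt"))
        bad = restore_drill(backup, manifest)
        return good, bad
```

Run the drill on a schedule against the real off-premises copy; a backup that exists but fails the drill is the case this element is meant to catch.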
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Some aspects of the procedures need further development.
3
Practice requires significant improvement; e.g.,
  • Procedures are very basic and provide minimal guidance to staff; or
  • Procedures are still under development and have only been partially implemented.
4
Implementation of the standard is minimal or there is no evidence of implementation at all.

 

CA-RPM 5.05

The organization ensures its electronic system for managing health records or protected health information limits access to information in accordance with confidentiality rules and the person's privacy preferences to the greatest extent possible.

Interpretation

If the electronic health record system employed by the organization is not able to meet all client privacy preferences and/or all of the necessary confidentiality rules, the organization informs the service recipient of the system’s limitations and obtains consent for the exchange of electronic health information based on those restrictions.
NA The organization does not electronically manage health records or protected health information.
1
The organization's practices reflect full implementation of the standard.
2
Practices are basically sound but there is room for improvement; e.g.,
  • Procedures for monitoring and maintaining legal compliance require greater clarity or specificity.
3
Practice requires significant improvement; e.g.,
  • The organization is aware of compliance problems and is working to remediate deficiencies.
4
Implementation of the standard is minimal or there is no evidence of implementation at all; e.g.,
  • The organization is aware of compliance problems and is not working to remediate deficiencies.