Information Security Policy

The mission of the Center for eHealth Applications and Services (CeHA) is to provide services and products that ensure the integrity and security of its users' data, with particular importance placed on the health data hosted on its systems.

To serve this purpose, the management of CeHA recognizes the risks to Information Security that arise from the information produced and handled in the course of the Center's activities, and provides all the necessary resources to apply an Information Security Management System in accordance with the international standard ISO 27001:2013. In addition, CeHA extends the Information Security Management System according to the requirements of ISO 27799:2016 in order to protect health systems and information.

For this reason, CeHA implements an Information Security Policy, aiming at:

  • ensuring the smooth operation of the information systems that support its operation
  • ensuring the confidentiality, integrity and availability of the health data it manages
  • the timely and effective handling of Information Security incidents involving user health data
  • the continuous improvement of the level of Information Security
  • meeting the legislative and regulatory requirements that fall within the scope.


The commitment to Information Security, whose aim is to avoid incidents that could affect Information Security, is implemented through the following individual steps:

  • Identification of critical activities as well as critical resources,
  • Protection of assets and information involved in the services of the Institute from any threat, internal or external, deliberate or accidental,
  • Regular evaluation and assessment of risks related to information security that lead to correct and timely management,
  • Secure development and maintenance procedures for applications, systems and services,
  • Backup data, virus and malicious intrusion protection, access control in the systems, logging of all security incidents and management of unexpected situations,
  • Continuous training in Information Security for management and staff,
  • Control of transmitted and exchanged information and data (especially health data),
  • Protection of the interests of the Institute and of the people who work with it and place their trust in it,
  • Immediate and effective handling of incidents and security breaches that also concern health data,
  • Encouragement of internal and external communication about Information Security issues and the disclosure of security incidents. In this context, communication takes place with the information security committee of the Center (Information Security Management Forum - ISMF) at ismf@ics.forth.gr,
  • Commitment to the full compliance with the Information Security Policies and the national and EU legislation,
  • Commitment to respect for the rights of individuals regarding health data,
  • Ongoing information on the protection of health data, as well as on the incident management process, through a specific communication channel.

The Information Security Policy applies to both the permanent staff of the Center and the temporary staff (researchers, interns, etc.). In addition, it applies to external partners who have or may have access to systems and applications with health data. The above commitment is reflected in a confidentiality agreement that is signed at the start of cooperation with staff and external partners.

The Center is committed to the continual improvement of the Information Security Management System in order to offer high levels of information security to all involved.