To protect your personal and website data during your visit to the Tri-Service General Hospital Website (hereafter referred to as the “Website”), we set out the Website Security Policies below, explaining our data protection practices:
The following website security policies apply to the collection, use and protection of personal data while you are visiting our website; however, they do not apply to other websites that you reach through links from it. When you use a link to go from our website to another website, the website security policies of that website apply.
２、The Control of Information Access
●System access policies and authorization guidelines shall be established, and employees and users shall be informed of their responsibilities in writing, electronically or by other means.
●Deactivate access privileges to all data resources for employees who have resigned or are on temporary leave; this procedure shall be mandatory in the Employee Resignation and Exit Procedures. Applicable changes shall be made within a certain period of time for employees whose job duties change.
●Set up User Account Management rules to enhance password management and require users to change passwords periodically, at least once every six months.
●Security controls on vendors who remotely log into our system for maintenance shall be enhanced and a list of all related personnel shall be maintained to ensure they comply with data security and confidentiality policies.
●An information security audit program has been established; security audits are conducted either regularly or randomly.
３、Website Security Practices and Standards
Any unauthorized action to intentionally upload or modify the services provided by the website and related information is strictly forbidden and may violate the law. For the safety of the website and to ensure continuity of service to its users, we have set out the following practices to address website safety:
●At the points connecting to external networks, firewalls should be established to manage data transmission and access between internal and external networks and to enforce strict authentication measures.
●A web penetration detection system shall be implemented to monitor website traffic and detect unauthorized actions to intentionally upload, change, or harm website information.
●Anti-virus software is installed and virus scanning is performed regularly in order to provide visitors a safer web browsing environment.
●A system backup and recovery plan has been created; backups of important data and software are performed periodically, and recovery measures are implemented to ensure the system resumes normal operation after disasters or storage failures.
●Simulated hacking attacks are conducted on an unscheduled basis to test system recovery procedures and provide an adequate level of security defense.
●Confidential and sensitive information or documents shall not be saved in a public information system or delivered through e-mail.
●Automatically receive e-mail notifications from operating system or application vendors and install suggested patches following their instructions.
●Please note that transmitting data over the internet cannot be guaranteed to be 100% safe, but we are dedicated to keeping the website and your data safe to the very best of our ability. In some cases, SSL, a standard security system, will be used to secure data and the transmission process; however, since the safety of data transmission is influenced by your online environment, we can’t guarantee the safety of information you transmit to and receive from the website. You shall pay attention to and be responsible for the risk that may be involved in internet data transmission. Please understand that any consequence resulting from this is beyond the website’s control.
４、Firewall Security Management
●Firewalls shall have a server providing network forwarding services, e.g. a proxy server, to manage the transmission of network services such as Telnet, FTP and WWW.
●The firewall is the core of our hospital’s entire network. One copy of the firewall server and software shall be kept for unforeseen events.
●Firewall systems log all activities in the network. The log shall contain at least the event date, time, source and destination IP addresses, protocols, etc., for routine management and future audits.
●Firewall system logs shall be examined and analyzed by firewall system administrators for unusual situations.
●To ensure the safety of the firewall host computer, personnel are only allowed to log in from the system terminal; logging in to the system by other means is prohibited.
●The safety control settings of our hospital’s firewall system shall be reviewed often and adjustments shall be made if necessary to assure the objectives of security controls are met.
●Our hospital’s firewall system shall be backed up periodically on a stand-alone computer. All other methods, including internet backup, are not allowed.
●Our hospital’s firewall system will be frequently updated to be able to respond to various cyber attacks.
５、Principles for Data Backups
●Backups of valuable information shall be kept for at least three hierarchies.
●The backups shall be protected by appropriate physical and environmental measures; the security control measures used in the main operation environment shall also be applied to the backup operation environment.
●Backups shall be tested periodically to ensure the saved data is usable.
６、Principles of Data Recovery
●When starting recovery, we will check the consistency and completeness of the data.
●Except in cases where the server or internet can’t be recovered due to a sudden large-scale incident, data can be recovered within 24 hours. The backups shall be maintained and updated to the most recent two days. After data is restored, applications and databases should immediately resume normal operation.
●Backups shall be tested periodically to ensure the saved data is usable.
●After recovery has been completed, relevant personnel should monitor the system for three consecutive days to ensure the system works normally and the updated data is accurate.
７、Due to rapid changes in technology, regulations that have not been finalized, and unpredictable environmental changes, the information security policies are subject to change to ensure proper network security protection. When the changes are completed, we will immediately post the updates, marked with highlighting, on the website.
８、For any questions or comments about the policies above, please refer to the contact information listed on the website.