1. Purpose of the Policy
To ensure the confidentiality, integrity, and availability of the information assets used within the institution, so that they are accessible only to authorized personnel and available to them when needed.
To define the information security requirements that all personnel and other stakeholders must comply with.
2. Scope
All information systems, IT resources, physical information assets, information networks and infrastructure, application software, database systems, and personnel and suppliers involved in these processes.
This policy covers Silifke State Hospital and the Provincial Directorate of Health.
3. Legal Basis
Regulation on Personal Health Data (Official Gazette No. 30808, dated 21/06/2019)
Ministry of Health Information Security Policies Directive (02/05/2018)
Ministry of Health Information Security Guide (Version 2.1)
Institutional CSIRT Establishment and Management Guide
Presidential Circular No. 2019/12 (“Information and Communication Security Measures”)
4. Key Definitions
Information Security: The protection of information and information processing facilities so that they can be used safely and reliably; it covers confidentiality, integrity, and availability, as well as the detection of unauthorized access.
Information Security Breach: Any incident where information is corrupted, altered, accessed, or captured without authorization.
ISMS (Information Security Management System): A systematic and sustainable set of activities to ensure institutional information security.
CSIRT (Computer Security Incident Response Team): The team responsible for responding to cyber incidents.
PHD (Provincial Health Directorate): Refers to the Provincial Directorate of Health.
5. Information Security Organization
PHD Information Security Sub-Commission: The high-level decision-making body; coordinates activities and implements action plans.
Information Systems Coordinator: Serves as the chair and coordinator of the commission.
Information Security Officer & Institutional CSIRT Leader: Ensures coordination with all relevant institutions and organizations.
Institutional CSIRT: Responds to cyber incidents across the province.
Hospital Information Security Team (if applicable): Manages information security activities at the hospital level.
Primary Healthcare Facilities: Personnel responsible for daily information system operations carry out information security activities.
6. Implementation Principles
The confidentiality, integrity, and availability of institutional information assets shall be ensured.
The Provincial Health Director approves the policy with the Information Security Commitment and ensures its implementation.
All personnel are obliged to understand and comply with ISMS policies.
Any information security breach must be reported via https://bilgiguvenligi.saglik.gov.tr/Home/OlayBildir.
Compliance with physical security measures (access control, storage areas, staff ID cards, etc.) is mandatory.
External parties (suppliers, other institutions) must access systems in accordance with institutional procedures.
Confidentiality agreements must be signed with all service providers.
7. Supporting Documents
Commonly Used Documents:
Annex-1: PHD Information Security Organization Personnel Information
Annex-2: Password Policy
Annex-3: Access Control Procedure
Annex-4: Remote Access Procedure (VPN, etc.)
Annex-5: Information Retention and Destruction Procedure
Annex-6: Internet and E-mail Usage Policy
Annex-7: Social Media and Social Engineering Policy
Annex-8: Information Security Disciplinary Procedure
Annex-9: Clean Desk / Clean Screen Procedure
Institution-Specific Documents:
Access Control Procedure and Matrices
Acceptable Use of Assets Procedure
Recruitment and Offboarding Procedures
Backup and System Security Procedures
E-mail and Server Request Forms
Database Authorization Forms
Business Continuity Forms