Medical Information Security
Information Security for Medical Organizations – First Steps
To implement security effectively, you need a balanced approach that covers your staff, your administrative processes and your technology. This section deals with the fundamental first steps:
- Set up a security program that takes a comprehensive approach to your physical, technological and administrative operations. Assess your current security situation to determine your priorities and serve as a baseline for the program.
- Develop a security policy that commits the organization to appropriate security measures and provides high-level direction on how this will happen.
- Develop an appropriate set of security standards and procedures based on your policy.
- Appoint a staff member with overall responsibility for security.
- Define, document and communicate the responsibilities of this role and all the other roles required to support your security policy.
Documents you should create as a result of carrying out these steps include:
- Information Security Policy, Standards and Procedures
- Initial Security Review Results
- Personal Health Information Inventory
Security Program and Information Security Policy
You must take reasonable steps to keep personal health information secure. What is reasonable may vary depending on your organization’s size and complexity, and the nature and extent of risks faced within the organization. Large hospitals dealing with significant amounts of sensitive personal health information that have internal networks, centrally managed IT and many staff members accessing information electronically will need different security than small offices. You must decide where your organization falls on the range between large institution and small office. Scale your measures to a reasonable level that fits your circumstances.
What You Should Do
Set up a security program that takes a comprehensive approach to your physical, technological and administrative operations. Assess your current security situation to determine your priorities and serve as a baseline for the program. Develop a security policy that commits the organization to appropriate security measures and provides high-level direction on how this will happen. Develop an appropriate set of security standards and procedures based on your policy.
Your security program must be comprehensive because good security does not rely only on a strong lock on the front door. Good security relies on a series of measures that remain in place in case the lock gets broken or the back door is left open. Your program must also cover all security measures, not just technical ones. Installing anti-virus software to secure personal health information is important, but it is not enough. Security is easily breached by simple mistakes such as sensitive information being left lying around or a wrong number being punched in when faxing a patient record.
You need to make an initial assessment of your current security situation, both to determine the critical areas you must address first and to set the baseline against which you will measure the effectiveness of your security program. This assessment should analyze both your current security risks and your current controls. If you don’t have the skills within your institution to do this, seek outside help to do the assessment properly, since it will serve as the foundation for your program.
A written security policy is important as it will guide your staff on overall security matters and provide a base for creating specific standards and procedures. Your initial security assessment will provide input to help you build the policy that best meets your security needs. You also need to have a good understanding of your legal, regulatory, ethical and contractual security obligations in order to build your policy.
At a minimum, the highest levels of your management should approve your security policy. Your security policy should include:
- what security means to your institution and why it is so important,
- key security goals and principles,
- individuals’ basic security responsibilities and accountability,
- how staff will be trained,
- who will review and update your policy, and
- how you will comply with your contractual and legal security obligations.
You should use your policy to help develop a fully documented set of security standards (for example, password rules) and security procedures covering both:
- how you protect your perimeter (such as the main entry point to your building or computer network), and
- what occurs inside your building or network (because your employees are not free to see any information they want, nor are they immune from mistakes or bad judgement).
The security policy should integrate with other policies, particularly privacy.
Tell your staff and outside contractors about the policy.
Small Office Applicability
- Give your staff a concise written set of security rules that also explain why the rules must be followed.
- Remember that everyone must play their part in protecting your patients’ personal health information and your facilities.
- The Small Office Applicability sub-sections in this section will help you customize rules that fit your office.