Security Roles and Responsibilities

People, Privacy and Security – Key Points

Your security is only as strong as your staff. Even the best technological security is vulnerable if you do not have staff committed to safeguard confidential information. This section deals with the steps needed to address the people aspect of security:

  • Inform and motivate all staff and contractors. Give them the necessary tools to carry out their personal security responsibilities. Training should include awareness and commitment to:

  • Impose controls to ensure that no one gains access to personal health information without proper authorization.

Documents you should create as a result of carrying out these steps include:

  • Staff Responsibilities for Physical Security (See Security Bastion)
  • Acceptable Use Policy and Rules for Fax Machines (See Security Bastion)
  • User ID and Access Management Procedures (See Security Bastion)
  • Password Policy (See Security Bastion)

Personal Responsibilities for Security – What You Should Do

Inform and motivate all staff and contractors. Give them the necessary tools to carry out their personal security responsibilities.

  • Run appropriate background checks before hiring staff who:
  1. deal with personal health information,
  2. work on IT infrastructure, and
  3. have special security responsibilities.
  • Staff should sign confidentiality agreements.


  1. Have staff sign the agreement when they are hired and initial their pledge annually as a reminder. Use this as an annual opportunity to reinforce training on privacy and security and brief staff on recent changes.
  2. All third-party contractors (for instance, consultants) and key contractor staff who may have access to sensitive information should sign an agreement before they begin work.

Physical Security

  • Your staff must:
  1. be aware of physical security responsibilities,
  2. lock up sensitive material,
  3. wear identity badges,
  4. secure information outside the normal work area, and
  5. report suspected incidents.

  • Lock up hardcopy personal health information if left unattended. Assign
  • all computers. Install locking screen savers and instruct staff to use the screen saver whenever they leave their computer. Set
    of time.
  • Make sure staff understand that they should not install any unauthorized
    use their
  • Make sure staff understand that they may not copy or transmit any
    rs loud conversations.
  • Give staff facilities (for example, shredding machines) to securely dispose of personal health information no longer required.
  • Tell staff what they need to do for on-line security. Issue an “Acceptable Use” policy (see Appendix A f
  • Provide staff with necessary security tools (such as anti-virus software and
    laptop computer
  • Create an ongoing security a
    regular updates.