6.6 SECURITY MANAGEMENT PROGRAM

A security management program encompasses the creation, administration, and oversight of policies and procedures to ensure the prevention, detection, containment, and correction of security breaches. It involves risk analysis and risk management, including the establishment of accountability, management controls (policies and education), electronic controls, physical security, and penalties for the abuse and misuse of organizational assets (both physical and electronic). The program should be documented in an entity-wide security plan that concisely covers at least the following:

  1. Security management structure and security responsibilities;

  2. Security Policy, procedures, guides, and standards;

  3. Security Training and Awareness;

  4. Incident Handling and Security Advisory Handling; and,

  5. Compliance Reviews and Enforcement (including vulnerability scanning and penetration testing).

The activities involved in this category include:

  1. Development of an entity-wide security plan as outlined above;

  2. Formal program for incident reporting, including the mechanisms to respond and investigate security breaches or incidents;

  3. Determination of security roles and responsibilities, including the Chief Security Officer, supporting staff, the designation of physical versus information security roles, incident response functions such as a CERT team, support trees, and so forth;

  4. A demonstrable risk analysis [1] and management program [2];

  5. Established sanctions for security incidents; and,

  6. Physical site security planning, documented in the overall security plan and consistent with any individual facility plans.

6.6.1 Business Continuity Planning and Disaster Recovery

Business continuity is based on contingency planning to respond to a system emergency, formally documented and periodically tested. The plan includes performing backups, preparing critical facilities that can be used to facilitate continuity of operations in the event of an emergency, and recovering from a disaster. Disaster recovery is the part of an overall contingency plan that contains a process enabling an enterprise to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure. An emergency mode operation plan, also part of the contingency plan, contains the processes that enable an enterprise to continue to operate in the event of fire, vandalism, natural disaster, or system failure. FOX considers the following as activities associated with this remediation category:

  • Develop a plan for responding to system emergencies and disasters, including both physical disasters and intrusion;

  • Ensure that major required elements exist in the plan: Criticality Analysis, Emergency Operations Plan, Manual Procedures, Records Recovery, Network Recovery, Off/Hot Site Designation, Team Roles and Responsibilities, Formal Test Plan, and a program of Regular Testing; and,

  • Provide a physical site contingency plan for each site where an entity has more than one physical location.

6.6.2 Policies and Procedures

Policies, including those for security, provide the framework within which an organization establishes the needed levels of information security and privacy to achieve its confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment for a system. Security policies apply to a wide variety of activities within an organization, including human resources, information technology, records management, facilities management, and so forth. The development and maintenance of security policies can be part of the overall process that the entity has adopted for all its policies.

Policies need to be written so that they can be complied with and, if necessary, enforced. Procedures and guidelines need to be developed for both compliance with and enforcement of the policies. An organization also needs to establish processes for evaluating the quality of the policy-based practices and the degree of compliance required. Activities in this area include:

  • Identification of all appropriate areas in the organization, such as HR, IT, records management, and facilities management, that require security policies;

  • Formal documentation of security policies and procedures, either independently or as part of other current, documented policies and procedures. The security aspects, however, should be traceable to the organization's security configuration management plan;

  • Process for establishing new security policies and procedures and for reviewing and updating existing ones; and,

  • Process for evaluating quality of practice and degree of compliance.

6.6.3 Human Resources Policies and Procedures

The 'threat from within' should be one of the main concerns for any covered entity. Formal, documented human resource policies and procedures need to address personnel security and other security-related aspects of dealing with employees. Formal documentation of policies and procedures must be established to ensure that all personnel who have access to sensitive information have the required authority as well as appropriate clearances. Activities associated with this category include:

  • Hiring practices/procedures including screening and clearance process;

  • Supervisory practices/procedures;

  • Termination practices/procedures; and,

  • Employee status change procedures that reflect access and authorization.

6.6.4 Business Associate Agreements

The HIPAA Security Rule calls for contracts to be established between any two business partners for the electronic exchange or handling of data, protecting the integrity and confidentiality of the data exchanged or handled. These contractual agreements must establish the terms and conditions for the exchange of information. This area includes the following activities:

  • Development of standard contracts or memorandums of agreement;

  • Identification of all third parties with which health information is exchanged; and,

  • Execution of the contracts or agreements for all third parties with which health information is exchanged electronically.

You also need to consider agreements between your organization and support vendors who may not directly handle PHI but whose role in your organization could expose them to it accidentally. This can include the phone vendor, the provider of the Virtual Private Network (VPN) connecting your regional sites, or the vendor you select to conduct your security gap analysis or risk assessment.

[1] Risk analysis is the process whereby cost-effective security/control measures may be selected by balancing the costs of various security/control measures against the losses that would be expected if these measures were not in place.

[2] Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181