11.7 STANDARD: SECURITY AWARENESS TRAINING

The Security Awareness Training Standard has four separate Implementation Specifications, all of which are addressable:

  • Security Reminders

  • Protection from Malicious Software

  • Log-in Monitoring

  • Password Management

This Standard encourages a process for increasing awareness of security risks among workforce members and implementing a security awareness and training program. Training will have to include management as well as Physicians.

11.7.1 Security Reminders

The first of the four Implementation Specifications in the Security Awareness Training Standard is Security Reminders, which the HIPAA Security regulations classify as addressable.

Periodic security updates would be an easy way to address this specification. Articles in a company newsletter about computer security concerns, signs or posters in locker or lunch rooms, monthly e-mail reminders, all would qualify in this category.

11.7.2 Protection from Malicious Software

The second of the addressable Implementation Specifications in the Security Awareness Training Standard is Protection from Malicious Software.

Although only addressable, any modern hospital, medical center, or any other business for that matter, would be completely negligent if it forsook anti-virus software on all its desktop PCs and Servers. Guarding against, detecting and reporting malicious software or 'Malware' (viruses, worms, and malicious program code) is the least a covered entity can do to address this specification.

Besides anti-virus software, there are other software and hardware options to help a covered entity address this specification to whatever degree it feels is adequate or responsible.

As previously mentioned in this chapter, Firewalls are the second layer of a multiple-layer defense against malicious software coming from outside the internal network. There are 5 basic types of Firewalls, each of which performs slightly differently. For more information on Firewalls, please see Appendix C.

While Firewalls can protect against malicious software coming from outside an internal network, there are also risks and threats from within the network. Users who bring floppy diskettes or CD/RW's from home can also bring viruses or worms that won't be caught, blocked or stopped from wreaking havoc on the internal network by a Firewall. This is where a comprehensive corporate or enterprise version of anti-virus software works best for any size organization.

11.7.3 Log-in Monitoring

The third addressable Implementation Specification in the Security Awareness Training Standard is Log-in Monitoring.

This specification suggests the covered entity create procedures for monitoring log-in attempts and reporting discrepancies. Most modern Server software products like Windows 2000 or 2003 Server, and all of the Unix/Linux Server flavors come with built-in capability to monitor user log-ins and keep a log of these. Setting these built-in options to log this activity will create large log files and can take up some serious disk storage space. The question is, who will review these logs and look for malicious attempts at cracking into the network or other harmful activity?

As previously mentioned, detecting security violations from inside a network will require Servers and other data storage devices to have their built-in logging systems turned on and monitored. This only allows for after-the-fact detection, but it can still be a source of information on how attackers or users are accessing or attempting to access 'Electronic Protected Health Information'.

Since the HIPAA Security regulations specifically apply to EPHI, not every network login would necessarily need to be logged to meet this rule. Since most hospitals and medical centers have a specific Health Information System (HIS) software program (or group of such programs), it is the HIS programs that would be the direct focus of Log-in Monitoring. However, there will no doubt be patient information saved by users in word processing documents, spreadsheets and other application program formats, so monitoring network log-ins would also be appropriate.

One issue that some covered entities deal with is that their HIS systems come from different or multiple vendors rather than an entire system from a single vendor. These 'best of breed' combination systems usually all have their own log-in sequence, making the task of Log-in Monitoring quite large. A 'single sign-on' piece of software can make this less of a burden on the already over-worked IS/IT department or whoever is reviewing the logs, by allowing users to sign on one time and having that username and password transmitted to all the individual HIS systems in use.
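As an added illustration, not part of the book's text, the following Python script shows the kind of review procedure this specification calls for: it parses a handful of constructed Unix-style sshd log lines from a hypothetical HIS application server, counts failed log-in attempts per user and source address, and flags successful log-ins outside working hours. The host name, user names, addresses, the three-failure threshold and the 20:00 to 06:00 after-hours window are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the style of a Unix/Linux auth log. The host,
# users and addresses are made up for this example and come from no real system.
SAMPLE_AUTH_LOG = """\
Mar 10 07:58:01 his-app1 sshd[2201]: Accepted password for jsmith from 10.20.1.15 port 50122 ssh2
Mar 10 08:03:14 his-app1 sshd[2210]: Failed password for jsmith from 10.20.1.15 port 50130 ssh2
Mar 10 08:03:20 his-app1 sshd[2210]: Accepted password for jsmith from 10.20.1.15 port 50130 ssh2
Mar 10 23:41:02 his-app1 sshd[2388]: Failed password for admin from 10.20.7.99 port 41000 ssh2
Mar 10 23:41:05 his-app1 sshd[2388]: Failed password for admin from 10.20.7.99 port 41000 ssh2
Mar 10 23:41:09 his-app1 sshd[2388]: Failed password for admin from 10.20.7.99 port 41000 ssh2
Mar 10 23:41:14 his-app1 sshd[2388]: Failed password for admin from 10.20.7.99 port 41000 ssh2
Mar 10 23:41:20 his-app1 sshd[2388]: Failed password for invalid user root from 10.20.7.99 port 41000 ssh2
Mar 10 23:41:25 his-app1 sshd[2388]: Failed password for invalid user root from 10.20.7.99 port 41000 ssh2
Mar 11 02:15:44 his-app1 sshd[2402]: Accepted password for mlee from 10.20.1.40 port 50901 ssh2
"""

# One sshd log-in line: timestamp, host, outcome, user (possibly "invalid user X") and source.
LOG_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_log(text):
    """Turn raw log text into a list of log-in events; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "host": m["host"],
            "day": m["month"] + " " + m["day"],
            "hour": int(m["time"][:2]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def failed_attempts(events):
    """Count failed log-ins per (user, source address) pair."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[(e["user"], e["src"])] += 1
    return dict(counts)


def after_hours_logins(events, start=20, end=6):
    """Successful log-ins between start and end o'clock (window is an assumption)."""
    return [e for e in events
            if e["result"] == "Accepted" and (e["hour"] >= start or e["hour"] < end)]


def report_discrepancies(text, fail_threshold=3):
    """Produce the list of discrepancies a reviewer should look at (threshold is an assumption)."""
    events = parse_auth_log(text)
    findings = []
    for (user, src), n in sorted(failed_attempts(events).items()):
        if n >= fail_threshold:
            findings.append(f"{n} failed log-ins for '{user}' from {src}")
    for e in after_hours_logins(events):
        findings.append(f"after-hours log-in by '{e['user']}' from {e['src']} "
                        f"at {e['hour']:02d}:00 on {e['day']}")
    return findings


if __name__ == "__main__":
    for finding in report_discrepancies(SAMPLE_AUTH_LOG):
        print(finding)
```

On the sample data the report lists the repeated failures against 'admin' and the 02:00 log-in by 'mlee'; the single mistyped password by 'jsmith' stays below the threshold and is not reported, which is the kind of tuning the reviewer decides on.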

11.7.4 Password Management

The fourth addressable Implementation Specification in the Security Awareness Training Standard is Password Management.

The specifications recommend the covered entity create procedures for creating, changing and safeguarding passwords, and educating users on topics such as no password sharing, and logging off a system before walking away.

The February 2003 issue of the Healthcare Information Security newsletter includes an article of industry 'best-practices' for password usage. Information security professionals know these basic rules about passwords: don't use your name; don't use common words, your license plate number, or your pet's name, etc. Other suggestions from the article are:

  1. Prohibit use of words from the dictionary.

  2. Base requirements on level of access to information.

  3. Use a combination of letters and numbers.

  4. Use some capital letters.

  5. Change passwords every 30-90 days.

While this implementation specification is only addressable, the use of passwords is so prevalent in today's society that each computer user must be made aware of the security threats from sharing their password, posting their password in an easily viewable place, not changing passwords regularly, and what makes a good password.
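As an added example, not drawn from the book or the newsletter article, the following Python function checks a proposed password against the rules listed above: no user name, no dictionary words, letters combined with numbers, at least one capital letter, a minimum length that depends on the user's level of access, and a maximum age of 90 days. The small word list, the access level names and their length thresholds are assumptions made for the example; a real deployment would use a full dictionary word list.

```python
import re
from datetime import date

# Toy word list standing in for a real dictionary file (an assumption of this example).
DICTIONARY = {"password", "welcome", "hospital", "summer", "letmein", "medical"}

# Minimum length per level of access to EPHI. The level names and thresholds are
# assumptions of this example, applying the advice to base requirements on level
# of access to information.
MIN_LENGTH = {"general": 8, "clinical": 10, "administrator": 12}

# Passwords are to be changed every 30-90 days; this enforces the upper bound.
MAX_AGE_DAYS = 90


def _as_date(value):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def check_password(password, username, access_level="general",
                   last_changed=None, today=None):
    """Return a list of policy violations; an empty list means the password passes.

    Pass last_changed (and optionally today) to also check the password's age.
    """
    problems = []
    lowered = password.lower()

    # Don't use your name (checked case-insensitively as a substring).
    if username.lower() in lowered:
        problems.append("contains the user name")

    # Prohibit words from the dictionary, even when embedded in a longer string.
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")

    # Use a combination of letters and numbers.
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("must combine letters and numbers")

    # Use some capital letters.
    if not re.search(r"[A-Z]", password):
        problems.append("must contain a capital letter")

    # Base requirements on level of access to information.
    minimum = MIN_LENGTH[access_level]
    if len(password) < minimum:
        problems.append(f"shorter than the {minimum} characters required for {access_level} access")

    # Change passwords every 30-90 days.
    if last_changed is not None:
        today_d = _as_date(today) if today is not None else date.today()
        age = (today_d - _as_date(last_changed)).days
        if age > MAX_AGE_DAYS:
            problems.append(f"last changed {age} days ago; change every 30-90 days")

    return problems


if __name__ == "__main__":
    # Constructed sample passwords (none belong to any real user).
    for pw, user, level in [("Summer2003", "jsmith", "general"),
                            ("jsmith99", "jsmith", "general"),
                            ("Tr4vel-Mug!7", "jsmith", "administrator")]:
        print(pw, "->", check_password(pw, user, level) or "OK")
```

The dictionary check deliberately looks for embedded words, so 'Summer2003' is rejected even though it mixes capitals, letters and digits; a check that only compared whole passwords against the word list would let it through.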


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181