Posted on 24 Feb 05
Has your agency started implementing security policies and procedures to meet the HIPAA Security Rule requirements? What about other laws with essential security requirements? Have you developed your security training plans? Just what are these requirements? The answer comes straight from the final Security Rule: "164.308(a)(5)(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management)."

If you are like most agencies, you aren't in a hurry to start this training. More likely, you are not even thinking about training your staff, and certainly not before the beginning of 2006. After all, the rule does not affect small health plans until April 20, 2006, so why rush it? Waiting, however, may not be the best approach. Consider that the true goal of security training and awareness is to modify future behavior. The real benefit is not in the act of training, which makes you "compliant" with the rule, but in the proactive value of protecting the confidentiality, integrity, and availability of your data. You begin to receive that benefit only after you have successfully changed the thinking of your employees.

Here are four more good reasons why you shouldn't wait to begin the required security training:

1. Remember that you are already held accountable to the "mini-security" requirement of the Privacy Rule, 164.530(c), which requires the covered entity or business associate to "reasonably safeguard protected health information from any intentional or unintentional use or disclosure..." It's hard to imagine a more "reasonable" security control than proper training of the staff.

2. Consider that there is no better security measure than a well-trained staff. Alert, cautious staff members can head off many security issues before they arise, while a great many more security issues are caused by the actions of uneducated staff. Actions such as loading unapproved software, disabling virus protection, or sharing passwords can be major contributors to risk.

3. You may also wish to consider the value of a well-trained staff from a different position. A broadly trained workforce can serve as a self-policing one, and will be more likely to identify and then correct or report security issues that might otherwise go unnoticed for some time.

4. Finally, consider that the rule calls for ongoing security awareness training. There is real value in repetition and reinforcement. There's no substitute for repeating yourself to make an important point, or for implementing appropriate ways to consistently reinforce your message.

Once you make the critical decision to begin training, you must carefully consider the content that makes up the security training. The Security Rule requires that, in addition to your security reminders (periodic security updates), you provide training in the following:

- Protection from malicious software (procedures for guarding against, detecting, and reporting malicious software);
- Log-in monitoring (procedures for monitoring log-in attempts and reporting discrepancies); and
- Password management (procedures for creating, changing, and safeguarding passwords).

The above issues represent only a subset of the topics that must be included in training, not a complete list of security factors. If the point of security training ultimately is to reduce the risk of security breaches and violations, training must be broad enough to cover several other critical issues. Consider the following list as a much more inclusive starting point:

Security policies
Audit trail
Sanctions
Confident
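Of the three training topics the Security Rule names above, log-in monitoring is the one that most needs a concrete procedure behind it: staff can only "report discrepancies" if someone has defined what a discrepancy is. The script below is an added example and is not part of the original article or of any HIPAA guidance. It runs over a constructed, sshd-style authentication log and flags four kinds of discrepancy: repeated failures from one source, a successful login right after a run of failures for the same account, attempts against accounts that do not exist, and logins outside business hours. The log format, the thresholds, the ten-minute window and the business hours are all assumptions chosen for the demonstration.

```python
# Added example (not from the article): log-in monitoring over a constructed
# auth log. The sshd-style line format, the thresholds and the business hours
# are all assumptions chosen for the demonstration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one user who mistypes a password and then gets in,
# one remote host guessing passwords, one off-hours login, one malformed line.
SAMPLE_LOG = """\
2005-02-24T08:01:10 sshd[411]: Failed password for jsmith from 10.0.0.5 port 50001 ssh2
2005-02-24T08:01:14 sshd[412]: Failed password for jsmith from 10.0.0.5 port 50002 ssh2
2005-02-24T08:01:19 sshd[413]: Failed password for jsmith from 10.0.0.5 port 50003 ssh2
2005-02-24T08:01:25 sshd[414]: Accepted password for jsmith from 10.0.0.5 port 50004 ssh2
2005-02-24T08:15:02 sshd[420]: Accepted password for mlee from 10.0.0.9 port 50010 ssh2
2005-02-24T22:40:11 sshd[501]: Failed password for invalid user admin from 192.0.2.77 port 40001 ssh2
2005-02-24T22:40:12 sshd[502]: Failed password for invalid user admin from 192.0.2.77 port 40002 ssh2
2005-02-24T22:40:13 sshd[503]: Failed password for root from 192.0.2.77 port 40003 ssh2
2005-02-24T22:40:14 sshd[504]: Failed password for root from 192.0.2.77 port 40004 ssh2
2005-02-24T22:40:15 sshd[505]: Failed password for invalid user oracle from 192.0.2.77 port 40005 ssh2
2005-02-24T22:41:00 sshd[506]: Accepted password for mlee from 10.0.0.9 port 50011 ssh2
2005-02-24T22:41:30 sshd[507]: this line is deliberately malformed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5             # failures from one source inside WINDOW (assumption)
FAILS_BEFORE_SUCCESS = 3       # failures on one account just before it gets in
WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time (assumption)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "invalid_user": m["invalid"] is not None,
        "user": m["user"],
        "src": m["src"],
    }


def find_discrepancies(lines):
    """Return (kind, user, source, timestamp) tuples worth reporting."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    fails_by_src = defaultdict(deque)   # source -> timestamps of recent failures
    fails_by_user = defaultdict(deque)  # account -> timestamps of recent failures
    reported_src = set()                # sources already reported for bursts
    for e in events:
        src_q, user_q = fails_by_src[e["src"]], fails_by_user[e["user"]]
        for q in (src_q, user_q):       # drop failures older than WINDOW
            while q and e["ts"] - q[0] > WINDOW:
                q.popleft()
        if e["invalid_user"]:           # guessing or a badly mistyped account name
            findings.append(("unknown-account", e["user"], e["src"], e["ts"]))
        if not e["ok"]:
            src_q.append(e["ts"])
            user_q.append(e["ts"])
            if len(src_q) >= FAIL_THRESHOLD and e["src"] not in reported_src:
                reported_src.add(e["src"])
                findings.append(("repeated-failures", e["user"], e["src"], e["ts"]))
            continue
        # An accepted login: was it preceded by a run of failures on this account?
        if len(user_q) >= FAILS_BEFORE_SUCCESS:
            findings.append(("success-after-failures", e["user"], e["src"], e["ts"]))
            user_q.clear()
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off-hours-login", e["user"], e["src"], e["ts"]))
    return findings


def format_report(findings):
    """One human-readable line per finding, for the person who must follow up."""
    return [f"{ts:%Y-%m-%d %H:%M} {kind:<23} user={user} src={src}"
            for kind, user, src, ts in findings]


if __name__ == "__main__":
    print("\n".join(format_report(find_discrepancies(SAMPLE_LOG.splitlines()))))
```

Each finding is something a trained staff member can act on: "success-after-failures" means asking the user whether the failed attempts were theirs, "unknown-account" and "repeated-failures" go to whoever handles external threats, and "off-hours-login" is checked against the on-call schedule. Thresholds such as five failures in ten minutes are starting points to tune against your own logs, not values the rule prescribes.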