Measurable

How do you define your security policy? What metrics tell you whether it is working? Does your policy address risks to Electronic Health Records? In healthcare it is important to know who can see, touch and move data. For a healthcare provider that means doctors, nurses and patients, all of whom want real-time access to information so they can make quick, decisive decisions for the benefit of the patient. Providing that information safely and securely under government regulations and the HIPAA Privacy and Security Rules is challenging. Any document or file your organization receives constitutes a risk, so how do you work to mitigate it? It is worth measuring your own security policies through internal risk assessments that check whether you are following HIPAA guidelines, backed by a scorecard or checklist, and then sharing the findings with each department. This shows whether the policy is recognized across the organization and gauges how well staff understand why the rules and regulations are in place. Security measures for identification, authentication, workstation security, mobile computing and electronic mail systems are imperative in a healthcare environment, both as good "housekeeping" and to satisfy federal law.
Repeatable

Is your security policy continuous, and simple enough for the organization to comprehend? Enforcing an effective security policy means that the measures you take as an organization are ongoing. It does not stop with a check mark saying you are HIPAA compliant. Your IT infrastructure grows daily, and your policy must adapt to new security risks that evolve 24 hours a day, 365 days a year. Healthcare relies on a wide array of technologies every day. Running security training, seminars and other initiatives on a continuous basis reinforces what the organization wants to accomplish and raises overall awareness of threats that change with each passing day.
Enforceable

Within your organization, the policies you set must come from the top down. It is important to assemble an IT security team drawn from different departments across the organization. IT staff, doctors, nurses and others touch the hospital system every day; involving them in security decision-making helps the policy resonate and take root in the organization faster and more efficiently. It also makes end users feel empowered, because they help shape how the organization protects itself while keeping the end-user experience as easy and simple as possible. Your team should set up administrative, physical and technical safeguards (the three categories the HIPAA Security Rule uses) covering all IT needs, ranging from risk assessments of your IT environment, to locked offices for computing equipment that holds EMR information, to standards for securely configured computers and mobile devices.
Final Thoughts

Implementing your security policy requires a collaborative effort across your entire organization. Fifty-two percent of healthcare security personnel reported that their organization spent less than 3 percent of its IT budget on IT security. The value of healthcare records will continue to grow, and with it the risk. Breaches in healthcare will remain a major contributor to the continuing rise in healthcare costs across the US. Where does security start and end? How do you define your security policy in your organization?