HIPAA Best Practices: Acceptable Use Policies, Team Training

Creating Acceptable Use Policies (AUP) and then training your employees is essential for security at your healthcare organization.

In an earlier post, we discussed the steps to performing a Risk Assessment. Once you’ve determined the risks within your healthcare environment, you can enlist your staff members to help you address those risks. To do this, you need to create policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then must train your staff accordingly. But how do you do this if neither you nor your employees are particularly security-savvy already?

Where do we start?

If you’re starting at or near absolute zero when it comes to information security knowledge, the first question to ask is: Would it be better to train one designated individual in the ways of the security ninja? Or would it be preferable to improve overall knowledge within your organization?

Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to find staff you can train as your own in-house security expert(s). If you do have IT staff, it’s essential for all of them to be security-aware. At a minimum, when you train the rest of your employees on their security roles and responsibilities, your IT personnel should go through at least as much training. They will likely be in charge of setting up the technological protections that are to be used by the organization.

If you have a smaller healthcare organization, you can still create an AUP, without needing to have a security guru. In fact, having a less complex organization can simplify the process. HealthIT.gov provides a template that could work well for smaller organizations.

For medium-sized and larger organizations, the SANS Institute is a good place to start for all sorts of security training. They have in-depth training workshops in person and online, for all levels from beginner to very advanced. (This includes a class specifically on how to write policies.) They even have classes designed to quickly get up to speed that person who’s just been “voluntold” that they are now the organization’s security expert. The SANS website also has policy templates for a variety of specific needs, ranging from a basic Acceptable Use Policy document to HIPAA-specific considerations, among many others.

It’s important to note that the secret of success for any AUP is that it is both well understood and reasonably palatable to the people who will be expected to use it. Getting input from the various groups of people who will need to use it (e.g., doctors, nurses and administrative staff) is essential – they may have questions or be aware of situations that the policy needs to address but that the policy-writers have not foreseen. The intended users may also have concerns about usability, which may need to be taken into account and balanced with security requirements. Contrary to common misconception, security does not always have to be at the expense of usability!

Continuing Education

The weakest link in most security chains is the human element; people thwarting protections put in place, often inadvertently. Technology can only help so much if people don’t know how to avoid giving away the metaphorical keys to the kingdom. Regular training can help keep staff members from compromising your security accidentally.

If you do not have someone on staff who is prepared to lead a training session, there are a variety of resources online to help you educate your users. The National Institute of Standards and Technology (NIST) has a Security Awareness Training site that can help you find training that works for you and your staff, or materials and projects for you to undertake training on your own.

It is a good idea (one mandated by HIPAA) to train users when they are first hired and again on a regular basis. Ideally, this should be done quarterly, but it should happen at least annually – more frequently after a security incident. The American Health Information Management Association (AHIMA) has good suggestions for how to focus your security education for different staff members. Security advice changes often, as threats and technology used to prevent them change over time, so this helps keep everyone’s knowledge up-to-date.

While it might seem frivolous to consider using an entertaining approach to something as serious as security training, keeping a sense of fun and humor in your training materials can drastically improve both retention and compliance. User-created materials or gamification can help you keep things light and motivating.

Information security, such as how to create Acceptable Use Policies, can seem daunting and unapproachable, especially when it is not your primary discipline. But it is very important for people in your healthcare organization to have a good understanding of how to protect your facility and your patients’ information. There are many resources that can help you make security topics more easily digestible and apply them in your organization.

Additional Resources:

http://www.sans.org/find-training/

http://www.sans.org/course/intro-information-security

http://en.wiktionary.org/wiki/voluntell#English

http://www.sans.org/security-resources/policies/

http://www.sans.org/security-resources/policies/general/pdf/acceptable-use-policy

https://www.youtube.com/user/SecurityVideoContest

http://www.computerworld.com/article/2489977/security0/boost-your-security-training-with-gamification-really.html

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all this change can be difficult for even the most tech-savvy users, she enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.