There is a long-standing assumption by many managers that IT professionals are, by definition, also security pros. The truth is that IT and information security are not synonymous. Information security is a specialized field, and IT staff often falls short of the knowledge needed to implement a good security program that provides adequate patient privacy.
But there are remedies.
One excellent and often overlooked source of free advice is the National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC). Unlike certain other generally accepted security standards, the CSRC’s standards and guidelines are available to everyone. A recent burst of CSRC activity has resulted in numerous new and revised publications, and they deserve the attention of healthcare IT staff, leaders and business associates.
A significant benefit to following NIST standards and guidelines – even if tempered to suit a particular organization – is that external auditors and investigators will more likely be positively predisposed to that organization. Unless an organization runs federal information systems and is therefore required to follow NIST standards, the standards are voluntary. But by adopting them, such an organization demonstrates that it is tuned in to the security world and that it is following the specific security practices referenced by healthcare regulators.
Among the various helpful documents posted at the CSRC’s website (http://csrc.nist.gov) are the Special Publications. Some titles may sound intimidating – for example, “Recommendation for Key Derivation Using Pseudorandom Functions” – but most are more approachable and have practical value for healthcare organizations.
Here is a sampling of Special Publications, all new or updated within the past year, on critical security topics:
- “Guidelines for Securing Wireless Local Area Networks (WLANs)”;
- “BIOS Protection Guidelines”;
- “Cloud Computing Synopsis and Recommendations”;
- “Guidelines for Managing and Securing Mobile Devices in the Enterprise”;
- “Guide to Intrusion Detection and Prevention Systems (IDPS)”;
- “Guide to Malware Incident Prevention and Handling for Desktops and Laptops”; and
- “Guide for Conducting Risk Assessments.”
Older but still valuable documents give advice on encryption, media disposal, security risk management and workforce training. Although HIPAA’s security rule does not specifically cite them, other essential security topics include firewalls, remote access and telework security, mobile code security, and patch and vulnerability management. Government reports of audits and investigations show that these are important areas to secure, regardless of whether they are regulatory specifications.
Many Special Publications relate directly to HIPAA requirements, and, when followed, can provide strong evidence of compliance with Volume 45 of the Code of Federal Regulations (CFR) Part 164. In fact, the Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,” describes each standard, gives advice on compliance and identifies other NIST publications with in-depth guidance on a particular security rule topic.
For example, to meet the Security and Awareness Training standard, SP 800-83 Rev. 1 DRAFT “Guide to Malware Incident Prevention and Handling for Desktops and Laptops,” released in June 2012, lists specific training points. To meet the Workstation Security standard, SP 800-66 suggests asking “What safeguards are in place, e.g., locked doors, screen barriers, cameras, guards?” And in response, “Implement physical safeguards … to minimize the possibility of inappropriate access to EPHI …” which might include installing privacy screen protectors to avoid exposing information. While the questions and responses may seem obvious, following NIST guides helps ensure that an organization’s security and privacy programs are comprehensive and meet government expectations.
NIST’s CSRC Special Publications are very readable, even for less technical individuals, and typically include a glossary of terms, explanations of security risks and practical advice for mitigating those risks, whether through local controls or in negotiating with a vendor or business associate.
Lack of knowledge on the part of IT professionals is no longer an acceptable excuse for weak security controls. Every healthcare organization should read and apply these free and easy-to-use NIST Computer Security Resource Center documents.
About the author