Key Elements of Security and Privacy Policies
By Rebecca Herold (The Privacy Professor) CIPP, CISSP, CISM, CISA, FLMI
Excerpt from the book I co-wrote with Kevin Beaver, “The Practical Guide to HIPAA Privacy and Security Compliance”, which is being updated for a 2nd edition:
Too commonly, information security and privacy policies either do not exist or are not enforced in today’s healthcare environments.
The first major hurdle that must be addressed to ensure information security and privacy policies are implemented and managed properly is that of upper management support.
Even though HIPAA compliance is federal law, healthcare organizations still need buy-in from their upper management if policies are to be successfully developed and embraced.
If you have reached the point of communicating the value and requirements of HIPAA to upper management and are already working toward compliance, this should not be a major issue for you as it is in other nonregulated environments.
Beyond upper management buy-in, there are six other critical factors that will determine whether or not security policies are effective.
In no particular order, these factors are as follows:
• People must be aware of information security and privacy policies.
Perhaps the greatest mistake in information security and privacy policies management is that organizations create them and then put them on a shelf without making anyone aware of them.
The organization would be just as well off without information security and privacy policies in this case. Refer to Chapter 24 for details on the best ways to get the word on your security policies out to everyone involved.
• Create a committee to develop information security and privacy policies.
You do not want to develop information security and privacy policies all by yourself. This could be misconstrued as one-sided or biased, and this is certainly not the position any one individual wants to be in.
Additionally, you must consider the expertise of your business leaders to ensure the policies you create are feasible. Get other people involved. It is preferable to get HR, Legal, facilities management, IT and applicable business unit representatives to help with this.
• Information security and privacy policies must be specific to your organization.
You cannot simply buy an information security and privacy policies book or download sample policies off the Internet and apply them verbatim to your immediate needs.
Do not get us wrong; these policies are a *great* place to start — they can definitely save you a lot of time, money, and effort.
Plus they help you to ensure you are covering all the topics you need to cover. Just remember to tailor these policies to your organization’s specific needs and requirements.
In fact, try to relate your information security policies to your privacy policies whenever possible.
Tailoring these policies should not take a lot of work, and it is absolutely necessary to make sure your information systems and protected health information (PHI) are properly protected in your particular environment.
• Information security and privacy policies must be readable and understandable.
Make sure you know your intended audience before you start writing your policies. Regardless of who will be reading them, use the legal and technical jargon sparingly.
All of your employees, independent of their knowledge and intellect, need to be able to read any and all of your organization’s information security and privacy policies and completely understand them.
This is not just an education or awareness issue. It also depends on how well written the policies are in the first place.
• Information security and privacy policies must be fair, reasonable, and legal.
Put yourself in your end users’ position. Do the policies seem fair and reasonable in order to get the job done?
If security policies are not fair and reasonable, people will break them, and that is the last thing anyone needs to have happen with their HIPAA policies.
It really is possible to balance security, HIPAA compliance, and convenience. Make sure your organization is doing that.
Also, do not forget to run your security policies by your legal counsel before you publish them to make sure they are legal from an HR and employees’ rights perspective.
• Information security and privacy policies must be enforced.
It is not enough for information security and privacy policies to be fair, reasonable, in compliance with applicable laws and regulations, and legal.
They must also be enforced within the organization for all users, including upper management.
Sure, HIPAA mandates information security and privacy policies, but similar to the awareness issue discussed previously, if policies are not enforced by the policies committee (if you have one), HIPAA Officer(s), or upper management, then it is probably not worth the time, money, and effort to develop them in the first place.
Not only this, but HIPAA, and many other laws and regulations, also mandate sanction policies and require documentation that you are actually enforcing the policies.
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, is an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold & Associates, LLC, who has provided assistance, advice, services, tools and products to organizations in a wide range of industries throughout the world for over two decades.
The Privacy Professor, aka Rebecca Herold & Associates, LLC, has been a trusted source for effective information security, privacy and compliance tools, education and consulting since 2004. The Privacy Professor is located in Des Moines, Iowa within easy driving distance to Minneapolis/St. Paul, Chicago, Omaha, Kansas City and St. Louis, and easy flights to the east and west coasts. The Privacy Professor brings over two decades of expertise to organizations of all sizes, in all industries throughout the world.
You can reach her at rebeccaherold@rebeccaherold.com or www.theprivacyprofessor.com.
The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to Information-Security-Resources.com