Acceptable Use Policies: Security Hygiene Starts with a Healthy Dose of Training

Lysa M.
Lysa Myers

Guest post by Lysa Myers, security researcher, ESET

In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.

The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?

Trainings and Templates

If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?

Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training: they will likely be in charge of setting up the protections that are to be used by the rest of the organization.

If you have a smaller healthcare organization, you can still create an AUP, without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something which is focused on healthcare and yet very simple, where you can “fill in the blanks” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.

Continue Reading

Tips for Risk Assessment in Healthcare IT Security

Lysa M.
Lysa Myers

Guest post by Lysa Myers, security researcher, ESET.

Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.

How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.

How to do an EHR risk assessment

There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.

Continue Reading