Guest post by Lysa Myers, security researcher, ESET
In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.
The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?
Trainings and Templates
If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would it be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?
Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training: they will likely be in charge of setting up the protections that are to be used by the rest of the organization.
If you have a smaller healthcare organization, you can still create an AUP without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something that is focused on healthcare and yet very simple, where you can “fill in the blanks,” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.
For medium-sized and larger organizations, a good place to start for any sort of security training or knowledge-gathering is the SANS Institute. It has in-depth training workshops in person and online, for all levels from beginner to very advanced (including one specifically instructing people how to write policies). Its website also offers policy templates for many of your specific needs, ranging from a basic Acceptable Use Policy document to HIPAA-specific considerations, among many others.
It’s important to note that the secret to the success of any Acceptable Use Policy is that it is both understood and reasonably agreeable to the people who will be expected to use it. Getting input from the various groups of people who will need to use it (e.g., doctors, nurses and administrative staff) is a good idea. They may have questions or be aware of situations that the policy needs to address but that the policy-writers have not considered. They may also have concerns about usability, which may need to be considered and balanced with security requirements.
Once you’ve got policies in place, the next thing you’ll need to do is to make sure that the people in your organization thoroughly understand what is expected of them. Technology can only help so much if people don’t know enough to avoid giving away the keys to the castle. Regular training can help keep them from accidentally compromising your security.
If you do not have someone on staff who is prepared to lead a training session, a variety of resources online can help you educate your users. The National Institute of Standards and Technology (NIST) has a security awareness training site that is a great resource to help you find training that works for you and your staff, or materials and projects for you to undertake training on your own.
It is a good idea to train users when they are first hired, and again on a regular basis. Security advice changes often, as both threats in the wild and technology change over time, so this helps keep everyone’s knowledge fresh and up-to-date. It’s also helpful in making sure people are regularly reminded of good computer hygiene.
While it might seem frivolous to consider using an entertaining approach to something as serious as security training, it can drastically improve both retention and compliance to keep a sense of fun and humor with your training materials.
Information security can seem daunting and unapproachable when that is not one’s primary discipline. It is very important that someone in your organization (especially those working under the HIPAA rules) be conversant in the subject. But fear not, there are lots of places to go for help when you wish to improve your own knowledge, or to help improve the security of your organization.