SETA – Security Education, Training, and Awareness Programs

August 27, 2008

Thank you for joining us as we continue our HIPAA compliance series. This week, we will discuss the importance of Security Education, Training, and Awareness (SETA) programs. HIPAA section 164.308(a)(5) states that covered entities must “implement a security awareness and training program for all members of its workforce (including management).” The most expensive security technologies can be thwarted by people who lack sufficient training. You don’t have to spend thousands of dollars sending your staff to elaborate security training classes, but you should outline some responsibilities, and set policies governing staff behavior.

This section has four implementation specifications: security reminders, protection from malicious software, log-in monitoring, and password management. Security reminders are simply a mechanism to make sure employees are aware of security risks, policies, and their responsibilities. The reminders can take any form, but you must document the reminder, its message, and the date it was sent.

Anti-virus and anti-spyware software usually provides protection from malicious software. Your staff should understand how it works, and should check each morning to make sure it scanned and updated overnight. Your staff should also know how malicious software infects computers – usually through fraudulent or infected websites, email attachments, or open firewalls. Train your staff to be on the lookout for these threats.

Login monitoring can be handled through Windows – providing you are using the professional and not the home version. You can use the local security policy setting to record login attempts and lock users out after a specified number of failed attempts.

Password management is a critical and difficult issue. Your practice should have policies and procedures for “creating, changing, and safeguarding passwords.” You should set minimum standards for creating passwords, such as the number of characters and the use of numbers, capital letters, and special characters. You should also set policies for changing passwords. Windows password policies can be set so that passwords expire after a certain time and employees cannot reuse a previous password.

However, the third criterion, safeguarding passwords, should balance the first two. You should have policies that forbid employees from sharing or writing down their passwords. You want your employees to choose good passwords, but you also want them to remember those passwords without writing them down. Otherwise anyone can look through their desk and find the passwords, and if that happens, your entire security system has been circumvented.
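The login-monitoring and password-management settings discussed above can be checked from the command line. The following PowerShell script is an added example, not part of the original post: it reads the local lockout and password settings that `net accounts` reports, compares them with a practice's written minimums (the numbers below are assumed for illustration, not HIPAA-mandated values), and enables logon auditing so attempts are written to the Security event log. It assumes an English-language Windows installation and an elevated prompt.

```powershell
# Added example: audit local lockout/password settings against documented minimums and
# turn on logon auditing. Minimum values are assumed for illustration; adjust them to
# match your written policy. English "net accounts" labels are assumed.
$Minimums = @{
    'Lockout threshold'                     = 5    # failed attempts before lockout
    'Minimum password length'               = 8
    'Maximum password age (days)'           = 90   # upper bound: password must expire by then
    'Length of password history maintained' = 5    # previous passwords that cannot be reused
}

function Get-LocalAccountPolicy {
    # "net accounts" prints one "Label:   value" line per setting; parse them into a table.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<label>.+?):\s+(?<value>.+?)\s*$') {
            $policy[$Matches.label] = $Matches.value
        }
    }
    return $policy
}

function ConvertTo-PolicyNumber([string]$Value) {
    # Windows reports disabled settings as words rather than numbers.
    switch -Regex ($Value) {
        '^(Never|None)$' { return 0 }                # no lockout / no history kept
        '^Unlimited$'    { return [int]::MaxValue }  # passwords never expire
        default          { return [int]$Value }
    }
}

function Test-AccountPolicy([hashtable]$Policy, [hashtable]$Minimums) {
    $findings = @()
    foreach ($label in $Minimums.Keys) {
        if (-not $Policy.ContainsKey($label)) { $findings += "$label was not reported"; continue }
        $actual   = ConvertTo-PolicyNumber $Policy[$label]
        $required = $Minimums[$label]
        # Maximum password age is an upper bound; every other setting is a lower bound.
        $ok = if ($label -like 'Maximum*') { $actual -le $required } else { $actual -ge $required }
        if (-not $ok) { $findings += "$label is '$($Policy[$label])'; policy requires $required" }
    }
    return ,$findings
}

$findings = Test-AccountPolicy (Get-LocalAccountPolicy) $Minimums
if ($findings.Count -eq 0) { 'Local account policy meets the documented minimums.' }
else { $findings | ForEach-Object { Write-Warning $_ } }

# Record successful and failed logons; failed attempts then appear as event ID 4625.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
```

Keep the script's output with your security reminders file, since the rule asks you to document that the check was made and when.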

The take-home message is that your staff needs to be aware of security. They should understand the consequences your practice will face if it is found to be non-compliant with HIPAA or worse, loses or discloses sensitive patient information. Finally, they should know their responsibilities and how to keep your systems safe.

Ryan Ricks
Security Officer
www.xlemr.com

Optimize your EMR/EHR - Connect your lab instruments

August 26, 2008

Fletcher-Flora Health Care Systems, Inc. released their FFlex eLink™ laboratory instrument integration software for small to mid-sized laboratories, including Clinical Laboratory Improvement Amendments (CLIA) waived laboratories.

In the absence of a traditional Laboratory Information System (LIS), FFlex eLink is software designed to provide much-needed connectivity directly between a laboratory’s clinical instruments and an Electronic Medical Records system, Practice Management System, Electronic Health Records system or other host system. FFlex eLink streamlines integration of one or more instruments with a host, reducing the need for manual transcription of results. This will help increase lab efficiency, improve accuracy in the patient’s electronic record, and reduce liability associated with transcription errors.

FFlex eLink not only accepts and transmits data, but also provides a user interface that allows you to define tests and reference ranges, approve or reject results and monitor real-time instrument logs. If offline results from manual tests need to be entered, FFlex eLink provides an intuitive way to manually enter results.

“FFlex eLink is a simple and cost effective integration solution for an underserved segment of the laboratory market,” said Neal Flora, President and CEO of Fletcher-Flora Health Care Systems, Inc. “While a full LIS may be too large an investment for many labs, FFlex eLink can help streamline operation in the lab and optimize your IT investment by integrating otherwise separate pieces of your operation.”

More information can be found at www.fletcher-flora.com or by emailing FFlexeLinkSales@fletcher-flora.com.


Workforce Security – A Brief Overview of HIPAA Requirements

August 20, 2008

Hello and welcome back. This week we continue our discussion of HIPAA compliance with the workforce security requirement. Section 164.308(a)(3) of the HIPAA security rule requires covered entities to “implement policies and procedures to ensure that all members… have appropriate access to protected health information… and to prevent those workforce members who do not have access… from obtaining access…” We will look at three of the requirements here: limited access using role-based access controls, supervision procedures to check up on your employees, and termination procedures that will protect your systems when you must dismiss an employee.

First, make a list of your employees and determine their job functions. Role-based access control is the best approach for determining what data your employees need to know. Think about the different positions within your practice. You probably have one or two providers, a practice manager, nurses, billing staff, and maybe a receptionist. Once you identify the different jobs in your practice, decide what kind of information each needs. The general rule of thumb is that if they do not need to see it, they should not have access to it. Limiting data access using role-based access controls will significantly improve your security.

The next requirement of this section calls for authorization and supervision procedures. Authorization can be handled through passwords, Windows file permissions, or controls built into your EMR software. Supervision can be a burden, though, if you have a large office. Consider installing remote administration software on your computers, such as pcAnywhere or LogMeIn. There are even remote administration packages that will run from smart phones and PDAs. If you use a third-party IT service provider, they may already have remote access software installed on your system. You can use remote administration software to connect to your employees’ computers to give them assistance, or just pop in and see how they are doing.

Your practice should also have termination procedures that will go into effect if you must fire, lay off, or otherwise dismiss an employee, contractor, or anyone with access to your data. Generally speaking, you should revoke all their access before you terminate them. This way it will not be possible for them to cause any damage should they be upset and wish to get revenge or take out their anger on your computer systems. Be sure to change or disable their user accounts in Windows and, if applicable, in your EMR software. You will also want to disable or remove any email or instant messaging accounts they have.
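The Windows part of that termination procedure can be scripted so that it is done the same way every time and leaves a record. The following PowerShell script is an added example, not part of the original post: it replaces the departing employee's password with a random value, disables the account, removes it from every local group, verifies the result, and appends a record to an off-boarding log. It assumes an elevated PowerShell 5.1 or later session with the Microsoft.PowerShell.LocalAccounts module; the account name and log path are placeholders.

```powershell
# Added example: revoke a departing employee's local Windows account before the
# termination meeting and keep a record of what was changed. Assumes an elevated
# PowerShell 5.1+ session. $UserName and $RecordPath are placeholders; on a domain
# the same steps are carried out against Active Directory instead.
param(
    [string]$UserName   = 'departing.employee',
    [string]$RecordPath = "$env:ProgramData\offboarding.log"
)

$user = Get-LocalUser -Name $UserName -ErrorAction Stop

# 1. Note every local group the account belongs to, for the off-boarding record.
$groups = @(Get-LocalGroup | Where-Object {
    Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue |
        Where-Object { $_.SID -eq $user.SID }
} | Select-Object -ExpandProperty Name)

# 2. Replace the password with a random value nobody knows (so any shared or written
#    copy of the old one is useless), then disable the account.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$random = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
Set-LocalUser -Name $UserName -Password $random
Disable-LocalUser -Name $UserName

# 3. Strip group memberships so the account holds no rights if it is ever re-enabled.
foreach ($g in $groups) {
    Remove-LocalGroupMember -Group $g -Member $UserName -ErrorAction SilentlyContinue
}

# 4. Verify and record: which account, who did it, when, and what access it had.
$record = [ordered]@{
    Account       = $UserName
    Disabled      = -not (Get-LocalUser -Name $UserName).Enabled
    GroupsRemoved = $groups -join ', '
    PerformedBy   = $env:USERNAME
    When          = Get-Date -Format o
}
$record | ConvertTo-Json -Compress | Add-Content -Path $RecordPath
if (-not $record.Disabled) { throw "Account '$UserName' is still enabled" }
# Remaining steps outside Windows: disable the employee's email, instant-messaging
# and EMR accounts, and change any shared passwords they knew.
```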

While it may seem paranoid and callous to lock your system down against your own employees, workforce security requirements are included in the HIPAA security rule for a good reason. Studies show that you are much more likely to suffer harm from an employee than from a hacker over the internet. Employees can steal or destroy your data, either maliciously or by accident. The best way to protect yourself is to make sure your employees only have access to the information they need to perform their job.


Ryan Ricks
Security Officer
www.xlemr.com