With the increased emphasis on cyber security and data security, we’ve experienced a surge in inquiries about Security Risk Assessments. The conversation typically begins with two questions: “what is a Security Risk Assessment” and “am I required to complete one?”
A Security Risk Assessment (SRA) is an annual requirement that identifies and documents gaps in your security protocols. It provides the required documentation to remediate the identified risks or gaps and sets the groundwork for maintaining a safe and secure environment.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization annually. A Security Risk Assessment is an ongoing process of discovering, correcting and preventing security problems. The risk assessment is an integral part of a risk management process designed to provide appropriate levels of security for information systems, especially those containing PHI.
Every medical practice would benefit from an SRA because it identifies and documents gaps in its security protocols. It also provides the required documentation to remediate the identified risks or gaps. If a practice is not paying attention to its vulnerabilities, security problems will continue to escalate and the end result can be devastating.
One valuable outcome of an SRA is a Network Security Policy. If your practice does not have a network security policy, the following 8 key components are a good starting point. While this is not an exhaustive list, it does provide guidelines for improving and securing your environment.
8 Key Components of a Network Security Policy
1. Establish password management
A password policy should be established for all employees or temporary workers who will access an organization’s resources. In general, password complexity should be established according to job functions and data security requirements. Passwords should never be shared by any worker.
2. Govern Internet Usage
Most people use the Internet without a thought to the harm that can ensue. Employee misuse of the Internet can place your organization in an awkward or even illegal position. Establishing limits on employee Internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. Employees should be productive, and this may be the main concern for limiting Internet usage, but security concerns should also dictate how usage guidelines are formulated.
3. Manage email usage
Many data breaches are the result of employee misuse of email, which can lead to the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding the use of email, message content, encryption and file retention.
4. Govern and manage the organization’s mobile devices
When organizations provide mobile devices for their employees, a formal process should be implemented to help ensure that mobile devices are secure and used appropriately. Requiring employees to be responsible for protecting their devices from theft and requiring password protection in accordance with the password policy should be minimum requirements.
5. Set an approval process for employees’ devices
With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to an organization’s applications and infrastructure. Use of these devices to connect to an organization’s email, calendaring and other services can blur the lines between its controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed by the organization.
6. Establish social media policies
All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
7. Oversee software copyright and licensing
There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the organization.
8. Report security incidents
A procedure should be in place for employees or contractors to report malware in the event it is inadvertently introduced. All employees should know how to report incidents of malware and what steps to take to help mitigate damage.
We take security very seriously at AssuranceMD. Please contact us to further explore the benefits of a Security Risk Assessment.