Staggering fines are being levied against companies that fail to comply with HIPAA regulations. Here are 10 critical policies to have in place (even if you don't fall under HIPAA).
Legal compliance. If you are like me, those two words elicit a groan. Is there anything less fulfilling than a legal compliance initiative? There is seldom anything cool or flashy about them. The ROI is usually just measured in "risk mitigation," which is difficult to allocate to your team's bonus pool. ("You've done great work this year. For your bonus, we are happy to present you with this envelope full of mitigation. Congratulations."). And whether you are sitting in a room with your lawyers or typing up page after page of policy documents, they are BORING.
But that doesn't mean they are not important.
In the healthcare world, HIPAA & HITECH have been around for a while. It's become a cliché to say that HITECH has given HIPAA teeth. But it's true. Audits have begun. And so have the fines (for large and small companies alike). What follows is a list of 10 sets of policies/procedures that companies falling under HIPAA regulations MUST have. In fact, these are things that all organizations should have anyway. So even if you are not a "covered entity" or a "business associate," you might want to continue reading and not just skip over to the gallery of the Sexiest Costumes from Comic Con.
If you have these documents in place, that's great. You may find that you have informal (read: undocumented) policies and procedures that your staff follows. If so, now is the time to get those formalized.
In case you are like me and you don't find this subject completely riveting, I have provided helpful references to geeky movies by way of example.
1: Physical security policies
These policies should specify who is and isn't allowed physical access to your facilities and equipment. This could include a policy on guests entering your premises, what staff members have access to server rooms, and who is authorized to get into the executive wing. Once you have the policies, your procedures should describe how you enforce your policies. (This would include discussion of how you make use of security badges, key-codes, access logs and the like.)
In Star Wars, if the Death Star had paid more attention to its physical security policies, an unaccompanied Jedi without an "employee badge" would never have been able to gain access to the tractor beam which, when disabled, allowed the Millennium Falcon to escape.
2: Access control
There should be specific policies and procedures on how users are granted access to programs, sensitive data, or equipment. This includes how access is requested and authorized, how administrators are notified to disable accounts when appropriate, frequency of account audits, and how records of all this activity are maintained.
In Flash Gordon, Ming may be merciless, but he has issues with his access control policies. How else could the human Hans Zarkov be reprogrammed with "Level 6 Conditioning" when he was only authorized for level 3?
3: Workstation use policies
This is a fairly broad topic and includes some of the most basic system safeguards: limiting unsuccessful login attempts, monitoring login records, and requiring passwords to be of an appropriate strength and to be changed regularly. This should also include policies on how the equipment is used, such as mandating that users not write down their passwords or share them with other employees.
In Return of the Jedi, the Imperial base on the forest moon of Endor is well-known for its lax password policies. For example, Han Solo is able to land his strike team when a stolen code is accepted even though it is "old." If the Death Star had been a covered entity under HIPAA, they would have been required to change that code regularly — which would have prevented Han Solo's well-known breach and ultimately, the demise of the Empire.
4: Security awareness
A security awareness and training program should be put in place that encompasses everyone in the organization. This should include programs for new hires, annual training, and periodic security reminders. I send security updates to all staff with information about some of the latest threats and concerns. I particularly like to send out screenshots of notable phishing attacks and compromised Web sites to raise awareness. It is crucial that you keep an audit trail of your reminders.
Here's a great security awareness reminder that could have been sent to the team building the intergalactic transport machine in Contact: "If you happen to see a guy with white hair who was previously seen preaching a prophecy of doom, have him removed from the premises." It would have saved a lot of trouble.
5: Malicious software
Of course you have antivirus software installed. But do you have documented policies and procedures for when and how often virus definitions are updated? Do you have a response procedure for a virus outbreak? How about staff policies on reporting detected viruses, not opening attachments from unknown senders, and not disabling the software?
You know who else didn't have any of these things? The aliens in Independence Day. It just took one overachieving cable guy uploading a virus into the mothership to wipe out their entire civilization.
6: Disaster recovery
Policies and procedures should be in place for responding to an emergency. This includes small emergencies, such as a server going down, as well as large emergencies, such as prolonged power outages or fires. Included in this are also data backup and recovery, policies for how often these procedures are tested, how they are tested, how emergency situations are identified, how operations are restored back to their primary mode when the emergency is over, and more. Don't forget to include a policy on where the DR plan is stored so you can get it in the event of an emergency.
Terminator 2 is really nothing more than a cautionary tale for good DR. If your company is basing all its amazing new products on some broken parts left behind by a time-traveling robot, make sure your data is stored offsite in case a different time-traveling robot steals your parts and blows up your building.
7: Business continuity
Business continuity and disaster recovery go hand-in-hand. Frequently, IT takes on the responsibility of DR but limits its scope to making sure the critical systems are operational. A "BC" plan documents procedures for ensuring that critical business processes continue to operate in the event of an emergency. This will go beyond just systems to include command structure, personnel procedures, customer communication, secondary work sites, and more. A true BC plan will go beyond IT to encompass all areas of the business in both its development and execution.
2012 provides a great example of BC plans in action. When warned of an impending geophysical apocalypse, world leaders needed only to take their handy Business Continuity binder off the shelf and flip to the section titled "Crust of Earth Becoming Unstable." Then, it was just a matter of following the step-by-step instructions for collecting funds from the world's rich and powerful, outsourcing the construction of gigantic floating metal pods to China, and setting sail in the nick of time.
8: Media disposal
Medial disposal is one of many additional areas that need to be addressed. I included it, though, because I am asked about it frequently. A common concern is data that lives on equipment other than computers: copiers, smartphones, and even fax-machines (in case you still have one somewhere). We have policies and procedures in place that mandate how we wipe the data off each kind of storage media and how these activities are logged.
At the end of Men in Black, Jay uses the "flashy thing" on Kay to erase his memory. However, he clearly didn't have it set to DOD published standards for secure deletion, since it was restored in the next movie with a highly improbable deneuralizer. With a better media disposal policy, we might have been spared Men in Black 2. (I hear 3 is better....)
9: Risk analysis
I found this to be the most interesting of the areas discussed here. At a very high level, a process is needed to identify risks and the controls that are in place to mitigate them. Under HIPAA, the primary concern is risk to systems and processes that deal with health information, although it can be extended to any part of the organization. Ultimately, every other item on this list is really a control to mitigate against risk.
There are plenty of good online resources to assist in developing a risk analysis and management strategy. I recommend the National Institute of Standards and Technology's publication on Risk Management for IT Systems. A well-documented risk analysis and management program will include the process by which risks are identified, as well as the process for establishing and executing action plans in response.
Really, most geeky movies are exercises in risk management or lack thereof. Besides the ones already mentioned, examples can be drawn from Armageddon (risk: giant meteor threatens Earth... control: Bruce Willis), Knowing (risk: killer solar flares... control: bright-eyed aliens rescue kids and bunnies) among many others.
10: Review and audit procedure
Every item on this list has a couple of things in common: First, it must be auditable. You don't get credit unless there is a documented audit log that shows that these procedures are being executed. There also needs to be a process that ensures that the policies and procedures are reviewed regularly. And when you review a policy or procedure and find that it needs to be updated? Well, you need a policy and a procedure for that.
Got a good movie example for this one? Let me know in the comments!
This is just a start. There is plenty I did not touch on. If you are a covered entity, I recommend enlisting the help of an attorney who specializes in HIPAA to help make sure you have your house in order. There are also lots of consulting companies that provide compliance services. If you are doing it yourself and starting from scratch, you can get a jump on it by purchasing a prewritten set of policies and procedures you can then customize.
Good luck and remember to compute safely.