
Securing the End-User PC Environment

Many healthcare companies have spent large amounts of time and money securing the network. HIPAA regulations and general concern over patient data have made security a top priority for IT administrators. If your back-end data is well secured, it's time to move on to educating your end users on how to do their part to prevent data theft, data loss, and network compromise. Doing so is an important part of following HIPAA guidelines, which state that access to equipment containing health information should be carefully controlled and monitored and that standard security practices should be put in place across the organization.


Security policy for end-users

The best way to address end-user security is to draft a set of standard security practices and recommendations that you then communicate to all staff. This may be part of HIPAA compliance, which states that organizations must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.

Part of securing your technology infrastructure includes educating your staff about the very real dangers of security breaches. This is especially important in the healthcare environment, where doctors, nurses, and other staff are often so pressed for time that the extra seconds it takes to enter a password or lock up a workstation can seem like a waste of precious resources. It is crucial to communicate just how important simple security practices are in an environment rich with sensitive data.

Your security standards should be easy to understand. Instead of sending out a written memo or email, try to arrange a brief meeting where you actually show your staff how to set up passwords on their devices, how to guard their screen, and other important security techniques. Make it clear that you will be available to answer any questions that may arise.

Once every one to three months, send out a reminder that reiterates the security policy, requires staff to change their passwords, and gives any updates to your organization's security standards.


A good end-user security policy addresses a number of issues:

• Password length and complexity: Require your staff to choose passwords that are six characters long or longer. It is also a good idea to recommend or require both upper- and lower-case letters and special symbols (!, @, or ?, for instance). Tell your end users not to choose passwords that represent something that can be linked to them, such as a daughter's birthday or a pet's name.

• Other password policies: Make it clear to your staff that they should never write down their passwords and should never share them with anyone else.

• Frequent password changes: To help keep your network secure, require users to change their password every one to three months. Also tell them to change it immediately if they suspect someone may have learned it.

• Workstation safety: HIPAA has specific provisions stating that workstations should be kept out of high-traffic areas and that monitor screens should not be in direct view of the public. To prevent casual passersby from glancing at monitors or notebook screens, arrange desks so that the computer screen faces away from the door. This is especially important in reception and waiting areas, where staff interact with many potential observers. Arrange furniture and devices so that no one can lean over and look at a receptionist's screen.

Train your staff to secure their workstations, notebooks, or Tablet PCs when they are not in active use. In many cases, a password-protected screensaver can lock out unwanted users after a set period of inactivity. If this is too inconvenient for a staff member (for instance, someone who reads at the screen for long stretches and finds the screensaver lock a nuisance), then he or she should lock the computer with Control, Alt, Delete whenever leaving the desk.

Staff should also minimize application windows containing sensitive information whenever someone comes in to talk to them. This is especially important in bedside care, where a doctor, nurse, or other staff member must interact with a patient while carrying a notebook, PDA, or Tablet PC. Remind staff never to leave these devices in the room with a patient while the staff member is gone or in another room.

• Mobile security: With wireless networking on the rise in healthcare, both mobility and security risks have increased. While some tips may seem obvious to your staff, it is important nonetheless to remind them to guard against device theft. Tell them not to leave notebooks or PDAs in hotel rooms unless the room has a safe, and not to leave a notebook at a table in a coffee shop or airport while walking up to the counter. It can be inconvenient to carry a mobile computing device everywhere, but the risk of network and data compromise if the device is stolen is huge. For instance, many notebooks and PDAs are set up to connect automatically to your organization's email servers, so a stolen device exposes not only the data stored on it but also the data on your network.

• Mobile networking: Not all wireless networks are created equal. While your hospital or office may have a secured network, a traveling staff member may have fewer secure options. Many coffee shop and home networks are unsecured, exposing users to packet sniffing. Someone with another wireless device can wait nearby, watching not only what goes over the network but also what is stored on your device. Train your staff to use only secured networks. Most wireless networking clients (such as the Microsoft wireless client and others) will indicate whether the network you are about to join is secured.

• Awareness of surroundings: Sometimes the simplest measure you can train staff to take is to be aware of their surroundings. If someone is in line of sight of a user's monitor, or seems to be taking particular interest in what the user is doing with his or her device, tell the user to move away or postpone sensitive tasks.
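As an added example (not from the original article), the following Python checker implements the password rules from the list above: minimum length, mixed case, a special symbol, nothing linked to the user such as a pet's name or a relative's birthday, and a maximum password age. The `known_facts` field names, the 90-day maximum age, and the special symbols beyond !, @ and ? are assumptions.

```python
"""Password-policy checker for the end-user rules described above.
Added example; the known_facts layout and the 90-day limit are assumptions."""
from datetime import date, timedelta

MIN_LENGTH = 6          # article: six characters or longer
MAX_AGE_DAYS = 90       # article: change every one to three months (assumed upper bound)
SPECIAL = set("!@?#$%^&*-_+=.,;:")   # article names !, @ and ? as examples


def _personal_tokens(known_facts):
    """Expand facts linked to the user (pet name, birthday, ...) into strings
    the password must not contain. Birthdays are given as 'YYYY-MM-DD' and are
    expanded into the common ways people type them into a password."""
    tokens = set()
    for value in known_facts.values():
        try:
            d = date.fromisoformat(value)
        except (TypeError, ValueError):
            tokens.add(str(value).lower())      # names and other plain strings
            continue
        for fmt in ("%Y%m%d", "%m%d%Y", "%d%m%Y", "%m%d%y", "%Y", "%m%d"):
            tokens.add(d.strftime(fmt))
    return {t for t in tokens if len(t) >= 4}   # drop fragments too short to matter


def check_password(password, known_facts=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("must mix upper- and lower-case letters")
    if not any(c in SPECIAL for c in password):
        problems.append("must contain a special symbol such as ! @ or ?")
    lowered = password.lower()
    for token in _personal_tokens(known_facts or {}):
        if token in lowered:
            problems.append(f"contains personal information ({token})")
    return problems


def password_expired(last_changed_iso, today_iso):
    """True when the password is older than MAX_AGE_DAYS (dates as 'YYYY-MM-DD')."""
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    facts = {"pet": "Fido", "daughter_birthday": "2012-03-14"}   # constructed sample
    print(check_password("Fido2012!", facts))
    print(check_password("Xq7!mLp2", facts))
```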

 

Choosing the right technology


You can help your staff follow your security policies by choosing technology wisely. One of the best investments you can make in end-user security is choosing devices with built-in biometric readers, which eliminate the need for passwords and the hassle of maintaining them. If a security feature is quick and easy to use, your staff are far more likely to actually use it.

If you invest some time in training your staff on basic security techniques, your organization's network and data will be well protected on both the back end and at the end-user level. That will help everyone in your organization sleep easier.