Security awareness and training (HIPAA)
Covered entities must develop a security awareness and training program as a part of their administrative safeguards. As with privacy training under the Privacy Rule, this is required for all members of the covered entity's workforce, "as reasonable and appropriate for them to carry out their functions in the facility."
The HIPAA Security Rule defines security awareness and training as including four component implementation specifications, all of them addressable:

The first receives no more expansive definition in the regulations than "periodic security updates." Presumably the focus is to raise and maintain awareness of security issues.

The second embraces "procedures for guarding against, detecting and reporting malicious software" such as viruses and worms. Awareness of such hazards would presumably be one topic to which security reminders attend.

The third includes "procedures for monitoring log-in attempts and reporting discrepancies." (The security management process standard contains a similar requirement within its information system activity review component.)

The last is defined as "procedures for creating, changing, and safeguarding passwords." Covered entities that use other authentication approaches would presumably be expected to have analogous safeguards -- e.g., procedures for safeguarding access tokens.
As the addressable status of all four would imply, covered entities "have discretion in how they implement the requirement, so they can incorporate [it] in other existing activities." The "amount and timing of training should be determined by each covered entity; training should be an evolving, on-going process in response to environmental and operational changes...." (Final Rule, pp. 98, 100)
DHHS has noted that appropriate security awareness training is required even for members of the covered entity's workforce who may be on the premises for a very limited time period. But "[t]his requirement does not mean lengthy training is appropriate in every instance." (Final Rule, p. 100)
Business associates must be made aware of the covered entity's security policies and procedures via contract language or other means. But there is no requirement to provide security training to business associates' workforces.
DHHS notes that Federal agencies all have security awareness training -- partly due to the requirements of the Government Information Systems Reform Act (GISRA) -- and that there are many sources of guidance and information available to help covered entities develop training programs. (In that regard, see the NIST publication referenced below.)
See also: