7 steps to forming a security action plan

By Michelle McNickle
12:59 PM

Keeping up-to-date on the latest IT security trends can be daunting. And unless security is a core element of an individual's job, it tends to be overlooked when ongoing development needs are being considered, said Dominic Saunders, COO of policy management software company NETconsent.

"All too often, administrative and clinical staff receive initial IT training when they join, and thereafter they are expected to remember it, keep up to speed with changes and adhere to evolving IT security policies and procedures until the next annual update," he said. "Given that more and more clinical staff are working flat out in their jobs, keeping on top of IT security issues understandably slips down their professional agenda."

"Without an ongoing systematic and proactive user awareness program, a strong security posture is in jeopardy," Saunders continued. "There is no cure for stupidity or genuine human error, but you can change the way you educate your teams to help them make the right decisions and avoid unnecessary mistakes that put patient data at risk."

Saunders breaks down seven steps to forming a security action plan.

1. Rewrite your IT security policies and procedures. Use a language that can be understood, and not just impress an auditor, said Saunders. "Spell out the risks the organization faces for non-compliance."


2. Consider changing the way you introduce security as part of the induction process. "Smaller, more manageable documents are easier not only for the recipient to grasp, but also for the organization to review and update," said Saunders. In addition, by "drip-feeding" the information, clinical staff are more likely to find time to read it and build a deeper awareness of security issues, all while reinforcing elementary security fundamentals, he said.

3. Review and update processes regularly, and that includes regularly reminding your co-workers. "Just because John in cardiology had a security briefing when he joined the trust doesn't mean he knows what the risks are today," said Saunders. That's why it's key to educate staff regularly to ensure they still understand both what's expected of them and what's changed when it comes to privacy and security.

4. Consider using an automated system. This will help to deliver policies and associated documentation directly to employees at their workstations. "This makes the whole process manageable for you both," said Saunders.


5. Introduce testing, either for all or a portion of users. This will help identify where policies aren't understood, so they can be rewritten, allowing everyone to know what they're doing and, most importantly, why they're doing it. "You'll also be able to identify weaknesses and, therefore, focus training energies on the necessary areas."

6. Get your employees to sign up to key policies so you know that they’re on board. As part of the process, said Saunders, include the consequences in your plan if employees should break the rules. "That said, make sure they understand that genuine errors are expected and should be reported, not ignored or covered up," he said.

7. Take action against offenders. "If people see policies being enforced consistently at all levels within an organization, and where appropriate disciplinary action is taken against those who willfully neglect corporate rules, people are more likely to take notice of security information," said Saunders. When staff members realize the circumstances and consequences of policy violations, he continued, it nudges them to choose the right course of action, "and, perhaps, to be more prepared to encourage others to conform to standards of behavior within the acceptable governance framework."
