Security awareness is an essential constituent of a comprehensive and efficient security policy. Nevertheless, to make it productive, it is critical to elaborate a well-thought-out and detailed awareness plan. Therefore, the paper at hand designs a multidimensional framework for raising security awareness in a health care facility. Besides addressing the three most common security risks, it integrates approaches to implementing the plan, including the target participants, methods for guaranteeing compliance with standards, and ways of measuring the effectiveness of the proposed strategy.
To begin with, there are several common risks faced by health care facilities. It is essential to note that most of them are not connected to a weak security control environment. Instead, they are inseparable from the improper actions, as well as the inactions, of personnel and everyone else working with an organization’s information system (Security Standards Council, 2014). That said, accessing sensitive information without following a predetermined authorization procedure, exposure of patients’ private information, and breach of the information system are the three primary risks that the plan will address. At the same time, it is essential to note that all of them are connected to a range of risky behaviors.
For instance, the first risk is commonly linked to ignoring the necessity of using acceptable passwords, tolerating public accounts, sharing authorization details without senior management’s approval, and failing to report improper activities or uncommon system breakdowns (Security Standards Council, 2014). The second risk is associated with both security breaches and staff incompetence, e.g., selling personal data (Mishra, Leone, Caputo, & Calabrisi, 2011). Finally, the third risk pertains to particular gaps in the control environment as well as the extensive use of mobile devices for accessing patient information, which can be easily hacked due to their portability and accessibility (Storbrauck, 2015).
The rationale behind this plan is the criticality of the potential consequences of data loss and information system breach. Some of the outcomes include reputational harm, financial losses connected to penalties and legal claims against a health care facility, the impact of such incidents on employees’ further careers, etc. (Security Standards Council, 2014). More than that, the plan is justified by the massive implementation of information systems and the necessity of being aware of how to use them properly.
Therefore, this plan targets everyone having access to an organization’s information system. It means that all employees (students, coders, contractual staff, and new employees), management and organizational staff, business associates, software providers, and even customers will be mentioned in the plan, although the scope of training will differ according to the positions occupied and the duties fulfilled. That said, at least 90 percent of all employees and business associates will be required to complete this training at least once per year. This figure, rather than 100 percent, reflects the fact that not all employees have access to the information system. For instance, operational personnel and suppliers are excluded from the framework for the reason mentioned above.
All in all, this plan aims at eliminating risky behaviors or, at least, mitigating the potential negative consequences of misbehavior. To achieve this objective, it is essential to mention three aspects of the plan – informative, advisory, and regulative. The informative element is critical for guaranteeing that everyone involved is aware of the training and of the basic requirements for security. The advisory constituent is related to sharing information security best practices with the target audience. Finally, the regulative dimension is vital for making sure that all requirements are followed and for addressing misbehavior (Rhodes-Ousley, 2013).
As mentioned above, the scope of training will differ among individuals. For instance, all employees will be informed of common security strategies such as the criticality of virus protection, password management, log-ins, etc. The same information will be delivered to patients and business associates. Organizational and management staff will be taught to conduct audits and security drills as well as to carry out monitoring procedures (Hjort, 2013). To meet regulatory requirements, the necessary training will be provided and its completion will be recorded (Mishra et al., 2011; Rhodes-Ousley, 2013). Here, it is essential to note that training will be conducted in groups, and an individual’s attendance will serve as the measure of completion.
Furthermore, it is essential to regulate a behavioral baseline. For instance, three behaviors will be measured periodically – appropriateness of passwords (including the frequency of changing them), shared accounts (using one account on different devices), and virus protection. Accordingly, choosing acceptable passwords and changing them once a month, avoiding multiple log-ins on different mobile devices, and maintaining adequate virus protection are the desired behaviors. To measure them, organizational and management staff will deploy periodic security drills and constant audits of employee security awareness (Rhodes-Ousley, 2013).
Nevertheless, regulation is not the only option for measuring behaviors. To achieve the highest levels of security awareness, it is essential to implement several motivational tools. In this case, both positive and negative motivation will be beneficial due to their differing influence on employees. For instance, rewards for following all security procedures properly, as well as for reporting any improper actions, would stimulate employees’ interest in the new policy and training. On the other hand, financial responsibility for ignoring the rules and training would contribute to overall engagement and the desire to comply with the requirements (Rhodes-Ousley, 2013). These tools will be applied after periodic security checks and reconsidered every time new monitoring results are obtained. In general, the plan would be considered effective if all employees undergo training and security drills and audits reveal that at least 80 percent of staff deploy security techniques properly.
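As an added illustration (not part of the original paper), the following Python script audits the three baseline behaviors described above over a constructed login log and account inventory, then applies the paper's thresholds (90 percent training completion, 80 percent behavioral compliance). All log lines, account names and field names are assumed for the example; only successful logins count toward the shared-account check.

```python
import re
from collections import defaultdict
# Constructed sample authentication log (hypothetical data, not from the paper).
AUTH_LOG = """\
2024-03-04T08:12:05 user=jdoe device=WS-117 result=ok
2024-03-04T09:02:33 user=nurse3 device=TAB-02 result=ok
2024-03-04T09:05:47 user=nurse3 device=TAB-09 result=ok
2024-03-04T09:30:00 user=nurse3 device=PHONE-4 result=ok
2024-03-04T10:15:21 user=rlee device=WS-201 result=fail
2024-03-04T10:16:02 user=rlee device=WS-201 result=ok
"""
# Constructed account inventory: password age, antivirus status, training status.
INVENTORY = {
    "jdoe":   {"password_age_days": 12, "av_enabled": True,  "trained": True},
    "nurse3": {"password_age_days": 45, "av_enabled": True,  "trained": True},
    "rlee":   {"password_age_days": 28, "av_enabled": False, "trained": False},
}
LOG_LINE = re.compile(r"user=(\S+) device=(\S+) result=ok")  # successful logins only

def devices_per_account(log):
    """Map each account to the set of devices it successfully logged in from."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LOG_LINE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return seen

def audit(log, inventory, max_password_age=30):
    """Per-account pass/fail for the three baseline behaviours in the plan."""
    devices = devices_per_account(log)
    return {
        user: {
            "password": info["password_age_days"] <= max_password_age,  # changed monthly
            "not_shared": len(devices.get(user, set())) <= 1,           # one device per account
            "antivirus": info["av_enabled"],
        }
        for user, info in inventory.items()
    }

def compliance_rate(results):
    """Share of audited accounts that pass all three behaviour checks."""
    return sum(all(r.values()) for r in results.values()) / len(results)

def training_rate(inventory):
    """Share of in-scope accounts that completed the annual training."""
    return sum(info["trained"] for info in inventory.values()) / len(inventory)

def plan_effective(results, inventory, training_target=0.9, behaviour_target=0.8):
    """Effective only when both thresholds stated in the plan are met."""
    return training_rate(inventory) >= training_target and compliance_rate(results) >= behaviour_target
```

With the constructed data only one of three accounts passes every check and only two of three are trained, so the plan is reported as not yet effective.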
Hjort, B. (2013). Privacy and security training (2013 update). Web.
Mishra, S., Leone, G. J., Caputo, D. J., & Calabrisi, R. R. (2011). Security awareness for health care information systems: A HIPAA compliance perspective. Issues in Information Systems, 12(1), 224-236.
Rhodes-Ousley, M. (2013). Information security: The complete reference (2nd ed.). New York, NY: McGraw-Hill.
Security Standards Council. (2014). Information supplement: Best practices for implementing a security awareness program. Web.
Storbrauck, L. (2015). Mobile device use: Increasing privacy and security awareness for nurse practitioners. Web.