• Awareness, training, and reminders
  • Metadata
  • Foster awareness of compliance
  • Notify users of their responsibilities
  • Provide compliance training that is clear and complete
  • Third-party resources
  • Enforcement
  • References

Awareness, training, and reminders

MedStack Confidential

Metadata

• responsible officer: CTO
• date
  • effective: 2018-06-20
  • revised: 2018-04-23
  • reviewed: 2018-06-20
• Applicability: standard

Foster awareness of compliance

• Provide security reminders based on compliance training materials.
• Attend privacy and security conferences.
• Maintain awareness of new and evolving security threats.

  Code	Section	Title	Text
  ISO	A.6.1.4	Contact with special interest groups	Appropriate contacts with special interest groups or other specialist security forums and professional associations shall be maintained.
  HIPAA	164.308(a)(5)(ii)(A)	Security reminders	(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). (ii) Implementation specifications. Implement: (A) Security reminders (Addressable). Periodic security updates.

Notify users of their responsibilities

• to protect their credentials (passwords)
• to apply information security in accordance with our policies

  Code	Section	Title	Text
  ISO	A.7.2.1	Management responsibilities	Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization.

Provide compliance training that is clear and complete

• Who
  • all employees
• When
  • during the new employee orientation period
  • before exposure to PHI
  • yearly
• Include
  • the basics of compliance itself
  • relevant compliance regimes
  • health data privacy
  • health data security
  • the duties and responsibilities of specific individuals, workgroups, departments, and divisions
  • a review of relevant and appropriate internal policies and procedures related to compliance
  • how to monitor failed login attempts and to report discrepancies
  • how to identify malware and use malware protection
  • Proper password management

    Code	Section	Title	Text
    ISO	A.7.2.2	Information security awareness, education and training	All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
    CHI	SR15	Training users and raising security awareness	All organizations connecting to the EHRi or hosting components of the EHRi must ensure that information security education and training and regular updates in organizational security policies and procedures are provided to each permanent or temporary employee or third-party contractor who is a registered user of a PoS system connected to the EHRi or who has access to hosted components of the EHRi.

Third-party resources

• Use recognized independent third-party resources where possible.

Enforcement

• Responsible party: All managers and supervisors
• sanctions: standard

References

Code	Section	Title	Text
ISO	A.7.2	During employment	Objective: To ensure that employees and contractors are aware of and fulfil their information security responsibilities.
HIPAA	164.308(a)(5)(ii)(A)	Security awareness and training	(i)Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). (ii)Implementation specifications. Implement: (A) Security reminders (Addressable). Periodic security updates. (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.

November 13, 2019

Powered by