Security and Privacy Governance Program Guidelines

Effective Security and Privacy Programs start with attention to Governance. Governance refers to the roles and responsibilities that are established by the Board and senior leaders to direct and oversee the Program, based on the organization's mission, goals, and requirements for protecting information assets. These guidelines can be used to establish and measure Security and Privacy Program structure and processes, with governance as the foundation.

Establish governance that includes and specifies the oversight role of the Board of Directors.

The Board is responsible for oversight of security and privacy, including the responsibility to ensure that risk analysis and risk mitigation activities are duly considered as integral to the organization's overall risk profile. Security and privacy program oversight must be included in Board Bylaws and operating rules. Select a board committee to oversee the Security and Privacy Programs. Security and Privacy Program oversight responsibilities should be included in the committee's charter. Ideally, if there is a Board risk committee, security and privacy would fall under this committee. Other committees that can assume responsibility include the Safety Committee, the Quality Committee, and the Compliance and Audit Committee. The decision as to which committee should have oversight depends on the committee structure and the trustee skills that can guide the programs. The committee should approve the annual work plan for the Security and Privacy Programs and advise on key expenditures and initiatives. The committee should assure that the full board receives regular reports regarding goals, accomplishments, and activities of the programs. The committee should oversee the evaluation of the Security and Privacy Programs. The committee should assure that board members and senior leaders receive ongoing training regarding their responsibilities with respect to the Security and Privacy Programs.
The committee should assure that board members and senior leaders are briefed on the organization's Breach Notification Policy. Committee members and senior leaders should have a general awareness of the administrative, physical, and technical safeguards in place.
Train new and established board members and senior leaders.

As with other areas the Board oversees, Security and Privacy Program issues may change over time. New risks, changes in technology, EHR development, patient portals, and patient engagement are just a few areas where security and privacy will affect the organization. While it is challenging to find the time for trustees and senior leaders to devote to furthering their knowledge of security and privacy as key risk areas, it is critical that they do so. Having effective and robust security and privacy programs is key to avoiding reputational, regulatory, and financial risk. Just as boards and senior leaders are trained in quality and safety, they also need to devote adequate time to understanding their roles and responsibilities with respect to security and privacy.

Establish a reporting structure for Security and Privacy Programs that enables the Officers to be effective and emphasizes visibility and relationships.

The most important aspect of the reporting relationship for the Security and Privacy Officers is to report to a senior leader who can serve as champion and advocate for the programs, someone who understands the basic components of the programs and can communicate appropriate and clear messages to other senior leaders. This champion supports the programs in the context of the overall organizational mission/vision/values. The champion assists in program development and change, within the constraints of financial stewardship and maintaining the organization's sustainability. Management responsibility for the Security and Privacy Programs may be combined under one senior Officer. Combining the jobs and placing the function with a chief risk officer may be ideal for some organizations. This assures that the position will be viewed as a senior role, with responsibility and accountability for overall program planning and development.
The Information Security Officer should not report to the Chief Information Officer or to the Information Technology function, as this can create conflicts of interest in terms of achieving security compliance and protecting information assets. The ISO must be independent. There is a myth that security is a very technical discipline. Within the field of security, there are roles that require technical expertise (e.g., network engineering, implementation of technical tools such as data loss prevention, mobile security, and others); however, the senior role in Security requires communicating with clinical and operations leaders, understanding the needs of the health care enterprise, having basic knowledge of how the revenue cycle works, and being a master at explaining risks. The ISO should have the ability to present options for managing risks that take into account people, process, and technology.
Ideally, the budget for security should be separate from the IT budget. With this design, security does not have to compete for resources with other functions in IT. In the past, and still in some organizations today, it is not uncommon for a security officer to include an item (e.g., encryption) in the IT budget for several years before the item gets due consideration for funding in capital and operating budgets, based on risk analysis or regulatory requirements.

The Privacy Officer should not report to Health Information Management (HIM). While an HIM background is ideal for a privacy officer, reporting to HIM places the position too low in the organization. Unfortunately, many senior leaders and others do not take the function as seriously in that case, as the HIM manager may have less visibility in many hospitals. Other options for reporting, depending upon the skills of the incumbents (both the champion for the functions and the officer), include legal services, compliance, the chief executive officer, the chief operating officer, and the chief quality officer.

Be clear about expectations and define the essential duties of Security and Privacy Officers.

The roles and responsibilities of the Security and Privacy Officers should be clearly delineated, as they serve as a check and balance to protect the organization against possible security and privacy issues that can increase risk; jeopardize the organization's mission/vision/values; or cause reputational, financial, and regulatory harm.
The Security and Privacy Officer is responsible for:
- Strategic planning
- Policy development and communication
- Oversight and guidance of risk analysis and risk management processes
- Contract negotiation
- Oversight of training and awareness program development and success
- Budgeting
- Coordinating safeguards for physical security with facilities
- Leading investigations of incidents and possible breaches
- Program operations
- Program evaluation
- Reporting of metrics

The Officer is often the first point of contact for many outside agencies, such as health information exchanges, regulatory bodies such as OCR and state agencies, safety organizations, law enforcement, and patients/patient groups.
The Security and Privacy Officer is responsible for forging strong connections with key stakeholders and departments, serving as a champion of security and privacy but also helping department heads and leaders to understand their roles and responsibilities with respect to security and privacy for the functions they oversee.

The Security and Privacy Officer should coordinate the selection, tailoring, and use of industry-accepted frameworks for security and privacy. A security framework (e.g., NIST standards) and a privacy framework (e.g., privacy by design) should be selected as the basis on which to develop the programs. HIPAA is the floor when it comes to designing and growing the programs. There are a myriad of other federal and state requirements that affect the security and privacy of information. And increasing patient engagement and patient expectations for accessing and managing their medical information will influence how the programs develop.

The Security and Privacy Officer should partner with the organization's safety officer, clinicians, biomedical engineering staff, and others to deploy electronic health records that meet security and privacy requirements. EHRs are the focus of health care coordination, and the Officer should be involved at all stages of EHR selection, implementation, change, and maintenance.

The Security and Privacy Officer should champion and communicate Program objectives.
These include, among others:
- Protecting confidential and sensitive information
- Managing risks associated with safeguarding patient and other confidential information
- Assuring data integrity
- Assuring that all program components are in place (e.g., auditing and monitoring, security incident response planning, business continuity, notice of privacy practices)
- Responding to patient complaints and inquiries
- Responding to regulatory requirements
- Enhancing compliance strategies

Carefully consider the background, training, certification, skill sets, and knowledge requirements for the job.

An ideal background for Security and Privacy Officers includes operations experience. Officers should have overall knowledge of the business of health care. The individual should have experience and skills in strategic planning, negotiating, and budgeting, as well as a track record of excellent communication and facilitation skills. Clinical expertise, HIM experience, an IT background (infrastructure and/or applications), and knowledge of the revenue cycle are a plus. A legal background may be helpful; however, legal training without the benefit of operations experience may limit the ability to perform the duties most effectively.
These skill sets will enable the Security and Privacy Professional to bridge the gap between the view that security and privacy programs are basically regulatory in nature and the paradigm shift that is coming, i.e., an emerging model of information risk management, information governance, protection, and optimization.

Ensure that Security and Privacy Officers obtain ongoing education and training opportunities.

Security and Privacy Officers represent relatively new professions in health care. The fields are undergoing considerable change, ranging from new and ongoing developments in regulatory and compliance requirements, new cyber security threats, increasing and changing expectations of patients and communities, new technologies, proliferation of EHRs, changes in the needs of clinicians, and changes in physical security requirements, to expansion of health information exchanges. Serious Security and Privacy Professionals are trained and credentialed. Security and Privacy responsibilities and accountability should not be add-on duties to other functions such that the Officers do not have adequate time or resources to manage the functions. Security and Privacy Professionals must be permitted the time and resources to pursue ongoing training opportunities, including learning about new technologies and strategies for protecting information, and to remain current in the field.

Leverage resources and consider de-centralizing some functions of Security and Privacy where it makes sense to do so.

Some functions of Security and Privacy may reside in other areas, depending on the skill sets of departmental personnel and organizational resources. Consider the following options:
- HIM may take the lead in developing and implementing an ongoing auditing and monitoring program for security and privacy.
- IT may include an IT security group responsible for managing security infrastructure, network monitoring, firewall tuning and vigilance, use of data loss prevention/data loss detection (DLP/DLD), audit log management, application security, mobile device security management, compiling and reporting IT security metrics, and managing technical tools.
- The Legal department may oversee business associate agreements, as part of its ongoing contracts and internal consulting responsibilities.
- Internal Audit may perform various audits in security and privacy, focusing on key risk areas and providing value to the officers by making recommendations for strengthening the programs, based on independent audit results.
- IT auditors can assist in evaluating the security of specific applications, providing neutral and independent appraisals and uncovering data integrity issues that may need attention.
- Human Resources and/or Training and Development may be responsible for developing, implementing, and evaluating overall training and awareness programs, with guidance provided by the Security and Privacy Officer.

With a de-centralized model, the Security and Privacy Officer should remain the guiding partner and spokesperson for the program.

The roles of Information Security and Privacy Officers are expanding and changing. Their influence in organizations will increase, but so will their challenges. In the future, the role of the Security and Privacy Officer will be re-defined in terms of information risk, information/data governance, policy, and strategy.