HIPAA Security Implementation, Version 1.0

15.3 SECURITY ORGANIZATION

Another item of critical importance with respect to maintaining compliance and managing risk in the organization is to have a solid information security management infrastructure that reports to the highest levels of the organization. HIPAA requires covered entities to designate a security officer, but, depending upon the size and complexity of the organization, a formal security organization should exist with clear leadership and visibility at the highest levels of the organization.

Security matters often enter territories that extend beyond the traditional IT boundaries of an organization, so an effective security officer is one who has enough authority in the organization to make security-relevant decisions and enforce the security policy. This is not to say that the relationship with other elements of the organization should be an adversarial one. Quite to the contrary, this relationship should be one of partnership. Security management should work with all the elements of the organization to understand the business goals of each unit so that security can be incorporated in such a way as not to present roadblocks to progress and productivity. This is accomplished by having representation from all the organization's business units in the security management infrastructure.

15.3.1 Information Security Management Roles and Responsibilities

The information security management team has a very important role to play with respect to maintaining HIPAA compliance. This team should meet regularly to discuss security-related issues, receive feedback regarding the performance of the overall security program, review and approve security policy, and make security-relevant decisions. Such a body should also be composed of representatives from all the business units of the organization. These representatives will be able to make policy decisions that consider the business interests of their respective units, thus enabling a security solution for the whole organization that is both considerate of its business goals and well integrated into its operations. A broadly represented security organization will also engender a broad base of support throughout the entire organization.

Other things the security management team needs to consider are as follows:

Lastly, the organization should review and settle upon a standard set of security-related roles and responsibilities for everyone in the organization. Having a standard set of roles and responsibilities defined can aid in the delegation of security responsibilities and in determining who gains access to information based on their specific role. One example of how this may be applied would be to identify all of the information assets in the organization and assign the role of asset owner to individuals, such that these owners become responsible for the security of those assets. Asset owners with a vested interest in the assets they are assigned to protect can participate in the process of securing their assets. For example, the owner of an information asset may decide who gets what degree of access to the asset, or the information asset owner may aid in the creation of secure practices and procedures for handling the asset. The following list outlines some typical roles:
