As discussed in the previous blogs, a cyber security policy is crucial for any facility operating within the LTPAC industry. While physical security components are the first line of defense against physical intrusions, a second crucial layer is a comprehensive plan addressing administrative safeguards.
Administrative safeguards, as defined by HIPAA, are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.
Administrative safeguards address the risk of access by unauthorized users. This means that your policy must clearly spell out how you will ensure that only authorized users have access to your records, databases, and confidential communications.
Administering Access Controls and Authenticating User Identification
In accordance with HIPAA regulations, only authorized users should have access to the aforementioned information. For this reason, your policy must include administrative safeguards.
Administrative safeguards include, but are not limited to, such measures as:
- Ensuring that all employees sign an acceptable use and confidentiality agreement
- Protecting all computers with a user ID and password logon
- Requiring all users to have a strong password. Some suggestions for strong passwords include:
  - Requiring passwords be at least eight characters in length
  - Requiring at least one number
  - Requiring a combination of upper and lower case letters
  - Requiring at least one special character
- Forcing employees to change their password once every six months
- Keeping an archived record of who has accessed data and when
- Ensuring that only employees have access to workstations and to any other password-protected computerized devices and equipment
For further information regarding the specific HIPAA standards for administrative safeguards and the security management process, see the HIPAA Security Rule. As always, you may have to add additional administrative safeguards to your cyber security plan based on any specialized equipment in your facility, such as tablets, handheld devices, and any electronic medical equipment.
The next two blogs will discuss the remaining elements of a comprehensive cyber security policy:
- Developing and implementing technical safeguards
- Developing a contingency plan in the event of a cyber breach or attack
Additionally, the blogs will provide resources for LTPAC managers and professionals.