Not that the healthcare industry is short of security frameworks to reference when forming an IT security plan, given that NIST recently released its voluntary framework, but the Security Industry Association (SIA) has now released its updated Privacy Framework as well.
While many of these concepts are likely already integrated into organizations’ current privacy policies, a refresher can be helpful. SIA intends the Privacy Framework to help healthcare organizations and vendors identify a set of privacy principles that serve as a guide for manufacturers, integrators and distributors of electronic security technologies; to inform policymakers about how the security industry protects patient privacy; and to educate end users on patient privacy.
SIA’s privacy principles include:
- Baking security capabilities into products as they are developed, without increasing exposure
- Conducting regular risk assessments to explain to system managers how protected health information (PHI) is stored and managed
- Maintaining HIPAA compliance
- Ensuring that only authorized individuals, for authorized purposes, can access PHI
- Safeguarding databases where PHI is stored
- Securing data in motion between different systems
- Explaining to patients how their healthcare data will be used
- Writing breach notification policies and making them transparent
- Creating data retention and disposal policies that patients are aware of
Organizations, according to SIA, should reference the Fair Information Practice Principles (FIPPs) in determining how the information collected by the system may be used and protected.
- Purpose Specification – Examine why the information is collected, so that the system collects only information relevant to achieving its security purpose.
- Data Minimization – Limit collection of information to what is determined necessary to achieve the system’s security goals.
- Notice and Awareness – Determine when and how individuals affected by the security system are notified of the information collection and its purpose.
- Data Security – Examine the potential for both internal and external threats to lead to unauthorized disclosure of PII. Use encryption, mutual authentication and other logical security measures to help protect against those threats.