The network and data security measures you put in place for your health organization—from a firewall to protect your office network to a data backup system for your crucial patient data—are physical manifestations of business rules. You make business decisions about how important your computer network and the data it holds are to your practice, and how you want to protect those key resources. Security systems are the implementation of those business decisions.
Robust security systems don't begin with hardware and software, but instead begin with careful planning. If you don't know what you want your security systems to protect, or if you don't have an idea of how you want that protection to function, it will be difficult to configure those systems to actually protect your networks and your data.
A security policy is a general statement of the business rules that define the goals and purposes of security within an organization. While each individual practice will have its own unique policy, the basics of establishing a policy are the same, whether you are a small practice or a larger-sized hospital, because HIPAA security measures apply to all health organizations across the board. Security policies are considered strategic documents, and they define the overall purpose and direction for security. When you start with a solid security policy, configuring your security systems—or communicating with those who do—is much simpler and more effective.
One of the most important elements of your overall office security policy is a network security policy that governs what communications you will allow between your internal network and the external Internet. While the Internet facilitates information exchange in what seems like more ways than you can count and is a fundamental component of the way many health organizations do business today, it can also provide a direct route for those with less-than-good intentions to your computer networks and their data. Breaches of your network by such intruders can jeopardize the security of personal health information and potentially put you and your office in violation of HIPAA and other regulations.
When you develop a thorough network security policy and follow it with a solid implementation of that policy, you can continue to leverage the Internet as a communications medium while still protecting valuable office systems and private patient data.
There are many moving parts in the security of your organization. In addition to thinking about how to keep your networks and data safe, you must consider the security of your offices, the location and accessibility of your staff's computer equipment, and much more. Although this How-To guide focuses specifically on security policies for protecting your networks and data with firewalls, keep in mind that a firewall security policy cannot exist in a vacuum. It must be accompanied by an overall organization-wide security policy that establishes goals for maintaining physical security, staff training and awareness, and system-specific security controls.
To download the latest Adobe® Reader®, please go to the Adobe website at http://www.adobe.com. Adobe and Reader are trademarks of Adobe Systems Incorporated.
Printable version
