Hello, everybody, and welcome back to the HCISPP certification course with Cybrary: Policies, Procedures and Standards. My name is Shalane Hutchins and I will be your instructor for this course.
Today we're gonna talk about policies, procedures and standards and the importance of them in the health care industry.
According to Dictionary.com, a policy is a course or principle of action adopted or proposed by a government, party, business or individual.
In any organization, policies are created to set the direction for where the org is going.
In information security, it's important to have policies, procedures and standards, and sometimes guidelines.
Policies are the highest level and describe the what that needs to be done.
They typically have must and shall or shall not statements in them.
In my experience working in large corporate organizations, policies are dictated and governed by the leaders in the organization and disseminated down to the workforce.
In smaller startup organizations, sometimes a bottom-up approach is used whereby the workforce, through their efforts to create solutions or products, begin to build policies based on the feedback from their interactions with various customers and clients.
Being in a heavily regulated environment such as healthcare, the expectation is for any covered entity and its business associates to have formally documented policies and procedures for how the organization is run.
Many policies are categorized into different areas such as security, privacy and/or compliance.
There may be operational policies, HR policies, financial policies, etcetera.
Within each area, there may be policies specific to different functions or needs.
For instance, our comprehensive information security policy is made up of all the underlying policies for components of security, such as an email policy or remote access policy, an encryption policy and an SDLC policy, just to name a few.
As a certified HCISPP professional, it's important that you understand and are able to articulate and distinguish the difference between policies, procedures and standards, oftentimes when called to perform or assist in assessing an organization.
These documents are part of the administrative controls.
HIPAA requires health care organizations to have administrative, physical and technical controls.
The policy sets the stage for the physical and or technical controls to be implemented.
Policies can be very long and drawn out or can be a set of small statements.
The format can vary widely. There are standards for how policies are to be created within some organizations, especially within the public or government sector.
Templates are available through various security organizations, such as sans.org, for creating specific security-related policy documents.
If, within your role as an HCISPP, you're called to create policies, you have a great opportunity to influence how the organization will be directed.
Policies must include management support and approval, and policy should also identify the regulations, laws and other requirements that it is meeting and state consequences for failing to comply.
These can be used as a legal foundation when employees fail to comply with the policy and disciplinary action is taken.
It's important to communicate policies at least annually and ensure that employees acknowledge receiving and reading the policy documents.
Procedures are the how-to to do the what statements within the policy document.
They may vary by business unit, technology, etcetera.
I find that working with those who will actually be performing the tasks that are set forth by the policy to draft the procedures is very supportive.
Most policy creators are not subject matter experts and typically will not be performing the mandates set forth in the policies. So working with those who will makes sense in order to ensure the policies are reasonable and will be successful in achieving compliance throughout the organization.
Working with those doing the work will enable them to become familiar with the policy, and they'll know the procedures because they created them, and it's a win-win situation all around.
Procedures may change frequently due to changes in the environment, the business rules, business needs or technology, while the policy will likely remain fairly consistent year over year unless there's a significant organizational, legal or regulatory change.
Standards provide the boundaries or the guardrails for the how.
For instance, we have a policy that says we'll use encryption for data at rest and in transit.
There may be procedures for various transmission methods, such as email, SFTP, API integration, etcetera. And for each mode there are procedures describing how to encrypt.
The standards say that we will use nothing less than AES 256-bit at rest and no less than TLS 1.2 in transit.
Standards tell you what is allowed and what isn't within your organization or a particular organization.
Standards must be derived from the policy or else they won't support the mission of the policy.
Guidelines are similar to standards, yet provide different options for how control can be achieved.
For example, we have password guidelines to document and assist users in creating passwords that will be in compliance with the policy.
The policy says that users must use a password as part of their credentials to access information systems.
The standards are the GPO rules we've implemented based on NIST 800-63B, in which we've removed the complexity requirements and extended the password reset time period and extended the minimum password length from 8 to 15 characters.
The guidelines provide examples on how to create passwords to meet this requirement by using passphrases and recommend steering away from things that are easily guessable or contained in the dictionary.
In summary, we've reviewed policies, procedures and standards, and sometimes guidelines. Thanks for watching, and I'll see you in the next video.