Developing and Implementing an Information Security Policy and Standard Framework

Developing and Implementing an Information Security Policy and Standard Framework (PDF, 1.65MB)
Published: 09 Jun, 2004
Created by: Peni Smith

In August of 1998, the Department of Health and Human Services published a proposed rule in the Federal Register proposing '...standards for the security of individual health information and electronic signature use by health plans, health care clearinghouses, and health care providers' (Proposed Security Rule 43242). As a health care provider and a covered entity under HIPAA, our Information Security team began reviewing the proposed security rule requirements and formulating a compliance program. It quickly became apparent that the proposed security rule requirements were reasonable security controls that should be implemented to support normal business operations. The issue, however, was that our existing Information Security framework was outdated: our Information Security standards had not been updated since 1995. As a result, our Information Security Program contained weaknesses introduced by the new technologies implemented since 1995. To advance the Company's Information Security Program, our team began defining security program requirements, including federal security requirements and the security controls needed to support business and technology drivers.