Regulations, Standards, and Laws
HIPAA Guidance and Tools
Guidance from NIST
Document Retention Guidelines
• The US Office of Personnel Management released in April 2011 a Guide to Telework in the Federal Government that provides an overall program for handling remote workers. It's probably a bit more detailed than most healthcare organizations need, but does cover the bases pretty well, despite the lack of use of words like "privacy" and "confidentiality" (although "security" does appear). See: http://www.telework.gov/guidance_and_legislation/telework_guide/telework_guide.pdf
• epic.org publishes the fantastic EPIC Online Guide to Practical Privacy Tools which lists all the practical technical tools you could ever ask for to be used in securing information at rest and in transit. See: http://epic.org/privacy/tools.html
• SANS is providing the Consensus Audit Guidelines, Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, now available in Draft 2.0 version, as of May 9, 2009. The CAG includes 20 critical controls to have in place to prevent the vast majority of potential security issues in any organization. The CAG is available at: http://www.sans.org/cag/
• The Department of Homeland Security has published the latest version of its Handbook for Safeguarding Sensitive Personally Identifiable Information, a very understandable, digestible guide prepared for DHS staff, contractors, etc. that is a great guide for anyone protecting information. If it's good enough for Homeland Security, it must be a good place to start for your own guide! The Handbook is at: http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf
• Osterman Research provides a very informative set of white papers concerning information security and data retention, and e-mail archiving in particular, free of charge via their web site at http://www.ostermanresearch.com/downloads.htm.
• California's Department of Consumer Affairs, Office of Privacy Protection has published Recommended Practices on Notice of Security Breach Involving Personal Information, with recommendations in three parts – protection and prevention, preparation for notification, and notification. This is an excellent guide that sets a floor for what should be done in any information security program, and explains the California law, which is similar to that of many other states. http://www.privacy.ca.gov/res/docs/pdf/COPP_Breach_Reco_Practices_6-09.pdf
• The New York State Consumer Protection Board has issued a Business Privacy Guide, How to Handle Personal Information and Limit the Prospects of Identity Theft, a sixteen page guide to understanding what personal information is maintained or recorded, key New York State and Federal laws, and actions to take to prepare for and respond to a breach, including a sample breach reporting form. The guide is available at: http://www.nysconsumer.gov/pdf/the_new_york_business_guide_to_privacy.pdf
• The International Security Breach Notification Survey, prepared by Foley & Lardner LLP and Eversheds LLP in November 2009, is a comprehensive guide to state, national, and international security breach notification laws, useful as a guide to any business that may suffer a breach of information security. The report is available at: http://www.mekabay.com/infosecmgmt/security_breach_laws.pdf
• The FTC has released a useful guide related to information security. Protecting Personal Information: A Guide for Business is built around five simple phrases:
• TAKE STOCK. Know what personal information you have in your files and on your computers.
• SCALE DOWN. Keep only what you need for business.
• LOCK IT. Protect the information you keep.
• PITCH IT. Properly dispose of what you no longer need.
• PLAN AHEAD. Create a plan to respond to security incidents.
The press release announcing this publication is at: http://www.ftc.gov/opa/2007/03/businessguidance_pii.htm
The guide itself can be found at:
http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf
• The SANS Security Policy Project offers A Short Primer For Developing Security Policies as well as samples of several policies and guidance in policy development and deployment, available at: http://www.sans.org/resources/policies/
• A useful set of HIPAA security policies implemented by New York University is available at http://www.nyu.edu/its/policies/#hipaa. While this is not necessarily a complete set of HIPAA security policies (some that are needed for HIPAA are covered in other, non-HIPAA policies), it does provide a good level of detail and many of the concepts are directly transferable to other organizations.
• A January 18, 2010 article in Computerworld provides a useful summary of smart phone security issues, including a good list of ten common smart phone risks, at: http://www.computerworld.com/s/article/345297/Smartphones_Need_Smart_Security
• The HHS Agency for Healthcare Research and Quality (AHRQ) has created the Health Information Security and Privacy Collaboration (HISPC), described at http://healthit.ahrq.gov/privacyandsecurity with goals and outcomes, including the Health Information Security and Privacy Collaboration Toolkit, available at http://healthit.ahrq.gov/privacyandsecuritytoolkit. This initiative is oriented toward assisting regional and state-level health information exchanges; one useful product for all healthcare organizations is the IT Privacy and Security Primer, which may be downloaded directly at http://tinyurl.com/3yby3j.
• EDT (Ensconce Data Technology) has published a very useful White Paper on Hard Drive Decommissioning that is freely available (without registration) at: http://edt.rakacreative.com/assets/documents/edt_digital_shredder.pdf (Please note that Jim Sheldon-Dean and Lewis Creek Systems have no financial interest in EDT whatsoever.)
• VeriSign Global Security Consulting Services has published an excellent White Paper: Lessons Learned: Top Reasons for PCI Audit Failure and How To Avoid Them that is freely available (without registration) at https://www.verisign.com/static/PCI_REASONS.pdf (Please note that Jim Sheldon-Dean and Lewis Creek Systems have no financial interest in VeriSign whatsoever.)