(ii) Implementation specifications:
(A) Security reminders (Addressable). Periodic security updates.
Tell Me More:
The Security Reminders implementation specification requires covered entities to address procedures for providing periodic security updates to members of the workforce. Because the specification is addressable, the entity must assess whether it is reasonable and appropriate in its environment and, if so, implement it; otherwise it must document why not and implement an equivalent alternative measure where reasonable and appropriate. Periodically reminding employees of their security responsibilities is recommended. Security reminders are effective for reinforcing what has been learned through more formal security training. Periodic security reminders should be issued on a regular schedule (e.g., at least quarterly) so that the workforce stays current on security issues and on changes to policies and procedures.
Questions to consider:
- Does the organization provide periodic security updates, related to both ePHI and other PHI? If not, do they make sense for the organization?
- What media are used, and which are best, for providing the updates, e.g., e-mails, posters, memoranda, Intranet, and newsletters? The organization should consider using a variety of approaches to reinforce key security policies and procedures.
- How are security update topics selected, and by whom? Security reminders should address known problem areas (for example, issues surfaced by incident reports, audit findings, or the risk analysis). How often are security updates provided, and by whom? Make sure that developing and delivering periodic reminders is assigned to appropriate staff.
- Does the organization provide periodic “refresher” training? Is this training documented? Periodic refresher courses are an effective way to make sure workforce members understand the organization’s policies and procedures and to address common concerns.
Related NIST publications:
- NIST SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-63 Electronic Authentication Guideline