By Iseman Cunningham Riester & Hyde LLP
As part of their security awareness and training programs, Covered Entities must consider training employees on procedures for guarding against, detecting, and reporting malicious software (See Tip #29 for more on security awareness and training programs). This specification is “addressable,” which means that the covered entity must implement it unless doing so would be inappropriate or unreasonable and the purpose of the standard cannot be met through an alternative measure.
In popular usage, this specification refers to training on the use of anti-virus practices. (Technical users will be quick to note that “malicious software” includes not only viruses but also worms, trojan horses and bombs, among others.) Although anti-virus computer programs (widely available) can provide first-rate protection against malicious software, even the best programs are a half-step behind the viral programmers and, in any event, are dependent upon frequent updating to keep virus definitions current and effective. Live individuals are often the last line of protection against a virus infection.
Accordingly, individuals who may come in contact with malicious software (via e-mail, sharing of floppy discs, on the web, or otherwise) should be provided with (at least) fundamental training in detecting and handling such software. Basic employee practices such as not opening unverified attachments and not following unknown embedded links can go a long way to protecting an organization from infection.
This specification should NOT be confused with the implementation of anti-virus programs themselves. This particular specification concerns awareness and training on employee practices. Whether anti-virus programs should or must be installed at a system level or on individual workstations is a question to be asked under other standards, such as the integrity standard and the access control standard in the “technical safeguards” group.
HIPAA Security Tips are written by the attorneys of Iseman, Cunningham, Riester & Hyde, LLP. ICR&H is known for legal work on complex legal problems and transactions for businesses and individuals in the healthcare, construction, and financial industries, among other areas.
(c) 2004 Iseman Cunningham Riester & Hyde LLP. License is granted for all attributed reproduction.