What should be included in the job description for an information security officer?
HIPAA Weekly Advisor, December 13, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What should be included in the job description for an information security officer?
A: Many health care organizations are playing catch-up when it comes to understanding the field of information security. Security involves preserving the confidentiality, integrity, and availability of protected information assets, so the information security officer (ISO) job description should include those three areas of responsibility. Be sure to define those three terms, perhaps in your core information security policy or a glossary.
The scope of the role should explicitly cover all forms of protected information: electronic, written, faxed, and spoken, even though the security rule covers only electronic information. The impetus for your organization to create this role may be HIPAA, but it is important for business due diligence that the information security program protects all information assets, even if they don't identify patients. That includes employee personnel and payroll data, legal processes, confidential business plans, and other proprietary or sensitive information.
The fundamental responsibility of the ISO is to lead the information security program. This includes ongoing risk assessment and mitigation; development of policies, procedures, and standards; workforce education; and establishment of technical and physical controls. ISOs are generally responsible for managing hands-on security administration and oversight; planning and implementing strategic initiatives; and constantly making sure management and the workforce understand and support the security mission.
The broad ISO scope and level of responsibilities (both in strategic planning and day-to-day work) make this a very important role that health care organizations should not underestimate.
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA, and excerpted from the December 2002 issue of Briefings on HIPAA.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- HIPAA Q&A: Flu shot requirement for hospital employees
- Running an effective peer review committee meeting
- HealthDataInsights posts new issues for medical necessity claims
- Sneak Peek: Effort underway to establish caseload benchmarks
- Q/A: Coding for telescopic intraocular lens
- New FAQ posted on storing laryngoscope blades
- Tip: Perform your own internal investigation prior to government audit
- HIPAA 5010 deadline extended, but threat remains, says AMA
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- E-mailed
-
- Running an effective peer review committee meeting
- HIPAA Q&A: Flu shot requirement for hospital employees
- HHS task force: Consider privacy, security with text messages
- What does case-mix index mean to you?
- Q/A: Coding for telescopic intraocular lens
- Q/A: Correct use of modifier -PT
- Tip: Correctly code bilateral pain management procedures
- "Wall fountains" may be spreading Legionnaires to patients, visitors
- 2012 CPT code changes for ASCs: Shoulder and knee scopes and pain management
- Case Management Monthly, March 2012
- Searched