Cybersecurity Policy: how leaders set the expectation for cyber hygiene

Aldo Febro
5 min read · Mar 22, 2022

Cybersecurity policy shapes the staff behavior that protects your organization.

Just like any other habit, bad cyber habits are easy to form. But, left unchecked, staff with bad cyber hygiene are a liability to the organization and a threat to patient safety. After all, the threat actors only need to be right once.

As a leader in your organization, you set expectations for staff behavior through cyber policies. These policies serve as the base on which the organization can then build standards and procedures. With policies, standards, and procedures in place, the organization is set up for success in managing risk and compliance.

Organizations of all sizes need to adopt this practice to ensure patient safety.

HICP on Cybersecurity Policies

The Health Industry Cybersecurity Practices (HICP) document lists cybersecurity policy as its last practice.

This practice is essential because cybersecurity is a team effort that requires everyone in the organization to participate. The staff has to remain vigilant all the time.

The leadership can set the tone and expectation for all staff by having a cybersecurity policy. It establishes what is acceptable and unacceptable, along with the consequences. Habits tend to be caught, not taught. Leaders who model good cyber hygiene set an excellent example for staff. Without it, the policy will not have the intended effect.

The HICP document includes policies whose scope ranges from the IT department to everyone in the organization. For example, it contains policies on roles and responsibilities, acceptable use, cybersecurity awareness, data classification, device use, incident response, IT controls, IT procurement, and disaster recovery.

So how do we go about adopting this practice? First, as suggested by HICP, we can use the templates and customize them to fit our organization. Next, we can use a system to make the process easier.

Functions required for a policy management system

Four main functions are required to create and track policies: policy creation, version control, policy distribution, and attestation tracking.

Policy creation involves getting the leadership team to collaborate to create policies. Once the team reaches a consensus, the CEO needs to approve these policies to take effect.

With changing environments and threat vectors, policies require updates to stay relevant. Version control on the cybersecurity policy document helps ensure that staff know the latest policies.

Once the policy is ready, it needs to be circulated among the staff and their acceptance captured.

Tools for implementing cybersecurity policies

We can use the tools identified earlier in this series to circulate cybersecurity policies widely and track acceptance.

We can use SharePoint Online and Power Automate to manage approval for policy documents [1]. Both tools are included in the Microsoft 365 Business Premium subscription.

With this feature enabled, when a policy document is uploaded to SharePoint Online, the approval status for that document is tracked. For example, the approval status could be draft, pending, approved, or rejected.

We can optimize this process further by using Power Automate. Power Automate has an approval flow feature [2] where you can designate the people who have the authority to approve the policy.

The flow consists of a trigger, a condition, and a response. The trigger fires when a document is uploaded to the SharePoint Online document library. The condition is where the flow waits for a response from the approver. Once the approver's response is captured (approve or reject), the flow sets the document's approval status accordingly and sends an email to its author.

With the policy document published, the next task is to distribute it to the user population and capture their attestation. One way to accomplish this is with Microsoft Forms.

With Microsoft Forms, you can create a simple form with a statement along the lines of "I have read and understood the policy" and a "Yes" checkbox to capture the response.

The next step is to distribute this form via email to all staff in the organization. As staff open the form and provide their response, Microsoft Forms saves their responses and makes them accessible from the dashboard [3]. In addition, the leader can track from the dashboard how many people have responded to the form.

Looking at the cost

Small and medium organizations do not need additional tools to implement the system described in the previous section. We can use the tools already acquired for the previous HICP practices.

With no additional cost anticipated, the projected cost for a small organization (1 FTE Physician + 3 staff) to adopt HICP practices so far is $7,792 (1st year) and $4,168 (subsequent years).


Having cybersecurity policies established is essential for organizations of all sizes. It sets the expectation for how all staff behave in order to maintain a strong cybersecurity posture for the organization and to protect patient safety.

Small and medium organizations can use the tools identified in this series to adopt the cybersecurity policy practice as outlined in the HICP document.