When it comes to implementing a robust security protocol, employee training is one of the most critical—and often overlooked—aspects of a solid plan. Security and awareness training is also an integral part of HIPAA compliance. But, according to a recent HealthITSecurity.com review of NueMD’s 2016 HIPAA Survey Update: “Healthcare organizations are also falling behind on annual HIPAA training. Currently, 58 percent of organizations provide annual HIPAA training for their staff, while 62 percent of organizations did so in 2014.”
As Strong as Your Weakest Link
Like any good thief, hackers approach your security measures and go for the weakest point in your defenses. There are primarily two types of hackers: those with little skill that perform exploits in bulk, hoping for easy prey to come along, and those with substantial skills, taking a targeted approach to achieve a set goal. The breaches seen in 2015 were mostly done by the second type hacker because healthcare data has become incredibly lucrative on the black market. The reason for this? Healthcare data contains a greater depth and breadth of accurate information about a person than most other types of records.
While your IT Security team may be up to date on the latest compliance rules, without specific training to address not only HIPAA’s guidelines, but also the issues at stake, and the various ways security can be breached, your average employee will not know how to protect against determined hackers. Taking a glimpse at the anatomy of a cyberattack, in more than one major data breach in 2015, hackers targeted employees with low-level password access to gain higher-and-higher levels of access to point where their goals could easily be achieved – ultimately causing the most possible damage.
Compliance Means Training
Experts tend to debate the effectiveness of any Security Training Plan. But the penalty structures built into HIPAA are a pretty solid indicator that ignorance, or lack of training, is not an excuse for loss of secure data.
There are two levels of training that any good plan should encompass. The first is general training, aimed at all employees or BAs with system access. General training should include basics like how to identify and avoid phishing attempts and forms of social engineering, what to do when the employees think they may have been targeted, and what the impact of a data breach will be. The second level of training is group-specific training, which targets specific areas of responsibility. You must implement this higher-level training. IT administrators have different concerns than developers, but they are closer to each other than your average user with ID and password who only can access or change data.
Frequent and Up-to-Date Are the Keys
Like all HIPAA compliance requirements, security training for employees at your business and for any subsequent 3rd party who maintains access to any systems containing or transmitting ePHI is mandatory.
Initial security training is an important part of any new employee onboarding training, but frequency is a major factor in ensuring that employees are aware of current rules and good security hygiene. If possible, quarterly training is a recommended by security experts, as well as training following any security incident.
These periodic training updates need to address not only basic security, but also new tactics and methods employed in other significant security breaches, as well as identifying points of weakness unique to the employee’s role within your organization.
There is Help Out There if You Need it
Your HR department or your internal trainers can manage a comprehensive training plan. If your business doesn’t have internal training, there are several security training companies that provide comprehensive services tailored to fit different needs. We recommend one that not only educates but tests to ensure employee understanding of the material and concepts covered and generates reports to ensure the impact of your training dollars.
Companies like SANS, Stickley on Security, or other security training providers, can provide varying levels of individualized security training for Health Care businesses and BAs wishing to outsource their efforts.
Advanced or group specific training can be provided by either of those methods or by attending conferences or corporate training seminars. Or your internal personnel can design their own security training based on your particular environment.
But no matter how you approach it, training is an essential part of the HIPAA compliance process. The stakes are very high if you cannot document the fact that your employees have received appropriate training as part of your organization’s compliance efforts. Awareness is the key to making sure your employees have some defense against external attacks that lead to breaches.
All new employees will require basic security and awareness training. You will need to provide regular assessment and updated training for the more specific IT needs to identify the attack vectors hackers may be exploiting–and to be certain they are being managed adequately.
If you haven’t already addressed this vital element to HIPAA compliance? Now is the time.
Additional Resources on This Topic:
HIPAA Compliance Knowledge Growing Amongst Healthcare Pros
2015 Internet Security Threat Report
Wombat Security Launches Healthcare Security Awareness and Training Program for Healthcare Industry as Data Breach Threat Escalates
End-user Compliance: Creating a security awareness training program