Security Awareness Training and Policy: Have you implemented one?
August 31, 2018
HIPAA Security Rule (45 CFR 164.300 et seq.) applies to electronic protected health information or more commonly known as ePHI. There are three security safeguards that are mandated under this rule namely: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.
One of the critical Administrative Safeguard a healthcare organization must implement is the Security Awareness and Training. Statistics prove that an organization’s people are often the largest threat to the security of protected health information and ePHI mainly because they are not equipped with the right and adequate knowledge how to combat these cyber threats.
Your Security Awareness and Training policies and procedures must encompass all workforce members such as full-time and part-time employees, on-the-job trainees, volunteers, subcontractors, casual or temporary workers, and everybody who has access to PHI and ePHI.
In the awareness training, personnel must know why these security policies and procedures matters. Let them be aware of the possible sanctions that might be implemented against an employee who will not follow these security policies and procedures.
These kinds of training are and should be an on-going and progressing activity within the organization. Ensure that your workforce is updated with the latest threats in cybersecurity such as computer viruses, phishing, scams, malware, and others. They must be equipped with enough know-how that will help in identifying, reporting and preventing potential security breaches and threats. It is the Security Officer’s and the ITC Officer’s responsibility to determine how often these training should be given and in what forms or methods e.g. via flyers, posters in the pantry, email reminders and/or verbal updates during team meetings. The basic updates on everyone’s computer which relates to Windows updates, anti-virus updates and the like must also be well oriented to every employee that they themselves has some basic knowledge on how they can spot unusual activity that might indicate cyber threats like phishing, malware or computer virus. Do not take password management for granted as well, inform everyone how the password should be reset i.e. how many characters and how often passwords should be changed.
Having this basic security awareness and training can give the organization a much better chance of fighting and preventing cybercriminals from conducting impermissible access to ePHI and PHI. Moreover, having these safeguards in place does not only allow your organization to be compliant with HIPAA rules but more importantly, it allows strengthening the shield that protects your patients’ protected health information.
