
Sean Smith, Systems and Security Manager: Security Training. It’s not just for compliance anymore!


You’ve spent significant time and dollars putting together a set of policies and procedures that address the HIPAA Privacy and Security Administrative, Physical and Technical safeguards. You are aware that all covered entities and Business Associates are required by 45 CFR 164.530 and 45 CFR 164.308 to perform HIPAA Training that covers both Privacy and Security. You’ve developed a program that satisfies these requirements and are ready to train all existing and new employees. And then this happens:

  • “Oh, this again.”
  • “How long is this going to take?”
  • “What a waste of time!”
  • “We know this already!”

These are just some of the comments from the last few ‘Annual HIPAA Training’ sessions I’ve given. You’d like to think that end users are putting the training to good use in their jobs. But not everyone in your medical group will have the same sense of ownership as the physician(s)/physician extenders. Most people only engage with security awareness if they see a personal gain.

You have just identified the largest exposure to HIPAA violations and Protected Health Information (PHI) breaches: end users! The best technical safeguards, policies and procedures are not worth the paper they are written on if they are not used or followed. An employee violation of your policies and procedures will not get you off the hook with CMS if a breach occurs.

The latest Verizon Data Breach Investigations Report (DBIR) shows that the top three categories account for 73% of all healthcare data security incidents:

  • Physical theft and loss – 32%
  • Privilege misuse – 23%
  • Miscellaneous errors – 18%

Physical theft and loss involves a device that is lost or stolen. Privilege misuse means users gaining access to data they are not authorized to see, sharing credentials between users, malicious employee hacking, etc. Miscellaneous errors are things such as e-mailing PHI without encryption, throwing written PHI in a trash can instead of a shred bin, faxing to the wrong number, etc.

These categories can be eliminated with good end user practices. That makes training end users (including contractors who access your systems) extremely important for LTPAC Medical Groups in creating the security awareness culture required today. You can have the best technical layers of protection available, but if an end user clicks on that “Free Starbucks” phishing e-mail, the entire system can be compromised.

Phishing is a form of fraud in which the attacker tries to learn information such as login credentials, or plants malware that steals credential or account information. If an end user clicks on one of these e-mails (the DBIR reports that 12% click the link, a figure that rises each year), your entire system may be vulnerable to a coordinated attack. These new attacks come with three prongs:

  • Phishing e-mail (end user clicks on the link)
  • Malware installed by the phishing e-mail learns credentials on your system
  • Stolen credentials are used to compromise systems

The latest ransomware attacks all occurred in this manner. The new breed of hacker is not the ‘kid in the basement’ but organized crime syndicates who are making a lot of money off these coordinated attacks.

How do you get end users engaged and using security awareness as part of their jobs? Turn your HIPAA Training into a multi-phased approach:

  • Make the HIPAA documentation available for all to see and review (and satisfy your compliance requirement).
  • Schedule multiple training sessions throughout the year.
  • Run a phishing assessment and then train end users on the results. You can do phishing assessments for no cost (https://insight.duo.com/).
  • Use the valuable time to train end users on things that will have a direct benefit (phishing, shred bins, encryption, etc.).
  • Explain why security awareness is needed in each training session.
  • Make the training sessions targeted to just one or two topics.
  • Explain how the training topic applies to the end user’s PERSONAL information, so they take ownership of the topic and use it in all situations.

Every LTPAC Medical Group must empower its end users to become more security conscious all day, every day. They are your first, and often last, line of defense when it comes to protecting your PHI.
