Cybersecurity Training For Healthcare Organizations
Take your Cybersecurity training to the next level in your organization.
Don’t cut corners on Cybersecurity training. Give your staff the level of training that your patients and customers deserve.
This professional training is ideal for full annual training and onboarding of new staff. Multi-choice Testing and Certificate of Completion awarded.

Format
Online Course

Level
Healthcare Professionals

Author
ComplianceJunction

Contents
Videos, Quizzes

Duration
2 hours 10 mins

Award
Certificate of Completion
What’s included?
This comprehensive Cybersecurity training is designed by ComplianceJunction for covered entities.
The purpose of this course is to enhance the security posture and protect the sensitive information of organizations in the healthcare industry. It aims to educate healthcare professionals and staff about potential cyber threats, best practices for safeguarding data, and the necessary steps to mitigate risks.
This course has been designed specifically for front-line staff who work at covered entities, and we believe that this training approach is unique in the healthcare industry.
The target learner is non-IT professionals who directly handle medical records/PHI.

Analytics dashboards
Keep a close eye on your staff training progress throughout the year.
Our dashboards provide a comprehensive overview of who has completed their HIPAA training, how and when.

Learner-friendly content
Learner-friendly content that helps you to get your staff to buy into the HIPAA training process. Avoid push back from your staff about completing their HIPAA training. See your staff members enjoy the HIPAA training process.

Keep up-to-date
Keep your staff up-to-date on the latest HIPAA regulation changes.
We regularly refresh our HIPAA training content on an annual basis and throughout the year.
Training Case studies

Download
Downloadable case studies within your course that clearly illustrate real-world examples of HIPAA breaches

Theory plus practical
Make it easy for the learner to link this course theory with practical, real-world examples

Learner Friendly
Help the learner to understand and remember what this training means in the real world
Learning Dashboard

Management Reports
Easily issue management reports on HIPAA training for audit reporting purposes.

Learner Analytics
Quickly view the progress analytics of all your learners in your organization.

Training Champions
Quickly identify the HIPAA training champions in your organisation.
Identify learners in your organization that require extra help with their HIPAA training.
This self-paced program delivers cybersecurity training built exclusively for healthcare professionals. Unlike generic security courses, it focuses on the unique threats, risks, and compliance requirements of the healthcare environment—where safeguarding protected health information (PHI) is both a regulatory obligation and a patient-care priority. The course equips participants with the practical knowledge and tools needed to protect PHI, comply with HIPAA’s privacy, security, and breach notification rules, and minimize the risk of costly violations.
We enable management teams to monitor the training progress of their staff throughout the year with a training dashboard.
Course Curriculum
The introduction to healthcare cybersecurity training explains that, although the provision of training is a regulatory requirement, its objectives are to reduce the likelihood of data breaches and the real consequences of data breaches. To encourage staff participation, the introduction suggests benefits of being more cybersecurity aware – such as enhanced job satisfaction and the avoidance of sanctions. Staff are also invited to apply best practices learned in the training to their personal online activities, and advised to seek advice from a person in authority if they have any questions about the training or how it applies to their roles.
This module sets the tone for the training inasmuch as it acknowledges that different staff members have different levels of cybersecurity awareness, different levels of HIPAA knowledge, and different ideas about the consequences of HIPAA violations and data breaches. To address some of the imbalances, the module explains why it is important staff understand and apply security best practices, provides examples of the difference between a HIPAA violation and a data breach, and summarizes the consequences of cybersecurity failures for patients, healthcare organizations, and staff.
This module is included to educate staff members whose roles do not ordinarily involve uses and disclosures of Protected Health Information, and to refresh the memories of those that use and disclose it every day. It recaps HIPAA and the main HIPAA Rules, and explains why some organizations implement more stringent requirements than HIPAA. It also explains why cybersecurity awareness has to be provided in the context of HIPAA. The module concludes with clarification of what is considered Protected Health Information under HIPAA, as this will be relevant to understanding several compliance concepts in later training modules.
This module starts by explaining that although HIPAA Security Officers are responsible for ensuring physical safeguards are implemented that comply with the requirements of the Security Rule’s Physical Safeguards, staff members are responsible for using the safeguards in compliance with HIPAA. The module focuses on the security of workstations, carts, and connected system accessories, application security, and using a personal device to create, receive, store, or transmit Protected Health Information. Additional advice is provided on the security risks of USB drives, and why it is important that any USB drive that has been used to store PHI is purged before being disposed of.
This module discusses why staff members are issued with unique passwords, and why it is important to keep passwords secure in the context of tracking user activities and tracing interactions with electronic PHI back to specific individuals. The discussion helps explain why passwords should never be shared, and primes staff members for later modules relating to phishing emails and social engineering. There are also lessons dedicated to how staff members should respond when they believe their password has been compromised – including one for staff members who re-use work-issued passwords to protect personal online accounts.
This module explains what phishing is, why it is a major threat to organizations in the healthcare industry, and the options available to cybercriminals once they have accessed PHI via a phishing attack. The module also explains why stolen PHI has a high value and a long shelf life in terms of what it can be misused for, and the length of time it can take before the misuse of PHI is identified. Specific lessons focus on misusing PHI to commit medical identity theft, tax fraud, and Medicare fraud; and it is noted that the same medical records can be resold – and misused – many times over to maximize profit and harm.
This module helps staff members better understand the different types of social engineering by explaining the difference between widespread phishing attacks, spear phishing attacks, and business email compromise attacks. The objective of the module is to raise staff awareness of how socially engineered communications can be delivered so they do not fall into common traps set by cybercriminals. Sections of the module also discuss how to recognize socially engineered communications, adopting a zero-trust approach for out-of-band requests from trusted sources, and what to do if they receive suspicious communications and are unable to verify the authenticity of the communication.
This module discusses the safe use of popular communication tools to ensure that, when staff members use an authorized channel of communication, they do so safely. Best practices for using email cover disclosures of PHI in email subject lines, maintaining a tidy inbox, and ensuring emails are sent to the correct recipients. The section on messaging services explains that not all messaging services are HIPAA compliant and that even when they are, it is still necessary for a Business Associate Agreement to be in place before a service can be used to transmit PHI. Social media best practices include never interacting with a patient via social media and being careful about what is included in personal social media profiles.
This module is designed to help staff members better understand the rationale behind certain security policies. For example, many organizations have policies stating PHI should not be stored in contact lists. This module explains why, and provides examples of what information can be stored in contact lists when it is necessary to add identifying information to distinguish between contacts with the same name. The objective of this module is to encourage staff members to be more thoughtful when creating emails, documents, and contacts, or performing other administrative activities in which the risk exists that Protected Health Information may be exposed impermissibly or in violation of a security policy.
This module emphasizes that all staff members must comply with security policies developed to comply with the HIPAA Security Rule Technical Safeguards by explaining how cybercriminals can remotely elevate account access permissions to move laterally through healthcare networks. It also cautions against providing malicious insiders with access to login credentials, and suggests best practices for password security, manually logging out of systems, and paying attention to security pop-ups. The module concludes with a warning that staff members who undermine the Technical Safeguards – or who disclose login credentials through carelessness – will be sanctioned for violating a security policy.
This module explains that staff members’ compliance responsibilities extend beyond complying with security policies, and that they have to be conscious of any activity that could threaten the security of PHI – in any format. The module discusses why 80 percent of healthcare data breaches involve a human element, and covers topics such as over-eagerness, carelessness, negligence, and snooping. It also reminds staff members that their responsibilities for data security and HIPAA compliance do not end when they leave the workplace, and that these responsibilities still exist in interactions with friends, family members, and online communities.
This module focuses on the threats from brute force attacks on passwords, malicious emails, and malware deployments – highlighting that some threats of this nature can avoid detection by front line defenses. The module explains that a threat does not necessarily need to be successful in order to qualify as a HIPAA security incident, and provides advice on how staff members can recognize attempted security incidents that are yet to breach front line defenses. It also notes that different reporting procedures may apply depending on whether a security incident is suspected, or whether it is known to have been responsible for a data breach.
This module explains that HIPAA violations and data breaches have consequences, even if the HHS Office for Civil Rights declines to take enforcement action. Common consequences discussed in the module that affect patients include risks to patients’ health during and following a cyberattack, a loss of trust in healthcare providers, and medical identity theft. The consequences for organizations discussed in the module include indirect remediation costs and reductions in revenue – which can have an impact on the resources available for patient care. Staff members are also alerted to mandatory internal sanctions and the risk of external penalties, plus the risk that the consequences of HIPAA violations and data breaches can result in staff burnout and a reduction in workforce numbers.
This module provides case studies from multiple events that resulted in consequences for patients, healthcare organizations, or staff members. The case studies include the consequences for patients both during and following a cyberattack, and when a patient’s medical record is corrupted due to medical identity theft. There are also examples of when organizations are subject to state penalties and civil lawsuits – despite HHS Office for Civil Rights declining to take enforcement action – and the indirect impact cyberattacks can have on organizations’ finances. The module concludes with examples of professional, criminal, and employment consequences for staff members who carelessly disclosed PHI, or who misused it to commit theft and fraud.
The summary module contains a combination of key security takeaways from preceding modules and reminders of topics such as the purposes of the HIPAA Rules, staff responsibility for security, and the consequences of HIPAA violations and data breaches. The module concludes with a brief selection of statistics intended to focus staff members on absorbing and applying the information provided in the cybersecurity training.
Trusted By Over 1,000 Healthcare Organisations
Trusted By Over 100 Universities
Compliance Junction has been a wonderful partner in our HIPAA Training Program. The platform's robust features and intuitive interface have streamlined our training process, ensuring that all staff members are well-informed and up-to-date on HIPAA regulations. The customizable options allowed us to tailor the software to our specific needs, resulting in a more efficient and effective compliance program. Overall, I highly recommend Compliance Junction to any organization seeking a professional and comprehensive solution for HIPAA training and compliance.
Samantha Sanders
Business Operations Manager
Wells Family Dental Group
What Our Clients Say About Us
"Our students at York College of Pennsylvania found ComplianceJunction training to be both comprehensive and engaging. They appreciated how easy it was to pause and resume the modules, as well as the simple process for managing their certificates of completion. The practical examples kept the content interesting and relevant to real-world situations. ComplianceJunction made compliance training not just a requirement, but a genuinely valuable learning experience".
Amy Mascolo-Palmer MSHA CPRP
Director of Clinical Placement
York College of PA
Dr. Donald E. and Lois J. Myers
School of Nursing and Health Professions
"We are responsible for ensuring that all our students maintain patient privacy. We had been looking for a solution to train students and came upon ComplianceJunction. We have found this to be a very user-friendly platform with a team that is easy to work with. Our students commented that the whole process was easy to follow and complete".
Kristi Taylor RDH, MSEd
Department Chair/Program Director Dental Hygiene
Clark College
"The HIPAA training provided by ComplianceJunction is comprehensive, current, and highly practical. The platform is intuitive and easy to navigate, making the learning experience smooth and efficient. Integration into our existing compliance management system was seamless, saving time and reducing administrative burden. The inclusion of real-world examples and detailed case studies offers meaningful context and deeper insights into HIPAA regulations, making the material highly relevant for healthcare students".
Lori Hochman, PT, PhD
Director of Clinical Education
Associate Professor, Department of Physical Therapy
New York Tech
"We have now been working with ComplianceJunction since 2021, and the training has continued to evolve alongside changes in healthcare practice, technology, and regulatory expectations. I’ve spent my entire career in the healthcare sector, and even so, I learned important and practical aspects of HIPAA through their training — they truly taught an old dog new tricks".
Damon B. Cottrell,
Ph.D., DNP, APRN, FNP-C, CCNS, ACNS-BC
Professor Nursing
Texas Woman's University
