HIPAA security awareness training is a requirement of the HIPAA Security Rule, which calls for HIPAA covered entities and their business associates to “implement a security awareness and training program for all members of its workforce (including management).”
Security awareness training is a critical element of cybersecurity defenses and it is vital for all individuals in the company to receive training, from the CEO down. Technical measures such as firewalls, spam filters, and antivirus software can be effective and will help to block the majority of cyber threats, but even the most sophisticated technical cybersecurity measures will not be sufficient to block all threats.
Attackers know all too well that employees are often the weakest link in the security chain. Tricking an employee into handing over login credentials, and with them access to a healthcare network, is usually far cheaper than finding and exploiting a software vulnerability. Cybercriminals therefore actively target healthcare employees with phishing emails and other social engineering to trick them into disclosing sensitive information such as their login credentials.
Employees need to be provided with HIPAA security awareness training so that they know the threats they are likely to encounter and can recognize and avoid them. It is also important to teach cybersecurity best practices to the workforce to reduce the risk of human error. Training cannot eliminate mistakes, but it can curb the risky habits (reusing passwords, opening unexpected attachments, acting on urgent-sounding requests without verification) that open the door to a malware or ransomware infection and a data breach.
HIPAA Security Rule Training Requirements
HIPAA Security awareness training, like training on the requirements of the HIPAA Privacy Rule, must be provided “to each new member of the workforce within a reasonable period of time after the person joins the Covered Entity’s workforce.” That timing language comes from the Privacy Rule’s training standard (45 CFR 164.530(b)); the Security Rule sets no explicit deadline of its own, but the same expectation is applied in practice. Ideally, HIPAA Security awareness training should be part of the onboarding process, with training provided within a few days or weeks of a person commencing employment. Training must also be provided periodically thereafter.
Security awareness training is vital, but the HIPAA Security Rule itself says very little about what the training must cover. The security awareness and training standard (45 CFR 164.308(a)(5)) lists only four addressable implementation specifications: security reminders (periodic security updates), protection from malicious software, log-in monitoring, and password management. Because these are addressable rather than required, an organization must implement them if reasonable and appropriate, or document why not and put an equivalent measure in place. There is no mention of training to prevent phishing attacks anywhere in the HIPAA text, even though phishing is one of the leading causes of healthcare data breaches.
The reason for the lack of specifics about topics to cover in training is that technology and cybersecurity best practices are constantly evolving, as are the tactics, techniques, and procedures (TTPs) used by hackers to breach healthcare defenses. HIPAA is deliberately technology-neutral so that it remains relevant as threats change, although this can make it hard for covered entities and business associates to determine exactly what they need to do to ensure compliance.
How Often Must HIPAA Security Awareness Training be Provided?
The number of cyberattacks now being conducted on healthcare organizations is greater than ever before. A couple of years ago, data breaches were being reported at a rate of one per day, on average. So far in 2021, there have been several months where healthcare data breaches have been reported at a rate of more than two per day!
Given the extent to which hackers are targeting healthcare organizations and their business associates, and the number of data breaches caused by human error, cyber education needs to improve significantly. The best practice used to be to provide HIPAA security awareness training for the workforce annually, but given the huge volume of attacks now being conducted, a single annual session is no longer sufficient to counter the threat.
In 2017, the HHS’ Office for Civil Rights (OCR), the main enforcer of HIPAA compliance, reminded HIPAA covered entities and their business associates about the importance of security awareness training for the workforce and confirmed it was a key element of HIPAA compliance.
The HIPAA Security Rule only requires training to be provided periodically, but OCR confirmed that security awareness training needs to be an ongoing and evolving process and noted that many covered entities had successfully implemented a bi-annual training program, supplemented with monthly security updates for the workforce.
In addition to regular security awareness training, security updates and reminders allow IT security teams to rapidly communicate new and emerging cybersecurity threats to the workforce and raise awareness of new scams and TTPs, so that employees are prepared should they encounter one. These reminders could cover new social engineering techniques such as fake tech support scams, current phishing lures, or malicious email attachment types to watch out for.
OCR suggested computer-based training should be considered, although classroom training may also be appropriate. Posters, email alerts, and monthly newsletters can also be used to good effect and will help to create a security culture in an organization.