The Department of Health and Human Services’ Office for Civil Rights has reminded HIPAA-covered entities why security awareness training for healthcare employees is so important in its July Cybersecurity Newsletter.
PHI security is not only about technological solutions. While spam filters, web filters, firewalls and intrusion detection systems will undoubtedly improve an organization’s security posture, phishing emails often make it past those defenses and reach the inboxes of healthcare employees.
It is far easier to get a healthcare worker to install malware or hand over their login details than to attempt to bypass security defenses in other ways. Phishing campaigns can be created in minutes, huge numbers of emails can be sent to healthcare workers, and the campaigns are highly effective. However, that need not be the case. Provide security awareness training for healthcare employees and they can be transformed from a security liability into a resilient human firewall.
This is not just a recommendation. Security awareness training for healthcare employees is a requirement of the HIPAA Security Rule. A failure to implement a security awareness training program for all members of the workforce is a violation of HIPAA Rules and could attract a financial penalty.
As OCR explained, “All workforce members can either be guardians of the entity’s PHI or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.”
OCR investigates all breaches involving the exposure or theft of more than 500 records. If OCR discovers that an organization has failed to provide security awareness training to its workforce, a HIPAA violation penalty could be issued.
OCR explained that security awareness training for healthcare employees cannot be a one-time event. An annual training session is no longer sufficient. Security awareness training must be an ongoing process, and it must evolve as the threat landscape changes.
HIPAA does not specify how frequently training should be provided, but OCR suggests that many healthcare organizations conduct biannual training sessions combined with monthly security bulletins. However, the frequency of training and security bulletins should be dictated by the findings of organizations’ risk analyses. It may be necessary for training to be provided more frequently.
OCR has developed a library of training materials which are available via the HHS website. Covered entities should also use their own training materials or those developed by third-party security awareness training vendors. OCR suggests security awareness training for healthcare employees should involve a combination of computer-based training (CBT), classroom sessions, email alerts, posters, monthly newsletters and team discussions.
Covered entities should also document all training efforts, including obtaining attestations from employees that they have received training. Those documents will need to be provided to OCR during audits and investigations of data breaches.