Employees are forgetful. Training helps them remember important security practices.
By: Tod Ferran
I submit that your greatest liability and security challenge are your very own employees.
Why should I train my workforce members on HIPAA compliance?

Most workforce members aren't malicious. They're just forgetful. People may have a fragmented view of what is required of them, or may never have been trained in the first place. Or their previous employer may not have held them to the standard you require.
If you don’t give your workforce members specific rules and train them on those rules, they won’t be able to keep protected health information (PHI) secure. Workforce member training and education will remind them that security is important, and squash any bad security behaviors. Remember that ‘common sense’ is not very common, and what may seem obvious to you may never have crossed the minds of your staff!
According to the Experian Data Breach Industry Forecast, “Workforce members and negligence will continue to be the leading cause of security incidents in the next year.”
Another reason HIPAA workforce member training is so important is to keep workforce members aware of the most up-to-date security policies and practices. Threats to the healthcare industry are constantly changing, so your security practices must change with them. If workforce members are only trained once a year, they will fall behind your own evolving security practices and certainly won't keep up with the threats.
What do HIPAA requirements say about training?

The HIPAA Privacy Rule (45 CFR 164.530(b)(1)) states: A covered entity must train all members of its workforce on the policies and procedures with respect to PHI…as necessary and appropriate for the members of the workforce to carry out their function…
The HIPAA Security Rule (45 CFR 164.308(a)(5)(i)) states: …Implement a security awareness and training program for all members of [your] workforce (including management).
SEE ALSO: What Are My HIPAA Security Requirements?
The Security Rule itself names only four addressable training topics (security reminders, protection from malicious software, log-in monitoring, and password management), but I recommend including the following in your program:
- Password management
- Social engineering
- Social media compliance
- Security updates/reminders
- Log-in monitoring
- Physical workstation security
- HIPAA privacy and security rules
- Disposal of data, media and equipment
Our advice

The cool thing about workforce member training is that you can conduct it in the manner that works best for your organization. As you set up your training plan, here are some tips to consider:
- Provide training as a mandatory part of new hire orientation
- Require monthly or quarterly training of all staff members or develop a weekly educational program (annual isn’t enough)
- Keep a repository of policies and procedures (keep these updated and inform staff of updates)
- Develop a verification process to ensure training completion
- Document dates and times when workforce members complete their training
- Evaluate your training program effectiveness each quarter
- Reduce costs by making training part of your comprehensive educational program
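The verification and documentation tips above boil down to two questions an auditor will ask: did every new hire complete training within the onboarding window, and is anyone past their next required refresher? Here is an added example (my own illustration, not SecurityMetrics' tooling or anything from the original post) that answers both from a simple completion log. The cadence (quarterly refreshers, 30-day onboarding window), the names and the dates are constructed sample data; substitute your own policy values and your real training records.

```python
"""Added example: check a training-completion log against a quarterly
refresher cadence and a new-hire onboarding window.

Everything here (policy values, names, dates) is constructed sample data,
not real HIPAA documentation or code from the original post.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample policy, assumed for this example:
# refresher training every 90 days (quarterly), and new-hire training
# must be completed within 30 days of the start date.
REFRESHER_DAYS = 90
NEW_HIRE_GRACE_DAYS = 30


@dataclass
class Member:
    name: str
    start_date: date
    # Dates on which this person completed training, taken from your records.
    completions: list = field(default_factory=list)


def check_member(m: Member, today: date) -> str:
    """Classify one workforce member's training status as of `today`.

    Returns 'ok', 'new_hire_overdue' (never trained and past the onboarding
    window) or 'refresher_overdue' (last completion older than the cadence).
    """
    if not m.completions:
        deadline = m.start_date + timedelta(days=NEW_HIRE_GRACE_DAYS)
        return "new_hire_overdue" if today > deadline else "ok"
    last = max(m.completions)
    if today > last + timedelta(days=REFRESHER_DAYS):
        return "refresher_overdue"
    return "ok"


def next_due(m: Member) -> date:
    """Date by which this member's next training must be completed."""
    if not m.completions:
        return m.start_date + timedelta(days=NEW_HIRE_GRACE_DAYS)
    return max(m.completions) + timedelta(days=REFRESHER_DAYS)


def audit(members: list, today: date) -> dict:
    """Return {name: status} for every member who is NOT in good standing."""
    findings = {}
    for m in members:
        status = check_member(m, today)
        if status != "ok":
            findings[m.name] = status
    return findings


# Constructed sample records (hypothetical people and dates).
SAMPLE_MEMBERS = [
    Member("alice", date(2023, 1, 10), [date(2023, 12, 1), date(2024, 3, 15)]),
    Member("bob", date(2023, 1, 10), [date(2024, 1, 5)]),
    Member("carol", date(2024, 4, 1)),   # hired, never trained
    Member("dan", date(2024, 5, 20)),    # hired, still inside onboarding window
]
SAMPLE_TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    for m in SAMPLE_MEMBERS:
        print(f"{m.name:6} {check_member(m, SAMPLE_TODAY):18} next due {next_due(m)}")
    print("findings:", audit(SAMPLE_MEMBERS, SAMPLE_TODAY))
```

Run it against an export of your own training records; the `findings` dictionary is the list of people who need to be scheduled, and the per-member `next_due` dates are what you keep on file as evidence that the program is tracked rather than assumed.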
Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.