How to Improve HIPAA Training

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.databreachtoday.com/blogs/how-to-improve-hipaa-training-p-1595

It's important to pay more attention to HIPAA training. A huge portion of
health data breaches occur because staff members lack knowledge, make
mistakes or act out of malicious intent. Organizations can effectively
mitigate the first two factors, and impact the third, with effective
training and ongoing awareness.

Many executives express the flawed opinion that implementing information
safeguards is just basic common sense, and so minimal resources need to be
dedicated to such education. If this were true, we would have a fraction of
the privacy breaches that we see reported (see: Far More Health Breach
Victims in 2013). Simply applying common sense is not so common -
especially with all the new and increasingly complex technologies being
used (some lacking security and privacy controls), the increasing types of
mobile devices being used, and the many locations outside of the
organization's walls, and outside its network, from which information is
accessed.Each employee and contractor who has been authorized to have
access to patient information literally has the security of that
information under their control. Remember these three points:

People are not born knowing how to effectively safeguard information.

Most people have a tendency to want to share information and to be helpful
by providing information to anyone who asks. Each person who is given
access to protected health information must be provided with education
about how to protect that information appropriately, and share it
appropriately, in all situations in which they have access to it.

Technology alone cannot secure information.

Computer systems and applications must be built with more robust and more
transparent security capabilities. But when it comes to effective
information security and privacy protection, you cannot create a computer
technology so secure that no training is necessary for those using the
computers. It's like saying you can build a car so secure that you don't
need to teach people how to drive safely. Who wants to be on the road with
those folks? And then there are the millions of paper documents that
absolutely depend upon staff taking proper precautions.

Last, but not least, many legal requirements exist for information security
and privacy awareness and training.

A growing number of laws and regulations, HIPAA included, contain
requirements for organizations to provide some type of information security
and/or privacy awareness and training to not only their personnel, but
also, in some instances, to their customers.

Common Weak Spots

Too many covered entities and most (practically all that I've seen)
business associates think training means simply regurgitating verbatim the
HIPAA regulatory text to employees, or boiling down HIPAA into a few
sketchy, incomplete and non-specific statements. They usually fail to
actually explain what the workers must do within their everyday work
activities to effectively protect information. The weakest spots I've seen
over the years are:

No targeted training for the IT staff;
No targeted training for those in customer service areas who communicate
directly with patients;
No training tied to the use of new and emerging technologies, such as
social media, cloud computing and big data analytics; and
No targeted training for executive management. Too many executives have
stated that they don't need training - even though a huge chunk of breaches
occur as a result of executives doing things out of security ignorance.

Online Training vs. In-Person Classes

So what is more effective: online training or in-person classes? The answer
depends upon the topic of the training, the target audience, the
availability of the target audience and the risks associated with the topic.

Organizations must determine the best method of training based upon those
four considerations. Remember, one type of training will not be most
effective for all audiences, nor for all topics. Here is what I recommend
for most:

Provide initial training for information security and privacy basics to all
employees. This can be done with well-constructed online training modules.
Provide additional training of various types to targeted groups - such as
customer service reps, nurses and doctors, and IT staff - with specialized
education on their particular job responsibilities. Often videos can be
effective for these targeted groups of learners. Classroom training is also
effective because it allows them to ask questions, practice using role
playing and have group discussions about the topics with their peers.
Provide ongoing in-person awareness activities as well as awareness message
updates using a variety of media. You can't expect training to stick with
your personnel forever after training. That's why it's important to provide
ongoing reminders to keep information security and privacy tips top-of-mind
during their everyday job activities.

By building a multi-layered, varied-delivery and targeted training
approach, healthcare organizations can help build a culture of information
security and privacy awareness that results in employees safeguarding PHI
as a part of their daily job responsibilities.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.