HIPAA Security and Awareness Training

When it comes to implementing a robust security protocol, employee training is one of the most critical, and often overlooked, aspects of a solid plan. Security and awareness training is also an integral part of HIPAA compliance.

But, according to a recent HealthITSecurity.com review of NueMD’s HIPAA Survey Update: “Healthcare organizations are also falling behind on annual HIPAA training. Currently, 58 percent of organizations provide annual HIPAA training for their staff, while 62 percent of organizations did so back in 2014.”

According to MediaPro’s State of Privacy and Security Awareness Report, 78 percent of healthcare employees showed some lack of preparedness with common privacy and security threat scenarios. Improved data security and patient privacy employee training would help to reduce cybersecurity risk, and benefit healthcare organizations as they work to keep pace against evolving data breaches.

As Strong as Your Weakest Link

Like any good thief, hackers approach your security measures and go for the weakest point in your defenses. There are primarily two types of hackers: those with little skill that perform exploits in bulk, hoping for easy prey to come along, and those with substantial skills, taking a targeted approach to achieve a set goal. Today’s breaches are mostly done by the second type hacker because healthcare data has become incredibly lucrative on the black market. The reason for this? Healthcare data contains a greater depth and breadth of accurate information about a person than most other types of records.

While your IT Security team may be up to date on the latest compliance rules, without specific training to address not only HIPAA’s guidelines, but also the issues at stake, and the various ways security can be breached, your average employee will not know how to protect against determined hackers.

About 32 million patient records have already been breached during the first half of 2019. This is twice as many as the total for all of 2018, according to the 2019 Mid-Year Breach Barometer Report from IT security firm Protenus.

In 2018, the healthcare sector saw 15 million patient records compromised in 503 breaches, three times the amount seen in 2017, according to the Protenus Breach Barometer. To put his into perspective, just between January and June of 2019, 1,611,235 patient records were breached. The same report notes that hacking was the cause of 60 percent of the total number of breaches throughout the first half of the year.

As Sean Curran, West Monroe Partners’ senior director of its security and infrastructure practice recently told HealthITSecurity.com, these major hacks prove the entire sector needs to adjust its security approach to keep pace with hackers.

Compliance Means Training

Experts tend to debate the effectiveness of any Security Training Plan. But the penalty structures built into HIPAA are a pretty solid indicator that ignorance, or lack of training, is not an excuse for loss of secure data.

There are two levels of training that any good plan should encompass. The first is general training, aimed at all employees or business associates with system access. General training should include basics like how to identify and avoid phishing attempts and forms of social engineering, what to do when the employees think they may have been targeted, and what the impact of a data breach will be.

The second level of training is group-specific training, which targets specific areas of responsibility. You must implement this higher-level training. IT administrators have different concerns than developers, but they are closer to each other than your average user with ID and password who only can access or change data.

Frequent and Up-to-Date Are the Keys

Like all HIPAA compliance requirements, security training for employees at your business and for any subsequent third party who maintains access to any systems containing or transmitting electronic patient health information (ePHI) is mandatory.

Initial security training is an important part of any new employee onboarding training, but frequency is a major factor in ensuring that employees are aware of current rules and good security hygiene. If possible, quarterly training is a recommended by security experts, as well as training following any security incident.

These periodic training updates need to address not only basic security, but also new tactics and methods employed in other significant security breaches, as well as identifying points of weakness unique to the employee’s role within your organization.

There is Help Out There if You Need it

Your HR department or your internal trainers can manage a comprehensive training plan. If your business does not have internal training, there are several security training companies that provide comprehensive services tailored to fit different needs. LightEdge recommends one that not only educates but tests to ensure employee understanding of the material and concepts covered and generates reports to ensure the impact of your training dollars.

Companies like SANS, Stickley on Security, or other security training providers can provide varying levels of individualized security training for Health Care businesses and business associates wishing to outsource their efforts.

Advanced or group specific training can be provided by either of those methods or by attending conferences or corporate training seminars. Or your internal personnel can design their own security training based on your particular environment.

But no matter how you approach it, training is an essential part of the HIPAA compliance process. The stakes are very high if you cannot document the fact that your employees have received appropriate training as part of your organization’s compliance efforts. Awareness is the key to making sure your employees have some defense against external attacks that lead to breaches.

All new employees will require basic security and awareness training. You will need to provide regular assessment and updated training for the more specific IT needs to identify the attack vectors hackers may be exploiting–and to be certain they are being managed adequately.

If you haven’t already addressed this vital element to HIPAA compliance? Now is the time.

Go a Step Above the Competition with LightEdge’s HIPAA Compliant Colocation Services

LightEdge has HIPAA secure data center locations at our Des MoinesKansas CityOmaha, Austin, and Raleigh data center facilities. With LightEdge, you can achieve auditable HIPAA compliance. With a specific background working with healthcare organizations, our data center and hosting solutions provide you with confidence you need to meet HIPAA requirements.

LightEdge offers a free risk assessment from our Chief Security Officer and Chief Compliance Officer as a free resource to all of our customers. Compliance and security are top priorities to guarantee that your data is protected. While there is no certification for HIPAA, LightEdge has successfully undergone a third-party examination against the HIPAA Security Rule and has been issued a Type 1 AT 101 letter of attestation confirming our alignment with HIPAA safeguards. LightEdge is compliant with:

If you are interested in getting a risk free assessment from our healthcare compliance experts, a tour of any of our HIPAA compliant data centers or to learn more about LightEdge’s compliance offers, contact us here. We have cloud hosting security and compliance experts standing by to answer any of your questions.

If you want to learn more about HIPAA compliance download our two e-books, Patient Privacy and Data Security: Utilizing IT Vendors to Meet HIPAA Compliance and Avoid, and How to Deploy a Secure Compliant Cloud for Healthcare.

Related Posts

Share This Article
director of compliance
Michael Hannan

Michael has eleven years of information systems, IT, consulting, and compliance experience. His expertise includes identifying and implementing general IT systems, applications, and business controls in conjunction with external compliance audits.

Michael is currently the Director of Compliance at LightEdge, helping to establish, maintain and, enforce the information security policies and procedures that keep LightEdge customers protected at all times.

See Full Bio