A recent article at HealthITSecurity.com discussed some disappointing stats regarding cybersecurity training in Healthcare. The article “24% of US Health Employees Never Received Cybersecurity Training” highlighted that an alarming number of workers in Healthcare are undereducated or lack basic cybersecurity knowledge.
They found 24% of US employees had not received any cybersecurity training and 40% were unfamiliar with their own organization’s security measures. As an organization focused on Healthcare cybersecurity, our team at Loricca does see the lack of training and the resulting security problems.
So how should organizations train their employees to be HIPAA compliant and keep their environments secure? The good news is that HIPAA training is pretty straightforward, especially when compared to the other training requirements in Healthcare. A HIPAA training program should include three types of training.
Recommendation 1: New Hire & Annual Training
First, there should be a training curriculum used for new hire and annual training. This content should include a general overview of HIPAA Privacy and Security requirements, cybersecurity, and the organization’s policies and procedures. We recommend the program be role-based and tailored to each person’s job; for example, people in IT should receive more technical information, but everyone in the organization gets information on avoiding ransomware and reporting incidents. Create a training plan which outlines the roles in your organization, everything from the executives to managers and clinical staff. Decide what type of training each role should have and deliver that content to them.
If this sounds too complicated, the same training can be used for all employees as long as it contains the necessary elements. It’s important to document the training for each employee and store the records centrally (for example, in their employee file). Documentation should include a simple test to verify comprehension and a written acknowledgment by the employee. This annual training meets the requirement for compliance and will probably help protect the organization in the event of a breach, but we don’t see high retention rates for the information. While the annual training is required, we’ve found that the second type of required training, Security Awareness training, is the content which really provides knowledge transfer and changes employee behavior.
Recommendation 2: Monthly Security Awareness
Security awareness training consists of informal messages sent monthly which people can digest quickly and then move on with their day. We suggest keeping these messages fun, light, and readable in about 15 seconds to encourage people to read them. Keep your team engaged with this type of training and even those who aren’t interested in Cybersecurity will soon learn good security practices. The current trends in dangerous phishing and ransomware attacks are recommended subjects, but any cybersecurity topic is fair game. Putting these awareness messages on bulletin boards, in emails, or on internal websites keeps security topics fresh in people’s minds. Employees learn how to handle their passwords, lock their computers, and recognize a phishing email when they receive it and take appropriate action. Security awareness training is really the key to changing employees’ behavior, which is a critical component of keeping your organization secure.
Recommendation 3: Skill Training for Security Team
The last type of training we recommend usually makes the security team happy, but that’s not why we recommend it. Cybersecurity is a constantly changing field with new threats and technologies coming out on a daily basis. Your team needs to receive formal training on an annual basis to keep their skills fresh. This will pay dividends as the technologies and processes used in your organization stay current with best practices.
A long time ago a boss was once asked “aren’t you afraid you’ll train people and they’ll leave?” to which he responded, “no, I’m afraid I won’t train them, and they’ll stay.”
Contact us today for a review of your training program to ensure it meets the requirements for HIPAA.