Get Everyone on the Same Page
If you operate as a HIPAA-regulated Covered Entity or Business Associate, or you are subject to PCI requirements, you know that security training is a key component of compliance. Making the necessary training a regular and effective part of the organization’s procedures can be difficult for any organization.
To remain compliant and safeguard your organization’s security, however, awareness and training must become ingrained within the organizational culture. In general, your training process should include:
- Annual training for every employee.
- Monthly security awareness reminders and tips distributed company-wide:
  - To keep awareness top of mind;
  - To convey the importance and seriousness of security processes; and
  - To supplement full training with updates to process or tips for security.
- New employee training before access is given to any critical or protected data.
- Remediation training and, if necessary, disciplinary action when processes are not followed.
- Refresher and updated training given periodically or when significant process changes occur.
Understanding what is required, and why, can help management focus on making it happen and getting everyone on the same page.
What Security and Compliance Training is Needed?
The HIPAA Security Rule requires Covered Entities to “implement a security awareness and training program for all members of its workforce (including management).” The Omnibus Rule effective September 2013 extended the requirement to include Business Associates.
PCI-DSSv2 12.6 requires companies to “implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.”
HHS.gov offers helpful training materials for HIPAA CEs and BAs, but the content of the training presented to employees varies from one organization to the next, because the goal is to ensure that employees understand the particular policies and procedures they are expected to follow within the organization, at their location, and in their particular role. The HIPAA Security Awareness and Training standard has four implementation specifications:
1. Security Reminders
2. Protection from Malicious Software
3. Log-in Monitoring
4. Password Management
It is important that training policies and procedures be documented, and that evidence of training completion be tracked and retained for each employee.
When is Security and Compliance Training Needed?
Annual Security Awareness and Compliance Training
Regular annual training should be conducted for all employees. The level of training required may vary by department and function. Changes to systems, tools, regulations, and/or policies should be highlighted, but this training should be comprehensive.
Monthly Security Awareness Tips and Reminders
One annual training is not enough to emphasize the importance of security procedures. To keep your employees focused on good security habits, keep an open dialogue going year round. An easy way to do this is to provide short, fun reminders by email, in your internal employee newsletter, or even posted on the break room wall.
To help you, Loricca publishes a monthly security tip that is ready for you to share; you can subscribe to receive the monthly tip by email.
Orientation Security Training for New Hires
HIPAA and PCI regulations both require new hires to be trained. PCI-DSSv2 12.6.1 states that companies are to “educate personnel upon hire and at least annually.”
As an organization-wide policy, no new employee should be given access to protected information until they have received security awareness and procedures training and have signed a training acknowledgement form, to be kept in their personnel file, which reduces the corporate risk of litigation in the future. Given the changing nature of security, and the inevitable changes that occur within an organization, updated training should be scheduled at least annually for all employees, and more often (as needed) for employees who are directly responsible for sensitive data, IT systems, or incident response.
Interim Training When Significant Changes are Made to Policies or Systems
In addition to the requirement to train all new staff, retraining should be conducted whenever environmental or operational changes affect the security of ePHI. Changes may include: new or updated policies and procedures; new or upgraded software or hardware; new security technology; or even changes in the Security Rule. (From HHS.gov HIPAA Security Series, 2007)
Why is Security and Compliance Training Needed?
Specifically, the Security Rule requires awareness training for all personnel. Regardless of the safeguards a CE implements, those safeguards will not protect the ePHI if the workforce is unaware of its role in adhering to and enforcing them. Many CEs’ security risks and vulnerabilities, as identified and analyzed in their risk assessments, are internal threats, both accidental and malicious. This is why security awareness training is so important. (From the CMS Compliance Review Analysis and Summary of Results, p. 9)
IBM released interesting information that breaks down the types of healthcare breaches reported to the HHS Office for Civil Rights (OCR), which oversees HIPAA requirements. Illustrated below, the data shows that:
Since 2009, EPHI of nearly 21 million individuals has been compromised in large medical-record breaches, defined as breaches that affect 500 or more people. Of the large breaches, 21 percent affected a BA. Additionally, tens of thousands of breaches involving fewer than 500 records have been reported to the OCR.
The most common cause of large-scale breaches was theft (55 percent), followed by unauthorized access to or disclosure of EPHI (20 percent), loss of information (11 percent), hacking (6 percent), improper disposal (5 percent), and unknown/other (3 percent).
(For the full report, go to IBM.com.)
It is important to note that “theft” in the pie chart above includes theft of equipment like laptops. “Loss of information” could mean the loss of a hard drive or flash drive. We have seen many examples of lost or stolen laptops costing companies millions in fines and remediation costs. Not all data breaches or security incidents can be prevented by training. But many can. If clear policies and consistent training can avoid a costly or even devastating breach, it is more than just a compliance requirement; it’s good business.
You can read more about Loricca’s Security Awareness Training services or contact us today to create a plan to build a culture of security and get everyone in your organization on the same page.