No one can deny that technology has been a boon to the healthcare sector enabling better care for patients and convenience for providers. Smart devices of all types connect with medical record and billing systems and various applications through cloud computing. Unfortunately, all this interconnectedness has created opportunities for hacking and other illegal activity. A 2017 KPMG Cyber Healthcare & Life Sciences survey found that there was a 10% increase in the number of providers and health plans that reported HIPAA data breaches or cyber-attacks from 2015 to 2017. (https://healthitsecurity.com/news/hipaa-data-breaches-cyber-attacks-reported-by-47-of-orgs)
With great power comes great responsibility. ~ Ben Parker (Stan Lee)
Many of these breaches could have been prevented by an informed workforce trained to detect and properly respond to cyber-attacks. Data security training is so essential for protecting an organization against cyber-attacks, it is required by the HIPAA Security Rule 45 C.F.R. § 164.308(a)(5)(i) which specifically requires covered entities and business associates to “implement a security awareness and training program for all members of its workforce (including management).”
Note the emphasis on all members of the workforce, because every employee can either be guardians of the entity’s PHI or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches. An organization’s training program should be ongoing and evolving to keep the workforce knowledgeable about new and emerging cybersecurity threats such as social engineering ploys, phishing scams, malicious software attacks and new ransomware variants.
A good training program for covered entities and business associates should have guidelines and documentation for frequency, method and type of training. Use your organizations risk analysis to help determine how often to train. Many CEs have determined that bi-annual training, and monthly security updates are necessary. Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions are all tools that different organizations use to fulfill their training requirements.
Document all training provided including dates and types of training, training materials, and proof of employee workforce participation. Any investigator or auditor can ask for this documentation to verify compliance with the HIPAA Rules. See 45 C.F.R. §§ 164.316(b) and 164.530(j).
The OCR has training materials available online as well as guidance about the Security Rules.
https://www.hhs.gov/hipaa/for-professionals/training/index.html
https://www.hhs.gov/hipaa/for-professionals/security/guidance.