Large-scale healthcare data breaches have already impacted millions of individuals in 2017 alone. As organizations rely more and more heavily on a growing number of technologies, the need for preparing for healthcare data security threats is stronger than ever.
Training healthcare employees in proper data security practices should be a top priority for all covered entities. Employee training is an important component of creating and implementing an effective cybersecurity program. But this is often an area in which covered entities are not confident.
Eighty percent of health IT executives and professionals said that employee security awareness is their greatest data security concern, according to a survey conducted by HIMSS Analytics and sponsored by Level 3 Communications, Inc.
Employee awareness training was also listed as one of the top five barriers to adopting a comprehensive security program. However, 85 percent of respondents said their organization does use an internal/employee security awareness program.
“My interpretation of the findings is that healthcare organizations must remain vigilant against cybersecurity threats and leverage all of their resources effectively to ensure every individual knows their role,” HIMSS Analytics Senior Director of Research Services Bryan Fiekers said in a statement.
A current and comprehensive employee training program can better prepare healthcare organizations against ever-evolving cybersecurity threats.
But what are the federal requirements with regard to employee training? What are essentials every organization should consider when creating and implementing employee training?
HealthITSecurity.com will review the basics of healthcare employee training, and give examples of what can go wrong if there are gaps in education.
HIPAA requirements for employee training
Workforce training and management is a requirement for all covered entities under the HIPAA Security Rule.
“A covered entity must provide for appropriate authorization and supervision of workforce members who work with e-PHI,” the Security Rule says. “A covered entity must train all workforce members regarding its security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.”
HIPAA was designed to be flexible and scalable, HHS states on its website, meaning that entities are not required to adhere to one standardized training program. Organizations are able to design an education and training program that fits their individual needs.
OCR explained in its July 2017 Cybersecurity Newsletter that the employee training program needs to be an ongoing and evolving process. Cybersecurity threats are continuously evolving and becoming more sophisticated. Organizations cannot afford to have stagnant policies or training programs.
“Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks including new ransomware variants [should be considered],” OCR said.
Risk analyses have shown that bi-annual training and monthly security updates are beneficial for employee training, the agency added. Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions are also top OCR recommendations for strong employee training programs.
Organizations must also remember to document their workforce training process, “including dates and types of training, training materials, and evidence of workforce participation,” OCR advised. This is important because HIPAA regulations require documentation to ensure HIPAA compliance. Should an organization be investigated or audited for a potential healthcare data breach, all such documentation will be requested.
ONC also coordinated with OCR to create a guide on how entities can integrate privacy and security into their organization. One chapter specifically addressed implementing a security management process, which covered entities can also use for assistance in creating an employee training program.
The seven steps include the following:
- Lead your culture, select your team, and learn
- Document your process, findings, and actions
- Review existing security of ePHI (perform security risk analysis)
- Develop an action plan
- Manage and mitigate risks
- Attest for meaningful use security-related objective
- Monitor, audit, and update security on an ongoing basis
The first step, creating a team to lead a culture of security, will be especially important for healthcare organizations as they create and implement workforce training measures. For example, this step can include designating a security officer.
“Your security officer will be responsible for developing and maintaining your security practices to meet HIPAA requirements,” the ONC guide explains. “This person could be part of your EHR adoption team and should be able to work effectively with others.”
The first step also discusses how organizations should promote a culture of protecting patient privacy and securing patient information. ONC advised that an organization’s culture do the following:
- Consistently communicate your expectations that all members of your workforce protect patients’ health information
- Guide your workforce’s efforts to comply with, implement, and enforce your privacy and security policies and procedures
- Remind staff why securing patient information is important to patients and the medical practice
St. Luke’s University Health Network is one organization that recently found success with its employee training program by sending out a scenario-based presentation on a quarterly basis.
The health system was part of the American Hospital Association’s Hospital & Health Networks (H&HN) Most Wired rankings for 2017.
St. Luke’s Director of Information Security David Finkelstein told HealthITSecurity.com that the presentations focus on numerous data security areas, including phishing, malware, and URL defense.
Employees must understand that these are things they need to look for and pay attention to, he said.
“Back in March we did a full-fledged phishing attack to see how people were doing,” Finkelstein recalled. “We had less than 9 percent of our organization click the link. An organization our size of over 12,000 – not to include all the non-affiliated providers, contractors, consultants – that's a significant win.”
“We still had people that clicked on it, so we're focusing on those individuals to help them understand what to do and what not to do,” he continued. “But the other 11,000 to 11,500 individuals are definitely understanding what they're looking at.”
Working to avoid employee errors and maintain data security
Employee training must occur at all levels, from the C-suite down. Organizations must also take into consideration that the different workforce levels might have different amounts of knowledge of cybersecurity issues, according to HIMSS Director of Privacy and Security Lee Kim.
“More people are interested in learning about healthcare cybersecurity (and cybersecurity generally),” Kim wrote in a 2017 blog post. “However, I have also found that the ‘depth’ to which they want to learn may vary. Getting too technical with jargon may lose many people. Cybersecurity information (and education) must be communicated in a way in which anyone can understand it.”
She explained that organizations must reduce the human element risk and “stay ahead of the threat.” Showing enthusiasm for learning about healthcare cybersecurity will help that process.
“While not everyone may want to be in the trenches of cybersecurity, people want to learn more about how cyberattacks occur and how they can do their part to protect their organization and its assets,” Kim said. “This is a great development. It used to be that people really did not care about cybersecurity (or the hidden dangers).”
When healthcare employees do not understand how their actions affect cybersecurity, or receive lackluster data security training, the result can be a healthcare data breach.
For example, Ohio-based Wood County Hospital experienced a ransomware attack after an employee clicked on a website she visits frequently for her job, Wood County CIO Joanne White told HealthITSecurity.com.
“From the logs that we were able to locate through [our managed security services provider], we saw the timestamp on the ransomware file,” White explained. “We looked for that timeframe and we were able to pinpoint exactly where the ransomware came in the system.”
Wood County was able to isolate the affected device and ensure that its entire system was not compromised. But since the incident, Wood County has stepped up its security, White said.
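The log correlation White describes (take the timestamp on the ransomware artifact, then look at what the host requested in the minutes before it) is a standard timeline step that is easy to script. The example below is added here and is not Wood County's or its security provider's code; the proxy log format, the host IP, the URLs and the artifact timestamp are all constructed for illustration.

```python
"""
Timeline correlation: given the creation timestamp of a ransomware artifact
found on a workstation, search web-proxy log lines for that host's requests
in the window leading up to it, so the ingress point can be pinpointed.
All log lines, addresses and timestamps below are constructed.
"""
from datetime import datetime, timedelta
import re

# Constructed proxy log lines in a hypothetical format:
# ISO timestamp, client IP, HTTP status, MIME type, requested URL.
PROXY_LOG = """\
2017-05-10T09:58:12 10.20.4.57 200 text/html http://intranet.example.local/schedule
2017-05-10T10:01:44 10.20.4.57 200 text/html http://supplier-portal.example.com/orders
2017-05-10T10:01:46 10.20.4.57 200 application/javascript http://cdn.example-ads.net/loader.js
2017-05-10T10:01:49 10.20.4.57 200 application/x-msdownload http://cdn.example-ads.net/update.exe
2017-05-10T10:02:03 10.20.4.88 200 text/html http://intranet.example.local/home
2017-05-10T10:15:30 10.20.4.57 200 text/html http://intranet.example.local/schedule
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")

# Content types worth a closer look when they immediately precede a malware artifact.
SUSPICIOUS_MIME = {"application/x-msdownload", "application/octet-stream", "application/zip"}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, status, mime, url = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "status": int(status),
            "mime": mime,
            "url": url,
        })
    return events


def requests_before(events, host_ip, artifact_ts, window_minutes=5):
    """Return the host's requests in the window that ends at the artifact timestamp."""
    start = artifact_ts - timedelta(minutes=window_minutes)
    return [e for e in events if e["ip"] == host_ip and start <= e["ts"] <= artifact_ts]


def likely_ingress(events, host_ip, artifact_ts, window_minutes=5):
    """
    Pick the most plausible ingress request: the latest suspicious-MIME download
    before the artifact, falling back to the latest request in the window.
    Returns the URL, or None if the host made no requests in the window.
    """
    candidates = requests_before(events, host_ip, artifact_ts, window_minutes)
    if not candidates:
        return None
    downloads = [e for e in candidates if e["mime"] in SUSPICIOUS_MIME]
    chosen = max(downloads or candidates, key=lambda e: e["ts"])
    return chosen["url"]


if __name__ == "__main__":
    # Constructed: creation time of the ransomware binary on the affected workstation.
    artifact_time = datetime(2017, 5, 10, 10, 2, 1)
    evts = parse_log(PROXY_LOG)
    for e in requests_before(evts, "10.20.4.57", artifact_time):
        print(e["ts"], e["mime"], e["url"])
    print("likely ingress:", likely_ingress(evts, "10.20.4.57", artifact_time))
```

The window size is a judgment call: too narrow and a download that sat on disk before execution is missed, too wide and unrelated browsing drowns the signal. In practice the same correlation is run against DNS, endpoint and email logs as well, and the result feeds the "real-time examples" that later go out to staff.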
The organization sends out email reminders to employees with real-time examples. Staff members were also informed that Wood County had detected a vulnerability that was instigated by a user clicking on a link on a website.
Lackluster employee training could also lead to a lawsuit for a healthcare organization. A Lincare Holdings data breach was caused by an employee sending unencrypted employee personally identifiable information (PII) in an email to a third party who claimed to be “a Lincare senior-level executive.”
Former Lincare employees have since filed a lawsuit against the organization, claiming negligence with their PII.
“The Lincare employee did not bother to confirm or authenticate the validity of the request prior to sending the highly sensitive and confidential PII of Plaintiffs and the Class Members to the third party,” the lawsuit read. “Indeed, despite being placed on ample notice of the risks of such data breaches, Lincare failed to implement the most basic security precautions or checks before releasing its own employees’ PII.”
Lincare stated it “had retrained and re-educated its HR and Payroll staff, including the HR employee involved in the information release, on the importance of remaining vigilant about these types of criminal attacks.”
Even so, plaintiffs claimed that Lincare either knew or should have known that it could be vulnerable to such an attack, especially with other large-scale data breaches being reported around the same time.
Furthermore, plaintiffs stated better information security training could have potentially prevented the data breach. Lincare should also have implemented a better review of the policies and procedures dictating HR employee access to PII.
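The "basic security precautions or checks" the plaintiffs refer to can be made concrete as a pre-send gate: before HR answers a request for employee data, score the incoming request for executive-impersonation indicators and the outgoing reply for PII headed outside the organization, and hold or block accordingly until the request is verified out of band. The code below is an added example, not Lincare's or any vendor's control; the mail domain, executive names, addresses and message contents are constructed, and the thresholds are assumptions.

```python
"""
Pre-send check for the 'executive asks HR for employee data' pattern:
inspect the request being answered and the reply about to go out, and decide
whether the reply may be sent, must be held for verification, or is blocked.
All names, domains, addresses and message contents are constructed.
"""
import re
from dataclasses import dataclass, field

# Hypothetical organization: its own mail domain and its executives' display names.
INTERNAL_DOMAIN = "example-health.test"
EXECUTIVE_NAMES = {"Jane Doe", "John Roe"}
# Free webmail domains commonly used to pose as an executive "writing from my phone".
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PII_ATTACHMENT_RE = re.compile(r"w-?2|payroll|ssn", re.I)


@dataclass
class Message:
    from_name: str
    from_addr: str
    to_addrs: list
    body: str
    reply_to: str = ""
    attachment_names: list = field(default_factory=list)


def domain_of(addr):
    """Lower-cased domain part of an address; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def contains_pii(msg):
    """True if the body or attachment names suggest employee PII (SSNs, W-2s, payroll)."""
    if SSN_RE.search(msg.body):
        return True
    return any(PII_ATTACHMENT_RE.search(n) for n in msg.attachment_names)


def impersonation_indicators(request):
    """Reasons the incoming request looks like executive impersonation."""
    reasons = []
    from_dom = domain_of(request.from_addr)
    if request.from_name in EXECUTIVE_NAMES and from_dom != INTERNAL_DOMAIN:
        reasons.append("display name matches an executive but sender address is external")
    if request.reply_to and domain_of(request.reply_to) != from_dom:
        reasons.append("Reply-To domain differs from From domain")
    if from_dom in FREE_MAIL_DOMAINS:
        reasons.append("request sent from a free webmail domain")
    return reasons


def decide(request, reply):
    """
    Decide whether `reply` (HR's outbound answer to `request`) may be sent.
    Returns (action, reasons) with action one of 'send', 'hold-for-verification', 'block'.
    """
    external = [a for a in reply.to_addrs if domain_of(a) != INTERNAL_DOMAIN]
    pii_out = contains_pii(reply) and bool(external)
    indicators = impersonation_indicators(request)
    reasons = (["employee PII addressed to external recipient(s)"] if pii_out else []) + indicators
    if pii_out and indicators:
        return "block", reasons
    if pii_out:
        return "hold-for-verification", reasons
    return "send", reasons


if __name__ == "__main__":
    # Constructed scenario mirroring the pattern described in the article.
    req = Message("Jane Doe", "jane.doe@gmail.com", ["hr@example-health.test"],
                  "Need the W-2s for all staff today, I'm travelling.")
    rep = Message("HR", "hr@example-health.test", ["jane.doe@gmail.com"],
                  "Attached as requested.", attachment_names=["W-2_all_employees.xlsx"])
    print(decide(req, rep))
```

The gate is deliberately conservative: PII leaving the organization is held even when the request looks legitimate, because the cost of a phone call to the named executive is small next to the cost of a breach. The same checks also give the training program concrete, in-house examples to show staff.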
Basic ‘Dos’ and ‘Don’ts’ of employee training
No healthcare organization can guarantee that it will never experience a data breach or a cybersecurity incident. But creating and implementing a comprehensive workforce training and education program that is regularly updated can help lessen the chances of an incident occurring.
Here are key things to keep in mind when creating an employee training program:
- Do implement various types of training tools, such as computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions.
- Do document all training materials presented to staff and volunteers, including any associated certificates of completion.
- Do conduct regular training, such as bi-annual training and/or monthly security updates.
- Don’t take a “one-size-fits-all” approach. Implement training at all levels, and understand that different people will have different levels of cybersecurity knowledge.
- Don’t ignore HIPAA regulations. The Security Rule requires workforce training and management, but organizations can design a program that fits their unique needs.
Healthcare organizations must remain prepared for potential cybersecurity threats. Having a HIPAA-compliant employee training program that evolves with the changing threats is a key aspect of that preparation.