Sitting in on a lecture-type class once per year has never been an ideal training method in general, and that principle applies even more so to health IT security training. According to Mac McMillan, CEO of CynergisTek, Inc., a healthcare information security services and consulting firm, the healthcare industry needs greater awareness among users dealing with protected health information and a different training model, because the current “class” model isn’t working.
McMillan, who recently talked with HealthITSecurity.com about health data breach trends, maintains that the problem with security training is that many of the techniques are focused on orientation training, an annual refresher, or a computer-based training (CBT) module. For the most part, one-time or yearly training isn’t very effective in changing workforce behavior on a day-to-day basis. McMillan argued that users don’t tend to learn in a one-time scenario; instead, they incorporate best practices into their habits or workflow when they see the learning points on an ongoing basis or in some continuous way.
HIPAA includes points about periodic training or offering security best practice reminders, and that’s why the Office for Civil Rights (OCR) focuses on what kind of training organizations are doing. OCR says that annual training that shows documentation is good. But if you really want to make a difference in your organization in terms of the human errors that people make, or how people think about security as part of their workflow, that comes down to providing a constant stream of security awareness and reminders throughout the year so that it becomes second nature.
And this can be done without much effort, McMillan said, with ideas such as banners on computer screens so that every time a user logs in there’s a different security message for them to read and remember, such as one of the 15 golden rules of security. Seeing those messages each time can help users avoid the human error issues that plague healthcare organizations. Furthermore, management-level users need to be on board to help improve organizational culture.
Another part of this is giving your management-level folks better security training in managing their department. That way, it’s not coming from just the IT, security or compliance departments; it’s managers taking an active interest in areas such as where systems and data are, how users are handling them, or whether the shred bin is locked.
Nothing McMillan said was necessarily new or out of the ordinary, but his points resonate because all too often the healthcare organizations that suffer data breaches aren’t taking the time to provide security training more than once per year. With OCR audits in the near future, hopefully many organizations will reevaluate their training practices and decide to offer continuous, flexible training for employees.