- The need for wholesale data security training changes in healthcare evident, irrespective of whether it’s educating non-IT clinical staff members on HIPAA basics or further education for IT professionals. Most healthcare pros will agree that the usual methods, such as annual training classes, aren’t well-suited for current technologies and compliance requirements.
There isn’t a proverbial silver bullet to fix the security gaps within healthcare organizations, but there are some success stories that experts have shared with HealthITSecurity.com over the past few months. These five lessons learned can be helpful for those looking to just tweak or even revamp their security training procedures.
To ensure that her staff abides by required protocols and procedures, Lynda Martel, Executive Director of Government and Enterprise Business Relations at DriveSavers Data Recovery, recommends regularly educating and updating staff members on the importance of appropriate BYOD practices. And the seriousness of safeguarding sensitive data needs to be conveyed from the top down:
Maybe on a quarterly basis, roll out the program again, remind people what the protocols are that they should be following, and reward people for improving procedures in their departments but making it a visible part of the organization so that everybody knows that the company takes security very seriously so they should, too.
Having an educated workforce that’s aware of cybersecurity risks is critical to mitigating risk. Since getting that awareness and education out there is incredibly important, Kobza said that NH-ISAC is developing a national healthcare and public health cybersecurity education framework that will provide training and education. It’s using the National Institute of Standards and Technology (NIST) cybersecurity framework as a foundation to help define healthcare, role-based cybersecurity education. Regardless of whether you’re an informatics nurse or an X-ray technician, you make the security roles and responsibilities relevant to their jobs instead of a broad approach.
Another aspect in helping staff members in a healthcare organization avoid human error is consistent engagement, according to Lance Spitzner, Training Director of the SANS Securing the Human Program.
SANS is a 200-person organization that teaches security professionals how to be better security professionals, but Spitzner’s Securing the Human team consists of about 20 individuals and focuses on educating non-IT people such as doctors and nurses. “We work with a lot of healthcare organizations and in many ways, healthcare has it the worst when it comes to securing data,” said Spitzner. “In healthcare, so many different people have access for so many varying reasons to protected health information (PHI) from various locations.”
According to Mac McMillan, CEO of CynergisTek, Inc., a healthcare information security services and consultant, the healthcare industry needs greater awareness among users dealing with protected health information and a different training model because the current “class” model isn’t working.
McMillan maintains that problem with security training is many of the techniques are focused on orientation training or an annual refresher or computer-based training (CBT) module. For the most part, one-time or yearly training isn’t very effective in changing workforce behavior on a day-to-day basis. McMillan argued that users don’t tend to learn in a one-time scenarios and instead incorporate best practices into their habits or workflow when they see the learning points on an ongoing basis or in come continuous way.
HIPAA includes points about periodic training or offering security best practice reminders and that’s why the Office for Civil Rights (OCR) focuses on what kind of training organizations are doing. OCR says that annual training that shows documentation [is good]. But if you really want to make a difference in your organization in terms of the human errors that people make or how people think about security as part of their workflow. And that comes down to providing a constant stream of security awareness and reminders throughout the year so that it becomes second nature.
Sacred Heart University (SHU) will offer a 36-credit cybersecurity program on a full- or part-time basis this fall.
Greg Kyrytschenko, associate director of the new program and has worked in the cybersecurity industry for 13 years, holding positions in security management and security architecture. Kyrytschenko went on to say the university is focusing on is the talent shortage out there and trying to find a good way to train and teach people security basics – not only from an end user perspective, but how to take all these different controls and put them into practice. When asked what the cybersecurity education core pieces are as they relate to healthcare, Kyrytschenko said there are a few different focuses.
We cover healthcare and the regulations, which is part of it, but we also teach how to create the next generation of workforce to ensure these [cybersecurity students] understand the technology and how it actually works so they can make judgment calls when they use a risk-based approach and are more effectively securing critical infrastructure fall all types of industries [such as healthcare]. We want everyone to know what’s going on in the industry.