- The need for strong employee training only increases as the healthcare risk landscape grows and threatens PHI security, according to the recent OCR cybersecurity newsletter.
Data security training is necessary for combatting threats such as ransomware attacks and other cybersecurity incidents, and is also required under the HIPAA Security Rule, OCR noted.
“The Security Rule specifically requires covered entities and business associates to ‘implement a security awareness and training program for all members of its workforce (including management),’” OCR wrote. “Note the emphasis on all members of the workforce, because all workforce members can either be guardians of the entity’s PHI or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.”
The employee training program needs to be an ongoing and evolving process, the agency added. Periodic security updates – or reasonable equivalents – are required under HIPAA regulations, and covered entities should also remain flexible in educating staff members to properly meet new threats.
Organizations should consider how often to train employees, OCR said. This is especially important “given the risks and threats to their enterprises, and how often to send security updates to their workforce members.” Bi-annual training and monthly security updates have been successfully implemented by entities, the agency wrote. This has often been discovered through the organizations’ risk analyses.
“Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks including new ransomware variants [should be considered],” the newsletter stated.
OCR also highlighted the following areas to benefit workforce member security training:
- Computer-based training
- Classroom training
- Monthly newsletters
- Email alerts
- Team discussions
Healthcare organizations should also properly document all workforce training methods, including dates and types of training, training materials, and evidence of workforce participation. This is especially important because documentation is required under HIPAA regulations, and any auditor or investigator will ask for such documentation.
OCR has numerous training materials available online, the agency pointed out.
“OCR has launched a video training module for health care providers on patients’ right of access under the HIPAA Privacy Rule,” OCR states on its website. “The video module provides an in-depth review of the components of the HIPAA right of access and ways in which it enables individuals to be more involved in their own care.”
“The module provides helpful suggestions about how health care providers can integrate aspects of the HIPAA access right into medical practice.”
ONC and Medscape training materials were also listed as potential tools for entities. State Attorneys General also provide comprehensive HIPAA compliance guidance, OCR said.
Having a stronger cybersecurity workforce is a critical area that numerous federal agencies are working to improve.
The Department of Homeland Security’s (DHS) United States Computer Emergency Readiness Team (US-CERT) recently stressed an improved workforce “for the Nation’s long term ability to strengthen its cyber protections and capabilities.”
“On the cyber workforce front, Federal Workforce Development subject matter experts from DHS, Commerce, DoD, the Department of Labor, the Department of Education, and the Office of Personnel Management are working on a joint assessment on how to support the growth and sustainment of the Nation’s cybersecurity workforce,” DHS explained in recent cybersecurity updates.
NIST is also developing a Request for Information (RFI) for public comment on developing a stronger cybersecurity workforce, DHS added. The public can submit comments following the RFI’s release.
“Additionally, work is underway by ODNI, in consultation with other agencies, to review and report on workforce development efforts of potential foreign cyber peers to identify foreign workforce development practices likely to affect U.S. cybersecurity competitiveness,” DHS explained.