The year 2020 is (finally!) over, but the numerous COVID-19 cybersecurity threats it gave us are still with us, making life difficult for organizations large and small.
These threats are especially worrisome for healthcare providers, which are required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
In fact, 3,705 healthcare data breaches of 500 or more records were reported to the HHS’ Office for Civil Rights between 2009 and 2020, resulting in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records.
The Need for Better Cybersecurity Training
The biggest cause of healthcare data breaches? Insufficient cybersecurity training resulting in employees not adhering to cybersecurity best practices.
When employees are not trained to protect their data, avoid malicious emails and websites, use strong passwords, and exercise other fundamental security practices, cybercriminals have many opportunities to circumvent the organization’s defenses and steal valuable patient data.
That’s why 80 percent of health IT executives and professionals surveyed by HIMSS said that employee security awareness is their greatest data security concern. Unfortunately, many healthcare employees have only a basic understanding of the threats they face.
Understanding HIPAA Training Requirements
HIPAA requires all employees who have access to sensitive patient health information, better known as Protected Health Information (PHI), to receive cybersecurity training upon hire and annually.
The training needs to include periodic security updates, procedures for guarding against, detecting and reporting malicious software, procedures for monitoring login attempts and reporting discrepancies, and procedures for creating, changing and safeguarding passwords, as explained in the HIPAA Privacy Rule Administrative Safeguards.
The problem is that many healthcare providers see the above-listed requirements as a bureaucratic annoyance—not a critically important cybersecurity practice. As such, they often simply let their employees sign a piece of paper to confirm they received some training, not realizing how severe the consequences of their irresponsible approach can be.
Creating an Effective HIPAA Training Program
For any HIPAA training program to be effective, it needs to reflect the needs of healthcare professionals, take into consideration the latest cybersecurity threats, and be performed on a regular basis multiple times a year.
What does reflecting the needs of healthcare professionals mean? It means tailoring the cybersecurity training program so that it covers the situations employees actually encounter in their work, including day-to-day security best practices, use and disclosure of PHI, recognition of social engineering, and protection of the personal workspace, to give a few examples.
With the right cybersecurity training approach, healthcare providers can ensure HIPAA compliance and, most importantly, address the biggest cause of data breaches: the human factor.
We at Spectrum Technology Solutions are ready to offer on-demand web-based cybersecurity awareness training with specific HIPAA compliance modules. With our help, you can easily create an effective HIPAA training program to address security gaps and be ready to face ever-evolving cybersecurity threats.