Data security is becoming an increasing concern as technology becomes more embedded in our healthcare systems. Data breaches put patients' and hospitals' privacy at risk and force hospitals to spend significant amounts of money compensating affected patients and creating new defensive systems. Even big name hospitals like Beth Israel Deaconess in Boston have had breaches, and recently, Brigham and Women's Hospital in Boston reported a possible data breach. As healthcare organizations implement electronic health records and health insurance exchanges, data security training should be a priority. Brian Lapidus, COO of the fraud solutions division of risk and security management company Kroll, shares his top 10 tips for a successful data security training program.
1. Train all employees. Both HIPAA and the HITECH Act require training for all new and current employees, including contract workers and volunteers. "Not only is it smart business, it's also the law," Mr. Lapidus says.
2. Integrate data security training with overall employee education. "Incorporating data security training into your company's overall employee education program is vital to its proper documentation and implementation," Mr. Lapidus says. "If training is scheduled too close to other educational programs, employees might suffer from training overload and not get the maximum benefits of the session. If training isn't promoted in a way consistent with other educational programs, employees might ignore it altogether."
3. Use role-based training. Mr. Lapidus says it is important for employees to receive the appropriate training based on their role in the organization and what information they have access to. He suggests studying employees' job descriptions, access logs and other records to determine what level of training each employee needs. "The best practice is to develop a basic training program for all employees with tailored elements for different employee tiers/categories," Mr. Lapidus says.
4. Make data security training an ongoing activity. Healthcare organizations should provide ongoing or refresher training to update employees on any new policies, procedures or other information.
5. Verify and document all training to maintain compliance. Hospitals can verify training through certification forms, sign-in sheets for in-person training or audit logs for online programs, Mr. Lapidus says.
6. Ensure business associate training. Although a hospital will probably not provide training directly to its business associate's employees, it has a responsibility to include training requirements in the business associate agreement, according to Mr. Lapidus. "It's your responsibility to make sure the [business associate's] training plan meets your requirements," he says.
7. Build job-specific scenario exercises into training. Employees may benefit from training that includes possible job-specific scenarios. "For instance, front desk
employees that directly contact patients will have different experiences from the administrative assistant handling [business associate] contracts or the researcher working with aggregated data. Make sure that the role-based training addressed in [tip] number three includes exercises that challenge employees to think about how they might handle a given situation likely to arise in their current roles," Mr. Lapidus says.
8. Incorporate breach detection and escalation in training. Organizations' notifications of data breaches are due no later than 60 days after the breach occurred. Mr. Lapidus suggests training employees to recognize potential breaches and "escalate information to key administrators that are designated first responders."
9. Include data security wisdom in all employee communications channels. Mr. Lapidus says healthcare organizations should maintain employees' awareness of privacy and security issues by communicating through newsletters, emails or other internal channels. "This could take the form of general reminders ('Always log out when leaving a workstation.') to more specific ('This is an open workstation; do not access restricted documents from it.'). Reminders are a great way to reinforce key data security teachings in between an organization's regular training sessions."
10. Create a cultural shift within the organization. "To be truly effective, training and education should be part of the culture rather than just the required act of signing an agreement," Mr. Lapidus says. He says organizations' leaders should demonstrate commitment to data security by modeling best practices, incorporating security requirements into employee assessments and rewarding employees for data security success.
Learn more about Kroll.
Health Net's Data Breach Affects 6,300 More Customers Than Originally Thought
Omnibus HIPAA Final Rule Will Not Mandate Encryption of Personal Health Information
1. Train all employees. Both HIPAA and the HITECH Act require training for all new and current employees, including contract workers and volunteers. "Not only is it smart business, it's also the law," Mr. Lapidus says.
2. Integrate data security training with overall employee education. "Incorporating data security training into your company's overall employee education program is vital to its proper documentation and implementation," Mr. Lapidus says. "If training is scheduled too close to other educational programs, employees might suffer from training overload and not get the maximum benefits of the session. If training isn't promoted in a way consistent with other educational programs, employees might ignore it altogether."
3. Use role-based training. Mr. Lapidus says it is important for employees to receive the appropriate training based on their role in the organization and what information they have access to. He suggests studying employees' job descriptions, access logs and other records to determine what level of training each employee needs. "The best practice is to develop a basic training program for all employees with tailored elements for different employee tiers/categories," Mr. Lapidus says.
4. Make data security training an ongoing activity. Healthcare organizations should provide ongoing or refresher training to update employees on any new policies, procedures or other information.
5. Verify and document all training to maintain compliance. Hospitals can verify training through certification forms, sign-in sheets for in-person training or audit logs for online programs, Mr. Lapidus says.
6. Ensure business associate training. Although a hospital will probably not provide training directly to its business associate's employees, it has a responsibility to include training requirements in the business associate agreement, according to Mr. Lapidus. "It's your responsibility to make sure the [business associate's] training plan meets your requirements," he says.
7. Build job-specific scenario exercises into training. Employees may benefit from training that includes possible job-specific scenarios. "For instance, front desk
employees that directly contact patients will have different experiences from the administrative assistant handling [business associate] contracts or the researcher working with aggregated data. Make sure that the role-based training addressed in [tip] number three includes exercises that challenge employees to think about how they might handle a given situation likely to arise in their current roles," Mr. Lapidus says.
8. Incorporate breach detection and escalation in training. Organizations' notifications of data breaches are due no later than 60 days after the breach occurred. Mr. Lapidus suggests training employees to recognize potential breaches and "escalate information to key administrators that are designated first responders."
9. Include data security wisdom in all employee communications channels. Mr. Lapidus says healthcare organizations should maintain employees' awareness of privacy and security issues by communicating through newsletters, emails or other internal channels. "This could take the form of general reminders ('Always log out when leaving a workstation.') to more specific ('This is an open workstation; do not access restricted documents from it.'). Reminders are a great way to reinforce key data security teachings in between an organization's regular training sessions."
10. Create a cultural shift within the organization. "To be truly effective, training and education should be part of the culture rather than just the required act of signing an agreement," Mr. Lapidus says. He says organizations' leaders should demonstrate commitment to data security by modeling best practices, incorporating security requirements into employee assessments and rewarding employees for data security success.
Learn more about Kroll.
Related Articles on Healthcare Data Security:
3 Strategies for Securing Health DataHealth Net's Data Breach Affects 6,300 More Customers Than Originally Thought
Omnibus HIPAA Final Rule Will Not Mandate Encryption of Personal Health Information