How to implement a cybersecurity awareness program
October 1, 2016
With all the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), it may seem redundant to consider setting up a security awareness program at a medical practice. But, such a program—to educate employees about security challenges and safe practices—could help prevent any security mishaps.
When staff members understand why security is important and are able to recognize vulnerabilities, the practice is safer. Dan Lohrmann, chief security officer at training agency Security Mentor, Inc., says people make up 80% of the security challenges most organizations face. Security vulnerabilities and challenges evolve, as well, so on-going education is important.
For cash-strapped medical practices, there may be very real budgetary concerns and constraints, but a security awareness program does not need to be expensive. A little creativity can go a long way. For example, setting up a test workstation—unconnected to any real personal health information or practice systems—with security vulnerabilities and asking employees to identify them could be a low-cost, but useful activity.
Some programs use gamification techniques, or adding typical elements of game playing such as point scoring or competition, to increase employee engagement. For instance, adding a small prize, such as a piece of chocolate or other token of appreciation, to the workstation activity could serve as a motivational tool, while also keeping costs minimal. “Having an ongoing security awareness program is an inexpensive way to strengthen security while meeting compliance mandates,” Lohrmann says.
There are two other cost-related points to consider, says Lohrmann. First, a security awareness program is likely to be significantly less expensive than other security measures, such as upgrading software or hiring an outside firm to conduct security training. Second, Lohrmann says, “Note that a data breach will cost much more than training employees proactively.”
Putting together your program
Thanks to one of the requirements of HIPAA, medical practices should already have someone in a position to design and implement a security awareness program: the security officer. Since each practice is unique, the content of the program should be tailored to the needs of the practice. The security officer crafts the policies and procedures and is positioned to know what staff members need to learn regarding security.
There are a few things that are common across the board, though. Having specific, measurable goals from the outset should guide the program, as well as serve as an indicator of success. Security assessments are a requirement of HIPAA and may be a good place to begin designing a security awareness program.
As with any practice-wide initiative, having top-down approval makes all the difference. If the physicians and practice administrators are not supportive of the security awareness program, it’s unlikely to be successful.
Opinions vary as to how long a formal security training program should last. Many are one year in length, with a different topic addressed each month. Planning may be easier with that structure, but efficacy may suffer. A 90-day program could be more flexible and allow for adjustments if necessary. Either way, having an endpoint in mind before beginning will lend structure to the planning and to the program overall.
Whatever the length of the program, Lohrmann suggests annual evaluation, saying, “If a major overhaul has occurred, the annual look may be less comprehensive during the implementation of your plan.” The security awareness program is only one piece of the larger security puzzle and there may be years or months when other parts are more dominant.
With daily reports of healthcare ransomware attacks, settlements due to past data breaches and new cybersecurity threats, there is every reason to consider additional staff education, particularly if it can be done with little expense.
“Your staff and practice will benefit if you help them solve real challenges they are experiencing online at home and work,” Lohrmann says.