The need for wholesale data security training changes in healthcare is evident, irrespective of whether it's educating non-IT clinical staff members on HIPAA basics or providing further education for IT professionals. Most healthcare pros will agree that the usual methods, such as annual training classes, aren't well-suited to current technologies and compliance requirements. There isn't a proverbial silver bullet to fix the security gaps within healthcare organizations, but there are some success stories that experts have shared. These five lessons learned can be helpful for those looking to tweak, or even revamp, their security training procedures.
1. Top-down approach improves user awareness

To ensure that staff abide by required protocols and procedures, regularly educate and update staff members on the importance of appropriate BYOD practices. And the seriousness of safeguarding sensitive data needs to be conveyed from the top down:

Maybe on a quarterly basis, roll out the program again, remind people what the protocols are that they should be following, and reward people for improving procedures in their departments, making it a visible part of the organization so that everybody knows that the company takes security very seriously, so they should, too.
2. Have a training model in place

Having an educated workforce that's aware of cybersecurity risks is critical to mitigating risk. Since getting that awareness and education out there is incredibly important, NH-ISAC is developing a national healthcare and public health cybersecurity education framework that will provide training and education. It's using the National Institute of Standards and Technology (NIST) cybersecurity framework as a foundation to help define healthcare, role-based cybersecurity education. Regardless of whether the employee is an informatics nurse or an X-ray technician, the framework makes security roles and responsibilities relevant to their jobs instead of taking a broad approach.
3. Engage the user to help avoid human error

Another aspect of helping staff members in a healthcare organization avoid human error is consistent engagement. Focus on educating non-IT people such as doctors and nurses, as healthcare has it the worst when it comes to securing data. In healthcare, so many different people have access to protected health information (PHI) for so many varying reasons and from various locations.
4. Continual training is necessary

The healthcare industry needs greater awareness among users dealing with protected health information and a different training model, because the current "class" model isn't working.

The problem with security training is that many of the techniques are focused on orientation training, an annual refresher or a computer-based training (CBT) module. For the most part, one-time or yearly training isn't very effective in changing workforce behavior on a day-to-day basis. Users don't tend to learn in one-time scenarios; instead, they incorporate best practices into their habits or workflow when they see the learning points on an ongoing basis or in some continuous way.
HIPAA includes points about periodic training or offering security best practice reminders, and that's why the Office for Civil Rights (OCR) focuses on what kind of training organizations are doing. OCR says that annual training with documentation [is good]. But if you really want to make a difference in your organization in terms of the human errors that people make or how people think about security as part of their workflow, that comes down to providing a constant stream of security awareness and reminders throughout the year so that it becomes second nature.
5. Train the security pros early on

Universities need to focus on the talent shortage out there and on finding a good way to train and teach people security basics – not only from an end-user perspective, but how to take all these different controls and put them into practice. As for the core pieces of cybersecurity education as they relate to healthcare, there are a few different focuses. Cover healthcare and the regulations, which is part of it, but we also teach how to create the next generation of the workforce, ensuring these cybersecurity students understand the technology and how it actually works so they can make judgment calls when they use a risk-based approach and more effectively secure critical infrastructure for all types of industries, such as healthcare. Everyone needs to know what's going on in the industry.