Sunday, April 29, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #3
3. Who Are the Stakeholders Involved in the Training?
Security is about people. The human touch point is often the weakest link in the chain. Cyber-threats take advantage of this through social engineering, as seen in the rise of phishing as an attack vector. Security awareness is your tool in the fight against social engineering. But security awareness is also much more than this: it creates a level playing field for your entire workforce and beyond, building a ‘culture of security’.

With the addition of HITECH Section 13407, the number of stakeholders that need to be incorporated into a security-aware environment has been extended to cover all business associates that may interact with personal data and PHI. This creates a highly diverse group, or ecosystem, of stakeholders who are required to have a good understanding of the healthcare security landscape. This knowledge base then allows adherence to the tenets of the HIPAA and HITECH security rules. The end result of a security awareness program that encompasses all the possible players is an umbrella of security and privacy respect that will have positive outcomes across the entire ecosystem.

Identifying who your key stakeholders are is the first part of the exercise in security awareness training. As mentioned previously, this has become a highly extended ecosystem of players, brought about by changes in the legislation governing information security in healthcare. Establishing who the players are in your organization will help guide your training exercise. As a starting point, the following list gives you an overview of the types of people involved in training:

  • Front desk workers
  • Administrators
  • IT and tech staff
  • Medics, including nurses, consultants and related roles such as social workers
  • Transcriptionists
  • Healthcare call center workers and managers
  • Medical claims handlers
  • Laboratory technicians
  • Researchers

Don’t forget: there needs to be a specific plan for bringing new employees on board, rather than waiting for the next scheduled security awareness training exercise. This gets them up to speed quickly and creates a mindset of security and privacy from the day they enter their post.

Sunday, April 8, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #2

2. Why Do You Need Security Awareness Training in Healthcare?

Security and privacy cut across a number of legal frameworks within the USA. There is a good deal of general legislation and guidance that covers data protection and privacy, and some that is more focused on healthcare. The USA has a mosaic approach to data protection, with no overarching federal law covering the security issues surrounding personal information. There are two main areas of healthcare legislation that cover the protection of personal data or protected health information (PHI): the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH). The two acts work in unison to cover the security expectations of the whole healthcare ecosystem, extending outwards to healthcare providers’ business associates. Together, the acts set requirements to disclose data breaches, which are:

HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414: The rule requires that any breach of PHI must be disclosed to both patients and the government (a breach meaning the unauthorized use or disclosure of data). There are some nuances around the formal classification of a breach, but since the introduction of the HIPAA “omnibus rule,” which requires a risk assessment to classify an incident as a “low probability” of exposure before it can be treated as anything other than a breach, the chances are you have to declare the breach.

HITECH, Section 13407, is enforced by the Federal Trade Commission (FTC). The act allows the data protection rules to be extended to all entities not specifically covered by HIPAA: for example, the extended business associates of healthcare providers, where a business associate is anyone, such as a contractor or sub-contractor, who is involved in any health-related data handling.

Security awareness in healthcare cuts across many layers. As well as the legislative drivers that demand security awareness, a healthcare team approach to security is driven by:

Ethics: Healthcare has by definition a layer of ethics attached to the practice. Healthcare data and in particular PHI are part of the ethical layer that all of us expect to be respected. We all, at some point, share health information with medical practitioners, so there is a personal element to the ethics of data protection as well as an organizational benefit.

Risky behavior is very common: A study by Cisco found that risky security behavior was almost the norm in organizations, with many respondents admitting to putting data at risk at work. Improving behavior towards security is a key selling point, especially to C-level executives who need to oversee a company-wide security strategy.

Benefits of security awareness: The whole organization, as well as each individual, benefits from being security-aware. Individual workers can “do their bit” by thwarting cyber-attacks. As cyber-threats against healthcare become more prevalent, including everyone in the security equation is ever more important.

The climate of increasing threats against healthcare, coupled with the need for legislative compliance, makes healthcare a key industry for security awareness training. Creating an educated workforce that understands the implications of cyber-security for them and for the industry is part of the overall healthcare security strategy. This is only compounded by the human element present in the most successful security threats, which are based on social engineering, e.g., phishing.