Sunday, April 8, 2018

Why Security Awareness Training in Healthcare Must be Part of Your Security Strategy #2

2. Why Do You Need Security Awareness Training in Healthcare?

Security and privacy cut across a number of legal frameworks within the USA. There is a good deal of general legislation and guidance that covers data protection and privacy, and some that is more focused on healthcare. The USA has a mosaic approach to data protection, with no overarching federal law covering the security issues surrounding personal information. There are two main areas of healthcare legislation that cover the protection of personal data or protected health information (PHI): the Health Insurance Portability and Accountability Act (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH). The two acts work in unison to cover the security expectations of the whole healthcare eco-system, extending outwards to healthcare providers' business associates. Together, the acts set requirements to disclose data breaches, which are:

HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414: The rule requires that any breach of PHI must be disclosed to both patients and the government (a breach meaning PHI being used or disclosed without authorization). There are some nuances around the formal classification of a breach, but with the introduction of the HIPAA “omnibus rule,” which requires a risk assessment to classify an incident as presenting a “low probability” of exposure, the chances are you will have to declare the breach.

HITECH, Section 13407, is enforced by the Federal Trade Commission (FTC). The act extends the data protection rules to entities not specifically covered by HIPAA: for example, the extended business associates of healthcare providers, a business associate being anyone, such as a contractor or sub-contractor, who is involved in any health-related data handling.

Security awareness in healthcare cuts across many layers. As well as the legislative drivers that demand security awareness, a healthcare team approach to security is driven by:

Ethics: Healthcare has by definition a layer of ethics attached to the practice. Healthcare data and in particular PHI are part of the ethical layer that all of us expect to be respected. We all, at some point, share health information with medical practitioners, so there is a personal element to the ethics of data protection as well as an organizational benefit.

Risky behavior is very common: A study by Cisco found that risky security behavior was almost the norm in organizations, with many respondents admitting to putting data at risk at work. Improving employees' security behavior is a key selling point, especially to C-level executives who need to oversee a company-wide security strategy.

Benefits of security awareness: The whole organization and its individuals benefit from being security-aware. Individual workers can “do their bit” by thwarting cyber-attacks. As cyber-threats against healthcare become more prevalent, including everyone in the security equation is ever more important.

The climate of increasing threats against healthcare coupled with the need for legislative compliance makes healthcare a key industry for security awareness training. Creating an educated workforce that understands the implications of cyber-security on them and the industry is part of the overall healthcare security strategy. This is only compounded by the human element present in the most successful security threats, which are based on social engineering, e.g., phishing.
