Workforce Security Awareness Training–Creating a Culture of Compliance

An organization’s workforce is the weakest link in the chain of security. Well-intentioned employees can easily fall prey to social engineering tactics.
Security & Privacy Staffing
Mark McLaughlin, Owner, Mark McLaughlin Consulting, LLC

Mark McLaughlin is the owner of Mark McLaughlin Consulting, LLC. He has held many positions in the healthcare industry, including as a member of the Board of Directors for healthcare associations, and C-level executive roles in charge of development, IT, and Regulatory Affairs. He is widely considered an industry expert with regard to HIPAA and HITECH. Mr. McLaughlin is a former Commissioner with the Electronic Healthcare Network Accreditation Commission (EHNAC), served as the Chairman of the Criteria Committee and Senior Site Reviewer. Mr. McLaughlin has served on the Board of Directors of several healthcare industry associations including the Workgroup for Electronic Data Interchange (WEDI) where he served as Chairman, led key work groups and acted as primary author on white papers utilized by Covered Entities across the United States.

Security awareness training is a multi-faceted and critically important part of employee education in any healthcare organization. An organization’s workforce is the weakest link in the chain of security. Employees, although well intentioned, can easily fall prey to social engineering tactics. Therefore, it is imperative that training occurs on a consistent schedule and that the message is accurate and supports the organization’s policies and procedures. There are two very important aspects of any security awareness training program: methodology and contents.

Training Methodology

Methodology is just as important as the contents of the actual training because it reinforces key messages and empowers employees to handle threats coming their way. Methodology components are:

  • Timing: Training of workforce members is an ongoing effort. Security awareness training should be conducted for all new hires during their first week on the job and should occur at least annually for existing workforce members after that.
  • Testing: Once a training session has concluded, it is critical to test for comprehension. If an employee is not able to display an adequate understanding of the material (i.e., an 80% pass-rate), they must re-take the training. If a workforce member is unable to pass the test, the organization should set up a corrective action.
  • Audit: In order to ensure training is completed from the top down, employers should track training details for all employees, including dates and completion rates.
  • Security reminders:Security reminders should be posted at least once per quarter on an organization’s intranet or sent via e-mail to reinforce material provided during the training.

Training Contents

In addition to a thorough review of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) security safeguards, it’s critical that privacy and security training also covers other aspects, as outlined here:

  • Definitions: Review key terms, topics and legislative guidelines at the beginning of training sessions in order to ensure employees are up to speed with all relevant material and industry standards, such as the 18 identifiers that are considered protected health information.
  • Breach reporting procedures: What exactly constitutes a breach and what should the workforce do in the event of one? This is an integral part of the training that should also include a review of penalty violations. Identification of Privacy and Security Officers and backup workforce members – Breach reporting requires knowing who to contact if an incident occurs, so it’s important that all employees are familiar with their organization’s Privacy and Security Officers, backup personnel and the appropriate contact information for them.
  • HIPAA safeguards: Administrative, physical and logical safeguards not only define the policies and procedures in place but actually how the organization implements those policies.
  • Social engineering tactics: Finally, it is imperative that the organization address the weakest link in the security chain by training workforce members to avoid falling into traps such as phishing e-mails, which allow threats to enter an organization from the inside. By clicking on falsified links or opening tainted attachments, employees may be introducing chaos into the organization.

Today, security and privacy challenges are almost inevitable for healthcare groups. Fortunately, applying consistent, standardized training that reflects the policies and procedures of the organization allows both employers and their employees to be better equipped to handle any attacks that come their way. And they will come their way, eventually.