Improving Cybersecurity Awareness in Healthcare

Understanding the Need of Improving Cybersecurity Awareness in Healthcare

Many cyberattacks succeed due to mistakes by employees and a lack of awareness of basic aspects of cybersecurity. According to the 2022 Verizon Data Breach Investigations Report, 82% of data breaches in 2021 involved the human element. Improving security awareness of the workforce by focusing on key behaviors will go a long way toward improving security and preventing data breaches.

HIPAA and Security Awareness

Security awareness training is a requirement for compliance with the HIPAA Security Rule. The administrative safeguards of the HIPAA Security Rule require all HIPAA-regulated entities to train workforce members on internal security policies and procedures, with the 45 CFR § 164.308 (a)(5)(i) standard requiring “a security awareness and training program for all members of its workforce (including management).”

HIPAA-regulated entities should adopt a risk-based approach when developing training courses and should teach cybersecurity basics and focus on the most important behaviors that can reduce risk. The HHS’ Office for Civil Rights (OCR) has issued guidance on aspects of cybersecurity to include in security awareness training programs and raises awareness of important themes in its quarterly cybersecurity newsletters.

“The Security Rule requires regulated entities to implement a security awareness and training program for all workforce members,” explained OCR in its Q1, 2022 cybersecurity newsletter. “A regulated entity’s training program should be an ongoing, evolving process and be flexible enough to educate workforce members on new and current cybersecurity threats (e.g., ransomware, phishing) and how to respond.” OCR also stressed the need for training to be provided to all members of the workforce, which includes management personnel and senior executives.

What Should be Included in HIPAA Awareness Training?

Training should be followed up with regular security reminders that are an addressable specification of the HIPAA Security Rule. OCR suggests security reminders can include cybersecurity newsletters, but also phishing simulations to members of the workforce to gauge the effectiveness of the security awareness and training program, and to provide additional, targeted training to employees who are fooled by the simulations. 

Multifactor authentication is an effective additional safeguard for improving access controls to prevent stolen credentials from being used to access accounts. Brute force attacks often succeed due to employees setting weak passwords or reusing passwords on multiple accounts. HIPAA-regulated entities should enforce their password policies, but also make compliance with those policies easier for employees by supplying a business password manager. Password managers can suggest truly random, complex passwords, and greatly improve password security and management.

We’re Here to Help

It is easy to focus on technical defenses for protecting ePHI and preventing unauthorized access, but the importance of training cannot be overstated. Wilson Consulting Group will help your company ensure that all employees are aware of key behaviors and that practicing good cyber hygiene will go a long way toward improving the cybersecurity posture of the entire organization.