Is HIPAA employee awareness training enough?
by Kapua Iao
Several puzzle pieces must fit together for a healthcare organization to achieve HIPAA compliance. And one such piece is HIPAA compliance training, which must include cybersecurity employee awareness training.
The best cybersecurity strategy is not foolproof without proper employee awareness training. At the same time, training is not enough on its own.
So what is HIPAA employee awareness training? What are the best approaches to HIPAA compliance and strong cybersecurity?
What is HIPAA employee awareness training?
Under the HIPAA Privacy Rule, healthcare organizations must provide employees with HIPAA compliance training on “privacy policies and procedures, as necessary and appropriate for them to carry out their functions.”
Such training must include an explanation of what HIPAA is and why it is necessary to safeguard protected health information (PHI).
Anyone within an organization who handles PHI must have this training. It can empower employees to protect themselves as well as the organization and any of its patients.
And according to both the Privacy and Security Rules, training is a periodic requirement, though neither provides a detailed list of what to include. Rather, the HIPAA rules are flexible.
Generally, cybersecurity training should educate employees on the safe use of computers, and teach them:
- A company’s cyber policies and procedures
- Physical, administrative, and technological safeguards
- What to do in case of a data breach
- Current threats and defenses
- How to recognize and block malicious cyberattacks
What measures to include in employee awareness training depends on each organization. What is important is setting expectations upfront and ensuring employees follow them.
Why is employee awareness training necessary?
The number of healthcare organizations breached by the end of 2020 increased dramatically with cybercriminals taking advantage of two things:
The best-laid cybersecurity plan means nothing if employees don’t follow it. Employees, especially within healthcare, are the weakest cybersecurity link of any organization.
Your employees may be tired or stressed, especially within the current climate. They may also be distracted or just not care about cybersecurity.
Moreover, email is the most accessible threat vector (or entry point) into any computer/network. In fact, the Paubox HIPAA Breach Report for April 2021 tallied email breaches as affecting 520,059 individuals.
No matter the cybersecurity measures in place, without employee awareness training, employees may easily let a cybercriminal into any organization.
But is HIPAA employee training enough?
HIPAA employee awareness training should not be the only tactic utilized for cybersecurity. Rather, a layered approach is necessary for complete HIPAA cybersecurity compliance.
It is through a HIPAA risk assessment that an organization will understand its best approach to cybersecurity. Typically, a layered cybersecurity program should include:
- Employee awareness training
- Access controls and physical safeguards
- Encryption and antivirus software
- Policies and procedures
- Separate backups
- Strong password policies
- Patched and up-to-date devices
And of course, email security.
If a breach does occur and the U.S. Department of Health and Human Services (HHS) investigates, having key safeguards in place is what demonstrates that no HIPAA violation took place.
But if found negligent, the organization will more than likely be fined and held accountable for the breach.
Always include strong email security
Given the vulnerability of employees, it is necessary to include strong email security along with employee awareness training.
Enabling HIPAA compliant email with strong inbound and outbound email security is crucial to strengthening any organization’s cybersecurity program.
Paubox Email Suite Premium provides this needed protection and requires no change in email behavior. No extra logins, passwords, or portals. With our HITRUST CSF certified solution, all emails are encrypted directly from your existing email platform (such as Microsoft 365 and Google Workspace).
Malicious inbound emails are blocked even before reaching an employee’s inbox. Our Plus and Premium packages also come with ExecProtect, built to stop display name spoofing emails from reaching the inbox in the first place. Our Premium level also comes with data loss prevention (DLP), which stops unauthorized employees from transmitting sensitive data outside an organization.
So is employee awareness training enough on its own? No, though that doesn’t mean organizations shouldn’t take it seriously. Rather, a combination of measures, including training and email security, works together to stop data breaches.
Don’t leave your employees out in the open. Protect them while showing them how to protect themselves.