How to implement a cybersecurity awareness program
With all the security requirements of the Health Insurance Portability and Accountability Act (HIPAA), it may seem redundant to consider setting up a security awareness program at a medical practice. But such a program—to educate employees about security challenges and safe practices—could help prevent any security mishaps.
When staff members understand why security is important and are able to recognize vulnerabilities, the practice is safer. Dan Lohrmann, chief security officer at training agency Security Mentor, Inc., says people make up 80% of the security challenges most organizations face. Security vulnerabilities and challenges also evolve, so ongoing education is important.
For cash-strapped medical practices, there may be very real budgetary concerns and constraints, but a security awareness program does not need to be expensive. A little creativity can go a long way. For example, setting up a test workstation—unconnected to any real personal health information or practice systems—with security vulnerabilities and asking employees to identify them could be a low-cost but useful activity.
Some programs use gamification, which adds typical elements of game playing such as point scoring or competition, to increase employee engagement. For instance, adding a small prize, such as a piece of chocolate or other token of appreciation, to the workstation activity could serve as a motivational tool, while also keeping costs minimal. “Having an ongoing security awareness program is an inexpensive way to strengthen security while meeting compliance mandates,” Lohrmann says.
There are two other cost-related points to consider, says Lohrmann. First, a security awareness program is likely to be significantly less expensive than other security measures, such as upgrading software or hiring an outside firm to conduct security training. Second, Lohrmann says, “Note that a data breach will cost much more than training employees proactively.”