Insights

HIPAA Security Awareness Training

HIPAA security awareness training should not only cover best practices to protect the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI), the training should also explain why there are more cybersecurity threats in healthcare than in most other industries, the nature of the threats, and how workforce members can avoid impermissibly disclosing ePHI or providing unauthorized access to ePHI.

The provision of HIPAA security awareness training to all members of a covered entity’s or business associate’s workforce is a requirements of the HIPAA Security Rule’s Administrative Safeguards (§164.308(a)(5)). However, rather than requiring “generic” cybersecurity training, HIPAA security awareness training must be provided in the context of the General Security Rules (§164.306). These require covered entities and business associates to:

(1) Ensure the confidentiality, integrity, and availability of all ePHI the covered entity or business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part [the HIPAA Privacy Rule].

HIPAA compliance with the first two requirements can mostly be achieved via a combination of technical safeguards and generic cybersecurity training. HIPAA compliance with the third requirements requires all workforce members to have an understanding of what ePHI is, why it is important to protect it, what the most common dangers to the security of ePHI are, and how they can avoid impermissibly disclosing or providing unauthorized access to ePHI.

What is ePHI and Why is it Important to Protect It?

ePHI is individually identifiable health information relating to an individual’s health condition, treatment for the health condition, or payment for the treatment, that is created, received, stored, or transmitted electronically by a HIPAA covered entity or business associate. Any non-health information that could identify the individual is also classified as ePHI when it is maintained in the same designated record set as ePHI.

The reason it is important to protect ePHI more than data maintained in most other industries is that ePHI can be used to obtain healthcare, prescription drugs, and medical equipment under false pretenses. Furthermore, compared to (for example) stolen credit card data, the fraudulent use of ePHI may go undetected for years until a victim of identity theft checks their Explanation of Benefits statement or receives an unexpected medical bill.

As well as the financial costs of healthcare fraud to healthcare providers and insurance companies, there can also be personal costs for the victims of medical identity theft . If a victim’s health information has been fraudulently used to treat somebody else, the victim’s health record will be corrupted with the fraudulent user’s information. This could result in misdiagnoses, ineffective treatments, and adverse reactions to medications.

The Nature of Cybersecurity Threats in Healthcare

Because of the value of ePHI and the length of time until its misuse is detected, cybercriminals make more sophisticated attempts to steal it – either for their own use or to sell on the dark web. However, research shows that cybercriminals don’t necessarily head straight for members of the workforce with access to ePHI (who may be better trained on cybersecurity and have better security defenses implemented) when attempting to steal it.

In many cases, cybercriminals will attempt to trick workforce members with less cybersecurity training and fewer security defenses into revealing system login credentials. With these credentials, can move laterally through the system until they locate an unprotected database, or use the workforce member’s credentials to send emails from an apparently safe source to trick colleagues with more permissions into revealing their credentials.

It is for this reason that HIPAA security awareness training must be provided for all members of the workforce regardless of their permission status or access to ePHI. As well as training members of the workforce on the standard best practices to protect the confidentiality, integrity, and availability of ePHI (i.e., phishing prevention, password management, etc.), it is also necessary to explain what workforce members can do to avoid errors.

What Can Workforce Members do to Avoid Errors?  

A 2023 study of reported data breaches in the healthcare industry found that 71% of data breaches were attributable to employee actions. Excluding malicious insiders (25%), two-thirds of the data breaches were attributable to susceptibility to phishing emails, while the remaining third (calculated at 11,465 data breaches based on HHS data) were attributable to “misdelivery” of emails, loss/theft of device, or other avoidable “gaffe”.

Other studies have attributed these inadvertent actions to tiredness, stress, rushing, or burnout. Therefore, it is important that members of the workforce are told in HIPAA security awareness training to “take a minute” before clicking send or leaving a laptop in the back seat of a car to ensure they are not impermissibly disclosing ePHI by sending it to the wrong recipient, or providing unauthorized access to ePHI via an unattended device.

It is also important that workforce members are reminded of the sanctions for inadvertently inviting cybercriminals to steal ePHI and not reporting security incidents. While the threat of sanctions alone will not necessarily prevent a tired or stressed member of the workforce from taking greater care before sending an email, it might make them pay greater attention to HIPAA security awareness training!

Summary of the HIPAA Security Awareness Training Requirements

While generic cybersecurity training can be part of HIPAA security awareness training, it is not sufficient by itself to meet the HIPAA security awareness training requirements.

Covered entities and business associates must develop a HIPAA security awareness training program based on the requirements of the HIPAA General Security Rules.

This means all members of the workforce understand what ePHI and why it is important to protect it – including workforce members with no access to ePHI.

It should be explained to workforce members that an email from an apparently safe source is not necessarily safe and should be treated with caution if it contains an unusual request.

It should also be explained to workforce members that inadvertent actions are more likely when they are tired, stressed, rushed, or burnt out, but that being tired, stressed, rushed, or burnt out is not an excuse for impermissibly disclosing ePHI or providing unauthorized access to ePHI.

Twitter Facebook LinkedIn Reddit Link copied to clipboard

Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years experience as a HIPAA coach. Daniel provides his HIPAA expertise on several publications including Healthcare IT Journal and The HIPAA Guide. Daniel has studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X https://twitter.com/DanielLHIPAA

Related News

Zero day vulnerability exploited in FortiManager

First HIPAA Risk Analysis Enforcement Initiative Financial Penalty Issued by OCR