Kroll Top 10 Tips For Avoiding Security Breach
Published on Healthcare Finance News (http://www.healthcarefinancenews.com)
Top 10 tips for avoiding a costly security breach
By rletourneau
Created 07/26/2011
NEW YORK – Given the significant financial and reputational costs that result from security
breaches, healthcare providers must understand the importance of expanding and
enhancing employee data security training before a breach event occurs, said Brian Lapidus,
COO of the Fraud Solutions division of Kroll, a New York City-based risk mitigation company.
“Strong data security policies and procedures are only as effective as the employees who
implement them. For that reason, it is critical that companies train their employees to be
privacy advocates for the organization,” said Lapidus. “The best training programs show
employees how to take an active and personal role in the data security of your organization,
while demonstrating what’s at stake, from an organizational and regulatory standpoint, when
a security gap occurs.”
Here are Lapidus’ top 10 tips for securing what is arguably the most sensitive data your
organization possesses – medical records:
1. Make sure all employees are trained. HIPAA and HITECH both set forth requirements
for training all new and current workforce members, including contract workers, temporary
workers and volunteers. It’s smart business, and it’s also the law.
2. Plan your data security employee training in lockstep with overall employee
education. Incorporating data security training into your company’s overall employee
education program is vital to its proper documentation and implementation. Making data
security training part of your official employee education program also ensures that courses
get evaluated and refreshed periodically, and that program effectiveness is monitored
regularly.
3. Use roles-based training. Everyone needs training, but not everyone needs the same
program. Training should be tailored and weighted per the volume and sensitivity of the
patient healthcare information and personally identifiable information to which each individual
has access. The best practice is to develop a basic training program for all employees with
tailored elements for different employee tiers and categories.
4. Don’t make data security training a one-off. It is critical that organizations make data
security training an ongoing activity. HIPAA and HITECH have provisions for initial training of
new and current employees, as well as incorporating ongoing training in instances where
policies or procedures may have changed or for the dissemination of new information.
5. Verify and document all training to maintain compliance. HIPAA requires a covered
entity to be able to verify training through specific documentation requirements. These
records need to be retained for a period of six years.
6. Pay special attention to business associate training. It’s likely that you won’t be
providing training directly to your business associate (BA) employees; however, it will be the
covered entity’s responsibility to include this in the BAA (Business Associate Agreement) as
part of your requirements for doing business. Further, it’s your responsibility to make sure
the BA’s training plan meets your requirements and provides proper documentation.
7. Build job-specific scenario exercises into training. Beyond the minimum requirements
of HIPAA privacy and security rules, covered organizations should take into consideration
job-specific scenarios that employees are most likely to encounter. Make sure that the
roles-based training addressed in tip 3 (above) includes exercises that challenge employees
to think about how they might handle situations likely to arise in their current roles.
8. Don’t forget breach detection and escalation. For covered entities, the 60-day
stopwatch starts when the organization knew or “reasonably should have known” that a
breach occurred. Itʼs important to train employees to recognize a potential breach and
escalate information to key administrators who are designated first responders.
9. Include data security wisdom in all your employee communications channels. To
keep privacy and security top of mind, engage in ongoing communication with employees via
newsletters, emails, login reminders, notices posted in conspicuous areas or other internal
channels.
10. Create a cultural shift within the organization. To be truly effective, training and
education should be part of the culture rather than just the “required” act of signing an
agreement. Organizations must demonstrate a top-down commitment to understanding
privacy and security requirements and to keeping data safe.
Source URL: http://www.healthcarefinancenews.com/news/top-10-tips-avoiding-costly-security-breach