Do your employees and/or co-workers have all the training to protect patient information and other data you handle? Do you have procedures to discover if there are any gaps in that training?
HIPAA training and other mandated trainings are a great start, but there are lots of other opportunities for training and professional development to give everyone a complete grasp of their responsibilities.
Office Policies and Procedures
Most companies have policies and procedures for employees on day to day operations. If yours doesn’t, make sure to put one together! If you do, is there a system in place for employees to learn and periodically review them? Other questions to consider:
- How are policies, like your password policy, enforced?
- Are consequences of not following policies clearly communicated to employees?
- Do you revise your policies and procedures, or are they still referencing Windows 95?
Phishing, Ransomware, Etc.
As we’ve discussed in previous blogs, phishing and other digital attacks are common. They are becoming more sophisticated; it’s important to stay on top of the new methods of attack. Can you answer these questions with a definitive yes?
- Can all employees identify common scams?
- Do employees know what emails, websites, texts to ignore?
- Is there a procedure in place to verify unusual requests from vendors or even other members of the organization?
- Do employees know what to do if they think they may have received malicious messages or been a victim of a cyberattack?
Director Roger Severino with The Office for Civil Rights talked at the NIST Conference about the methods they use to test employee training. They frequently send fake phishing emails to employees to see if they can identify the emails and follow procedures afterwards. Consider implementing some kind of testing in your own office.
Role Based Training
Most training conducted by organizations tends to be broad overviews of company policies and procedures. Consider going a step further with role based training. This means that each role, or category (sales, IT, management, etc.), gets training tailored to the responsibilities and procedures of their position. Data security and HIPAA responsibilities are important to everyone at the company – use role based training to highlight how each position contributes to securing (e)PHI.
The Office of the Chief Information Officer at HHS has some role based training resources to get you started!