8 Steps to Developing a Health IT Security Training Program

November 14, 2016

Avoid having problems with data protection. Here are eight steps to take to develop and support an effective IT security training program.

This year, Verizon released a "Data Breach Investigations Report" and noted that healthcare data breaches were most likely to be caused by human error. In its analysis of 2015 breaches, Verizon identified the following as significant contributors:

• Lost and stolen assets, such as laptops and smartphones;

• Sending sensitive information to the wrong person;

• Use of weak, default or stolen passwords; and

• Opening malicious attachments or nefarious links in an email.

In a press release, the executive director of global security services for Verizon Enterprise Solutions said, "You might say our findings boil down to one common theme - the human element."

While your staff members are likely your practice's greatest source of exposure to a cyberattack or data breach, they also represent your first line of defense. That's why it's critical to make data security a priority for your practice, if it isn't already. Doing so requires developing an IT security training program that keeps data security high on your staff's list of responsibilities.

Here are eight steps to take to develop and support an effective IT security training program.

1. Define IT training program goals. This vital planning step specifies what you want your staff to learn and reduces the likelihood that critical topics are left out of the training. Outline the specific aspects of IT security your staff needs to learn to be smart, compliant users of technology. These goals will serve as a framework for creating your training and help identify the different mediums you will use to deliver it.

2. Secure leadership support. Developing an effective training program requires substantial work up front, and executing and maintaining the program requires ongoing work. Leadership must be educated on the importance of IT security training and must support efforts in this area. Poor support can lead to a lack or reallocation of resources, which is likely to result in an incomplete program that leaves a practice more vulnerable to security threats.

3. Identify gaps and opportunities. You likely have some components of IT security already in place at your practice, such as password-protected access to computers and the use of anti-virus software. Perform a risk assessment to identify where security gaps exist; it should include an analysis of any IT training you already provide and of opportunities for improvement.

4. Understand staff roles and their vulnerabilities. Depending upon how your staff members' IT privileges and roles are established, they can likely access some programs used by your practice and may be restricted from accessing others. It is important to understand which staff members can access which programs, define their roles in using those programs, and then identify the associated vulnerabilities. For example, if the account of a staff member with access to the EHR is compromised, it could lead to theft of protected health information. Your training program should include guidance specifically related to staff roles and their vulnerabilities.

5. Deliver education on security policies and procedures. It's not enough to just have security policies and procedures. Staff members need to receive education on your policies and procedures when they start working at your practice. They should also receive re-education as part of annual training and whenever policies or procedures undergo changes. Also consider including IT discussions during all staff meetings. This will help keep security at the front of staff members' minds.

6. Focus on ramifications. Within your training, it's important to teach staff what to do and what not to do. Drive home the importance of following these rules by discussing the ramifications of failing to follow them, such as the penalties associated with HIPAA violations.

7. Implement cross-training. It's great to have IT "superusers" at your practice - staff members with the most knowledge about your programs and technology, whom other staff can approach with questions. But one potential downside is that a practice relying heavily on these individuals is often left scrambling to replace the knowledge lost when a superuser leaves. Help overcome this obstacle by making cross-training part of your training program. Cross-training can help develop more superusers, or at least more knowledgeable technology users. This reduces the likelihood of IT-related errors and makes a practice less vulnerable if a superuser's employment ends.

8. Keep current. Cybercriminals work around the clock to find new ways to breach IT systems and steal data. Practices must stay abreast of new threats and the processes that keep technology and data safe and secure. As you come across news and resources on IT security, share the information with your staff (via email, newsletter, bulletin board, etc.), and then discuss the most significant developments during staff meetings.

The more informed you are about cybersecurity, the better prepared your practice will be to protect itself from threats and respond effectively and appropriately to cyberattacks.

Nelson Gomes is the president and CEO of PriorityOne Group, a New Jersey-based healthcare IT consulting firm. Gomes has more than 25 years of experience in IT, including 20 specifically in health IT, providing services to medical practices, ambulatory surgery centers, and clinics.