One of the most important elements of the administrative safeguards is the provision of training on HIPAA Security and Privacy Rules, not only for the staff that is granted access to ePHI or may otherwise come into contact with it, but all members of the workforce, including management. Even the most robust security policies can be easily compromised due to poor or non-existent staff training. Security Awareness and Training includes four implementation specifications:
Security Reminders (Addressable)
The provision of training ensures that the workforce is fully aware of HIPAA Privacy and Security Rules; however policies frequently need to be updated and these changes must be communicated to the staff. It is also important to provide the workforce with reminders of the importance of data security and PHI policies and procedures. All reminders must be documented and a record maintained, while the procedures must govern the issuing of reminders, such as via electronic bulletins, the posting of security reminders on notice boards and the creation of agendas for periodic staff meetings etc.
Protection from Malicious Software (Addressable)
Covered entities must put procedures into place which guard against, detect and report malicious software, including computer viruses such as Trojans, worms, key loggers and malware. Viruses and malware can be used by external parties to gain access to data or to convince authorized personnel to divulge their login credentials and security keys. It can also damage, delete or otherwise alter data.
All members of the workforce must receive training to help them identify potentially dangerous software and training also provided to ensure all staff know how, and to whom, to report malicious software. This includes developing policies which restrict how the internet is used and what can be downloaded.
Log-in Monitoring (Addressable)
Procedures must be developed for monitoring log-in attempts and reporting discrepancies. A system must be in place that can log access attempts, such as multiple attempts to gain access to ePHI using incorrect passwords or user-names. Systems can be configured to log these attempts and generate security reports, or even to block access for a particular user or device. One measure which can be employed is the blocking of a login after a set number of access attempts have failed.
Password Management (Addressable)
Procedures must be developed to cover creating, changing and safeguarding passwords used to access ePHI.
If passwords are not automatically assigned, training must be provided on creating secure passwords, such as not using dates of birth, children’s names or passwords that can easily be guessed (password,123456).
Policies should be developed that require users to change their passwords at regular intervals and the staff should be advised about how passwords can be safeguarded.