Risk: Lack of security awareness and training.
Explanation: The security of your practice’s ePHI might be at risk if your workforce members don’t comply with the standard security protocols, either due to the lack of awareness or due to the lack of training. Several factors that may contribute to such behavior may include:
- Workforce members not really knowing what security really is and why is it so important when it comes to ePHI.
- Lack of sanction policies and procedures that make it crystal clear to the workplace members their respective duties to uphold the integrity of ePHI or lack of compliance on the part of workers to the sanctioned policies and procedures.
- Security awareness and training programs being non-interactive and inappropriate.
- A person not having the right skills, qualities and knowledge running the process of security awareness and training.
- Not having enough metrics on whether all your arrangements are actually improving security awareness among your workplace members.
- Unrealistic expectations.
- Conducting once a year training exercise only.
Mitigation: You can strengthen security awareness and training among your workplace members and thereby improve the security of your practice’s ePHI by taking following steps:
- Make the sanction policies and procedures as explanatory as possible.
- Apply appropriate sanctions against members who fail to comply with the security protocols and policies.
- Make security awareness and training programs more interactive and periodic.
- Appoint the right person with the perfect skill set, heading this process.
- Collect metrics on periodic basis to see the progress of your training activities.
- While it is important that you collect metrics to know if your efforts are actually producing enough results, but in the meantime, you’ve to be realistic. Promoting awareness is not a one day process, it takes time and patience.
Success Criteria: Improved awareness and better compliance on part of the workplace members leading to strengthened security.