For healthcare organizations, deciding what to include in staff training presents its fair share of challenges. Finding the time to complete training and making sure it is comprehensive, effective and easy to understand are just a few of the challenges healthcare organizations face when assigning staff training.
Including compliance topics in staff training is crucial for healthcare organizations. Compliance training, among other things, addresses legal and regulatory requirements, protects patient privacy and confidentiality, improves patient care and maintains organizational reputation.
Compliance isn’t a once-and-done task or something to address only when needed. Compliance training requires constant reminders, especially as the threat of cyberattacks is at an all-time high. While many topics could be included, the five topics listed below should be part of staff training to ensure staff understand their legal obligations and to reduce the likelihood of a cyberattack or of violations that could result in penalties.
- Training on policies and procedures. Training on, and periodic review of, policies and procedures are often forgotten. It is easy to think of policies and procedures as something that is there if needed, or something to reference as needed. Just because your policies and procedures have been written doesn’t mean you are “in compliance.” Any staff affected by policies and procedures should receive training on them and review them periodically, at least once per year or as updates occur.
- Strong passwords. Year after year, reports indicate that weak login credentials, including passwords, are among the top causes of data breaches. It is estimated that over 75% of attacks on corporate networks involved weak passwords. All staff should understand the importance of having a strong password (e.g., at least eight characters in length, a combination of alphabetic, mixed-case, numeric and punctuation characters and, most importantly, a password that is difficult for attackers to guess).
- Cybersecurity awareness. Cybersecurity awareness training is essential for any organization, including healthcare organizations, to protect against cyber threats and attacks. According to the U.S. Department of Health and Human Services (HHS) Office of Information Security’s updated cybersecurity guidance, the top five threats are: social engineering; ransomware; loss or theft of equipment or data; insider, accidental or intentional data loss; and attacks against network-connected medical devices. Because effective cybersecurity is the responsibility of the entire workforce, it is important for staff to receive cybersecurity awareness training that is up to date with the current threats affecting the healthcare industry.
- Ensure proper safeguards are in place before communicating electronically. Everyone in your organization has a responsibility to ensure health information is protected. Likewise, everyone in your organization has a responsibility to ensure only the minimum necessary information is shared electronically, and only with the intended recipient. All staff should be trained on the importance of including a disclaimer on emails and faxes that notifies the recipient that email and facsimile are not secure channels and provides a contact to whom the recipient can report a misdirected message. Staff should also understand how communications involving protected health information (PHI) or other sensitive information are to be handled in your organization.
- How to properly dispose of, or store, PHI when not in use. The HIPAA Privacy Rule requires healthcare organizations to apply appropriate administrative, technical and physical safeguards to protect the privacy of PHI in any form. This means having implemented reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI in connection with the disposal or storage of such information. Under HIPAA, when destroying PHI in paper records, the record must be shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable and otherwise unable to be reconstructed. Some healthcare organizations hold PHI awaiting disposal in a secure area with limited access that is not accessible to the general public. All employees must understand how to properly dispose of PHI and that documents containing PHI must never be placed in the trash.
In summary, staff training, including compliance training, is an ongoing process. Compliance and cybersecurity are a shared responsibility. Staff training at the time of hire and periodically thereafter (e.g., annually or as updates occur) helps ensure every member of a healthcare organization’s workforce can help prevent a cyberattack, protect privacy and confidentiality and maintain the safety and security of PHI and other sensitive information.
For more information, please contact your Fuel Regional Manager.