We are reading a HealthIT article this morning that quotes Kaspersky's claim that 24% of US health employees receive no cybersecurity training. That's an obvious shame if true. Training is a HIPAA requirement, both in the Privacy Rule (§164.530(b)(2)) and the Security Rule (§164.308(a)(5)); the latter spells out three specific subjects AND "...periodic security updates...". Despite the criticism we read about HIPAA not being adequate, we think the training requirement is stated pretty clearly.
What is not in the article is the dated approach to HIPAA Security that continues to permeate the healthcare industry. We blame all of the "one size fits all" mandatory annual HIPAA training modules floating around out there for turning people off from wanting to learn more, and for the ease with which cyber criminals are able to exploit a workforce.
We've got a great solution for HIPAA training. It's adult-oriented, which means it's broken up into small chunks, and each chunk is meant for a particular part of your workforce. We don't think that information technology workers get much from learning about the Notice of Privacy Practices, any more than a nurse or doctor would get from what HIPAA says about a disaster recovery plan.
Give us a shout if your HIPAA-based cybersecurity training is lackluster or non-existent.