From our "Keys to Preventing a Breach 2.19" article on this page.
Effective workforce training doesn’t mean every employee annually checking off their hour-long HIPAA Privacy module developed 10 years ago, supplemented by a couple of periodic staff meeting reminders. The HIPAA Security Rule specifies that a Covered Entity:
Implement a security awareness and training program for all members of its workforce (including management).
Worth repeating is that, to begin with, the entire workforce needs to be trained to recognize and report security incidents, violations of administrative policy, and potential (e)PHI breaches. The entire workforce should also receive regular short-interval training on protection from malicious software and on credential monitoring and management (e.g. logins, passwords, etc.), based on policy, procedure, and current accepted information-services practices.
Additionally, we wrote about phishing extensively on our website’s blog page. Every CE should run a quarterly phishing campaign until the number of workforce members “lured” is reduced. Once responses have plateaued, quarterly testing can be relaxed to an annual or semi-annual periodicity.
All CEs should already be developing, assigning, and documenting training on the HIPAA Security Rule's citations for those workforce members entrusted with each citation's related policies, procedures, and processes. Quarterly phishing training should be budgeted and executed.
Link to complete whitepaper: https://docs.wixstatic.com/ugd/6be7c6_2865b729fd434ec98b8d94332267e82c.pdf