Start educating staff on security now

Training staff on IT security will be a key component of protecting the integrity of your electronic health records in 2011, according to a new Kroll survey of the top data security trends for 2011. Most important: privacy awareness training for all employees, from the C-suite down to the janitorial staff, Brian Lapidus, Kroll's COO, tells FierceEMR. "It's really a mantra [at Kroll]--privacy awareness training is the cornerstone of any data security program," he says.

Think it's not a top priority? As part of its work on the HIMSS Security of Patient Data report, Kroll surveyed healthcare providers that had experienced a breach. Nearly 80 percent said the first task they had to undertake was additional staff security training. And staff training is increasingly being required in the voluntary compliance plans hospitals have to create after a breach, so you know it's something regulators want.

Not all employees need the same training, of course, and CIOs should start by evaluating all employees' job functions, roles and data access. Once you've determined who has the most frequent--or broadest--access, you can determine the level of education they'll need.

Everyone needs to understand the basic security environment, such as HIPAA laws and regulations, Lapidus notes. For example, any suspected breach should be reported internally as soon as it's found: under the HIPAA breach notification rule, the clock starts on the day the breach is discovered (or, with reasonable diligence, should have been discovered), not on the day someone gets around to escalating it. From that point a "60-day stopwatch" is running, and time is ticking for the organization to investigate and notify the affected individuals. Staff with more access to protected data will need more in-depth training on security tools and protocols, breach identification and response, and more.

A good training program should have two primary components:

1. Education. Regular training sessions are needed to cover the basics of privacy and security and to give staff real-world strategies for implementing the hospital's security policies.

2. Culture change. Employees need regular, firm reminders that security is crucial to patient care: for example, that even when staff are extremely busy, they can't lapse into shortcuts such as sharing passwords or access badges for convenience. "It's just so easy to do if you're not given a reason not to," Lapidus says.

Be sure your top-level execs don't excuse themselves from training. To create a culture of privacy protection, employees need to see managers taking the time to learn and implement security procedures, he indicates. - Sara