Thank you for joining us as we continue our HIPAA compliance series. This week, we will discuss the importance of Security Education, Training, and Awareness (SETA) programs. HIPAA section 164.308(a)(5) states that covered entities must “implement a security awareness and training program for all members of its workforce (including management).” The most expensive security technologies can be thwarted by people who lack sufficient training. You don’t have to spend thousands of dollars sending your staff to elaborate security training classes, but you should outline some responsibilities, and set policies governing staff behavior.

This section has four implementation specifications: security reminders, protection from malicious software, log-in monitoring, and password management. Security reminders are simply a mechanism to make sure employees are aware of security risks, policies, and their responsibilities. The reminders can take any form, but you must document the reminder, its message, and the date it was sent.

Anti-virus and anti-spyware software usually provides protection from malicious software. Your staff should understand how it works, and should check each morning to make sure it scanned and updated overnight. Your staff should also know how malicious software infects computers – usually through fraudulent or infected websites, email attachments, or open firewalls. Train your staff be on the lookout for these threats.

Login monitoring can be handled through Windows – providing you are using the professional and not the home version. You can use the local security policy setting to record login attempts and lock users out after a specified number of failed attempts.

Password management is a critical and difficult issue. Your practice should have policies and procedures for “creating, changing, and safeguarding passwords.” You should set minimum standards for creating passwords, such as number of characters, using numbers, capital letters, and special characters. You should also set policies for changing passwords. You can set password policies under Windows to expire after a certain time, and prevent employees from using the same password over again.

However, the third criteria should balance the first two. You should have policies that forbid employees from sharing or writing down their passwords. You do want your employees to choose good passwords, but you also want them to remember their passwords without writing them down. Otherwise anyone can look through their desk and find the passwords, and if that happens, they have circumvented your entire security system.

The take-home message is that your staff needs to be aware of security. They should understand the consequences your practice will face if it is found to be non-compliant with HIPAA or worse, loses or discloses sensitive patient information. Finally, they should know their responsibilities and how to keep your systems safe.

Ryan Ricks
Security Officer