Implement a security awareness and training program for all workforce members
Human error and social engineering are the leading causes of healthcare data breaches. HIPAA requires covered entities to train all workforce members on security policies and procedures. Training must cover security reminders, protection from malicious software, monitoring of login attempts, and password management. This is not a one-time event: the regulation requires an ongoing program with periodic reminders as the threat landscape and your policies evolve.
Implementation steps
1. Develop and deliver security awareness training
Create or procure security awareness training that covers HIPAA requirements, common threats such as phishing and ransomware, acceptable use of systems containing ePHI, and the organization's security policies. Deliver training to all workforce members upon hire and at least annually thereafter. Track completion and follow up with non-completers.
Tools: knowbe4, proofpoint-security-awareness, confluence

2. Conduct phishing simulations and security reminders
Send periodic security reminders to keep security top of mind. Conduct phishing simulation campaigns to test and reinforce awareness. When simulated phishing emails are clicked, automatically route those individuals to targeted training. Track click rates over time to measure program effectiveness.
Tools: knowbe4, proofpoint-security-awareness

3. Train on malicious software and login monitoring
Ensure workforce members understand how malicious software spreads (email attachments, malicious links, removable media) and what to do if they suspect an infection. Train staff to recognize suspicious login attempts and report them to IT. Educate users on the importance of logging out of systems and never sharing credentials.
Tools: knowbe4, confluence

4. Enforce password management training
Train workforce members on password best practices: using strong, unique passwords; not reusing passwords across systems; using a password manager; and enabling MFA wherever it is available. Reinforce that passwords protecting ePHI systems must never be shared. Align the training with the organization's password policy.
Tools: knowbe4, confluence
Evidence required
Training completion records
Records showing all workforce members have completed required security training.
- Training platform completion reports
- Training attendance logs
- Annual training completion certificates
Training content documentation
Evidence of what the training covers.
- Training curriculum or course outline
- Security awareness program documentation
Phishing simulation results
Evidence of ongoing security awareness testing.
- Phishing campaign result reports
- Click rate trends over time
Related controls
- Security Management Process: Implement a security management process to prevent, detect, contain, and correct security violations
- Assigned Security Responsibility: Designate a security official responsible for developing and implementing security policies and procedures
- Workforce Security: Implement procedures to ensure workforce members have appropriate access to ePHI and prevent unauthorized access
- Information Access Management: Implement policies and procedures for authorizing access to ePHI