“,” written by Daniel Solove, brings to light many worrying statistics regarding the first round of the HITECH-mandated audits back in 2011-2012. If you remember, The Health Information Technology for Economic and Clinical Health Act or HITECH, is a companion act to the Health Insurance Portability and Accountability Act (HIPAA), meant to address security and privacy concerns. Here are a few of those statistics that really caught our eye.
Of what OCR kindly termed the “findings and observations,” most involved the Security Rule. Of the total pilot audit findings, 60% were based on the Security Rule, 30% on the Privacy Rule, and 10% on the Breach Notification Rule.
Of the Privacy Rule findings, 44% involved uses and disclosures of PHI, 20% on lack of notice of privacy practices for PHI, 18% on administrative requirements, 16% on access of individuals to PHI, and the remaining 2% on right to request protection for PHI.
Possibly the worst statistic of all:
Of the Privacy Rule administrative requirements findings, 26% involved lack of or inadequate training.
These observations have inspired us to revisit a blog we published in early 2013 called “Why Security and Privacy Training Fail”. Whether you’re part of the 26% whose training was deemed inadequate, or your turn at being audited hasn’t come around yet, getting your Security and Privacy Training up to snuff should be a priority.
Time to Re-think Security and Privacy Training
The problem with Security and Privacy Training, and awareness training in general, is it’s usually missing two major components:
- The “So, what does this mean to me?” component
- And, the policies and procedures required for employees to effectively adhere to the requirements
It is not enough to just be aware of privacy requirements. Simply stating a long list of thou-shalt-not’s and expecting employees to walk away understanding the subtleties of how to apply their learning to their part of the business is flawed thinking at best. I’ve seen this thinking lead many organizations straight into disaster. I liken it to telling your kid, “Look both ways.” Without context for that instruction (before you cross the street), it’s unlikely the child will remember your advice when he needs it most.
I’ve worked for many companies where security and privacy training is required for all employees. And without exception, every one of these companies failed in the application of the principles describe in the training. It is for this reason I am suggesting not only corporate-level awareness training but the addition of role-based security and privacy training.
Three Typical Role-based Awareness Issues that Can be Resolved with Improved Security and Privacy Training
Below I’ve described three typical role-based awareness issues. Your list of roles may look different depending on your line of business but the general principles still apply.
IT Professional
IT professionals are always falling victim to the “can you” trick question. For IT professionals, anything is possible (you gotta love that about them). But the problem is when most business people ask “can you” what they really mean is “do you?”
There’s a big difference between “Can we encrypt data in transit?” and “Do we encrypt data in transit?” This is where training and education comes in. For IT professionals, it’s important when answering compliance related questions, particularly those coming from clients, to answer in terms of your current capabilities, not what is possible to do technically.
Additionally the level of detail you reveal to 3rd parties when answering these questions needs to be managed closely. In many cases, when clients are reviewing your security capabilities, they will ask for a level of technical detail which, if provided by an over-accommodating IT pro, would violate most security best practices. Don’t reveal sensitive technical details simply because a client asks you to. IT training should include specifics on how to answer client and business questions pertaining to your company’s privacy and security stance.
Sales Executive
Sales executives are the official askers of the “can you” question. Once you start changing the way you ask the question, be ready to get the truth. You may feel like the IT organization is standing between you and your next million dollar deal, but misstating your security and compliance capabilities in a client contract is not only unethical, but will put you in breach of contract the second you sign it.
This is where supporting policy and procedures come into play. There must be a mechanism in place where client security and privacy requirements are reviewed by technical experts to ensure that IT’s current capabilities meet the contractual obligations you are about to commit to. The review process needs to be free from internal coercion and should be overseen by legal counsel.
Read: “The ‘right’ policies and procedures will make us compliant”
Sales executive training should include how to identify and communicate critical data privacy and security requirements in the sales cycle. Sales training should also include guidance on how to successfully engage in client discussions regarding security and privacy. For example: You could say, “My IT department is refusing to provide that information.” Or you could say, “Providing the level of detail requested would be in violation of our security policy. In order to protect you and our other customers, we are unable to release that information to you. Is there another way we might satisfy the underlying objectives of this requirement?”
Business Manager/Project Manager/Analyst
Hmm. Has something changed here? It’s the people in the middle of your day-to-day operations who are in the best position to identify change. You may have started a client project or a vendor relationship with the intention of never exchanging Protected Health Information, but business relationships evolve over time. For example, your relationship may start with handling non-protected health care information or de-identified data sets for a healthcare customer. Over time you get a second set of data and the client asks if you can combine the two sets of data into one master set for analysis. The simple act of combining multiple sets of data may cause the new data set to have protected status.
Education for this type of employee would go into additional detail on identifying protected health data, and identifying changes in data status. In addition, procedures need to be in place for communicating changes in data status, and flagging data for special handling and storage.
Summary
Whether your security and privacy training is for the Health Insurance Portability and Accountability Act (HIPAA) or Sarbanes Oxley (SOX), training is not something to merely tick off the compliance check list.
Read: “Smart-SOX…Deciphering the Tongue Twister“
The intent of raising awareness in your organization is for the express purpose of equipping employees to identify, mitigate, communicate, and prevent unnecessary risks. If your security and data privacy training program does not result in an employee’s ability to apply their learning to daily operations, you’re missing not only the spirit of the requirement but also the intended benefits and protections.
In our next blog(s), we’ll address more of Daniel Solove’s points regarding risk assessments and the factors you should be thinking about as you launch or improve your organization’s approach to risk assessments.
