Is Your Healthcare Privacy and Security Training Ineffective?

Healthcare workers are being empowered with more and more information power tools including apps, smartphones, tablets, social media, wearables and Internet of Things. These tools are fast evolving with new software capabilities appearing daily, and refresh rates on hardware much shorter than seen in the past with PCs.

With each of these information power tools come new privacy and security risks. Existing security safeguards help, but they only partly mitigate risk: significant residual risk remains even after MDM or other safeguards are applied, as evidenced by the range of risky actions users can still perform with these safeguards in place. Effective training is direly needed to address this gap and to help healthcare workers understand the privacy and security risks of their actions, as well as the alternatives available to them for engaging with these tools while reducing risk.

2014 HIMSS Analytics global research on healthcare privacy and security reveals that most organizations provide security awareness training annually (70 percent) or during new employee orientation (55 percent), with less than 40 percent providing such training on demand as needed.


Given the new risks appearing daily in the fast-evolving information power tools landscape, this highlights a gap. Even in the best case, where a healthcare organization fully comprehends all privacy and security risks and training is completely up to date at the time of delivery, six months down the line the information power tools healthcare workers are using are very different, exposing completely new privacy and security risks.

To enable healthcare to embrace and realize the benefits of new technology, including information power tools, we need a near-realtime way of engaging healthcare workers with on-the-job privacy and security training that tracks the evolving risk landscape, fits into their workflow and context, highlights the privacy and security risks of their specific actions in teachable moments, and helps them understand safer alternatives that let them engage while reducing risk.

For example, a healthcare worker may take a picture of a patient with their smartphone and initiate sharing with coworkers using a file transfer app. While convenient, this can expose new risks to confidentiality, integrity, availability, and trans-border data flow. What if the healthcare organization's privacy and security team could reach that healthcare worker in the teachable moment of this use case, highlight the risks, and point out viable alternatives for achieving their goals while reducing those risks?

This would empower healthcare workers with the privacy and security savvy they need to counterbalance the new risks they are exposed to through the information power tools at hand, and enable healthcare organizations to embrace and realize the benefits of new technologies for better patient care while keeping the risk of privacy and security incidents, such as breaches, manageable.

What approach are you using for effective privacy and security training of your healthcare workers?

David Houlding, MSc, CISSP, CIPP is a senior privacy researcher with Intel Labs and a frequent blog contributor.
