Skip to main content

Training your new practice staff on cybersecurity

Healthcare Cybersecurity

In the world of healthcare technology, cybersecurity is one of the most important aspects of protecting patient data. Training your new practice staff on cybersecurity steps can mean the difference in your ability to keep your patients’ information safe and secure.

When considering cybersecurity, obvious electronic devices come to mind, including interconnected computer systems. However, there are other devices comprising the Internet of Things that also must be protected. Smart devices such as heating systems, elevators, ventilation and air conditioning (HVAC), and remote patient monitoring devices must be included in cybersecurity training for your new practice staff.

Lisa J. Pino, Director, Office for Civil Rights, U.S. Department of Health and Human Services (HHS), wrote recently that, “All too often, we see that risk analyses only cover the electronic health record. I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope.” Pino adds that, as an independent practice, “You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.

Pino points that risk management policies and procedures best practices should include:

  • Maintaining offline, encrypted backups of data and regularly test your backups
  • Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface
  • Regular patches and updates of software and Operating Systems
  • Training your employees regarding phishing and other common IT attacks.

Cybersecurity training in the healthcare field is lacking, according to some research. One recent study found that while over half (55%) of the participants who worked in healthcare reported their employer consistently provided security and privacy training, 24% said their employer has never provided such training. The study also found that employees were not sure whether their employer was required to comply with major privacy regulations.

In terms of HIPAA compliance, 61% of the study participants knew that it was required for their organization and 19% were unsure. Another 20% knew, or at least believed, that their organization was not a covered entity under the regulation. In the study, which included other sectors, those in the healthcare sector were the least aware of social engineering threats such as phishing. Only 16% of healthcare employees participating reported that they understood such social engineering threats very well.

Some useful cybersecurity training and materials for your new practice staff are available through the:

In considering how and what to train your new practice staff on regarding cybersecurity, consider that you should tie the objectives to patient care and safety primarily. It is important for you to define clear and concise objectives for your training based on the current threats you are facing as well as on the knowledge gap of your team. Tailor your message to address those objectives.

For example, you might need to:

  • Explain how attempting to download unauthorized software on an office computer or medical device can take down crucial devices and prevent them from being used securely in patient care.
  • Provide practice advice on the appropriate way to confirm patient consent and transmit information in a secure manner, if your team is releasing medical information over the phone without properly confirming the patient’s permission.

Your cybersecurity training program’s specific content will vary based on your practice’s needs, and the content should continuously evolve to reflect the most current threat potential. Stay informed about cybersecurity issues and use that information to keep your awareness campaigns fresh and relevant to your new independent practice staff.