Malware Awareness: A Powerful Ally in Promoting Security
The HIPAA Security Rule and its focus on safeguarding electronic Protected Health Information (ePHI) is a critical area that Covered Entities and Business Associates must focus upon to promote their respective compliance efforts in protecting the privacy and security of ePHI. This is why the Security Risk Analysis (SRA) that was discussed in my previous blog is such a pivotal aspect, given that it prompts organizations to identify those assets that create, maintain, receive, or transmit ePHI. Now, given the ever-increasing threat of malware, which is the term used to describe computer programs that can disrupt computer systems, HIPAA compliance professionals are turning their efforts to raising the awareness of their workforce members of how to recognize situations that may represent a malware attack.
Increase Front Line Defense – Lower Risk
By raising awareness of the presence and threats of malware and providing education and training to workforce members on how to respond if they should encounter a potential malware-related situation, organizations are creating an effective front-line defense regarding the privacy and security of their computer systems. In turn, this also decreases the likelihood that an organization may be the target of a successful malware attack, which could result in a possible breach of ePHI.
So what are some of the ways that organizations are accomplishing a heightened level of awareness among the workforce about malware? There are several options that are commonly used, and organizations often use a combination of options based on their experience of how the workforce receives and processes requests related to training and education. Also, realize that these efforts to raise awareness about malware attacks also represent an organization’s compliance in meeting the security reminder implementation specification found in the HIPAA Security Rule.
Use Multiple Communications Methods
Some organizations send out a newsletter or other email-based communication as an “all hands” message so that everyone with an email account receives the communication. Those individuals who do not have an email account or do not use it regularly will often have their managers print out the email and post it in a common area such as a breakroom. Another option is to send workforce members a link to a multimedia message about malware, such as a brief training video, either by email or through the organization’s learning management system, or to post the link on the organization’s intranet page.
Keeping ahead of issues that may compromise the security or privacy of ePHI is an ongoing process. Keeping up-to-date on current trends and challenges and responding in effective ways to inform the workforce about malware can significantly increase the overall effectiveness of an organization’s compliance with the HIPAA Security Rule.