Core security and privacy training content often falls short of good practice. Sometimes, the information security officer and privacy officer do not have the resources to create robust content. Furthermore, organizations often limit training time to avoid any impact on productivity. However, providing incomplete information is short-sighted. An inadequately trained workforce is more likely to directly or indirectly cause regulatory violations and breaches.
Completing a risk analysis can be a tall order for most organizations. A significant amount of work is required before the risk analysis can even be started—and more work must be done afterward to address the vulnerabilities identified by the risk analysis.
Healthcare organizations are facing challenging times. Shifting reimbursement models and the uncertainty surrounding federal programs may cause organizations to tighten their spending. Every department—from clinical to security—can feel the pinch as leadership prepares to weather the bumpy road ahead.
Auditing of technical controls is increasingly important as both the level of use and the technical sophistication of applications, hardware, and networking increase.
If your organization is regulated by HIPAA, either as a covered entity (CE) or as a business associate (BA), you probably started a HIPAA training program years ago when the privacy and security rules mandating training were published. Whether old or recently created, your training program may not have met reasonable expectations to begin with. Now may be a good time to review, refresh, and refine that program to take it to a new level.
As healthcare organizations navigate an increasingly complex regulatory environment, leaders at various levels—particularly HIM, release of information (ROI), compliance, finance, health information technology (HIT), privacy, and security—face unprecedented challenges.