What is the HIPAA Security Rule Security Awareness and Training Standard?

Modified on Thu, 31 Jul at 4:37 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

Introduction

This article discusses the HIPAA Security Rule's "Security Awareness and Training" standard, an administrative safeguard requirement. Training details are provided below.

What Does the Security Rule Security Awareness and Training Standard Require?


The HIPAA Security Rule requires covered entities and business associates to implement a series of administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.  The administrative safeguards contain a series of standards that covered entities and business associates must meet. One of these standards is called the Security Awareness and Training standard.

The Security Awareness and Training standard requires covered entities and business associates to implement a security awareness and training program for all members of their workforce, including management.

Here is the standard, as codified at 45 CFR § 164.308(a)(5):

(i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management).

(ii) Implementation specifications. Implement:

(A) Security reminders (Addressable). Periodic security updates.

(B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software.

(C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies.

(D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords.


To meet the standard, covered entities and business associates must implement a security awareness and training program for all members of their workforce, including management. The standard carries four implementation specifications: security reminders (periodic security updates); protection from malicious software (procedures for guarding against, detecting, and reporting it); log-in monitoring (procedures for monitoring log-in attempts and reporting discrepancies); and password management (procedures for creating, changing, and safeguarding passwords).

All four are marked "Addressable," which does not mean optional. Under 45 CFR § 164.306(d), an entity must assess whether each addressable specification is a reasonable and appropriate safeguard in its environment. If it is, the entity must implement it; if it is not, the entity must document why and implement an equivalent alternative measure where that is reasonable and appropriate.

What is the "Security Reminders - Periodic Security Updates" Specification?


Where this implementation specification is a reasonable and appropriate safeguard for a covered entity or business associate, the entity must implement periodic security updates.  According to HHS guidance, types of security reminders that covered entities may choose to implement may include (this list is not exhaustive):

1. Notices in printed or electronic form
2. Agenda items and specific discussion topics at monthly meetings
3. Focused reminders posted in affected areas
4. Formal retraining on security policies and procedures.

Covered entities and business associates should look at how they currently remind the workforce of current policies and procedures, and then decide whether these practices are reasonable and appropriate or if other forms of security reminders are needed. 

What is the "Protection from Malicious Software. Procedures for guarding against, detecting, and reporting malicious software" Specification?

One measure the workforce regularly needs reminding about is the security software that protects against malicious software. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity or business associate, it must implement "Procedures for guarding against, detecting, and reporting malicious software."


According to HHS guidance, malicious software can be thought of as any program that harms information systems, such as viruses, Trojan horses or worms; ransomware, which encrypts ePHI and holds it for payment, is the most common example today. As a result of an unauthorized infiltration, ePHI and other data can be damaged or destroyed, or at a minimum require expensive and time-consuming repairs. Malicious software is frequently brought into an organization through email attachments and programs downloaded from the Internet. Under the Security Awareness and Training standard, the workforce must be trained on its role in protecting against malicious software (for example, not opening unexpected attachments and reporting suspicious files promptly) and on the system's protection capabilities. Training must be an ongoing process for all organizations, because the threats and the protective tooling both change over time.

What is the "Log-in Monitoring - Procedures for monitoring log-in attempts and reporting discrepancies" Specification?

Security awareness and training should also address how users log onto systems and how they are supposed to manage their passwords. Where the Log-in Monitoring implementation specification is a reasonable and appropriate safeguard for a covered entity or business associate, the covered entity or business associate must implement: “Procedures for monitoring log-in attempts and reporting discrepancies.” 

According to HHS guidance, an inappropriate or attempted log-in is typically when someone enters multiple combinations of usernames and/or passwords in an attempt to access an information system. Many information systems can be configured to flag multiple unsuccessful log-in attempts; others record the attempts in a log or audit trail; still others lock the account or require a password reset after a specified number of unsuccessful attempts. Two practical points when tuning these controls: a lockout threshold set too low lets an attacker lock legitimate users out of the system simply by guessing wrong, and an attacker who tries one common password against many accounts (password spraying) never trips a per-account threshold, so failed attempts should also be counted per source address. If smaller covered entities or business associates are not using, or are not familiar with, their systems' capabilities for detecting these log-in attempts, they should contact their system vendor or read their application software manuals. Once the capabilities are established, the workforce must be made aware of how to use and monitor them, and of whom to report discrepancies to.
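To make the monitoring rules above concrete, here is an added example (not from the HHS guidance, this article, or any product) of the detection logic a small entity could run over its authentication log. The log format, thresholds, account names and addresses are all constructed for the example; real systems emit different formats, so the parser is the part to adapt. It goes beyond the per-account threshold the guidance describes by also counting failures per source address, which catches password spraying, and it reports a successful login that follows a burst of failures, since that is the discrepancy most worth escalating.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for the example; tune them to the system's risk analysis.
FAIL_THRESHOLD = 5               # failures for one account within WINDOW -> brute-force finding
SPRAY_ACCOUNTS = 5               # distinct accounts one source fails against within WINDOW
WINDOW = timedelta(minutes=10)   # sliding window over which failures are counted

# Constructed log format for the example (not a real product's format):
#   <ISO-8601 UTC timestamp> LOGIN result=<ok|fail> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) LOGIN "
    r"result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: a brute-force burst against jdoe that ends in a successful
# login, a password spray from 198.51.100.7, and a benign typo by kpatel.
SAMPLE_LOG = """\
2025-05-01T09:00:01Z LOGIN result=fail user=jdoe src=203.0.113.5
2025-05-01T09:00:04Z LOGIN result=fail user=jdoe src=203.0.113.5
2025-05-01T09:00:07Z LOGIN result=fail user=jdoe src=203.0.113.5
2025-05-01T09:00:10Z LOGIN result=fail user=jdoe src=203.0.113.5
2025-05-01T09:00:13Z LOGIN result=fail user=jdoe src=203.0.113.5
2025-05-01T09:00:20Z LOGIN result=ok user=jdoe src=203.0.113.5
2025-05-01T09:05:00Z LOGIN result=fail user=asmith src=198.51.100.7
2025-05-01T09:05:02Z LOGIN result=fail user=bchen src=198.51.100.7
2025-05-01T09:05:04Z LOGIN result=fail user=dlee src=198.51.100.7
2025-05-01T09:05:06Z LOGIN result=fail user=emartin src=198.51.100.7
2025-05-01T09:05:08Z LOGIN result=fail user=fgarcia src=198.51.100.7
2025-05-01T09:30:00Z LOGIN result=fail user=kpatel src=192.0.2.10
2025-05-01T09:30:15Z LOGIN result=ok user=kpatel src=192.0.2.10
this line is not an auth event and is ignored
"""


def parse_line(line):
    """Return a dict for an auth event, or None for lines that are not auth events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(lines):
    """Return findings as (rule, subject, detail) tuples, in the order they are detected."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    fails_by_user = defaultdict(list)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(list)    # src  -> (timestamp, user) of recent failures
    reported = set()                    # (rule, subject) already reported, to avoid repeats
    findings = []

    for ev in events:
        ts, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["result"] == "fail":
            # Per-account rule: the classic lockout/alert threshold.
            recent = [t for t in fails_by_user[user] if ts - t <= WINDOW] + [ts]
            fails_by_user[user] = recent
            if len(recent) >= FAIL_THRESHOLD and ("brute_force", user) not in reported:
                reported.add(("brute_force", user))
                findings.append(("brute_force", user,
                                 f"{len(recent)} failures within {WINDOW}, last from {src}"))
            # Per-source rule: one address failing against many accounts (password
            # spraying) never trips the per-account threshold, so count it separately.
            recent_src = [x for x in fails_by_src[src] if ts - x[0] <= WINDOW] + [(ts, user)]
            fails_by_src[src] = recent_src
            targets = {u for _, u in recent_src}
            if len(targets) >= SPRAY_ACCOUNTS and ("password_spray", src) not in reported:
                reported.add(("password_spray", src))
                findings.append(("password_spray", src,
                                 f"failures against {len(targets)} accounts within {WINDOW}"))
        else:
            # A success right after a burst of failures may mean the guessing worked.
            recent = [t for t in fails_by_user[user] if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", user,
                                 f"successful login from {src} after {len(recent)} recent failures"))
            fails_by_user[user] = []   # a successful login resets the account's counter
    return findings


if __name__ == "__main__":
    for rule, subject, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {subject:16} {detail}")
```

Running the file prints the three findings for the sample log (the brute-force burst, the success that followed it, and the spray); in practice the output would go to whoever the entity's reporting procedure names. A sliding window is used rather than fixed hourly buckets so a burst that straddles a bucket boundary is not missed.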

What is the "Password Management - Procedures for creating, changing, and safeguarding passwords" Specification?

The last addressable specification in this standard is Password Management. Where this implementation specification is a reasonable and appropriate safeguard for a covered entity or a business associate, the covered entity or business associate must implement: “Procedures for creating, changing, and safeguarding passwords.” 

According to HHS guidance, in addition to providing a password for access, entities must ensure that workforce members are trained on how to safeguard it. Covered entities and business associates must train all users and establish guidelines for creating passwords and for changing them. The HHS guidance refers to periodic change cycles; note that current NIST guidance (SP 800-63B) advises against forcing routine password changes and instead requires a change when there is evidence of compromise, so an entity should decide which approach it follows and document that decision.


What is the NIST Password Guidance?

The following points summarize the NIST SP 800-63B (Digital Identity Guidelines) recommendations for user-chosen passwords. NIST also recommends accepting long passphrases (at least 64 characters) and screening new passwords against a blocklist instead of imposing character-composition rules:

  • Use a minimum of eight (8) characters, with longer passwords being more secure
  • Disallow or do not use sequences or repetitive characters, such as “12345” or “aaaaa”
  • Disallow or do not use context-specific passwords, like the name of the site or company
  • Disallow or do not use commonly used passwords, such as “password123” and “12345678”
  • Disallow or do not use single dictionary words
  • Disallow or do not use passwords that have been compromised previously
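The NIST rules above can be enforced at the point where a password is set rather than left to training alone. The following is an added example (not part of this article or of any NIST or HHS publication) of a password checker implementing each rule. The blocklist, dictionary, breach corpus, organisation terms and the four-character run/sequence threshold are constructed for the example and far smaller than a real deployment would use. The compromised-password check looks the candidate up by the first five hex characters of its SHA-1, the same shape as the Have I Been Pwned range API, so the local table can be swapped for a real range query without ever sending the password itself.

```python
import hashlib
import re

MIN_LENGTH = 8          # NIST SP 800-63B minimum for user-chosen passwords
RUN_LENGTH = 4          # assumed threshold for "repetitive" and "sequential" characters

# Constructed, deliberately tiny lists for the example. A real deployment uses a
# large breach-derived blocklist and a full dictionary.
COMMON_PASSWORDS = {"password", "password123", "12345678", "qwerty", "letmein", "welcome1"}
DICTIONARY_WORDS = {"hospital", "password", "clinic", "doctor", "welcome", "summer"}
ORG_TERMS = ("compliancy", "hipaa")   # assumed context-specific terms (site/company names)

# Constructed breach corpus, indexed the way a k-anonymity range lookup is: the first
# five hex characters of the SHA-1 select a bucket, the remaining 35 identify the password.
_BREACHED_PLAINTEXT = ["Summer2019", "Welcome1!", "Passw0rd"]
BREACHED_BY_PREFIX = {}
for _pw in _BREACHED_PLAINTEXT:
    _digest = hashlib.sha1(_pw.encode("utf-8")).hexdigest().upper()
    BREACHED_BY_PREFIX.setdefault(_digest[:5], set()).add(_digest[5:])


def has_repeated_run(pw, n=RUN_LENGTH):
    """True if any character repeats n or more times in a row, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None


def has_sequence(pw, n=RUN_LENGTH):
    """True if n consecutive characters ascend or descend by one, e.g. '1234' or 'dcba'."""
    for i in range(len(pw) - n + 1):
        codes = [ord(c) for c in pw[i:i + n]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def is_breached(pw):
    """Look the password up by SHA-1 prefix, then match the suffix within that bucket."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[5:] in BREACHED_BY_PREFIX.get(digest[:5], set())


def check_password(pw, username, context_terms=ORG_TERMS):
    """Return the list of NIST rules the candidate fails; an empty list means accept."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if has_repeated_run(pw):
        reasons.append("repeated_characters")
    if has_sequence(pw):
        reasons.append("sequential_characters")
    # Context-specific: the username or an organisation term anywhere in the password.
    if any(term.lower() in low for term in (username, *context_terms) if len(term) >= 4):
        reasons.append("context_specific")
    if low in COMMON_PASSWORDS:
        reasons.append("common_password")
    # A dictionary word with only digits/punctuation appended is still a single word.
    if re.sub(r"[^a-z]+$", "", low) in DICTIONARY_WORDS:
        reasons.append("single_dictionary_word")
    if is_breached(pw):
        reasons.append("previously_compromised")
    return reasons


if __name__ == "__main__":
    for candidate in ["password123", "aaaaa1234", "Compliancy2025", "Summer2019",
                      "short1", "quiet-ledger-maple-orbit-42"]:
        verdict = check_password(candidate, username="jdoe")
        print(f"{candidate:30} {'accepted' if not verdict else ', '.join(verdict)}")
```

check_password returns an empty list when the candidate is acceptable and otherwise every rule it failed, so the user can be told exactly why a choice was rejected. The check runs on the plaintext before the password is hashed for storage, so the calling code must never log the candidate or the failure details alongside it.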

Additional measures include: 

  • Do not share passwords with others
  • If you suspect that your password has been compromised, change your password immediately and report the incident
  • Do not reveal passwords over the phone or via email
  • Do not provide password hints
  • Do not use another user’s username and password
  • Do not write down usernames and passwords
