PRIVACY + SECURITY BLOG

News, Developments, and Insights

high-tech technology background with eyes on computer display

6 Reasons to Visit the TeachPrivacy Booth at the IAPP Summit 2016

TeachPrivacy privacy and security awareness training 03 IAPP

Please stop by the TeachPrivacy booth at the expo at the IAPP Summit.

 

1. Play our new game. 

See if you can spot all the privacy and data security risks in this scene.  Pick up a copy of the scene, see our poster, and try out our interactive module.

Continue Reading

New Privacy and Security Awareness Training Programs

security awareness training

I created some new training programs last year, and here are some of the highlights:

Security Training Malware -- Ransomware Attack

The Ransomware Attack (~5 mins)

This short program (~5 minutes) consists of an interactive cartoon vignette about malware.  The program is highly interactive, and trainees engage with a scenario involving ransomware. Although this program involves ransomware, the lessons it teaches apply broadly to all malware.  The program focuses on how to avoid having malware installed on one’s computer and what to do (and not to do) if this ever happens.

Module Lifecycle of Personal Data 01

The Life Cycle of Personal Data (~ 15 mins)

This privacy awareness training course (~ 15 minutes) is a highly-interactive overview of privacy responsibilities and protections regarding the collection, use, and sharing of personal data.  The course has 8 quiz questions. The course tracks the life cycle of personal data, starting from when it is collected or created. The course concludes with a discussion of data retention and destruction.

Continue Reading

3 Types of Incidents Account for 86% of HIPAA Data Breaches

HIPAA Data BreachA new report by Verizon, the PHI Data Breach report, analyzes 1,931 data breaches of protected health information (PHI) under HIPAA,  The incidents occurred between 1994 and 2014, with most occurring from 2004-2014.  An article from Computer World sums up the findings of the report.

Verizon 2016 Healthcare ReportOne interesting statistic is that 392 million PHI records were compromised in these breaches, more than the entire population of the United States.

The report notes that 3 types of incident account for 86% of the data breaches:

(1) Lost or stolen portable electronic devices

(2) Sending records to the wrong individual

(3) Improper access to PHI by employees

What do these things have in common?

These are problems that deal with the human factor.  The problems are preventable, and the risk of them can be significantly reduced through training.

To train on these things, organizations must do more then merely say: “Be careful” or “Do not do.”  The training must have an impact on people.  And education is most effective with repetition. People must be repeatedly educated, over and over again.

Continue Reading

Is HIPAA Enforcement Too Lax?

title

By Daniel J. Solove

ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.

A Sustained and Vigorous Critique of OCR HIPAA Enforcement

A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”

Continue Reading

The Value of HIPAA Training

HIPAA Training

HIPAA expert Rebecca Herold offers a very compelling explanation of the value of HIPAA training.  She writes:

Information security and privacy education is more important than ever because new gadgets and technologies enable more healthcare workers to collect and share data.

In September 2015, Cancer Care Group agreed to settle HIPAA violations by paying a $750,000 fine and adopting a “robust corrective action plan to correct deficiencies in its HIPAA compliance program.” One of the major requirements for Cancer Care Group was to review and revise its training program, because the breach was caused by an easily preventable employee action (leaving a laptop with clear text files of 55,000 patients in an unsecured car).

Training needs to be more than once a year, and as soon as, or prior to, the start of employment. There also need to be ongoing awareness communications and activities, as required by HIPAA.

Every organization of every size needs to invest some time and resources into regular training and ongoing awareness communications. Besides being a wise business decision, it’s also a requirement in most data protection laws and regulations to provide such education.

To this, all I can say is: Amen.

Rebecca is the author of several great resources on HIPAA, including The Practical Guide to HIPAA Privacy and Security Compliance.

Rebecca Herold Practical Guide to HIPAA

Continue Reading