The Security Scrutinizer with Howard Anderson

Training: A Powerful Breach Preventer

Checking How Business Associates Train Staff

The Department of Defense, perhaps in reaction to the recent TRICARE military health program breach, has issued, in conjunction with two other agencies, a proposed rule that spells out requirements for contractors' employees to receive training on privacy protections. And it's time for all healthcare organizations to follow DoD's lead and check on the privacy training their business associates offer.

A lack of training seems to be one of the causes of many healthcare information breaches involving business associates. In the TRICARE incident, unencrypted computer backup tapes containing information on 4.9 million beneficiaries were stolen from the car of an employee of a contractor, Science Applications International Corp. Perhaps a refresher course on HIPAA compliance could have helped avert the mistake.

So when's the last time you asked your business associates for proof that they've trained their staff members on how to protect patient information? And do you know the details of their training programs, including how frequently refresher courses are offered?

The Department of Defense and two other agencies want to ensure that their contractors' employees are getting training on such issues as:

  • The handling and safeguarding of personally identifiable information;
  • Restrictions on the use of personally owned equipment to process, access or store personally identifiable information;
  • The prohibition against access by unauthorized users;
  • Breach notification procedures.

When it comes to the "handling" of personally identifiable information, training is desperately needed on how to safely transport backup tapes and other computer media to a secure storage location. After all, the TRICARE incident is one of several examples of tapes or hard drives being removed from a vehicle. In another major breach, New York City Health and Hospitals Corp. reported that computer backup tapes with information on 1.7 million patients were stolen from a business associate's unlocked truck.

Of course, transporting backup tapes would be less worrisome if the tapes were routinely encrypted.



About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



