The Security Scrutinizer with Howard Anderson

Training: A Powerful Breach Preventer Checking How Business Associates Train Staff

A lack of training seems to be one of the causes of many healthcare information breaches involving business associates. In the TRICARE incident, unencrypted computer backup tapes containing information on 4.9 million beneficiaries were stolen from the car of an employee of a contractor, Science Applications International Corp. Perhaps a refresher course on HIPAA compliance could have helped avert the mistake.

So when's the last time you asked your business associates for proof that they've trained their staff members on how to protect patient information? And do you know the details of their training programs, including how frequently refresher courses are offered?

So when's the last time you asked your business associates for proof that they've trained their staff members on how to protect patient information? 

The Department of Defense and two other agencies want to ensure that their contractors' employees are getting training on such issues as:

  • The handling and safeguarding of personally identifiable information;
  • Restrictions on the use of personally owned equipment to process, access or store personally identifiable information;
  • The prohibition against access by unauthorized users;
  • Breach notification procedures.

When it comes to the "handling" of personally identifiable information, training is desperately needed on how to safely transport backup tapes and other computer media to a secure storage location. After all, the TRICARE incident is one of several examples of tapes or hard drives being removed from a vehicle. In another major breach, New York City Health and Hospitals Corp. reported computer backup tapes with information on 1.7 million patients were stolen from a business associate's unlocked truck.

Of course, transporting backup tapes would be less worrisome if the tapes were routinely encrypted.



About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network