
Are you missing this crucial HIPAA compliance measure?

By The Glatfelter Team on September 6, 2019

Help protect your organization and your patients’ data with cybersecurity training

The Health Insurance Portability and Accountability Act (HIPAA) affects nearly every healthcare provider, insurer and business associate in the country. In the early days of HIPAA, compliance was largely a matter of manual controls: privacy agreements, office policies and lots of paperwork. In the twenty-three years since the law was enacted, compliance has become considerably trickier.

As more healthcare organizations turn to technology to store and manage medical information, threats to patient privacy have grown. The number of patients affected by data breaches in 2019 has already doubled last year's record high.

As cyber criminals have stepped up their activity, the HHS Office for Civil Rights (OCR) has stepped up enforcement, reporting an all-time record for HIPAA settlements and penalties in 2018. Caught between the threat of a breach and the threat of enforcement, healthcare organizations are bolstering their digital defenses and spending more on cybersecurity than any other industry.

Yet Business Insider reports that "cybersecurity is no longer the top priority for industry leaders." Many providers simply can't keep up with the technology and tactics criminals use, or with the rising fees cybersecurity firms charge. One of the most cost-effective measures is also one of the simplest: training.


Why is cybersecurity training important in the healthcare industry?

Traditionally, HIPAA compliance training has focused on preventing internal breaches, such as employees releasing confidential patient information. With cyberattacks now causing more than 60% of all data leaks, the focus needs to widen to external threats as well. A recent report in Security Magazine found that nearly a quarter of healthcare workers in the U.S. have "never received cybersecurity training from their workplace."

Cybersecurity training cannot protect against every threat, but combined with other reasonable safeguards it reduces the risk of a data breach and supports HIPAA compliance. Training gives staff the knowledge to recognize threats, and HIPAA's Security Rule lists Security Awareness and Training as a required administrative safeguard standard (45 CFR 164.308(a)(5)).


Areas of focus for cybersecurity training



Cyber criminals rely heavily on email fraud. The number of phishing attacks and fraudulent emails targeting the healthcare industry has increased more than 470% in the past two years. These emails typically appear to come from a legitimate source and request sensitive information. Criminals have even sent emails impersonating OCR and asking recipients to click a potentially harmful link.

There are technical measures your organization can take to keep these emails out of staff inboxes, such as spam filtering, attachment scanning and email authentication (SPF, DKIM and DMARC). But it only takes one message slipping past those defenses to put your network at risk.

If an employee opens an email and clicks on a link, downloads an attachment, or replies with sensitive information, your patients’ data could be compromised. Cybersecurity training can help your staff better identify fraudulent emails and know what actions to take when confronted with an attack.

Train staff to scrutinize suspicious emails by looking for these common red flags:

  • Misspelled or look-alike sender domains, or a display name that doesn't match the actual address
  • A Reply-To address that differs from the sender
  • Urgent requests for patient information, money or gift cards
  • Threatening language (legal action, penalties, account suspension)
  • Unexpected attachments or links
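The checklist above is what a human reader applies; the same red flags can be run mechanically over a message before it reaches a clinician's inbox. The script below is an added example, not part of the original post and not a Glatfelter tool. It parses an RFC 5322 message with Python's standard email library and reports each red flag it finds: a sender domain that imitates a trusted one (brand stem embedded in a stranger's domain, or a one- or two-character misspelling), a mismatched Reply-To, urgency or threat wording, requests for sensitive data or payment, links to untrusted hosts, and risky attachment types. The trusted-domain list, the keyword lists and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains this (hypothetical) clinic legitimately corresponds with.
# Assumed for the example; a real deployment would feed this from the mail gateway.
TRUSTED_DOMAINS = {"hhs.gov", "example-clinic.org"}

# Keyword lists are illustrative and would be tuned for a real environment.
CHECKS = [
    ("urgency", re.compile(r"\b(immediately|urgent|within 24 hours|final notice|act now)\b", re.I)),
    ("threat", re.compile(r"\b(legal action|penalt(?:y|ies)|terminated|suspended|fined)\b", re.I)),
    ("sensitive-request", re.compile(
        r"\b(gift cards?|wire transfer|patient (?:records?|data)|passwords?|social security)\b", re.I)),
]
RISKY_EXT = (".exe", ".js", ".scr", ".zip", ".iso", ".docm", ".xlsm", ".html")


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(domain):
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is genuine
    or simply unrelated. Catches hhs-gov-notice.com (brand stem embedded in a
    stranger's domain) and hss.gov (misspelling). The distance threshold of 2 is
    generous on purpose; short domains may need a tighter one."""
    d = domain.lower()
    if is_trusted(d):
        return None
    for t in TRUSTED_DOMAINS:
        stem = t.split(".")[0]
        if stem in re.sub(r"[-_.]", "", d) or _edit_distance(d, t) <= 2:
            return t
    return None


def triage(raw):
    """Run the red-flag checklist over one raw RFC 5322 message.
    Returns a list of (flag, detail) pairs; an empty list means nothing tripped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    target = lookalike_of(sender_domain)
    if target:
        flags.append(("lookalike-sender", f"{sender_domain} imitates {target}"))

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain.lower():
        flags.append(("reply-to-mismatch", reply_to))

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    for name, pattern in CHECKS:
        hit = pattern.search(text)
        if hit:
            flags.append((name, hit.group(0)))

    for host in re.findall(r"https?://([\w.-]+)", text):
        if not is_trusted(host):
            flags.append(("link", host))

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(RISKY_EXT):
            flags.append(("attachment", filename))
    return flags


def build_sample(from_hdr, subject, body, reply_to=None, attachment=None):
    """Build a constructed sample message in memory for the example."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "frontdesk@example-clinic.org"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip", filename=attachment)
    return m.as_bytes()


# Constructed samples: an OCR-impersonation phish and a harmless internal note.
PHISH = build_sample(
    '"HHS Office for Civil Rights" <compliance@hhs-gov-notice.com>',
    "URGENT: HIPAA audit - respond within 24 hours",
    "Your facility is under investigation.\n"
    "Send the requested patient records immediately\n"
    "or face legal action and penalties.\n"
    "Review the notice: http://hhs-gov-notice.com/audit\n",
    reply_to="ocr.audit.desk@webmail-example.net",
    attachment="audit_notice.zip",
)
BENIGN = build_sample(
    '"Records Department" <records@example-clinic.org>',
    "Staff lunch on Friday",
    "Lunch is at noon in the break room. Reply with your pizza topping.\n",
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

Run as a script it prints the flags for both samples; the phish trips every category and the internal note trips none. The look-alike check is deliberately crude (substring of the brand stem plus edit distance) and will produce false positives on domains that legitimately share a word with a trusted one, which is fine for a triage hint but not for automatic blocking.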



The Security Rule specifically calls out password management (45 CFR 164.308(a)(5)(ii)(D)) as an area to address in security awareness training. Weak or reused passwords leave your patients' data and your network exposed. Train employees on password best practices, including:

  • Never sharing passwords with anyone, including supervisors or IT staff
  • Never reusing a work password on any other site or service
  • Using a password manager rather than writing passwords down; the sticky note on the monitor is the failure mode training should target
  • Changing a password promptly whenever compromise is suspected. Note that NIST SP 800-63B (2017) no longer recommends routine rotation on a fixed schedule, such as every six months, because forced changes tend to produce predictable variations of the old password
  • Favoring length over complexity rules: a passphrase of several unrelated words resists guessing better than a short string of letters, numbers and symbols



The modern healthcare office relies on portable technology such as smartphones, laptops and tablets. Each device can be a gateway into your network, and therefore a target for cyber criminals. Train employees to keep these devices safe: lock or sign out of a device whenever it is unattended, report a lost or stolen device immediately, and keep an accurate inventory. Full-disk encryption matters here as well, since under HIPAA's breach notification rule, PHI that was properly encrypted is not considered "unsecured," so a lost encrypted laptop is far less damaging than a lost unencrypted one. USB flash drives have also become a popular way for criminals to get into networks, so teach staff to be wary of thumb drives from unknown sources and never to plug them in.


Keep training all year long

To be most effective, training, like risk assessment, has to be continual. In hectic environments employees forget or skip best practices, and cyber criminals are always refining their tactics. Short, regular refreshers and simulated phishing exercises keep cybersecurity top-of-mind better than a single annual session, and help staff adapt to new scammer techniques.




Cybersecurity can't drop off administrators' radars. Data breaches and HIPAA enforcement actions continue to hit both small and large healthcare organizations, and neither is going away any time soon. Make sure your staff have the resources and tools to recognize threats by providing up-to-date cybersecurity training to every member of your team.

Even with the best defenses, data breaches can happen. In the event that your healthcare agency is attacked, be sure that you are protected with cybersecurity liability insurance.



The Glatfelter Team

When this team of rockstars isn't immersed in the process of researching how to reduce the risks your organization faces, we share stories of our pets, kids and favorite pizza toppings—on the daily.


The information contained in this blog post is intended for educational purposes only and is not intended to replace expert advice in connection with the topics presented. Glatfelter specifically disclaims any liability for any act or omission by any person or entity in connection with the preparation, use or implementation of plans, principles, concepts or information contained in this publication.

Glatfelter does not make any representation or warranty, expressed or implied, with respect to the results obtained by the use, adherence or implementation of the material contained in this publication. The implementation of the plans, principles, concepts or materials contained in this publication is not a guarantee that you will achieve a certain desired result. It is strongly recommended that you consult with a professional advisor, architect or other expert prior to the implementation of plans, principles, concepts or materials contained in this publication.

This blog post may contain the content of third parties and links to third party websites. Third party content and websites are owned and operated by an independent party over which Glatfelter has no control. Glatfelter makes no representation, warranty, or guarantee as to the accuracy, completeness, timeliness or reliability of any third party content. References to third party services, processes, products, or other information does not constitute or imply any endorsement, sponsorship or recommendation by Glatfelter, unless expressly stated otherwise.
