Buck Bond Group
Building a security culture for HIPAA-regulated entities

Threats to the security and privacy of health-related data are greater than ever today. Malicious actors are always finding new ways to steal data and break into computer systems, while the basic level of security awareness among employees has not kept pace. Many organizations are diligent about conducting security training, but according to a recent ProofPoint survey, these initiatives don’t reach every employee.

In order to keep up with cyber threats and comply with the HIPAA Security Rule, the following key practices can help your organization address some of the most pressing online dangers your employees may face:


The most important thing you can do is educate your employees on proper security and privacy practices. No matter how good your technology and security tools are, if your employees are untrained and don’t know how to use them, data will be lost, left unencrypted, or sent to the wrong people and places. And don’t forget about phishing training – deliberate anti-phishing exercises should be included in every comprehensive employee security training program.


Authentication is how you, your participants, clients, and business partners electronically identify themselves and prove their identity. Recently the Office for Civil Rights highlighted the importance of authentication. Most data theft starts with someone sneaking into a protected electronic system by stealing or guessing a password, or by tricking an employee into revealing a password through a phishing email.

If you’re not using it already, you need to seriously consider using multi-factor authentication (MFA) to protect your data and systems. Multi-factor authentication is widely used today and is available in many forms. With MFA, a malicious actor has to know a password and also have control of a second device to get into your systems. Implementing MFA gives you a vastly more secure level of protection than passwords alone.


Encryption is another technology that is not new, not very expensive, and provides great protection when laptops, disks, mobile phones, or thumb-drives are lost or stolen, as they inevitably will be. Encryption is challenging for some people to use, and takes a little extra time, so unfortunately some organizations do not properly or completely implement it. However, you can’t afford not to encrypt and the rule is simple – “if it is sensitive, encrypt it.”

Taking security and privacy seriously

Since HIPAA’s inception, the Office for Civil Rights (OCR) has investigated and resolved over 30,000 cases of HIPAA infractions and settled or imposed civil monetary penalties amounting to over $135 million. If you read the details, the penalties were levied primarily because organizations did not take HIPAA seriously.

Hire professionals – getting outside advice can often make a huge difference. In writing about the HIPAA Risk Assessment, Steve Alder of the HIPAA Journal states: “Reasonably anticipated threats are any threats to HIPAA compliance that are foreseeable. These not only include threats from external bad actors, but also threats originating from human error or a lack of knowledge due to a lack of training.”

The Journal points out that HIPAA consultants are useful “sometimes just to review policies and strategies in order to identify any gaps or areas in which compliance efforts could be improved. The Privacy and Security Rules are particularly complex, and a fresh pair of eyes can often see things that a team of legal experts overlooks.”

Prudent organizations would do well to work with a trusted partner to obtain an operational review that verifies three things: that security policies and procedures are being followed as written, that employees with access to Protected Health Information/electronic Protected Health Information (PHI/ePHI) are following the “dos and don’ts” of their security training, and that the organization has the required safeguards in place and functioning as intended.

A growing concern

Healthcare cybersecurity is a growing concern. IT security incidents are on the rise, making it imperative for HIPAA-regulated entities to defend their networks and keep malicious actors at bay. The best approach is to foster a security culture within your organization that includes robust training, security tools, and a security infrastructure that protects your data.