Healthcare information security

Security Awareness for Healthcare Facilities

September 27, 2016 by Aroosa Ashraf

Every day cyber-attackers are compromising our digital identities. The threats are growing more sophisticated with each passing day, and new ways of stealing health information keep evolving. Each year, millions of records are exposed through cyber-crime, and criminals use them in a variety of illegal activities. Medical information receives particular attention from these criminals because its useful lifespan is longer than that of other data, such as credit card details.


Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

A health care data breach not only harms the organization, both financially and reputationally, but also poses a serious threat to the patients whose data were disclosed, primarily because of the sensitive nature of the information.

Patient identities can be stolen directly from health care organizations, from insurance companies serving the health care industry, or from any other organization involved in managing medical information. The breach report published by Redspin, a cyber-security company, revealed that since 2009 over 30 million Americans have been affected by a health care data breach, whether accidental or intentional. Major breaches of medical records (protected health information, or PHI) have affected more than 113 million patient records.

Considering the migration in recent years from paper-based medical records to electronic health records, these figures are not surprising. More and more health care organizations are adopting electronic health record systems, as the government has encouraged the transition by offering attractive incentives to adopt them.

In these contexts, the strategy of preventing crime is a key concept of the healthcare protection system. Involvement and participation of employees in security awareness activities can be one of the most cost-effective components of the healthcare protection program. The protection level of a medical care facility is directly related to the extent to which employees participate in the security effort. A primary function of any protection system is to educate, stimulate, and motivate the first-line protection resource: employees, physicians and volunteers. Using input from the healthcare staff, physicians, visitors, and patients, an employee-involved security awareness program adds eyes and ears to the security effort.


Security Awareness and Employee Training Essential to Healthcare Professionals

A primary responsibility of any protection system is to educate, stimulate, and motivate the first line of security resource: employees, physicians and volunteers. The security level of a medical care facility is directly related to the extent to which employees participate in the security effort.

The entire staff of an organization must understand their roles as a part of providing a safe and secure environment. They must actively practice good security awareness and appropriate security actions every day. This requires that the staff be given clear direction and sufficient training and education. Security training should begin the first day on the job and continue throughout the individual’s employment at regular intervals.

A comprehensive security program includes a process of education, training, and motivating persons to be security aware. Being security aware and adhering to good security practices can prevent and reduce security problems. While much of this educational effort is directed to staff, all employees should be aware of their responsibilities regarding providing the various educational activities. For example, the security department may be responsible for new employee security training, or it may be the human resources department or safety officer. Another example is the requirement for staff training relative to security in designated security sensitive areas. Is this training the responsibility of the area supervisor or is it accomplished by the security department? Who develops training material? Where and how are the training records maintained?

The typical security program will involve a variety of departments in employee security training. The security department should provide the coordination, education, and consulting to blend all these efforts into the overall unified security training program.

Security Training Programs Specific to Departments 

Healthcare organizations are traditionally heavily involved in a continuous program of in-service education. Security administrators should take advantage of every opportunity to involve protection services in these educational programs, through departmental meetings or small group discussions. At one medical center, the entire workforce is exposed to a general in-service program on a quarterly basis.

Security training for general staff can be provided by various entities, including human resources, security administrators, clinical/nonclinical education departments, safety, emergency preparedness, or risk management personnel. The local police department can also be a good resource for smaller healthcare facilities.

Personal Safety Classes

Special classes provide another opportunity to tell the protection story. Because medical care facilities employ a predominantly female workforce, personal safety and self-defense classes remain popular. A broad range of security information can easily be included in such classes. Hosting a regular series of these programs helps employees become aware of security concerns and of the appropriate responses to them.

Employee awareness activities for crime prevention

Professional security administrators must seek new ways and new opportunities to communicate with employees. This activity yields a high return for the time and money expended. There are various methodologies, outside of direct education, that the healthcare security program can use to solicit the assistance of staff members as well as increase their awareness of security-related issues. These components include healthcare facility newsletter submissions, security handouts and pamphlet distribution, departmental websites and seasonal and time sensitive e-mail broadcasts, security fairs, “Be on the Lookout” communications, and other methods to communicate the security awareness/employee involvement message.


Using Websites and E-Mails 

Security events or information relevant to the entire campus can be shared via a link to the healthcare organization’s internal website or via an e-mail distribution list. A dedicated protection program website can be used to:

  • Remind employees how to report a security incident or suspicious activity.
  • Keep the healthcare community abreast of new developments/improvements made in the security program.
  • Help prepare employees for upcoming joint commission surveys and potential security-based questions frequently asked by surveyors.
  • Identify and report on specific security department performance standards, goals and improvement initiatives.
  • Provide answers to frequently asked questions in the security program.
  • Present status reports on security initiatives that are being carried out in the facility.
  • Describe the role and responsibility of each employee with the hospital in respect to maintaining a safe and secure environment.
  • Provide a calendar of security-awareness education programs offered and when.
  • Establish links to community resources related to security and crime prevention, and other criminal justice-related agencies and materials.
  • Make the employees understand the necessity of data protection and the consequences of data breach.

Use of Social Media

Security programs are beginning to realize the benefits of social media platforms such as Twitter, Facebook, and LinkedIn. Just as many of the organizations they serve have embraced these media as vehicles for staff, industry, and community engagement, so too have the programs and services within those organizations.

Other Considerations to Spread Security Awareness

Other methods used to keep security issues front and center in the healthcare environment include town hall meetings organized by administrative or nursing leadership. Participating in these meetings gives security leadership an opportunity to highlight specific information and address issues directly.

Employee Attitudes and Safety Perception 

Healthcare organizations have found it extremely important to determine employee attitudes that concern their work environment. A positive attitude of support and appreciation of the security effort is essential to providing a safe and secure environment. A common method to assess such employee attitudes is to hire an outside firm that specializes in employee surveys. These firms generally use standard questions, but allow the organization being surveyed to develop some specific attitude questions. When security questions are used in these surveys, they should be very specific. If a survey produces a slightly positive or a neutral response, it should be considered good, because many employees have been victims of events or have a general disregard for the authority security represents.

How Often Health Workers Should Be Trained

Security awareness is an ongoing process, and every employee should complete the security awareness program before performing any duties. Employees should be updated regularly about new threats and security concerns. The security awareness program should never be considered finished; thorough awareness training must be repeated at regular intervals.


Surveying employee attitudes and providing security awareness training must be an ongoing endeavor. Security awareness programs for healthcare employees should be supplemented with security incident reports and security condition reports for later use, as well as survey forms for those who experienced a specific service or incident.

Security concerns should, however, never disrupt the primary function of a hospital, which is the treatment of patients. The security solution should be customizable and proactive. Before evaluating security solutions, health care organizations should brief the security providers on the hospital facilities, working environment, neighboring environment, visitor and patient profiles, and other relevant aspects. This information is essential for successful implementation of a security plan covering staff training, access point locations, physical security, visitor procedures, and integration of technologies.


Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She graduated in 2013. She is an experienced researcher and technical writer and, for the last 4 years, has been working as a writer on different platforms. Currently, she writes technical and non-technical articles for her national and international clients.