Security Awareness & Training: Training

Goal: Describes elements of the organizational program for regularly providing appropriate security training and awareness to its employees.

The purpose of this policy is to ensure that an adequate information security awareness training program is developed and administered by the Security Manager.

Procedure: All employees are provided security training regarding the vulnerabilities of the health information to ensure the protection of that information. Employees are trained to understand their privacy and security responsibilities and make security a part of their day-to-day activities. Privacy and security of health information is provided as a part of general orientation with periodic user reminders. Employees are educated regarding confidentiality policies and password management.

• All members of the workforce, including temporary staff, students and volunteers, will receive training in the policies and procedures that apply to their jobs, including maintenance of the privacy and security of ePHI. Training sessions will include the following:
  • Awareness training: threats to the privacy and security of ePHI, how failure to protect against these threats can harm individuals, and the importance of each member of the workforce in the privacy and security posture of the organization.
  • Details of applicable policies and procedures: how privacy and security policies affect the job of each member of the workforce, and how they define what is expected of each of these workers.
  • Periodic reminders about current security trends or issues such as computer viruses.
  • Timely information about changes in policies and procedures.
  • Importance of timely application of system patches.
  • Testing: to measure comprehension and retention of the material.
  • In-house training resources.
• New members of the workforce will receive training as part of orientation to their jobs within 10 days of joining the workforce.
• All members of the workforce will receive additional training as policies and procedures are changed, to the extent that the changes affect their jobs. Continuing education programs shall include annual formal class sessions, and periodic reminders, alerts, and distribution of other written materials.
• Attendance at training sessions will be documented to demonstrate that each member of the workforce has received training in accordance with this policy. The documentation must be retained for seven years.
• Initial and continuing education programs are evaluated for learner achievement, relevancy of content, and effectiveness of instructional delivery.
• Security user manual is distributed and policies explained to all employees.
• All system users are instructed in the proper use of information systems according to their job tasks.
• Each system user is required to sign a confidentiality agreement and a statement that they have read, understand, and agree to comply with the security policies and procedures.
• Confidentiality agreements are updated and signed on an as needed basis.
• Security topics shall be reinforced during routine staff meetings.