Security Awareness Training

Security awareness training is required under both HIPAA and the Payment Card Industry Data Security Standard, the PCI-DSS. Yay, acronym. I'll put the exact citations in the notes because I see no reason to bore you with them in a spoken section, but I digress. Any employee, including dentists, should know how to handle protected health information, should know how to recognize signs of suspicious communications, should know how to identify people who should not be in the office space, as well as what steps to take in response, and what information should or should not be given to a caller. Now remember, compliance is a great starting point, but it's not enough to fully protect your network. If you're in compliance, that's great. You still don't want to get hit. Even if you're in compliance but still get hit, that's bad. So the goal here is secure, repeatable procedures.


That's what's critical. And security awareness training can be helpful because then everyone knows what they're supposed to do and that way the processes, procedures, whatever it is, will be done consistently because everybody knows what to do. Typical methods of doing this might be a class and this could be in person, which is always preferable, if possible. With videos, try and keep it to an hour or less just because even if it's as fun, as exciting as I tend to be, not everyone's going to really hold their attention for three hours talking about security. It doesn't matter if you have Robin Williams back from the dead delivering it. Eventually they're just going to run out of attention. You can also get articles, newsletters and security posters. There are sources where you can get that. You're obviously probably not going to want to generate that inside your office, but they should be easy to get either free or very inexpensively.


There's also what you'd call anti-phishing or social engineering training. I mentioned a bit earlier the idea of pentesting. That is often a related concept, where they're trying to trick their way into the network, and then you can train your people on how to react to these things and what to look for. One thing to always remember: you're training people, not robots. So make sure this stuff is actually interesting, as opposed to somebody looking down and reading from a sheet in monotone. So what are the areas you want to cover? There's really no particular set standard of "must cover these," but I'll give you a few which are generally a good idea to handle in a dental office setting. First and foremost, proper handling of PHI; phishing and spear phishing; other types of social engineering attacks; malware; what to do if there's a data breach; passwords, effectively, how to use them, how to secure them, etc.; how to secure mobile devices; how to properly use encryption; physical security for your office and for their individual devices. And finally, proper data disposal because, once again, it should be done properly, since improper disposal is a great way to get breached. And again, you can also bring in an outside vendor to do that for you. Just make sure it's recorded and you have a written contract detailing exactly what they're doing, so you can make sure it's done properly.

Security awareness training is required under:

  • HIPAA
    • The HIPAA Privacy Rule – 45 CFR § 164.530(b)(1)
    • The HIPAA Security Rule – 45 CFR § 164.308(a)(5)
  • Payment Card Industry Data Security Standard (PCI-DSS)
    • PCI-DSS 12.6

Employees (including dentists) should know:

  • How to handle PHI
  • How to recognize signs of suspicious communications
  • How to identify people who should not be in the office space, as well as what steps to take in response
  • What information should or shouldn’t be given to a caller, or shared in an email or online