What are healthcare organizations doing with new employees to safeguard data?
Many workplaces today are subject to governmental or industry regulation, or both. In some industries, such as healthcare, there are legal obligations requiring that new employees be informed about and trained on information security.
The HIPAA Security Rule (45 CFR § 164.308(a)(5)) requires every covered entity and business associate in the US healthcare sector to implement a security awareness and training programme for all members of its workforce, including management. In the UK, similar policies exist separately for England, Scotland and Wales. It was therefore surprising to find in our research that 29% of healthcare professionals in the US and 48% in the UK had not received any security training.
To take security training beyond the baseline delivered during onboarding, it is sensible to make adherence to security policies a term of the employment contract. This places a clear responsibility on the employee and establishes accountability if they act to subvert a policy. However, the research showed that only 57% (US) and 50% (UK) of healthcare professionals had formal agreement to security policies written into their contracts.
Presenting a security policy to new starters at all is another fundamental step. Around 56% (US) reported seeing a security policy when they started their job, but only 31% (UK) did. Similar proportions said they were asked to sign it, suggesting that where a policy is shown, formal agreement to it is expected. Formal agreement to a policy is a requirement in NHS England and NHS Scotland, and under HIPAA.
A further recommended step with new staff is to perform background checks before employment begins. When respondents were asked whether their employers ran background checks on prospective employees, the practice appeared more common in US healthcare organisations (60%) than in the UK (49%).