[Transcript] Episode 428: How to Manage Security Reminders for Your Team

 

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello, and welcome to Episode 428: How to Manage Security Reminders for Your Team.

 

Liath Dalton 

This is going to hopefully be a really helpful episode for folks, because one of the administrative standards under the HIPAA Security Rule is not just that you have to train your workforce on your policies and procedures. And as we’ve talked about in other PCT podcast episodes, it’s very supportive to have those foundational conceptual framework trainings as well to to assist with folks understanding the why and the what of your specific policy and procedure contents.

 

Liath Dalton 

But in addition to that, there is this requirement that you be providing periodic security reminders to your team, and that it doesn’t actually provide a huge amount of specificity as to what these reminders need to consist of, or what the best sources for them are. So this is a question that we field not infrequently.

 

Liath Dalton 

And so we thought, let’s tackle this directly and provide a good collection of resources to assist you in meeting this standard in a way that’s not onerous. And is just generally supportive of of optimizing your practices, overall security and risk management program and processes.

 

Liath Dalton 

So the kind of primary resources that we ourselves utilize, are the OCR, that’s the Office of Civil Rights, who are the HIPAA regulators, their listserv. And that provides for kind of current topical updates about the HIPAA compliance and regulatory landscape changes to any HIPAA rules, as well, as you know, sometimes breach updates. If there’s a large breach, they’ll include a notice about what that breach was and kind of lessons learned from it, which then becomes very useful. So in the shownotes, we will be linking to where you can sign up for the OCR’s listserv.

 

Liath Dalton 

And then another resource that’s really fantastic is Health IT Securities newsletter, and they have an entire kind of news feed thread around HIPAA compliance and regulation and cybersecurity in general. And so that will contain issues or notices and guidance around kind of current cybersecurity risks and developments in this space that folks should be aware of. So those are kind of two I would identify primary, as as primary sources for security reminders to draw on.

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

And then we also have created and curated some security reminder resources for you that are intended to draw on the foundational clinical staff and admin staff HIPAA and privacy ethics trainings. And the way we formatted them is in the meme form. I like to call them mememinders. But basically, it’s a fun and engaging way to highlight an important topic or concept or behavioral practice.

 

Liath Dalton 

Like, how to avoid phishing attempts or the importance of strong and unique passwords or let lending out your device, that sort of thing. And basically, we’ve set it up to be as easy and streamlined as possible for you, or whoever is wearing the security officer hat in your practice. What does that look like Evan?

 

Evan Dumas 

Yeah, well, you sign up for our little security reminders, and you say if you’re a solo practice or group practice, because they’re a little bit tailored. And then, is it like every few weeks or so like, what’s the duration? Yeah, they come out about every few weeks, and you get a little selection of cute memes. And they’re little static images with a bit of text, and you can freely use them to send out to your team to act as a security reminder without having to come up with something clever, we do it for you. And they are just like little snippets that, you know, might as might as well try to make HIPPA less officious and bureaucratic and a little bit more fun.

 

Liath Dalton 

Exactly. And with that, basically, you will receive those in your inbox or your security officer, if you’re delegating that role, can sign up for them. And then when they are received, they can then be forwarded to your team and then right there in your inbox, and sent message history, you have the documentation of having provided security reminders and complying with the standard.

 

Liath Dalton 

Because one of the important notes about security reminders is that covered entities have to document the security reminders that they implement. So it should include, or could include, the type of reminder, its message and date it was implemented.

 

Liath Dalton 

For folks who are utilizing PCT’s HIPAA security policies and procedures and manuals and forums and logs and such that’s provided in the group practice materials set, one of the logs includes a spot, your workforce management log, includes a spot for documenting the security reminders, as well. So just note that part.

 

Liath Dalton 

And then we in addition to those meme reminders, we also have some security awareness training posters, digital posters, that you can utilize, and those specifically correspond to the content and topics of our sort of three mini course security awareness training, which is also assignable to staff and provides a good basis for for folks to be aware of kind of the most consistently present and risky cybersecurity attacks that we see where vulnerabilities are present, around like phishing, social engineering, which we’re seeing more and more in the news every day, I don’t think I’ve visited any of my financial institutions websites recently, without there being a big pop up or banner alerting to current spoofing or phishing notices. So that’s just kind of the reality of the modern landscape.

 

Liath Dalton 

And so something that folks need to be aware of, how to recognize, how to respond, and those are included in those posters, like the distilled version. So we’ll be adding links to both the the posters and the memes in in the show notes as well. And then Evan, for folks who really want to do an even deeper dive, and maybe geek out a little bit about security considerations, who is our go to there?

 

Evan Dumas 

Yeah, so a classic in the field has been this fellow named Bruce Schneier. And he runs a blog called Schneier on Security and writes wonderfully about security trends, about current topics. And you know, it isn’t a corporation. It’s just this guy, and who’s who’s spoken at many conferences, and given so many talks, and is generally recognized as a great impartial expert on cybersecurity. So really, really trustworthy.

 

Liath Dalton 

Exactly, and it’s not specifically focused on the healthcare sector, its general cybersecurity and privacy guidance, but there are a lot of really important and relevant pieces and blog posts that he includes in his newsletter, that are absolutely applicable, and can be used as security reminders, too.

 

Liath Dalton 

So now you have kind of a whole handful of options for being able to manage the standard, and do so without having to generate these reminders on your own or be a health information system or cybersecurity expert, or just trawling the news and researching it every time it comes up in your security activity task calendar that a reminder needs to be sent out.

 

Evan Dumas 

Definitely, definitely.

 

Evan Dumas 

Mhm.

 

Liath Dalton 

So hopefully that is helpful. Are there any bits of guidance that you would share, Evan, about how useful security reminders actually are in practice?

 

Evan Dumas 

Yeah, security reminders are so much more useful than annual trainings, because if you’ve ever taken an annual training and then asked a couple months afterwards, do you remember anything from it? It’ll probably be a hazy memory. Whereas a security reminder can be topical, it can be you’re in reaction to things people are bringing up to you, or have happened at your group, or that you read a maybe fearmongering article of, you want to actually say okay, no, you don’t need to be afraid, just do these things. And they are a better way that we learn than the general yearly training.

 

Liath Dalton 

Exactly, it’s about being able to be kind of continually actively engaged in this security mindset, and be providing kind of bite sized actionable, chunks of of information and guidance to people which really equips and empowers them to take a more direct role in safeguarding client information, and adhering to the practice’s, policies and procedures.

 

Liath Dalton 

And the reminders can also be serving just to highlight the importance of this, particularly if reminders include, on a periodic basis, you know, a news story about where something has gone awry, so that we’re taking things out of the realm of things just seeming like, you know, an arbitrary requirement or something that is a theoretical possibility, and just bringing that into the kind of level of conscious awareness on an ongoing basis.

 

Liath Dalton 

So yep, that’s the the nitty gritty of security awareness reminders. And do of course, check out the show notes for all those helpful links being directly shared with you. And please join us next time.

 

Evan Dumas 

Yeah, talk to you next time, everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.