You know the saying: to a hammer, everything looks like a nail.
Well, I’m no different. I’m an “Awareness Professional,” so I scan the world looking for stories about ways we can educate employees about their role in protecting information and contributing to a risk-aware culture.
I found plenty such stories at last week’s annual International Association of Privacy Professionals (IAPP) Global Privacy Summit, held in Washington, DC, April 4-6. The summit brought a multitude of classes, workshops, speakers, and breakout sessions focusing on data privacy, risk management, and even some information security topics.
Here are three key issues that caught my attention at the conference:
HIPAA Audits Focus Attention on Security and Privacy Best Practices
The healthcare industry has been the focus of a great deal of attention related to security and privacy of late:
- Ransomware attacks have made big headlines
- Data breaches involving protected health information (PHI) are increasing
- Regulators are about to begin Phase 2 audits of both covered entities and business associates (for more on that, see this bulletin from Davis Wright Tremaine).
In this context, the presentation on The Changing Face of Healthcare Privacy was quite fitting and drew an overflow crowd. Wiley Rein partner Kirk Nahra and Deven McGraw, the Deputy Director for Health Information Privacy at the Health and Human Services Office for Civil Rights, provided surprisingly straight talk about the issues facing those businesses in and around healthcare. Here’s what’s important, as seen through the filter of awareness programs:
- Audits are coming to many businesses that haven’t experienced them yet, and auditors will be looking for evidence of solid security and privacy programs. To paraphrase Deputy Director McGraw: “The day you face an audit and can’t document your adherence to best practices is going to be a very tough day.” Now is the time to start creating an effective program to comply—including steps to educate all employees in security and privacy basics.
- Covered entities have to get better at security! That means more than just basic HIPAA training; it requires a real focus on training and reinforcement around basic security practices, including encryption, malware, phishing, and more. Those looking for guidance might consult this crosswalk document drawing clear connections between the NIST Cybersecurity Framework and HIPAA.
Nahra ended the session with some engaging speculation about the future of healthcare privacy. As tracking devices and other technology get more integrated into healthcare, differentiating HIPAA healthcare data from non-HIPAA data becomes that much harder. So what’s the purpose of having one set of laws and regulatory agencies for PHI, and another for other types of Personal Information? Nahra pondered the possible emergence of a single overarching American privacy law and regulatory body—but concluded that the political climate makes that unlikely to happen anytime soon. See his article: “Moving Toward a New Health Care Privacy Paradigm” for more.
GDPR Brings Big Changes for Some—But Not for Awareness Programs
The EU’s General Data Protection Regulation (GDPR) was a major topic of discussion at the conference, in all-day workshops, single sessions, and conversation. If the GDPR is indeed a “political statement of intent that aims to promulgate European fundamental rights and data protection principles across the globe” (as the presenters of one session justifiably proclaimed), then privacy professionals in countries outside the EU probably have a lot of work to do, right?
Turns out the answer is “It depends.” For those bigger companies who already have a mature, globally-oriented privacy program in place, the work may not be that great (arguments abounded on this topic). But for those smaller companies or companies who have lagged behind in the development of a privacy program, there’s a lot of work to do (no arguments here).
No matter the company, however, the consensus was that the GDPR forces a careful examination of practices inside the privacy office. Immature organizations will have to step up their game.
But what does the GDPR mean for employee awareness programs, targeted at the general employee? I asked a number of attendees—including several existing MediaPro customers—this question very directly, and their answer, without fail, was that the general employee wouldn’t see much change.
BUT, this answer came from organizations that were already communicating regularly to employees about the importance of protecting personal information and reporting potential data breaches (among other elements of their privacy awareness program). Many had incorporated “Privacy by Design” into their organization and communicated the importance of privacy to the board. These kinds of practices should be the norm for companies doing business in Europe—so if they are not in your organization, perhaps it’s time to get serious about creating a privacy-aware culture.
Make It Short, Make It Sticky
I always make it a point to ask people what they want most out of the privacy training and reinforcement they offer to employees, and the answer I got this year is easy to sum up: short and sticky.
Short, because there are so many pressures limiting the time and attention that employees have available to focus on training. Sticky, because it’s critical that people remember how to protect personal information and incorporate these principles into their daily work.
There is a real appetite for engaging, impactful communications that focus attention directly on the key work of privacy, and it’s up to us to create ways of communicating to employees that are concise and meaningful (and easy to customize to align with unique policies and company culture). That’s our mission here at MediaPro, and I for one always come away from conferences recommitted to this mission.
Reach out to us to discuss how our dedication to instilling risk-aware cultures can help you achieve your employee awareness training goals.