Security Awareness Training.

Read this brief below from SmartTech explaining security awareness before proceeding to ​Project Submission Steps​:

The most basic thing that every organization needs is security awareness training. Security awareness training is all about teaching your colleagues and employees to understand the risks and threats around the ever evolving cyber world. The main purpose is to ensure that these people realise that hackers within organized gangs of cyber criminals will try to deliberately attack, steal, damage or misuse your organization’s systems and information, and that therefore everyone within the organization needs to be aware of the associated risk, and thus work to adequately protect the organization against these risks.

Security awareness training also ensures that employees are fully awake to the consequences of failing to protect the organisation from outside attackers. Such consequences span from criminal penalties to large scale economic damage to the company and the loss of employment. Finally, when the employees are fully aware of why securing data is important, and what systems they need to protect, your security awareness training program should highlight the key ways in which attackers can gain entry to your network, and the necessary steps to curtail these risks.

(Raluca Saceanu. (2016, November 14). ​The Importance of Security Awareness Training – Smarttech​.

Smarttech247. https://www.smarttech247.com/news/importance-security-awareness-training/.)

Project Submission Steps

You are the Cybersecurity lead for a large hospital in Texas. A recent audit has found that the security awareness training program is woefully deficient. As you might expect, the hospital is subject to HIPAA (​Health Insurance Portability and Accountability Act) requirements. The

specific HIPAA Rule is ​§164.308.(a).(5).(i) – Implement a security awareness and training program for all members of its workforce (including management).

In addition, Texas’s Health Privacy Law, ​H.B. No. 300 § 181.101​, requires employees to be trained about both the state’s law and HIPAA.​ ​Texas is one of the few states that mandates training about Texas’s own health privacy law. Additionally, it requires training about HIPAA. Penalties for violating the Texas law are quite high, equivalent to HIPAA.

You have been asked to address this audit finding by completely throwing out the old training and starting over. ​To this end, you have been asked to supply the following​:

1. A security awareness program framework, an explanation of why it is needed, and the potential cost in terms of noncompliance. Note: the cost of not complying is not always limited to fines and penalties!
2. Specific items that need to be addressed in the training per HIPAA and/or Texas statutory requirements.
3. List of internal groups or departments that should be consulted before the awareness training is submitted to management for final approval.