Cost-effective HIPAA cybersecurity training for medical practices

According to the Medical Group Management Association (MGMA), 72% of medical practices increased spending on cybersecurity measures in 2024 — and it’s not surprising why. Cyberattacks continue to affect covered entities, including medical practices of all sizes and specialties. In fact, 42% of medical practices have experienced a ransomware attack, and of those, 48% say it impacted patient data. 

Understanding and complying with the Health Insurance Portability and Accountability Act's (HIPAA’s) cybersecurity requirements — including proposed changes — is critical. However, employee cybersecurity training can be expensive, potentially costing medical practices thousands of dollars each year.

Fortunately, there are a variety of low- or no-cost HIPAA cybersecurity resources to promote cybersecurity on a limited budget. Consider the following cost-effective resources.

It's important to conduct a compliant risk analysis to determine your practice's potential risks and vulnerabilities. Failing to do so can result in serious penalties; it cost one surgical group $10,000 in 2023.

The Office of the National Coordinator for Health Information Technology (ONC) provides a free Security Risk Assessment Tool designed to help covered entities comply with HIPAA’s administrative, physical, and technical safeguards and identify areas where electronic protected health information (ePHI) could be at risk. 

A quick Google search reveals many free HIPAA cybersecurity resources and tools to help medical practices comply. For example, these tools can do tasks such as: 

A couple of tools worth mentioning are GoPhish and KnowBe4. Note that proposed HIPAA changes require vulnerability scanning at least every 6 months and penetration testing at least once every 12 months.

There are free or low-cost identity access management tools and multi-factor authentication solutions, as well as built-in encryption features in operating systems, budget-friendly encrypted email services or secure messaging apps, and free TLS/SSL certificates for secure communication. Again, Google can help. 

This is all good news considering proposed HIPAA changes require encryption of ePHI at rest and in transit with limited exceptions. The same is true for the use of multi-factor authentication.

Here are some free training options to consider:

In addition, your practice’s outsource revenue cycle vendor may provide low-cost or free cybersecurity training. The same is true for industry associations like the Healthcare Information and Management Systems Society (HIMSS) or MGMA where medical practices may be able to leverage member discounts or bulk licensing for team training. 

Your practice may be able to partner with local colleges or IT students looking for internship projects who can help with free cybersecurity training and developing HIPAA cybersecurity resources, materials, simulations, or workshops. If so, it’s a win-win situation. Your staff receive valuable information, and students gain exposure working in a live healthcare environment. 

To reduce risk, consider making cybersecurity and HIPAA training part of the standard onboarding process for new employees. Record a training video and then reuse it as needed. 

HIPAA noncompliance is not something to take lightly. One orthopedic clinic had to pay $1.5 million back in 2016 to settle systemic noncompliance with HIPAA rules.

There are plenty of other ways to keep staff "in the know" with cybersecurity without investing a lot of money. 

Consider using posters or visual reminders in break rooms or at the front desk with topics like "Think Before You Click" or "Healthy Cyber Habits."  

Click here and scroll down to "Cyber Posters" for some examples. Infosec offers some additional examples as well. 

Practices can also send a daily or weekly cybersecurity tip (here’s some inspiration) as a standalone email to keep the topic fresh in employees’ minds. 

There are many lessons to learn from costly mistakes other practices have made. Simply being aware of resolution agreements and civil monetary penalties can help your practice focus its efforts to identify and mitigate vulnerabilities in the most cost-effective ways. 

In addition, as OCR continues its 2024-2025 HIPAA audits, best practices will continue to surface. OCR will also publish an industry report summarizing their findings after the 2024-2025 HIPAA audits are completed. Here's a link to the findings after its most recent audits. 

Many of the low-cost or free cybersecurity training opportunities referenced in this article can substantially enhance compliance, risk mitigation, and the capability to maintain the privacy and security of ePHI. By using these cost-effective strategies, your practice and other covered entities not only meet your obligations under HIPAA, but also act in the best interests of patients and providers. 

There are numerous resources available for review, and the earlier your practice begins preparing for current and forthcoming cybersecurity requirements, the more successful you’ll be.