Creating employee buy-in to the security of the practice

Creating Employee Buy-In to increase security in your business


I have heard it said at various Information Security trainings and conferences that “Your greatest vulnerability as an organization is the employee.” From an IT security standpoint I cannot argue with that statement in the broad sense: unauthorized surfing habits, phishing emails that get opened, malware brought into the system via “coupon” applications and other bad user habits all bear it out.

But what if I told you that you can turn each member of your staff from a vulnerability into an asset? What if I told you it was extremely inexpensive to do so, and that the return on investment would be measured in hours or days, not in years?

Sound too good to be true? It isn’t; in fact, it requires only two things:


Proper Policy and Procedure at the management level

Good, practical Security Awareness Training for the entire practice.


Having a comprehensive set of policies and procedures for the organization is extremely important; having them in place to protect PHI is doubly so, and is in fact mandated by HIPAA/HITECH and Meaningful Use.

To develop a solid IT security policy and procedure set, you should work with a trusted Information Security vendor. That vendor should not only provide a strong framework for the policies but also work with the practice manager(s) and staff to explain the definitions and acronyms contained in them.

Some of the policies you should have in place:

Network and equipment use

Email use

Phone use

Remote access

Having a strong policy and procedure set in place gives employees and management a firm set of boundaries and prescribed actions to operate within.

Building on the policy and procedure framework is employee Security Awareness training: educating the staff in the proper actions to take and, perhaps more importantly, the things to look out for and the actions NOT to take.

Empowering staff with knowledge is without a doubt the best bang for the buck you will ever get. Training such as the Employee Security Awareness program available from HealthSecureIT presents your staff with pertinent, timely and real examples of the threats and vulnerabilities that lead to increased risk and data breaches.

The simple know-how gained from good staff education, such as recognizing phishing emails or properly scrutinizing vendors, can prevent hundreds or even thousands of dollars in lost time, repair fees, lost reimbursements or even HIPAA/HITECH fines.

More importantly, by helping thwart attacks and attackers it can preserve your practice’s reputation with the group that matters most: YOUR PATIENTS.


Russell Howell JR. is a Certified Information Systems Security Professional with over twenty years in Healthcare Informatics. He has also managed IT departments for Fortune 500 companies.

