Project Planning
Violations of data privacy by health workers involve not only the nursing fraternity but also every member of staff working in the hospital. The most effective solution would be employee training on data breaches and cybersecurity (Kim & Han, 2019). All healthcare entities covered by HIPAA must prioritize comprehensive training of health workers and other staff on proper practices involving data security (Mbonihankuye et al., 2019). The intended outcome is to increase knowledge and create awareness of data security violations involving patient information through a comprehensive training plan that any healthcare entity can adopt.
Implementation Plan
Measuring Change
The improvement goal is to improve data security knowledge and increase awareness of privacy issues involving patient information violations. Since cybersecurity issues are dynamic and become more sophisticated with time, the employee training program must evolve continuously (Gundu et al., 2019). Therefore, measuring the resulting change must also be constant and advanced to match the program. The program will have monthly security updates and semi-annual full training sessions. Content delivery methods will include online courses, newsletters, classroom gatherings, team discussions, email alerts, scenario-based examples, and posters (Gundu et al., 2019). The method used to deliver learning can influence the technique for measuring change.
Several methods will be used to measure whether a change has occurred and for how long it lasts. Improvement will be measured through post-training tests administered immediately after the session, 30 days later, and three months later. A second way will be workforce participation records that show who attended and completed the training (Kim & Han, 2019). A third technique will be quarterly attack drills that test employee alertness and response to threats (Gundu et al., 2019). A fourth measurement includes behavioral indicators, such as password resets, reported downtime, reinstallations due to threats, and the frequency of reports of suspicious activity. Other, subjective measurements include comments, discussions, changes in perception, and surveys.
Outcomes and their Assignees
The outcomes of the training program are to develop a data privacy vision and culture for the healthcare center, establish outcome-driven metrics to shape behavior, and link information security to patient wellbeing and organizational success. Instead of assigning each outcome to a specific team member, tasks are allocated to teams within the healthcare organization. Creating the vision and culture around data privacy is best handled by management. Establishing outcome-driven metrics is assigned to the IT team. Linking data security to patient safety is allotted to the operations department.
Outcome Actions
Development of a data privacy vision and culture for the healthcare center:
- Identify information security practices to embed in daily operations
- Establish a cross-functional team to create the vision from the practices identified above
- Align vision to patient wellbeing and organizational objectives
- Articulate signature behaviors that would result from the vision
- Create a culture charter on data security that combines all the above aspects
Establishment of outcome-driven metrics to shape behavior:
- Track completion rates of mandatory and voluntary training
- Monitor behavioral change
- Perform pre and post-training assessments
Linking information security to patient wellbeing and organizational success:
- Record data breaches as they occur
- Assess the impact of violations on care delivery and hospital productivity
- Record financial costs associated with breaches
- Compare trends of the above statistics over time
Budget, Roles, and Responsibilities
The budget of the training program will depend on many factors, including the size of the healthcare entity, the use of internal or external trainers, the thoroughness of the program, the implementation timeframe, and the goals. Although more expensive than internal ones, external trainers are often more effective in delivering value due to specialization. Therefore, this program will use an outside company for the training. TrustNet charges $1,000 per year for every 50 trainees, which covers over 50 courses delivered through the cloud or on-premise, interactive sessions, multilanguage manuals, and HIPAA, PCI, and privacy specialties (Security awareness training cost). The IT department will handle budgeting, human resources will organize training schedules, and management will provide financing. The IT department will remain in charge of the whole program’s implementation, overseeing the rest of the involved offices. Therefore, the hospital’s health information manager (HIM) will act as the project manager for the training program.
Monitoring Progress
Project management tools such as the Gantt chart, the project evaluation and review technique (PERT), and the work breakdown schedule (WBS) will be useful during this monitoring period. Gantt charts visually represent all the tasks in a project, including their duration, assignees, and the connections or dependencies between them (Varajão et al., 2020). PERT supports realistic estimation of task duration by establishing the project’s critical path. WBS presents the project’s scope through its deliverables, making it more manageable.
Evidence-Based Practice (EBP) Model
The knowledge to action (KTA) process framework will create and integrate knowledge around data security. It involves five phases, the first of which is identifying problems that require solutions and searching for evidence (Toomey & Jalbert, 2021). The first step has been completed: the issue of information security violations among healthcare centers has been identified. The next steps include adapting knowledge to the local context, identifying barriers to knowledge utilization, selecting and implementing interventions, monitoring knowledge use, evaluating outcomes, and sustaining results (Toomey & Jalbert, 2021). KTA will ensure continued vigilance in training and cybersecurity awareness in the hospital.
Evaluation Plan
Short-term measurable outcomes:
- Percentage of employees who attended and completed voluntary and mandatory training
- Fail or pass rate on post-training tests and quizzes
- Knowledge retention tests
- Changes in perception of cybersecurity
- Employee interest in the training
Long-term measurable outcomes:
- Behavioral change indicators such as password reset frequency, the rate at which suspicious activity is reported, and the rate of system reinstallation following virus attacks or threats
- Number of attacks in a year
- Compliance level ratings from HIPAA (Kim & Han, 2019)
- Cultural change across the organization
Data Collection and Evaluation Points
Measurable outcomes will involve gathering data from the trainers, trainees, and coordinating teams. Attendance records can be submitted online during in-person or cloud-based sessions through Google Forms or other electronic media. At the end of every session, trainees will take online quizzes and tests, which are repeated after 30 days and three months to assess knowledge retention. Data on perception changes and interest in training will be gathered through surveys immediately after training sessions end. Behavioral change indicators will be recorded and reported every month by the computer systems used by employees. The IT department will provide the number of attacks per year, while HIPAA ratings are often given to the management (Mbonihankuye et al., 2019). Finally, HR can gather cultural change data through quarterly workforce surveys.
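As an added illustration (not part of the original plan or of any vendor's tooling), the following script computes the short-term evaluation outcomes listed above from attendance and quiz records: the completion rate, the pass rate on the immediate, 30-day, and 90-day quizzes, a knowledge retention figure comparing 90-day scores with the immediate scores, and a list of trainees who passed immediately but slipped below the mark later, which is the group the monthly security update should reach rather than waiting for the semi-annual session. The record layout, the 80% pass mark, and the eight sample employees are constructed assumptions for the example.

```python
"""
Added example (not from the original plan): computes the short-term
evaluation outcomes -- completion rate, post-training pass rate, and
knowledge retention at 0/30/90 days -- from constructed records.
The record layout, the 80% pass mark and the sample values are
assumptions made for illustration only.
"""
from dataclasses import dataclass, field
from statistics import mean

PASS_MARK = 80.0  # assumed pass threshold, in percent


@dataclass
class TraineeRecord:
    employee_id: str
    completed: bool
    # Quiz scores keyed by days since training (0, 30, 90); a missing
    # key means that quiz has not been taken yet.
    scores: dict = field(default_factory=dict)


# Constructed sample data: eight staff on the roster, two never completed,
# one still waiting for the 90-day quiz.
SAMPLE_RECORDS = [
    TraineeRecord("E001", True, {0: 95, 30: 90, 90: 85}),
    TraineeRecord("E002", True, {0: 70, 30: 65, 90: 60}),
    TraineeRecord("E003", True, {0: 88, 30: 80, 90: 78}),
    TraineeRecord("E004", False, {}),
    TraineeRecord("E005", True, {0: 92, 30: 91}),  # 90-day quiz pending
    TraineeRecord("E006", True, {0: 81, 30: 75, 90: 70}),
    TraineeRecord("E007", False, {}),
    TraineeRecord("E008", True, {0: 100, 30: 96, 90: 94}),
]


def completion_rate(records):
    """Percentage of rostered employees who completed the training."""
    if not records:
        return 0.0
    done = sum(1 for r in records if r.completed)
    return round(100.0 * done / len(records), 1)


def pass_rate(records, day=0, pass_mark=PASS_MARK):
    """Percentage of trainees who took the quiz on `day` and scored >= pass_mark."""
    taken = [r.scores[day] for r in records if day in r.scores]
    if not taken:
        return 0.0
    passed = sum(1 for s in taken if s >= pass_mark)
    return round(100.0 * passed / len(taken), 1)


def retention(records, later_day=90, baseline_day=0):
    """Mean later score as a percentage of the mean baseline score, over
    trainees who took both quizzes; 100 means no decay. None if no pairs."""
    pairs = [(r.scores[baseline_day], r.scores[later_day])
             for r in records
             if baseline_day in r.scores and later_day in r.scores]
    if not pairs:
        return None
    base = mean(p[0] for p in pairs)
    later = mean(p[1] for p in pairs)
    return round(100.0 * later / base, 1)


def flag_for_refresher(records, pass_mark=PASS_MARK):
    """Employees who passed immediately but fell below the mark at 30 or
    90 days: candidates for the next monthly security update."""
    flagged = []
    for r in records:
        passed_first = r.scores.get(0, 0) >= pass_mark
        slipped = any(r.scores[d] < pass_mark for d in (30, 90) if d in r.scores)
        if passed_first and slipped:
            flagged.append(r.employee_id)
    return flagged


def evaluation_summary(records):
    """All short-term metrics in one dictionary, ready for a monthly report."""
    return {
        "completion_rate": completion_rate(records),
        "pass_rate_day0": pass_rate(records, 0),
        "pass_rate_day30": pass_rate(records, 30),
        "pass_rate_day90": pass_rate(records, 90),
        "retention_90d": retention(records, 90),
        "refresher_candidates": flag_for_refresher(records),
    }


if __name__ == "__main__":
    for name, value in evaluation_summary(SAMPLE_RECORDS).items():
        print(f"{name}: {value}")
```

The retention figure is deliberately computed only over trainees who sat both quizzes, so an employee whose 90-day quiz is still pending does not drag the average down; the pass rate for each day likewise counts only those who took that quiz, which keeps the denominators honest when the three checkpoints are at different stages of completion.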
Evaluation points can only be placed at the onset of the next training session after six months or during the monthly security updates. Therefore, any changes that need immediate attention will be implemented every month, while those that can wait will be handled semi-annually. Nevertheless, email alerts, posters, and team discussions can address urgent and critical adjustments. For example, the HIM should send email alerts and post discussion forums on the company’s intranet when a new phishing threat emerges that was not covered in previous training. Failure to act quickly might expose the organization to attacks.
References
Gundu, T., Flowerday, S., & Renaud, K. (2019, March). Deliver security awareness training, then repeat: {Deliver; Measure Efficacy}. In 2019 conference on information communications technology and society (ICTAS) (pp. 1-6). IEEE.
Kim, D. W., & Han, K. H. (2019). Curriculum study of information security awareness for medical institutions. Convergence Security Journal, 19(4), 151-163. Web.
Mbonihankuye, S., Nkunzimana, A., & Ndagijimana, A. (2019). Healthcare data security technology: HIPAA compliance. Wireless Communications and Mobile Computing, 2019. Web.
Security awareness training cost. (n.d.). TrustNet. Web.
Toomey, M., & Jalbert, I. (2021). Knowledge translation for the everyday optometrist. Clinical and Experimental Optometry, 1-12. Web.
Varajão, J., Fernandes, G., & Silva, H. (2020). Most used project management tools and techniques in information systems projects. Journal of Systems and Information Technology, 22(3), 225-242. Web.