The HIPAA Journal Launches the Gold Standard in HIPAA Training for Employees

The HIPAA Journal is launching a new HIPAA employee training program designed to be the gold standard in HIPAA education by combining accurate HIPAA content, practical guidance for employees, and behavior-focused learning. The HIPAA Journal’s mission is to promote patient privacy and data security. Every single member of the team is deeply committed to this mission. There was a lengthy thought process behind the design and content of the training that took over a year and ended up involving dozens of HIPAA experts and hundreds of contributors (privacy officers, compliance officers, IT security managers, practice managers) via surveys.

What Prompted The HIPAA Journal to Publish its Own Online HIPAA Training? 

We report on HIPAA violations and breaches every week, and they are increasing every year. We have noticed that many of the HIPAA violations are preventable staff errors. We wondered why this is happening, considering everyone in the healthcare sector must be aware of HIPAA. That led us to focus on staff training. We found that much existing training is factually inaccurate. Put simply, a lot of HIPAA training is just factually wrong about HIPAA. In many cases, existing training is factually incorrect because it is out of date regarding new rules or new guidelines from HHS. But what concerned us most was that so much of the HIPAA training on sale at the moment was incomplete.

We set out to design comprehensive HIPAA training that produces employees who are more confident in responding to the common work scenarios that lead to HIPAA violations, which in turn reduces the risk of costly breaches and penalties.

Our Training Content 

The topics covered in our training are based on feedback from surveys about what compliance officers and managers want their staff to know, but also how they want their staff to behave. Our core HIPAA training is complete, and we still have several more suggestions for specialist topics. If this training seems longer than other training available online, it may help to put this in perspective: we think a new HIPAA privacy officer or compliance officer needs at least 30 hours of training to cover everything.

We do not expect learners to take the entire course in one session, and we do not expect learners to remember everything. So our training is an annual subscription, and employees can always return to the training at any time for clarification or a refresher on any aspect of the training. We know that some HIPAA training providers restrict access after a number of months, but we think that defeats the purpose.

The core HIPAA training covers the full HIPAA rule set from an employee perspective. We also provide a number of additional modules. The training also addresses state privacy laws that add an extra compliance layer, specifically Texas and California, which both have multiple laws that employees must comply with.  

Motivating Better Employee Behavior

Many HIPAA courses recite regulations (what we call internally “rulebook training”) but do not explain what employees need to actually do in their day-to-day work activities. Our training is designed for employees. The training is focused on motivating better employee behavior rather than overall HIPAA-covered entity compliance.

Too often, HIPAA education is a HIPAA rules recital when it should be a practical playbook. We designed the course to be theory-light and practice-heavy. That translates into not only explaining in practical terms what to do in order to comply with the HIPAA rules, but also how to do it. More importantly, it encourages employees to be responsible for their personal compliance.

Promoting Employee Personal Responsibility

The training emphasizes the personal nature of staff security responsibilities and explains how to recognize and report security incidents. The training highlights that every employee plays a direct role in protecting medical data, whether by following proper procedures, securing physical devices, or remaining alert to suspicious activity. The training explains the consequences of HIPAA violations and data breaches.

Emphasizing the Consequences for Employees of HIPAA Violations

The format of the training is to explain the HIPAA rules and compliance requirements, explain how employees must follow those HIPAA rules in their day-to-day activities, and then explain the negative personal consequences for not complying with HIPAA. Employees learn that if they do not follow HIPAA rules, they can face disciplinary action, termination, personal fines, loss of professional licenses, and even criminal charges in serious cases.

New HIPAA Compliance Challenges: Social Media and Artificial Intelligence Tools

Many everyday tools (email, messaging, social media, and now AI) emerged or evolved after HIPAA’s original rules were written, so staff need additional, targeted training to stay compliant. We have added modules that address these new HIPAA compliance challenges. We’re aware that it’s a fast-evolving problem and that we have to constantly update the training.

The Special Circumstances of Small Medical Practices Employees

One interesting new development in HIPAA training is that we have developed modules for staff working in small medical practices. Staff in larger hospitals may rarely encounter family or friends as patients, but staff in small medical practices are much more likely to be locally based and under constant pressure to resist inappropriate requests for patient information from people they know.

Small medical practices also have fewer compliance resources compared with larger HIPAA-covered entities that have full-time HIPAA Compliance Officers, HIPAA Privacy Officers, and HIPAA Security Officers. In small facilities, a staff member with other duties may also be assigned the role of ensuring HIPAA compliance.

Specialized HIPAA Training for Business Associate Employees

HIPAA compliance for employees in HIPAA Business Associates can be particularly challenging because of the physical and perhaps mental distance between these employees and the patients. The extra training for Business Associate staff therefore focuses on explaining why HIPAA applies to them and motivating them to take responsibility for their personal HIPAA compliance.

How Our Online Training Works

The training is delivered online. 

The relevant modules have random quiz tests with a question bank of over 700 questions. The quizzes force the learners to pay attention to the training and reflect on the quiz answers. The learners can take the quiz as many times as required to get all of the questions correct. A certificate is issued at the end of the course.

The training is an annual subscription and learners have access to the modules whenever they want a refresher on any aspect of the training.

There are separate courses for HIPAA Business Associates and Small Medical Practices.

Training managers have access to all trainee records.

Team Effort with Expert Input

Everyone on The HIPAA Journal team involved in the training content has over 10 years of experience in HIPAA. This was heavily supplemented by the input of over 200 contributors who responded to our surveys about HIPAA training. And finally, I need to thank the privacy and compliance officers who reviewed our training and provided their expert feedback that resulted in several additional modules being added to the originally planned core modules.

One little-understood aspect of HIPAA compliance is the role of IT staff and managers, who make up about one-fifth of our readership and are particularly focused on the HIPAA Security Rule and HIPAA Privacy Rule. Their concerns resulted in a decision to develop cybersecurity training that delivers security awareness training as a complement to the HIPAA training.

Feedback Request: We Welcome Your Feedback and Requirements

We’re committed to continuously improving our HIPAA training, enhancing existing modules and adding new modules, so we both welcome and rely on your feedback.

Your feedback directly shapes future modules and updates. Please take a moment to complete our short feedback form and tell us what would make this training even more useful for your organization.

 

The post The HIPAA Journal Launches the Gold Standard in HIPAA Training for Employees appeared first on The HIPAA Journal.

Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns

Several cybersecurity firms have tracked a surge in ransomware attacks in Q3, 2025, as groups such as Akira, Qilin, and Inc Ransom have stepped up their attacks. According to Beazley Security, a subsidiary of Beazley Insurance, those three groups accounted for 65% of all ransomware attacks in the quarter. Akira had a surge in attacks, conducting 39% of all attacks in the quarter, more than 20 percentage points ahead of the second most active group, Qilin, with 18%, followed by Inc Ransom with 8%.

The Beazley Security Quarterly Threat Report for Q3, 2025, shows an 11% increase in additions to dark web data leak sites compared to Q2, 2025. The biggest increase in attacks came in August, which accounted for 26% of all publicly disclosed attacks in the past six months, with high levels of ransomware activity continuing in September, which accounted for 19% of all disclosed ransomware attacks in the previous six months.

While attacks are up overall, there has not been much change in the rate of attacks on the healthcare sector, which has remained fairly constant, accounting for 12% of attacks in Q2, 2025, and 11% of attacks in Q3, making it the fourth most targeted sector. In Q3, there was a significant increase in attacks targeting the business services sector, which accounted for 28% of attacks, up from 19% in Q2. Professional services & associations was the second most targeted sector, accounting for 18% of attacks in Q3.

Beazley identified some interesting attack trends, including the continuing preference for using compromised credentials for initial access, most commonly compromised credentials for publicly accessible VPN solutions. Compromised VPN credentials were the initial access vector in 48% of attacks in Q3, up from 38% in Q2, 2025, with external services the next most common attack vector, accounting for 23% of attacks.

Compromised credentials for remote desktop services took third spot, followed by supply chain attacks and social engineering, with each of those attack vectors accounting for around 6% of all attacks in the quarter. While the top three attack vectors remain the same as in Q2, 2025, there was an increase in exploits of vulnerabilities in external services, which overtook compromised remote desktop credentials to take second spot. The supply of valid credentials primarily comes from infostealer campaigns, and while there was a significant law enforcement action – Operation ENDGAME – targeting Lumma Stealer infrastructure, there was a subsequent spike in Rhadamanthys infostealer activity, indicating the strong demand for credentials.

Akira typically targets VPNs for initial access, and in Q3, most attacks involved credential stuffing and brute force attempts to guess weak passwords, demonstrating the importance of implementing and enforcing password policies and ensuring that multifactor authentication is used. Any accounts that cannot be protected by MFA should have compensating controls. Akira also targeted vulnerabilities in SonicWall devices, where organizations were slow to patch vulnerabilities.

Qilin likewise targeted VPNs using brute force tactics to exploit weak passwords, and also abused valid compromised credentials. INC Ransom also appears to favor compromised valid credentials, gaining access to victims’ environments via VPNs and remote desktop services.
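The two credential-attack patterns described above (many guesses against one account, and a few guesses spread across many accounts) leave a recognizable trace in VPN authentication logs. The following is an added example, not code from Beazley Security or from this post: a small Python detector that applies three sliding-window rules to a constructed, syslog-like log format (`vpn-auth result=... user=... src=...`). The log format, the source addresses (RFC 5737 documentation ranges), the usernames and the thresholds are all assumptions for illustration; a real gateway's log fields will differ and thresholds must be tuned to the environment.

```python
"""Flag VPN brute-force, credential-stuffing and success-after-failures patterns.

Added example. Parses a constructed log format (not any vendor's real format) and
applies three look-back-window rules over authentication events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO-8601 UTC> vpn-auth result=OK|FAIL user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth result=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

WINDOW = timedelta(minutes=10)   # look-back window shared by all rules
BRUTE_FORCE_FAILS = 8            # failures against one account from one source
STUFFING_USERS = 5               # distinct accounts tried from one source
SUCCESS_AFTER_FAILS = 3          # failures from a source before a later success


def parse(lines):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect(lines):
    """Return (rule, src, detail) alerts in event order, one per rule and source."""
    alerts, seen = [], set()
    recent = defaultdict(list)   # src -> [(ts, user)] failures inside WINDOW

    def fire(rule, src, detail):
        if (rule, src) not in seen:
            seen.add((rule, src))
            alerts.append((rule, src, detail))

    for ts, result, user, src in sorted(parse(lines)):
        # Expire failures older than WINDOW for this source before evaluating.
        fails = recent[src] = [(t, u) for t, u in recent[src] if ts - t <= WINDOW]
        if result == "FAIL":
            fails.append((ts, user))
            per_user = sum(1 for _, u in fails if u == user)
            if per_user >= BRUTE_FORCE_FAILS:
                fire("brute_force", src, f"{per_user} failures for user={user}")
            distinct = len({u for _, u in fails})
            if distinct >= STUFFING_USERS:
                fire("credential_stuffing", src, f"{distinct} distinct users tried")
        elif len(fails) >= SUCCESS_AFTER_FAILS:
            # A success after a burst of failures from the same source is the case
            # to treat as a likely compromised or guessed credential.
            fire("success_after_failures", src,
                 f"{len(fails)} failures preceded success for user={user}")
    return alerts


def _ts(minute, second=0):
    return f"2025-09-12T03:{minute:02d}:{second:02d}Z"


# Constructed sample log: one brute-force source that eventually succeeds, one
# stuffing source, one benign user who mistypes twice, and one unparsable line.
SAMPLE_LOG = (
    [f"{_ts(1, i)} vpn-auth result=FAIL user=jsmith src=203.0.113.5" for i in range(10)]
    + [f"{_ts(2)} vpn-auth result=OK user=jsmith src=203.0.113.5"]
    + [f"{_ts(5, i)} vpn-auth result=FAIL user=user{i} src=198.51.100.9" for i in range(6)]
    + [f"{_ts(7)} vpn-auth result=FAIL user=amy src=192.0.2.44",
       f"{_ts(7, 30)} vpn-auth result=FAIL user=amy src=192.0.2.44",
       f"{_ts(8)} vpn-auth result=OK user=amy src=192.0.2.44",
       "garbage line that does not parse",
       f"{_ts(9)} vpn-auth result=OK user=bob src=192.0.2.50"]
)

if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} src={src:14} {detail}")
```

The `success_after_failures` rule is the one worth paging on: it is the log signature of a guessed or stuffed password that worked, which is exactly the valid-credential access the report describes, and it is the case where MFA (or a compensating control on accounts that cannot use MFA) would have stopped the login. The other two rules are earlier warning signals that justify blocking the source and checking the targeted accounts' password hygiene.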

While accounting for a relatively small number of attacks, Beazley warns that several attacks started with downloads of trojanized software installers, including popular productivity and administrative tools such as PDF editors. Ransomware actors use SEO poisoning to get their malicious download sites appearing at the top of the search engine results, along with malicious adverts (malvertising) that direct users to malicious sites.

Executing the downloaded installer may install the desired software, but it also installs malware. This technique was a common initial access vector in Rhysida ransomware attacks that Beazley investigated. Beazley suggests that organizations should consider security tools such as web filters for protecting against these attack vectors, and should ensure that they cover these techniques in organizational security awareness training programs.

The post Compromised VPN Credentials Leading Attack Vector in Ransomware Campaigns appeared first on The HIPAA Journal.

I’m a HIPAA Privacy Manager. What’s That Mean?

The Privacy Department is led by the HIPAA Privacy Manager, but who is the Department? For some small organizations, it’s just the Privacy Officer. For others, there is a team of people who work diligently to keep the Privacy Officer informed and the organization compliant. When someone asks what you do for a living, how would you explain it? If I say to staff that I’m a Privacy Manager, I typically get blank stares. I then mention HIPAA or Patient Rights, and that’s when I get a head nod or two.

Privacy Officer sounds official, but honestly, what I do every day is way more involved in privacy operations than your typical privacy officer. This is the time to learn and soak up everything you can. Having a team is so important, even if it’s just one extra person. The Privacy Officer is limited without the people who make the department functional every day. Whether you’re a specialist just starting out or a manager like me with years of experience, the daily grind is tackled by us. We are diligent and timely in keeping our patients’ PHI safeguarded, giving our colleagues guidance, and keeping our organization compliant. It really falls to the department team. With that said, credit is due to the unicorns of the privacy world who work for smaller organizations and run the whole privacy office by themselves. I know they are out there, and I applaud you all.

The daily operations are our bread and butter, from handling the daily investigations and incident reports to addressing patients’ requests and helping our colleagues with privacy concerns and questions. All the daily tasks add up to enable us to be the privacy subject matter experts for our company. But is it enough? How many years of experience or certifications does it take to rise to the privacy officer title? What other traits are required?

I’m fortunate to work in a multifunctional healthcare organization that has allowed me to experience a variety of privacy scenarios over my time, from occupational health to continued care, urgent care, and hospitals. I think it’s important to experience as much as you can to really feel confident in your decisions and take accountability for the department. This can be the difference between a team member and a department leader. I think a lot can be said about being not only a sponge for information but also motivational. A positive mindset has always been a strong trait I would encourage any leader to possess. We should be thinking of this as we continue to strengthen our craft.

In the healthcare privacy space, where do you see yourself in five or ten years? For me, it’s always been as a Privacy Officer, the end game. But what does it take to get there? I have spent over 13 years in the healthcare compliance/privacy industry and still feel like I’m learning something new every day. The policies, rules, and laws change, so we adapt. This industry keeps evolving and growing, so my advice is to do the same. 

Helping people must be a big part of this journey, personally and professionally. Learning and becoming an expert in the healthcare privacy field can make it possible to help fellow colleagues and patients every day. As I continue my role, I hope to never forget this. What we do as privacy experts is important. We may be behind the scenes, but we keep our company compliant and lawful. We keep striving to be better than we were yesterday and help those who need it. Continue to do the work, keep your company HIPAA compliant, and never stop learning. One day, you might be a Privacy Officer. 



The post I’m a HIPAA Privacy Manager. What’s That Mean? appeared first on The HIPAA Journal.