500.19 - Security Compliance Training, Education, and Awareness

Effective Date: March 17, 2022

Last Reviewed: May 6, 2025

Last Approved: September 23, 2025

Purpose

Security awareness training helps educate Workforce Members to better detect threats and suspicious activity. Increasing awareness around common security threats helps reduce the likelihood of a breach of Weill Cornell Medicine (WCM) data. The content within these training courses is designed to comply with legal and regulatory standards, including but not limited to the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Scope

This policy applies to all WCM Workforce Members who utilize WCM information technology resources as well as those responsible for managing and safeguarding WCM data.

Policy

WCM is required to train and/or educate all Workforce Members on security policies and best practices. Training content will address WCM policies and procedures, safeguards to comply with regulatory requirements, and other industry best practices to reduce the likelihood of a breach of confidentiality, integrity, or availability of information assets.

Definitions

Health Insurance Portability and Accountability Act (HIPAA): Health Insurance Portability and Accountability Act of 1996.

High Risk Data: Refer to WCM Policy ITS-500.03 – Data Classification.

Protected Health Information (PHI): Under HIPAA, PHI is "individually identifiable health information" held, created, or transmitted by a covered entity, or its business associate (BA), in any form or media, whether electronic, paper, or verbal.

A. PHI is information, including demographic data, that relates to:

    a. The provision of health care to an individual; or

    b. An individual's past, present, or future:

        1. physical or mental health condition; or
        2. payment for the provision of health care to an individual; and

B. The information identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual by the presence of one or more (depending on the context) of the following 18 individual identifiers:                 

  1. Names;  
  2. Geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of a ZIP code in certain situations; 
  3. All elements of date (except year) for dates directly related to an individual, including birth date, discharge date, date of death; and all ages over 89 and all elements of dates indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; 
  4. Telephone numbers;  
  5. Fax numbers;  
  6. Electronic mail addresses; 
  7. Social Security numbers; 
  8. Medical record numbers; 
  9. Health plan beneficiary numbers; 
  10. Account numbers; 
  11. Certificate/license numbers;  
  12. Vehicle identifiers and serial numbers, including license plate numbers;  
  13. Medical device identifiers and serial numbers; 
  14. Web Universal Resource Locators (URLs); 
  15. Internet Protocol (IP) address numbers; 
  16. Biometric identifiers, including finger and voice prints; 
  17. Full face photographic images and any comparable images; and 
  18. Any other unique identifying number, characteristic, or code unless otherwise permitted by this Policy for re-identification (§164.514(b)(2)). 

Workforce Members: Any Faculty; Staff; Students; Volunteers; Trainees; and other persons whose conduct, in the performance of work for WCM, is under the direction and control of WCM, whether or not they are paid by WCM.

Procedure

1. Individual Responsibilities

All WCM Workforce Members are expected to comply with the mandatory training requirements defined in this policy. Department Administrators, including Chief Administrative Officers, are expected to ensure that no Workforce Member is delinquent with mandatory security awareness training.

2. Required Training Courses

2.01 ITS High Risk Attestation Requirement

This attestation records whether Workforce Members work with, or could reasonably be exposed to, protected or regulated data, including protected health information (PHI), personally identifiable information (PII), and other High Risk Data pursuant to WCM Policy ITS-500.03 – Data Classification. These data are termed High Risk because of the harm that their loss could cause to the subject of the data, to Workforce Members, and to the institution if they are not protected adequately.

Workforce Members are asked to provide an inventory of the devices they use for regularly storing or accessing WCM High Risk Data. Based on their level of exposure to High Risk Data, Workforce Members are asked to attest to a series of statements about safeguarding this data in compliance with WCM policies and procedures.

The ITS High Risk Attestation must be completed within forty-five (45) calendar days of hire or affiliation (e.g., students, volunteers, etc.) and annually thereafter. Access to WCM systems may be impacted if the attestation is not completed within this period. The attestation is accessible at https://attest.weill.cornell.edu.

2.02 ITS Phishing Awareness Training Course

This phishing awareness training course tests the ability to identify, analyze, and detect suspicious email messages. The course includes a series of exercises to test proficiency and informs Workforce Members on how to report suspicious messages to ITS.

This course must be completed within forty-five (45) calendar days of hire or affiliation. Access to WCM systems may be impacted if the course is not completed within this period. This course is accessible in Weill Business Gateway (WBG) using the Learning Tile.

2.03 HIPAA Training

The WCM Privacy Office maintains an annual HIPAA Compliance Training course that all WCM community members are required to complete.

3. Training Frequency & Delivery Methods 

3.01 Upon Hire or Affiliation 

All newly recruited WCM Workforce Members are required to complete the security awareness training courses within forty-five (45) calendar days of hire or affiliation. In addition to the courses identified in the previous section, an overview of security topics is provided at new employee orientation and in the HIPAA training courses administered by the Office of Compliance. Access to WCM systems may be impacted if these courses are not completed within this period.

3.02 Annual Update Training 

All WCM Workforce Members must complete required “update” courses on an annual basis to keep current and ensure compliance with relevant requirements. Access to WCM systems may also be impacted if mandatory “update” courses are not completed within the deadline.

3.03 Phishing Exercises 

The ITS Security team may conduct phishing awareness campaigns to measure the effectiveness of the WCM community in identifying phishing attempts and to assist with developing additional training content. These phishing awareness campaigns may be conducted at any time throughout the year. 

3.04 Ad Hoc Training 

Additional security awareness training may be required at the discretion of the Chief Information Security Officer, in response to a security incident or audit, or in response to new policies, processes, procedures, and/or technologies.

Upon request of department administration, additional training may be delivered by the ITS Security team to a department, division, office, or site, and this training will be customized to topics of interest.

4. Non-Compliance with Security Awareness Training 

ITS Security reserves the right to restrict access of any WCM Workforce Member who fails to complete mandatory security awareness training requirements within the required period. The following sanctions may be imposed:

  • The Workforce Member’s access to WCM systems, including Epic, may be disabled.
  • The Workforce Member’s access to WCM email may be disabled.
  • The Workforce Member’s supervisor, Department Administrator, Dean, or chairperson may be notified.

Human Resources (HR), the Office of General Counsel (OGC), the Office of Compliance (OOC), or any other relevant administrative unit may be involved for corrective action, if necessary.

Upon satisfactory completion of mandatory security awareness training courses, all access will be restored.

Compliance with this Policy

All WCM Workforce Members are responsible for adhering to this policy. Failure to comply will be evaluated on a case-by-case basis and could lead to corrective action, up to and including termination, consistent with other relevant WCM and University Policies. Instances of non-compliance that potentially involve a lapse of professionalism may lead to engagement of the Office of Professionalism for evaluation and intervention.

Contact Information

Direct any questions about this policy, ITS-500.19 – Security Compliance Training, Education, and Awareness, to the Office of the Chief Information Security Officer, using one of the methods below:

References

Policy Approval

This policy was reviewed and approved by:

  • Information Security and Privacy Advisory Committee (ISPAC) on July 17, 2025.
  • WCM-Executive Policy Review Group (WCM-EPRG) on September 23, 2025.
