Last year, Forbes cited the healthcare industry as the industry most at risk of cyber attacks. The industry was tested severely by the ransomware attack that exposed the UK's National Health Service at the beginning of this year. Cybercrime is on the rise, and no corporation or government agency is immune to data breaches. Technology, then, is both an opportunity and a source of risk.
Creating a culture of privacy and security awareness is the only real answer to these threats, but it is a journey that everyone must commit to, and one that is dynamic and ongoing. To be effective, the strategy must take a top-down approach in which executives lead the initiative by following the organization's privacy and security policies and procedures themselves. The program should be engaging rather than punitive; making employment termination the consequence for staff who fail to follow the rules can create mistrust and fear. A sense of accountability and responsibility that forms naturally in everyone is what makes these efforts meaningful.
The first step an organization must take on this journey is to make all of its members aware of why privacy and security matter, what risks are involved, and how the risk of a privacy or security breach can be reduced. Newsletters and bulletins that inform and update clinicians, operations staff, and administrative staff, together with regular (e.g. annual) privacy and security awareness training, will help management and rank-and-file employees understand how these policies and procedures fit together in achieving organizational goals. Groups that are well informed and have completed the relevant training can develop best practices within the organization and apply them daily. More importantly, where no explicit guidance has been provided, personnel must be able to use their best judgment to apply the principles set out in the knowledge base and training so that their decisions and actions are ethical, practical, and sound.
The ultimate goal of a healthcare organization's privacy and security awareness efforts is to prevent and detect threats and attacks, and to protect stakeholders and everyone else, across protected health information (PHI), company data, cybersecurity, networks, social engineering, IT and medical equipment and devices, and social media. A healthcare organization should go beyond mere HIPAA compliance and focus on mitigating these organization-wide business risks. Needless to say, it should also include business continuity planning and disaster recovery planning in its efforts to prepare for, prevent, stop, and mitigate the effects and risks of these threats and attacks.
In putting a program and a system in place, an organization should:
Further discussion of the above will be provided in succeeding articles.
Promoting privacy and security awareness is a team effort, not the sole responsibility of the privacy and security team, which is often understaffed and time-constrained. The healthcare organization must get other departments and operating centers engaged in the program. Patient education is also crucial: patients can act as active advocates because they are the ones most directly and heavily affected by these programs, and they must know their rights and their responsibilities in terms of privacy and HIPAA. A comprehensive approach from all levels of the organization will, if not eradicate, at least mitigate and prevent the risk of exposure to these evolving attacks and threats.
Security matters as much in our personal lives as it does in the workplace. In this technology-driven industry and society, people are routinely exposed to phishing, password challenges, data theft, and other social engineering tactics. Raise awareness of privacy and security concerns in a wider context for your personnel, such as how to better protect their families and personal finances, and your employees will be more willing to get involved and become advocates for this cause.
Publicly recognize the initiatives of your organization's members in promoting privacy and security awareness campaigns. Valued employees are the most engaged employees. Recognition can be announced via company newsletters, internal correspondence, internal campaign materials, and similar media.
As with public recognition, asking staff for their feedback creates a sense of pride and boosts morale, because it shows that their thoughts are valued by management and by the organization as a whole. Send out surveys or polls, and gather feedback during career-track meetings between employees and their supervisors.
One key point we wish to share here comes from HR Zone's article: "Behavioral change is often viewed as a painful and difficult process with an uncertain chance of success. By understanding how people react to the need to behave differently, changing new behaviors can become more automatic, requiring less effort to practice and a part of our new routine."