15 Ways Healthcare Organizations Can Build a Strong Security Culture

Laura M. Cascella, MA, CPHRM

In healthcare, the term “culture of safety” or “safety culture” is familiar. It refers to organizational values, attitudes, and goals related to providing a safe environment and safe patient care. Although perhaps not as common, the term “security culture” is conceptually very similar to safety culture. An organization’s security culture focuses on beliefs, values, and behaviors related to protecting health information, other sensitive data, and patient and employee privacy.

Establishing a sound and prominent security culture is absolutely crucial in healthcare, particularly as health technology continues to rapidly advance, the volume of health information that is shared increases, and cyberattacks become more numerous and sophisticated. Failing to make security a priority, or adopting an apathetic attitude about it, can increase the risks of patient harm, data breaches, fines, sanctions, loss of reputation, and liability exposure.

Methods for building a robust security culture are broad and look at security through an enterprise-wide lens rather than merely addressing specific security risks. These methods tend to focus on organizational approach, communication, policies/procedures, and human resources. The 15 recommendations that follow offer healthcare facilities guidance on how to build, enhance, and/or sustain a strong security culture.

1. Include physical security and cybersecurity as key components of your organization’s overall strategic planning, budget, and enterprise risk management initiatives.
2. Cultivate leadership awareness of, and engagement in, the organization’s security planning and decision-making. Leadership’s consistent support of security culture sets the tone for the entire organization. A strong security culture “means an ongoing process that is driven not from the IT department but from the top of the organization down.”¹
3. Embrace a culture in which organizational leaders and managers lead by example, rather than fostering a “do as I say, not as I do” approach. Ask leaders and managers to share with employees the ways in which they participate in the organization’s security culture (e.g., through trainings, advocating for resources, and helping identify solutions).
4. Appoint a qualified chief information security officer and adequate and competent personnel to implement security processes and address security issues.
5. Ensure that responsibility and accountability for security are core values of the organization, and verify that all personnel are aware of their responsibilities for maintaining these values.
6. Develop written policies that clearly explain the organization’s expectations related to confidentiality, privacy, and information security; policies should include possible consequences for violating organizational standards.
7. Conduct a security culture survey of employees to assess their feelings, beliefs, behaviors, and knowledge about security issues, policies, and procedures. The results of the survey can serve as a benchmark and help inform improvement efforts.
8. Ensure that security is a top priority when acquiring and implementing new technology and determining methods for sharing health information and other confidential data.
9. Perform due diligence of business associates to determine whether their security standards align with your organization’s security culture and are adequate to ensure compliance with federal and state privacy and security laws.
10. Periodically conduct risk assessments to determine potential security vulnerabilities in organizational systems and processes. Work with facility leaders, security personnel, providers, and staff to address these weaknesses and devise practical solutions.
11. Devise and implement physical safeguards and technology-based safeguards to prevent security breaches.
12. Consider both human and systems factors that can lead to security incidents when devising strategies to support your organization’s security culture. An article from Healthcare IT News notes that although cybercrimes make headlines, “internal cultural and technological vulnerabilities are often more to blame for an ongoing cycle of healthcare data breaches.”²
13. Implement corrective procedures, including an incident response plan, related to security incidents, data breaches, and cyberattacks.
14. Provide frequent training and reminders to administrators, healthcare practitioners, staff, volunteers, vendors, etc., about security issues and the organization’s security policies and standards. Consider various training formats and activities — such as online learning, workshops, role-playing, etc. — to keep individuals engaged and aware.
15. Tailor educational approaches and outreach to address individual employee needs, knowledge gaps, and risky behaviors. Security magazine notes that “Sharing consistent, relevant touchpoints directly to an individual will lead to positive changes in behavior over time, ultimately protecting the broader organization.”³

For more information and resources about addressing security concerns and building a security culture, see MedPro’s Risk Resources: Cybersecurity, the American Hospital Association’s Cybersecurity & Risk Advisory, and HealthIT.gov’s Privacy, Security, and HIPAA webpage.

Endnotes

¹ Carpenter, P. (2021, May 27). The importance of a strong security culture and how to build one. Forbes. Retrieved from www.forbes.com/councils/forbesbusinesscouncil/2021/05/27/the-importance-of-a-strong-security-culture-and-how-to-build-one/

² Ford, P. (2019, October 8). Changing the cybersecurity culture. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/emea/changing-cybersecurity-culture

³ Venkataraman, S. (2021, August 11). Health leaders, it’s time to prioritize cybersecurity culture and employee awareness. Security. Retrieved from www.securitymagazine.com/articles/95820-health-leaders-its-time-to-prioritize-cybersecurity-culture-and-employee-awareness

---

Prevention & Education Center home