Privacy & security

Cultural change is needed, but is healthcare ready?
By Mac McMillan
03:17 PM

This past December, Healthcare IT News and HIMSS Media sponsored the Privacy & Security Forum in Boston, hosting more than 200 folks from all sectors of the industry to present ideas around and discuss various topics related to privacy and security.

I had the pleasure of moderating one of the breakout sessions on the subject of cultural change. There is no doubt about the importance of the role culture plays in an organization and how it impacts behavior. Culture, according to at least one definition, is the keeper of the principles that are valued by the organization, shape priorities and guide how members of the workforce behave and make decisions.

The Department of Health and Human Services' Office for Civil Rights (OCR) for quite a while suggested that the industry needed to adopt a culture of compliance. During the summit, OCR Director Leon Rodriguez amended that position by saying the OCR was embracing a "culture of enforcement," appropriate for an organization with its mission.

I've always contended that compliance is a byproduct or outcome of doing things right and enforcement is an influencing agent for accountability, while the culture we need is one that meshes with and supports our core mission.


Therefore, I contend that what healthcare needs is a culture that respects and values privacy and security of patient information as a part of the care mission. That was the thesis we explored together in our breakout session in Boston. At the beginning of the session we posed two questions to those in attendance. This article, as promised, reports back and analyzes the answers to those questions.

Question 1: Does your organization currently have a culture that values privacy and security?

Fifty-eight percent of respondents answered no, or said adoption of a culture of privacy and security was inconsistent in their organization. 

Further analysis showed those that responded yes pointed to leadership, the type of organization they belonged to (government/military) or critical events (incidents/breaches) as influencers of their culture. Those that said no cited a lack of understanding, lack of education, lack of resources and other factors such as new technologies creating new risks.

Two observations made by those answering that adoption was inconsistent were also interesting. First, they said that "how" a workforce member viewed or prioritized privacy and security was based on the individual's role, meaning those that perceived or had privacy and security as part of their assigned responsibilities placed a higher priority on those aspects of their job.

The second observation dealt with the generational effects on culture. Several answered that there was a marked deviation in attitudes towards privacy and security and overall willingness to accept change between senior and junior workforce members. More senior workforce members were perceived as resistant to change or as not seeing the need for it. Workforce members at the midpoint in their careers were generally more receptive to change and accepting of responsibility, while junior workforce members were described as much more tech savvy but seemed to care less.

Much of this is consistent with descriptions of the various generations we currently see in the workplace today. Those younger members who appear to care less may instead just be reflecting a difference in how their generation perceives what is personal and therefore private, and the effects of a social media upbringing.

Question 2: What are the two most important factors to creating a culture of privacy and security?

Respondents' answers to this question also varied, but the top three were consistent with how they answered the first question: leadership, training and education, and awareness and communication. However, several other factors were identified that helped explain why some organizations have not adopted a culture of privacy and security just yet. The chart above shows all of the responses received.

Sixty-six percent of respondents identified leadership as the most important factor in establishing or changing culture. Nearly half said training and education were important and 23 percent saw awareness and communications as contributors.

All of these speak to the message that workforce members receive, which is largely the responsibility of organizational leadership. What normally gets communicated and taught reflects what leadership and the organization feel is important. If culture is a product of principles and priorities, as our definition suggests, and those are the domains of leadership, then the examples set by leadership affect the establishment of, or change to, organizational culture.

Some respondents cited a lack of resources as an impediment to changing culture; others said an intransigent culture was hard to move. There is no doubt that resource challenges can make change seem difficult at best and human nature has taught us that some find it easier to accept the unacceptable rather than try to change "what has always been this way."

Thirty-one percent of respondents cited fear of negative outcomes as motivators for change. They identified individual accountability, risk of audit or the actual experience of a breach or audit as factors that had led to change in their organizations.

Accountability was also listed as a detractor to change when its absence or inconsistent application created a negative. While fear can be a great motivator for action, it is not as powerful as a belief system that sees privacy and security as important principles that define who the organization is and how it acts. Truly valuing something affects what we do even when the watchers are not watching.


Clearly, privacy and security is not yet a dominant culture throughout healthcare and many still struggle with change. Leadership, education, experience, technology awareness and willingness to change are important contributing factors. Resources, intransigence and the lack of accountability contribute to the challenge.

I would suggest that these are more side effects than factors, meaning resources, attitude, and responsibility generally follow what is considered a priority. Leadership is considered the most important factor for organizational culture change, and decides what is or isn't a priority.