What if every organization was required to disclose how many days have gone by since their last accident? The industrial sector is required to do just that. It’s not uncommon to walk through a building and see signs that say something like, “100 days since last accident.” It reflects on the company’s safety standards. Fewer accidents also mean an avoidance of loss of productivity.
So, what if healthcare organizations that handle PHI had to do the same thing? What if they were required to post on the walls of their offices and on their website how many days have gone by since the last time that information was compromised? What would their clients think?
Sounds crazy, right? But we can learn a thing or two from those hard-working, steel-toe-boot-wearing workers, and that’s creating a culture of safety. For the healthcare industry, it’s something that must go well beyond technological advances and hacker-blocking software.
The unfortunate truth is that the healthcare sector is an easy target for cyber criminals because of its vast ecosystem. There are so many interconnected individuals that have access to medical and billing records – patients, dependents, specialists, physicians, hospitals, billing service providers, health insurers… the list goes on and on. Not to mention that medical records are the highest-valued credentials on the dark web at $20-$50 per record – that’s at least 90% higher than the value of someone’s credit card information. Because of the significant rise in data theft incidents leading to litigation, our country is really facing a ransomware epidemic.
Protecting PHI must go well beyond security tools. It’s about people. Oftentimes there are wide variations in the perception of safety across a single organization. It may be high among executives but low in another unit, or vice versa. Your company may have the most intuitive healthcare cybersecurity software and clear safety processes in place, but at the end of the day, your safety culture won’t shift until every single employee consciously decides to make the change. It requires leadership and commitment. There are certain steps you can take to create a culture of security awareness at work.
Tip 1 - Make Healthcare Cybersecurity Personal
In my opinion, this is the best tip because it hits home for many and creates motivation. Security awareness really affects all aspects of life; it’s not just about work. We live in an always-online culture. People share a wide array of personal information online, even when they simply post a photo on Facebook. We’re exposed on a daily basis to data theft, phishing attempts, and all kinds of social engineering tactics, and most people don’t realize it. When you raise awareness of security issues in a broader context, employees become more engaged and take more interest once their emotions are sparked. For example, I led an employee presentation with our SEO Manager a few months ago on protecting your personal information from hackers on websites and social media. When employees realize that not practicing good safety habits could affect their finances or even their families, that concern carries over to the workplace.
Tip 2 - Don't Play the Blame Game
It's easy to point fingers, but individual blame is very much a roadblock to the advancement of a safety culture. However, there still remains the issue of accountability, because some errors may genuinely be blameworthy. To reconcile the two, try the concept of “Just Culture”, a widely used approach that focuses on identifying and addressing the systemic issues that lead employees to engage in unsafe behavior (such as leaving a computer unlocked, or downloading sensitive information to a USB drive) while still maintaining individual accountability by establishing zero tolerance towards recklessness, i.e. no one gets special treatment. A “Just Culture” distinguishes between accidents, at-risk behavior (taking shortcuts) and reckless behavior (ignoring safety protocol). The response to an error depends on the type of behavior associated with the error, not the severity of the issue. So, regardless of whether or not someone else was put in harm’s way, the employee is treated the same way no matter what.
Tip 3 - Appoint Security Officers to Enforce Your Privacy Policy
Promoting safety standards isn’t just IT’s job. Try appointing a security officer within each department to help promote good practices. That way, you have more eyes and ears dedicated to the cause and spread awareness on a more granular level.
Tip 4 - Protect Your Healthcare Data through Gamification
A little healthy competition never hurt anyone, especially when it comes to healthcare cybersecurity. When departments are encouraged to compete against each other towards a particular goal, you’ll raise a lot more interest in keeping data safe. For example, which department will catch the highest number of phishing emails over the course of a week?
Tip 5 - Use the KISS Approach
My music instructor in college used to say this to me when I overcomplicated a piece of music I was trying to play. It stands for “Keep It Simple Silly.” Silly it may sound, but it’s absolutely applicable to creating a safety culture. Try to keep your approach simple and aligned with business goals. There should always be an underlying goal to practice safety protocol no matter what you’re doing, but try to achieve incremental goals instead of attempting to achieve everything at once. Identify what behaviors and processes you want to achieve, then align them with your business goals. This will help employees understand why creating a safety culture will benefit the company as a whole.