1. Establish a Security Culture

Security professionals widely agree: the weakest link in any computer system is the user.

Researchers who study the psychology and sociology of Information Technology (IT) users have demonstrated time and again how very difficult it is to raise people’s awareness about threats and vulnerabilities that can jeopardize the information they work with daily. The tips in this document describe some ways to reduce the risk, decreasing the likelihood that patients’ personal health information will be exposed to unauthorized disclosure, alteration, and destruction or denial of access. But none of these measures can be effective unless the health care practice is willing and able to implement them, to enforce policies that require these safeguards to be used, and to effectively and proactively train all users so that they are sensitized to the importance of information security. In short, each health care practice must instill and support a security-minded organizational culture.

One of the most challenging aspects of instilling a security focus among users is overcoming the perception that “it can’t happen to me.” People, regardless of their level of education or IT sophistication, are alike in believing that they “will never succumb to sloppy practices or place patient information at risk. That only happens to other people.”

The checklists included in this document are one proven way to overcome the human blind spot with respect to information security. Following a set of prescribed practices, and checking each one every time, avoids at least some of the errors that overconfidence produces. But checklists alone are not enough. It is incumbent on any organization where lives are at stake to support proper information security by establishing a culture of security. Every person in the organization must subscribe to a shared vision of information security so that sound habits and practices become automatic.

Security practices must be built in, not bolted on.

No checklist can adequately describe all that must be done to establish an organization’s security culture, but there are some obvious steps that must be taken:

• Education and training must be frequent and ongoing.

• Those who manage and direct the work of others must set a good example and resist the temptation to treat themselves as exceptions to the rules they expect others to follow.

• Accountability and taking responsibility for information security must be among the organization’s core values.

Protecting patients through good information security practices should be as second nature to the health care organization as sanitary practices.