Tips For Building A Privacy Culture
No Good Idea is Too Small to Try
No one wants to get into trouble with the boss. That's why many data breaches are reported late or, even worse, unreported altogether. But creating a positive workplace culture that supports privacy and security - and eliminates some of that fear of reporting - can go far in breach prevention and response.
At least that's the message I got from attendees of a "privacy culture" workshop at a recent HIMSS privacy and security forum in Boston. During the session, a few dozen healthcare privacy and security professionals candidly (and anonymously) shared their experiences about what it takes to get a workforce proactive in protecting the privacy and security of patient health information.
One of the clear messages: Sometimes HIPAA training alone is just not enough to drill into people's heads why and how patient information needs to be protected. So, how are organizations getting doctors, nurses and other staff to do the right thing? (see: How a Breach Led to Change in Culture.)
Here are a few of the more clever suggestions shared among the group:
- Have a Single Point of Contact: "We see the biggest issue with security and privacy is getting the word out that there is someone to call for privacy issues, and that's a big start," said one attendee. Of course, organizations also first need to designate who that privacy leader is. That might not be a mystery at a larger entity that has someone with an official privacy and/or security title. But at smaller organizations, the role might be a little less defined. Hang up signs if you have to, but let people know who's in charge of handling breach questions.
- Offer an Amnesty Period: Staffers are often afraid they'll get in trouble if they admit they've lost a laptop or messed up in some other way that puts critical data at risk. That fear causes delay in breaches being reported. "Eliminate fear," one individual said. "Tell people 'we want to help you get to a better state of security rather than hiding your non-compliance.'"
- Show the Numbers: Privacy and security programs are sometimes a hard sell for doctors, so have data ready about how an investment in compliance efforts can greatly offset the potential cost of breaches, said one attendee. "Educate doctors about why we're doing these programs," he said. "Keep in mind that doctors are scientists; they're receptive to data."
- Remember Clinicians are Motivated by Trust: "The loss of good will when the privacy of one of your patients is breached hits home," said one attendee. At that person's organization, primary care doctors are the designated bearers of bad news to patients about breaches, even if it's not the doctors' fault. "The primary care doctor is the face of our organization," he said. The dread of having to contact patients about breaches is also motivation for the doctors to keep their staff in line with privacy and security policies.
- Be Mindful of Social Media: "You can block Facebook access from your network, but that doesn't stop people from discussing patients when they log in at home," said another attendee. "People need to understand concepts and policies about patient confidentiality as they communicate on social media on their own time."
- Be Careful at Home: If you have a clinician who's not too tech-savvy but whose spouse is, make sure they're mindful of patient privacy at home. If you bring home a mobile device to access patient information, and then ask your techie spouse to straighten out a computer problem while patient charts are on the screen, that's not cool.
- Make Policies User-Friendly: One pharmaceutical company in its clinical trial facilities hangs from the ceilings cartoon character "privacy and security superheroes" to remind workers of policies, said workshop participant Aaron Stevens, a corporate alliance consultant at the International Association of Privacy Professionals. "The superheroes have messages like 'don't talk about clinical trials' and 'keep patient info private,'" he said. "It might seem silly, but it stops people from being stupid."
I spoke with Stevens after the session, and he told me the IAPP is "kicking the tires" on modular video games that teach two hours of privacy and security lessons in 20-minute increments, designed for the needs of various organizations. The games might also cover privacy and security laws of various states. IAPP isn't planning to sell the third-party games, but could let members know they're available to help their privacy and security efforts, he said.
In fact, the folks over at the Department of Health and Human Services also apparently feel electronic games are a good way to build privacy and security awareness among healthcare professionals. The department makes available for free a game, CyberSecure: Your Medical Practice, to teach about protecting patient information. (see: An Entertaining Approach to Training.)
"The new generation [of workers] coming up are gamers, and I think it's a great teaching tool," Stevens said.
As for me, I think that any decent idea that could help improve the privacy and security of patient information is worth a shot.