Synopsis: As the number of breaches in healthcare continues to rise, organizations must shift their focus from investing only in tools that check compliance boxes to also adopting effective strategies that embed a culture of data protection and privacy within their workforce, one that promotes compassion for end users and encourages good security hygiene.
The number of security and privacy breaches in healthcare continues to rise each year, even as organizations spend more on governance and compliance tools. The sad reality is that a focus on tooling alone, adopted just to check compliance boxes, is unlikely to be effective if the organization ignores the most important weapon it has in its fight against cyber attacks: its people. An organization that focuses on instilling a culture of data protection will naturally find itself staying ahead of compliance requirements rather than chasing them.
Effective strategies that organizations can adopt to embed a data protection and privacy culture include paying appropriate attention to employee training, promoting compassion to protect end users, and recognizing good behavior and practices.
Start with Employees: Make Trainings Great Again
Industry statistics point to the fact that most breaches start with mistakes made, or suspicious events ignored, by employees. Trained employees are more likely to fend off phishing attacks and to watch for indications of compromise in their surroundings, such as insider threats. Better still, they are less likely to make the errors in judgment that can make the difference between disclosures that qualify as data breaches under laws such as the HIPAA Privacy Rule and those that do not.
However, training is unlikely to be effective if it is treated as a checkbox exercise. Training and education must be embedded in the company culture so that they can deliver measurable results. When employees find these trainings drab and boring, their effectiveness will be limited as well. Training will be more effective if it is customized to the unique needs of the organization. For example, training for hospital staff should have a different focus than training for healthcare IT staff. Training delivered in person will also be more effective than training taken online. Finally, no exceptions should be made for teams based on whether or not they come into direct contact with sensitive data. This ensures a common and consistent baseline of data protection and privacy concepts that everyone in the company understands.
Protect End Users: Build Trust via Compassion
Promoting a culture of compassion for end users goes a long way toward achieving an organization’s data protection goals, while also enhancing user trust. Compassion can manifest itself in many of the product and business decisions an organization makes. For example, embedding privacy and security in the design process, and carefully balancing the need to collect and retain sensitive data against the principle of “data minimization,” can reduce the risk of inappropriate information disclosure. Choosing not to offer patient data for sale in exchange for advertising dollars, and not abusing user consent where users have no bargaining power to opt out, are other ways organizations can show compassion in their business decisions. These decisions can also include enforcing secure settings by default, such as encryption in transit or strong passwords, so that the user is always protected. In other words, compassion necessarily dictates that the application be designed with the goal of protecting the end user in mind.
Encourage Good Behavior: Recognition, not Restrictions
A well-rounded data protection culture is one that encourages and rewards good behavior. While accountability has its role in the enforcement of security and privacy policies, recognition is more powerful than restrictions. An organization should create incentives for employees to participate in activities that promote the organization’s data protection culture. For example, it can use a gamification strategy to track positive behavior by employees, either as individuals or as teams, and reward them on a weekly or quarterly basis. The awards may be given out as stickers or trophies that become a symbol of positive behavior. The behaviors can be as simple as completing required training on time, or more advanced, such as alerting the security or privacy team to a potential risk or a violation of the organization’s policies. The idea is to make your workforce your eyes and ears, and to instill in them a sense that security is a responsibility shared by everyone.
Learn what you can do to take the security and privacy of user information seriously and to embed data protection in your company’s culture as an important pillar of your security and privacy program. Register here for our event, Designing a Culture of Data Privacy, to hear more.
Author: Rafae Bhatti