15 Ways Healthcare Organizations Can Build a Strong Security Culture


Laura M. Cascella, MA, CPHRM

In healthcare, the term “safety culture” or “culture of safety” is familiar. It refers to organizational values, attitudes, and goals related to providing a safe environment and safe patient care. Although perhaps not as common, the term “security culture” is conceptually very similar to safety culture. An organization’s security culture focuses on beliefs, values, and behaviors related to protecting health information, other sensitive data, and patient and employee privacy.

Establishing a sound and prominent security culture is crucial in healthcare, particularly as health technology continues to expand, the volume of health information sharing and transfer increases, and cyberattacks become more numerous and sophisticated. Failing to make security a priority, or adopting an apathetic attitude toward it, increases the risks of patient harm, data breaches, fines, sanctions, and liability exposure.

Escalating Concerns

The COVID-19 pandemic has exacerbated security concerns due to remote and hybrid work models as well as a surge in cyberthreats to healthcare organizations.1 In 2020, more than 18 million patient records were affected by cyberattacks, which was a 470 percent increase from 2019. These attacks also cost the healthcare industry more than $20 billion in downtime.2 Additionally, in the past few years, the first patient fatalities allegedly linked to cyberattacks occurred in the United States and abroad.3

Unlike strategies that address specific security risks (e.g., phishing) through targeted interventions, methods for building a robust security culture are broad and look at security through an enterprise-wide lens. These strategies tend to focus on organizational approach, communication, policies/procedures, and human resources.

The 15 recommendations that follow offer healthcare facilities guidance on how to build, enhance, and/or sustain a strong security culture.

  1. Include physical security and cybersecurity as key components of your organization’s overall strategic planning, budget, and enterprise risk management initiatives.
  2. Cultivate leadership awareness of, and engagement in, the organization’s security planning and decision-making. Leadership’s consistent support of security culture sets the tone for the entire organization. A strong security culture “means an ongoing process that is driven not from the IT department but from the top of the organization down.”4
  3. Embrace a culture in which organizational leaders and managers lead by example, rather than fostering a “do as I say, not as I do” approach. Ask leaders and managers to share with employees the ways in which they participate in the organization’s security culture (e.g., through trainings, advocating for resources, and helping identify solutions).
  4. Appoint a qualified chief information security officer and adequate and competent personnel to address security issues.
  5. Ensure that responsibility and accountability for security are core values of the organization, and verify that all personnel are aware of their responsibilities for maintaining these values.
  6. Develop written policies that clearly explain the organization’s expectations related to confidentiality, privacy, and information security; policies should include possible consequences for violating organizational standards.
  7. Conduct a security culture survey of employees to assess their feelings, beliefs, behaviors, and knowledge about security issues, policies, and procedures. The results of the survey can serve as a benchmark and help inform improvement efforts.
  8. Ensure that security is a top priority when acquiring and implementing new technology and determining methods for sharing health information and other confidential data.
  9. Perform due diligence of business associates to determine whether their security standards align with your organization’s security culture.
  10. Periodically conduct risk assessments to determine potential security vulnerabilities in organizational systems and processes. Work with facility leaders, security personnel, providers, and staff to address these weaknesses and devise practical solutions.
  11. Devise and implement physical safeguards and technology-based safeguards to prevent security breaches.
  12. Consider both human and systems factors that can lead to security incidents when devising strategies to support your organization’s security culture. An article in Healthcare IT News notes that although cybercrimes make headlines, “internal cultural and technological vulnerabilities are often more to blame for an ongoing cycle of healthcare data breaches.”5
  13. Implement corrective procedures, including an incident response plan, related to security incidents, data breaches, and cyberattacks.
  14. Provide frequent training and reminders to administrators, healthcare practitioners, staff, volunteers, vendors, etc., about security issues and the organization’s security policies and standards. Consider various training formats and activities, such as online learning or role-playing, to keep individuals engaged and aware.
  15. Tailor educational approaches and outreach to address individual employee needs, knowledge gaps, and risky behaviors. Security magazine notes that “Sharing consistent, relevant touchpoints directly to an individual will lead to positive changes in behavior over time, ultimately protecting the broader organization.”6

For more information and resources about addressing security concerns and building a security culture, see MedPro’s Risk Resources: Cybersecurity, the American Hospital Association’s Cybersecurity & Risk Advisory Services, and HealthIT.gov’s Privacy and Security website for healthcare providers and professionals.


1 Andersen, J. (2021, April 27). The hybrid office will create great opportunities—for companies and cybercriminals. Fortune. Retrieved from https://fortune.com/2021/04/27/hybrid-office-cybersecurity-hackers-remote-work-from-home-cybercrime-malware/; Skahill, E., & West, D. M. (2021, August 9). Why hospitals and healthcare organizations need to take cybersecurity more seriously. The Brookings Institution. Retrieved from www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/

2 Horowitz, B. T. (2021, March 26). 2020 offered a 'perfect storm' for cybercriminals with ransomware attacks costing the industry $21B. Fierce Healthcare. Retrieved from www.fiercehealthcare.com/tech/ransomware-attacks-cost-healthcare-industry-21b-2020-here-s-how-many-attacks-hit-providers

3 Ralston, W. (2020, November 11). The untold story of a cyberattack, a hospital and a dying woman. Wired. Retrieved from www.wired.co.uk/article/ransomware-hospital-death-germany; Miliard, M. (2021, October 1). Hospital ransomware attack led to infant's death, lawsuit alleges. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges

4 Carpenter, P. (2021, May 27). The importance of a strong security culture and how to build one. Forbes. Retrieved from www.forbes.com/sites/forbesbusinesscouncil/2021/05/27/the-importance-of-a-strong-security-culture-and-how-to-build-one/?sh=60c7e9ee6d49

5 Ford, P. (2019, October 8). Changing the cybersecurity culture. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/emea/changing-cybersecurity-culture

6 Venkataraman, S. (2021, August 11). Health leaders, it’s time to prioritize cybersecurity culture and employee awareness. Security. Retrieved from www.securitymagazine.com/articles/95820-health-leaders-its-time-to-prioritize-cybersecurity-culture-and-employee-awareness
