Risk Management Tools & Resources



10 Ways to Establish a Security Culture at Your Healthcare Organization


Laura M. Cascella, MA

10 Ways to Establish a Security Culture at Your Healthcare Organization

In healthcare, the term "safety culture" or "culture of safety" is familiar. It refers to organizational values, attitudes, and goals related to providing a safe environment and safe patient care. Although perhaps not as common, the term "security culture" is conceptually very similar to safety culture. An organization's security culture focuses on beliefs, values, and behaviors related to the privacy and security of protected health information (PHI) and other sensitive data.

As healthcare technology and information-sharing continue to rapidly expand — and as cybercriminals become increasingly sophisticated and savvy — the need for healthcare organizations to establish a sound and prominent security culture is of paramount importance. Failing to make security a priority, or adopting an apathetic attitude about it, can increase the risk of data breaches, fines, sanctions, and liability exposure.

Although healthcare organizations can use various targeted strategies to address specific security risks (e.g., mobile device theft or ransomware), strategies related to building a robust security culture more broadly focus on organizational approach, policies and procedures, and human resources. The 10 recommendations below offer healthcare facilities guidance on how to build, enhance, and/or sustain a strong security culture.

  1. Include security as a key component of the organization’s overall strategic planning, budget, and enterprise risk management initiatives.
  2. Cultivate leadership awareness of, and involvement in, the organization’s security planning and decision-making.
  3. Embrace a culture in which organizational leaders and managers lead by example, rather than fostering a “do as I say, not as I do” approach.
  4. Appoint a qualified chief information security officer and adequate personnel to address security issues.
  5. Ensure that responsibility and accountability for security are core values of the organization and all personnel are aware of their role in maintaining these values.
  6. Develop written policies that clearly explain the organization’s expectations related to information security, as well as possible consequences for violating organizational standards.
  7. Ensure that security is a top priority when acquiring and implementing new technology systems and determining methods for sharing PHI and other confidential information.
  8. Periodically conduct risk assessments to determine potential security gaps in organizational systems and processes, and work with facility leaders, security personnel, providers, and staff to address these gaps.
  9. Establish both preventive and corrective protocols related to  security breaches and cyberattacks.
  10. Provide frequent training and reminders to healthcare practitioners, staff, volunteers, vendors, etc., about the organization’s security policies and standards. Consider various training formats and activities, such as online learning or role-playing, to keep individuals engaged and aware.

For more information and resources about addressing security concerns, see the American Hospital Association’s Cybersecurity Resources, and visit HealthIT.gov’s Privacy and Security website for healthcare providers and professionals.

MedPro Twitter


View more on Twitter