Members of the healthcare C-suite must be able to understand the privacy and security risks their organizations face and properly communicate those risks to their workforce, law professor Daniel Solove told a packed ballroom at the 23rd National HIPAA Summit on Tuesday in the District of Columbia.
To effectively prevent incidents from happening, healthcare executives must understand the risks, the law and the importance of compliance, said Solove, the John Marshall Harlan Research Professor of Law at the George Washington University Law School.
In addition, he said, the workforce must be aware and know what to do in the event of a hack, especially because employees are the leading sources of incidents. "It really just takes one person to make a big mess of things," he said.
Education is the key to making sure employees are doing everything they can to keep data safe, Solove said.
"Teach them, teach them, teach them. You can't force them to do the right thing, but you can teach them to do the right thing," he stressed.
Trainers, he added, must educate through stories and by making an emotional connection with employees. It's important for employees to see that their actions impact not only patients throughout the system, but also their own personal work and reputation, he said.
"The C-suite must care, the workforce must be aware. This is a very simple recipe, and if you follow this recipe, it will be tremendous improvement on protecting privacy and data security," Solove said. "Data protection must be felt in the bones of an organization, it must be part of the organization's culture. It can't be something that's an afterthought or tacked on."