Sue Schade: 4 traits of hospitals with a 'security culture'

A key piece of any healthcare organization's IT security program has to include creating a security culture, writes Sue Schade, chief information officer at University of Michigan Hospitals and Health Centers, in her most recent blog post.

Among the characteristics of an organization with a security culture, writes Schade, who also serves on FierceHealthIT's Editorial Advisory Board:

  1. Security is discussed and decisions made at the senior executive level
  2. The organization has a CISO, positioned to influence organizational activities, and who operates independent of conflicts of interest
  3. Security is a defined budgetary item, with security spending sufficient to address identified risks
  4. Workers are aware of their roles and responsibilities with respect to IT security and are held accountable to meeting them

UMHS recently rolled out a mobile device management (MDM) plan that requires encryption, though it raised some concerns among faculty and staff.

Though the organization stressed its obligation to honor the privacy of patient information, it also had to reassure the workforce that the MDM solution would not be, among other things, tracking their web browsing history or tracking telephone numbers, texts, or the content of those communications.

"In an organization with a strong security culture, the workforce would be more security aware already, and more ready to deploy needed solutions. And resources are able to focus on deploying solutions rather than preventing user efforts to work around needed security," Schade writes.

To effectively prevent incidents from happening, healthcare executives must understand the risks and effectively communicate those risks to their workforce, law professor Daniel Solove said at the National HIPAA Summit last week. Workers also need to know what to do should an event occur.

Joseph Smith, who retired from his post as CIO of Arkansas Blue Cross and Blue Shield last year, says that poor data habits from company employees are cause for concern.

"It's always unintentional or innocent, but your biggest risk is your own employees," Smith recently said.
