This past December, Healthcare IT News and HIMSS Media sponsored the Privacy & Security Forum in Boston, hosting more than 200 folks from all sectors of the industry to present ideas around and discuss various topics related to privacy and security.

I had the pleasure of moderating one of the breakout sessions on the subject of cultural change. There is no doubt the importance of the role culture plays in an organization, and how it impacts behavior. Culture  -  according to at least one definition  -  is the keeper of the principles that are valued by the organization, shape priorities and guide how members of the workforce behave and make decisions.

The Department of Health and Human Services' Office for Civil Rights (OCR) for quite a while suggested that the industry needed to adopt a culture of compliance. During the summit, OCR Director Leon Rodriguez amended that position by saying the OCR was embracing a "culture of enforcement," appropriate for an organization with its mission.

I've always contended that compliance is a byproduct or outcome of doing things right and enforcement is an influencing agent for accountability, while the culture we need is one that meshes with and supports our core mission.

Therefore, I contend that what healthcare needs is a culture that respects and values privacy and security of patient information as a part of the care mission. That was the thesis we explored together in our breakout session in Boston. At the beginning of the session we posed two questions to those in attendance. This article, as promised, reports back and analyzes the answers to those questions.

Question 1: Does your organization currently have a culture that values privacy and security?

Fifty-eight percent of respondents answered no, or said adoption of a culture of privacy and security was inconsistent in their organization. 

Further analysis showed those that responded yes pointed to leadership, the type of organization they belonged to (government/military) or critical events (incidents/breaches) as influencers of their culture. Those that said no cited a lack of understanding, lack of education, lack of resources and other factors such as new technologies creating new risks.

Two observations made by those answering that adoption was inconsistent were also interesting. First, they said that "how" a workforce member viewed or prioritized privacy and security was based on the individual's role  -  meaning those that perceived or had privacy and security as part of their assigned responsibilities placed a higher priority on those aspects of their job.

The second observation dealt with the generational effects on culture. Several answered that there was a marked deviation in attitudes towards privacy and security and overall willingness to accept change between senior and junior workforce members. More senior workforce members were perceived as resistant to change or as not seeing the need for it. Workforce members at the midpoint in their careers were generally more receptive to change and accepting of responsibility, while junior workforce members were described as much more tech savvy but seemed to care less.