Much of this is consistent with descriptions of the various generations we currently see in the workplace today. Those younger members who appear to care less may instead just be reflecting a difference in how their generation perceives what is personal and therefore private, and the effects of a social media upbringing.

Question 2: What are the two most important factors to creating a culture of privacy and security?

Respondents' answers to this question also varied, but the top three were consistent with how they answered the first question and included leadership, training and education and awareness and communication at the top. However, several other factors were identified that helped explain why some organizations have not adopted a culture of privacy and security just yet. The chart above shows all of the responses received.

Sixty-six percent of respondents identified leadership as the most important factor in establishing or changing culture. Nearly half said training and education were important and 23 percent saw awareness and communications as contributors.

All of these speak to the message that workforce members receive, which is largely the responsibility of organizational leadership. What normally gets communicated, gets taught, is reflective of what leadership and the organization feels is important. If culture is a product of principles and priorities, as our definition suggests, and those are the domains of leadership, then the examples set by leadership affect establishment or change to organizational culture.

Some respondents cited a lack of resources as an impediment to changing culture; others said an intransigent culture was hard to move. There is no doubt that resource challenges can make change seem difficult at best and human nature has taught us that some find it easier to accept the unacceptable rather than try to change "what has always been this way."

Thirty-one percent of respondents cited fear of negative outcomes as motivators for change. They identified individual accountability, risk of audit or the actual experience of a breach or audit as factors that had led to change in their organizations.

Accountability was also listed as a detractor to change when its absence or inconsistent application created a negative. While fear can be a great motivator for action, it is not as powerful as a belief system that sees privacy and security as important principles that define who the organization is and how it acts. Truly valuing something affects what we do even when the watchers are not watching.

Conclusion

Clearly, privacy and security is not yet a dominant culture throughout healthcare and many still struggle with change. Leadership, education, experience, technology awareness and willingness to change are important contributing factors. Resources, intransigence and the lack of accountability contribute to the challenge.

I would suggest that these are more side effects than factors  -  meaning resources, attitude, and responsibility generally follow what is considered a priority. Leadership is considered the most important factor for organizational culture change, and decides what is or isn't a priority. n