Developing A Privacy Culture In Health Care Oganizations


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Developing A Privacy Culture In Health Care Oganizations

    1. 1. Developing a Privacy Culture in Health Care Organizations” The Experiences of eHealth Ontario
    2. 2. Notes <ul><li>eHealth Ontario formed by regulation in September 2008 </li></ul><ul><li>The transition of SSHA into eHealth Ontario has commenced. </li></ul><ul><li>Comments today reflect experiences of SSHA and not new Agency. </li></ul>
    3. 4. Canada: Privacy & Healthcare <ul><li>2007 Canada Health Infoway survey </li></ul><ul><li>Canadians reasonably confident that responsible stewardship of personal health data exists. </li></ul><ul><ul><ul><li>79% considers the health information that exists about them to be at least moderately secure. </li></ul></ul></ul><ul><ul><ul><li>Trust in health professionals (e.g., doctors, nurses, pharmacists) is very high; but slightly lower for other groups (e.g., administrators, government departments). </li></ul></ul></ul><ul><ul><ul><li>Trust levels are more mixed outside the realm of immediate health care providers (e.g., computer technicians, insurance companies, researchers). </li></ul></ul></ul><ul><li>“ If you can protect my privacy, I am okay with [electronic health records].” </li></ul>
    4. 5. United States: Privacy & Healthcare <ul><li>May 2008 CDT report on privacy and healthcare cites 2006 survey </li></ul><ul><li>When Americans were asked about the benefits of and concerns about online health information: </li></ul><ul><ul><ul><li>80% said they are very concerned about identity theft or fraud; </li></ul></ul></ul><ul><ul><ul><li>77% reported being very concerned about their medical information being used for marketing purposes; </li></ul></ul></ul><ul><ul><ul><li>56% were concerned about employers having access to their health information; and </li></ul></ul></ul><ul><ul><ul><li>53% were concerned about insurers gaining access to this information. </li></ul></ul></ul>
    5. 6. The Problem is Not External <ul><li>Gartner Group: </li></ul><ul><ul><ul><li>Employees commit 70% of data breaches. </li></ul></ul></ul><ul><li>2006 CSI/FBI survey: </li></ul><ul><ul><ul><li>92% of insider data thieves had negative work evaluations before breach. </li></ul></ul></ul><ul><li>Univ. of Washington research: </li></ul><ul><ul><ul><li>31% of data breaches between 1980 and 2006 were committed by external parties (e.g. “hackers”). </li></ul></ul></ul>
    6. 7. What to Do? <ul><li>In building a culture of privacy, an organization must: </li></ul><ul><ul><ul><li>clearly articulate privacy as an organizational priority; </li></ul></ul></ul><ul><ul><ul><li>communicate key privacy and security messages; </li></ul></ul></ul><ul><ul><ul><li>educate across the organization; </li></ul></ul></ul><ul><ul><ul><li>raise awareness of the importance of registering privacy incidents and breaches; </li></ul></ul></ul><ul><ul><ul><li>build privacy into the fabric of the organization’s activities; and </li></ul></ul></ul><ul><ul><ul><li>make privacy information and guidance readily accessible. </li></ul></ul></ul><ul><li>Think Training AND Awareness </li></ul>
    7. 8. Management Communication <ul><li>Management must have effective messaging: </li></ul><ul><ul><ul><li>Information protection isn’t solely a technical or policy issue; it also involves behavior. </li></ul></ul></ul><ul><ul><ul><li>The protection of personal information is a personal responsible for each staff member. </li></ul></ul></ul><ul><ul><ul><li>Information protection is an ongoing initiative, not a short-term project or goal. </li></ul></ul></ul><ul><ul><ul><li>Objective is to change organizational behavior to develop a “culture of privacy”. </li></ul></ul></ul>
    8. 9. Use Marketing Approach <ul><li>Brand “privacy awareness,” </li></ul><ul><ul><ul><li>Integrate all the materials into a coherent, consistent, and instantly recognizable campaign. </li></ul></ul></ul><ul><ul><ul><li>Strategy should be to continuously inform and motivate staff and managers. </li></ul></ul></ul><ul><li>SSHA adopted its own theme </li></ul><ul><ul><ul><li>“Get Caught! Doing the Right Thing.” </li></ul></ul></ul>
    9. 10. SSHA Awareness Campaigns <ul><li>Objectives: </li></ul><ul><ul><ul><li>Tie campaign to: </li></ul></ul></ul><ul><ul><ul><ul><ul><li>Updated Privacy and Security Standard of Conduct. </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Mandatory staff training. </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Enterprise Security and Privacy Incident Management. </li></ul></ul></ul></ul></ul><ul><ul><ul><li>Raise profile of Privacy and Security: </li></ul></ul></ul><ul><ul><ul><ul><ul><li>“Desk tour” </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Poster campaign </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Telephone hotline and central e-mail </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>“Jeopardy” sessions </li></ul></ul></ul></ul></ul>
    10. 13. <ul><li>GET CAUGHT! won the following International Association of Business Communicators (IABC) awards: </li></ul><ul><li>An international Gold Quill Award of Merit in the Other Graphic Design category; </li></ul><ul><li>A Canadian Silver Leaf Award of Merit in the Other Graphic Design category </li></ul><ul><li>A Toronto chapter Ovation Award of Excellence for Other Graphic Design; and </li></ul><ul><li>A Toronto chapter Ovation Award of Merit for Employee/Member Communications </li></ul>
    11. 15. Privacy Training @ SSHA <ul><li>Online Learning Management System (LMS) with two modules for Privacy and Information Security. </li></ul><ul><li>Mandatory for new employees: to be completed within 30 days of on-boarding date. </li></ul><ul><li>Compliance monitoring done by PS from HR data. </li></ul><ul><li>Non-compliance with requirement results in system lockout. </li></ul>
    12. 16. Privacy Training
    13. 17. Privacy Training
    14. 18. Privacy Training
    15. 19. Conclusion <ul><li>A “culture of privacy” is privacy-aware conduct in day-to-day business activities. </li></ul><ul><li>Developing a “culture of privacy” </li></ul><ul><ul><ul><li>Is a long-term exercise; </li></ul></ul></ul><ul><ul><ul><li>Intended to create environment in which personnel automatically behave appropriately with respect to privacy requirements. </li></ul></ul></ul><ul><li>A “culture of privacy” fosters greater confidence among stakeholders in your organization’s information-handling practices. </li></ul><ul><li>A “culture of privacy” requires committed leadership to promote active participation by all staff. </li></ul>
    16. 20.
    17. 21. Questions <ul><li>Michael Power </li></ul><ul><li>Vice President, Privacy and Security </li></ul><ul><li>eHealth Ontario </li></ul><ul><li>[email_address] </li></ul>