15 Ways Chiropractic Practices Can Build a Strong Security Culture
In chiropractic practices, the term “safety culture” or “culture of safety” is familiar. It refers to practice values, attitudes, and goals related to providing a safe environment and safe patient care. Although perhaps not as common, the term “security culture” is conceptually very similar to safety culture. A practice’s security culture focuses on beliefs, values, and behaviors related to protecting health information, other sensitive data, and patient and employee privacy.
The COVID-19 pandemic has exacerbated security concerns due to remote and hybrid work models as well as a surge in cyberthreats to healthcare organizations.[1] In 2020, more than 18 million patient records were affected by cyberattacks, which was a 470 percent increase from 2019. These attacks also cost the healthcare industry more than $20 billion in downtime.[2] Additionally, in the past few years, the first patient fatalities allegedly linked to cyberattacks occurred in the United States and abroad.[3]
Establishing a sound and prominent security culture is absolutely crucial in chiropractic practices, particularly as health technology continues to expand, the volume of health information-sharing and transfer increases, and cyberattacks become more numerous and sophisticated. Failing to make security a priority, or adopting an apathetic attitude about it, can increase the risks of patient harm, data breaches, fines, sanctions, and liability exposure.
Unlike strategies that address specific security risks (e.g., phishing) through targeted interventions, methods for building a robust security culture are broad and look at security through an enterprise-wide lens. These strategies tend to focus on the practice’s approach, communication, policies/procedures, and human resources.
The 15 recommendations that follow offer chiropractic practices guidance on how to build, enhance, and/or sustain a strong security culture.
- Include physical security and cybersecurity as key components of your practice’s overall strategic planning, budget, and enterprise risk management initiatives.
- Cultivate leadership awareness of, and engagement in, the practice’s security planning and decision-making. Leadership’s consistent support of security culture sets the tone for the entire practice. A strong security culture “means an ongoing process that is driven not from the IT department but from the top of the organization down.”[4]
- Embrace a culture in which organizational leaders and managers lead by example, rather than fostering a “do as I say, not as I do” approach. Ask leaders and managers to share with employees the ways in which they participate in the practice’s security culture (e.g., through trainings, advocating for resources, and helping identify solutions).
- Appoint a qualified chief information security officer and adequate and competent personnel to address security issues.
- Ensure that responsibility and accountability for security are core values of the practice, and verify that all personnel are aware of their responsibilities for maintaining these values.
- Develop written policies that clearly explain the practice’s expectations related to confidentiality, privacy, and information security; policies should include possible consequences for violating organizational standards.
- Conduct a security culture survey of employees to assess their feelings, beliefs, behaviors, and knowledge about security issues, policies, and procedures. The results of the survey can serve as a benchmark and help inform improvement efforts.
- Ensure that security is a top priority when acquiring and implementing new technology and determining methods for sharing health information and other confidential data.
- Perform due diligence of business associates to determine whether their security standards align with your practice’s security culture.
- Periodically conduct risk assessments to determine potential security vulnerabilities in organizational systems and processes. Work with facility leaders, security personnel, chiropractors, and staff to address these weaknesses and devise practical solutions.
- Devise and implement physical safeguards and technology-based safeguards to prevent security breaches.
- Consider both human and systems factors that can lead to security incidents when devising strategies to support your practice’s security culture. An article in Healthcare IT News notes that although cybercrimes make headlines, “internal cultural and technological vulnerabilities are often more to blame for an ongoing cycle of healthcare data breaches.”[5]
- Implement corrective procedures, including an incident response plan, related to security incidents, data breaches, and cyberattacks.
- Provide frequent training and reminders to administrators, chiropractors, staff, volunteers, vendors, etc., about security issues and the practice’s security policies and standards. Consider various training formats and activities, such as online learning or role-playing, to keep individuals engaged and aware.
- Tailor educational approaches and outreach to address individual employee needs, knowledge gaps, and risky behaviors. Security magazine notes that “Sharing consistent, relevant touchpoints directly to an individual will lead to positive changes in behavior over time, ultimately protecting the broader organization.”[6]
For more information and resources about addressing security concerns and building a security culture, see ChiroPreferred by MedPro’s Risk Resources: Cybersecurity, the American Hospital Association’s Cybersecurity & Risk Advisory Services, and HealthIT.gov’s Privacy and Security website for healthcare providers and professionals.
This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.
[1] Andersen, J. (2021, April 27). The hybrid office will create great opportunities—for companies and cybercriminals. Fortune. Retrieved from https://fortune.com/2021/04/27/hybrid-office-cybersecurity-hackers-remote-work-from-home-cybercrime-malware/; Skahill, E., & West, D. M. (2021, August 9). Why hospitals and healthcare organizations need to take cybersecurity more seriously. The Brookings Institute. Retrieved from www.brookings.edu/blog/techtank/2021/08/09/why-hospitals-and-healthcare-organizations-need-to-take-cybersecurity-more-seriously/
[2] Horowitz, B. T. (2021, March 26). 2020 offered a ‘perfect storm’ for cybercriminals with ransomware attacks costing the industry $21B. Fierce Healthcare. Retrieved from www.fiercehealthcare.com/tech/ransomware-attacks-cost-healthcare-industry-21b-2020-here-s-how-many-attacks-hit-providers
[3] Ralston, W. (2020, November 11). The untold story of a cyberattack, a hospital and a dying woman. Wired. Retrieved from www.wired.co.uk/article/ransomware-hospital-death-germany; Miliard, M. (2021, October 1). Hospital ransomware attack led to infant’s death, lawsuit alleges. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/hospital-ransomware-attack-led-infants-death-lawsuit-alleges
[4] Carpenter, P. (2021, May 27). The importance of a strong security culture and how to build one. Forbes. Retrieved from www.forbes.com/sites/forbesbusinesscouncil/2021/05/27/the-importance-of-a-strong-security-culture-and-how-to-build-one/?sh=60c7e9ee6d49
[5] Ford, P. (2019, October 8). Changing the cybersecurity culture. Healthcare IT News. Retrieved from www.healthcareitnews.com/news/emea/changing-cybersecurity-culture