Practical Action and Mindfulness in Health Information Security

Jeff Collmann (Georgetown University, USA) and Ted Cooper (Stanford University, USA)
DOI: 10.4018/978-1-60566-356-2.ch022
Abstract

Although it is sometimes tempting to treat information security as a domain of its own, this approach will inevitably yield failures of information security and failures for the organization. This occurs because serious breaches may originate from organizational conditions not obviously related to information security policies, procedures or practices, and because information security practices operate in, and are affected by, the context of their parent organization. For these reasons, healthcare leaders must comply with, but look beyond, good industry practices alone when planning, implementing, and evaluating information security programs. In this chapter, we demonstrate that a consensus exists on key good information security measures that all healthcare leaders should, and often do, use in designing their information security programs. We follow this analysis with two case studies that demonstrate the limitations of focusing only on good information security practices. These case studies help explain the mutual interaction between health information security programs and their wider organizational context by introducing key concepts about organizational performance, including “practical action,” “practical resistance,” “sponsored social movement,” and “mindfulness,” and examining them at the individual, group, organizational, and cross-domain levels of organizational life.

Research Design And Methods

We designed this project to illustrate the necessity of evaluating broad organizational conditions as well as industry guidelines for good practice in information security planning. Thus, we begin by analyzing current surveys in English of information security practice and comparing them with two important information security initiatives of the United States (US), the Federal Information Security Management Act (FISMA) of 2002 and the Security Standard of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (HHS 2003). This analysis demonstrates that a consensus exists on key good information security measures that all healthcare leaders should, and often do, use in designing their information security programs. We follow this analysis with two case studies in the design and implementation of good information security practices across two large organizations, the United Kingdom National Health Service and the US Military Health System. These case studies introduce concepts for, and demonstrate the importance of, understanding the organizational context for implementing good information security practice. Drawing from the work of Scott Snook (2000), we consider efforts to reform healthcare information security practice at the individual, group and organizational levels of action, as well as across levels, in the case studies.

Key Terms in this Chapter

Mindfulness: An organizational process that attends to small deviations from expected behavior and, thus, prevents small errors or failures from escalating into major catastrophes.

Normal Accident: A component or system failure that occurs because of the design and routine operation of the system itself rather than poor performance of individual operators.

Practical Action: Behavior that enables people to accomplish their tasks efficiently, is learned on the job and goes unquestioned because it generally works without incident.

Information Security Breach: A violation of organizational policies, procedures and established practices for protecting the confidentiality, integrity and availability of information.

Practical Resistance: Behavior through which people resist changing locally efficient practices developed with experience, potentially subvert compliance efforts in daily practice, and tacitly or explicitly protest against proposed changes to their standard way of doing business.

Sponsored Social Movement: A reform process that combines “top down” with “grassroots” efforts to change an existing organizational system.

Information Security: An established body of good practices developed to protect the confidentiality, integrity and availability of information.
