Exploring Organizational Culture for Information Security in Healthcare Organizations: A Literature Review

The healthcare sector has generally been a late adopter of information technology solutions. As a result of the American Recovery and Reinvestment Act of 2009, the Centers for Medicare and Medicaid Services implemented a program whereby financial incentives were made available for eligible healthcare entities and healthcare providers implementing health information technology solutions. These healthcare entities and providers were required to attest to "meaningful use" (e.g. electronic data capture of clinical data, provision of electronic health records to patients) in order to receive the financial incentives. This program, more than any other key driver, has transformed the utilization of health information technology (HIT) in clinical settings. Health IT is now ubiquitous. With the advent of these HIT solutions has come large caches of private and protected health information which must be guarded from both accidental disclosure and nefarious criminal activity. Compliance monitoring efforts by the Department of Health and Human Service's Office for Civil Rights have increased dramatically in recent years with multi-million dollar fines being levied across the country for security gaps. As a result of this increased risk, many healthcare organization are revisiting their information security position and culture in the age of electronic medical records. This paper will review the current state of that culture.