Building a security capable organization: a workshop

This paper presents general principles and case examples of how health care providers might prepare themselves to become data security capable organizations; that is, organizations in which ensuring the security and confidentiality of medical information becomes incorporated into the every day working routines of all staff. Building a security capable organization requires institutionalizing a security surveillance process, not just implementing security measures. Implementing a security surveillance process requires several steps, including: monitoring the changing legal and regulatory environment; enhancing patient understanding of the organization´s data security efforts; and continuously updating data security policies, procedures and practices in light of changing mission. Case examples from KP Online, an interactional patient tool from Kaiser Permanente Health Care and Project Phoenix, a telemedicine project from Georgetown University Medical Center illustrate the general points