I’m Kate Dewhirst.

I’m a lawyer who writes about legal issues affecting healthcare in Canada

Kate Dewhirst Health Law - bringing the law to life. Meet Kate (in 13 seconds)

3 steps to influence organizational culture in health care

Posted by

What is culture? According to the Merriam-Webster dictionary, culture is the set of shared attitudes, values, goals, and practices that characterizes an institution or organization.

As a health leader you influence your organizational culture both intentionally and unintentionally.  The impact is happening whether you mean for it happen or not.

So, how do you intentionally and positively impact your organizational culture?

Last week, I was asked to speak to a group of security and information technology specialists in health care.  They were learning the latest information about cyber security and how to protect their workplaces.  I was asked to talk about “front-line staff cyber vigilance education” training. Also known as “how do we train our front-line staff to care about cyber security”?

That is a culture question.

Fact is, very few front-line health care workers would say they want to learn about cyber security.  It’s hard to get clinicians and administrators to focus on a topic that does not have automatic resonance with their day-to-day activities. It’s a topic that sounds both boring and complicated.  Many culture topics can initially appear boring and complicated. So, as a leader, how do you convey messages that your front-line staff can both understand and want to implement?

You follow a three-step process.  You can use this process for any culture topic.

Reinforcing culture on the front-lines is about:

  1. Storytelling
  2. Instructions
  3. Artifacts

Storytelling

Stories connect us to a topic in a way nothing else can. You need to tell a story as close to your team as possible.  For cyber security, you want to share examples of incidents that happened to your team or to your type of organization or to the health sector at large. The closer to your team – the more impact the story will have.

In cyber security, there are many stories you can use to engage your team.  Use the worldwide WannaCry virus story from May 2017. In my storytelling, I explain that the attack did not target health care providers – that helps the audience get over their initial objection that no one is interested in them.  I explain that it was a world-wide attack that targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in Bitcoin. While health care was not an intended target, health care providers in the National Health Service in England and Scotland were a group that was hit hard. Up to 70,000 devices, including computers, MRI scanners, blood-storage refrigerators and theatre equipment were shut down as a result. The NHS had to turn away some non-critical emergencies.

I then explain that there was a local hospital in Ontario hit by that Wanncry virus. Having myself heard representatives from that hospital speak at a conference, I tell their stories of how they were negatively impacted for weeks by that attack. While patient health records were not accessed by malicious hackers, their electronic systems were shut down in order to contain the impact.

I then explain that Ontario health providers have experienced additional attacks after the 2017 Wannacry virus. I include stories such as the 2018 home medical services company that was hacked. The continuation of story shows that ransomware threats are ongoing and that the Wannacry virus was not an isolated incident.

I also share stories of malicious actions against health care organizations attempted through LinkedIn or infected USB keys or public WiFi.

Storytelling explains to the front-line staff:

  1. The language we need to share
  2. How a problem presents in health care teams
  3. The problem has impacted teams just like ours
  4. The impact on patients, caregivers and providers – with specific emphasis on how the issue impacts staff

Instructions

After storytelling, you need to move into instruction mode.  To positively impact culture, you need to provide clear action items. What specifically does your team need to do and not do?

For cyber security culture reinforcement there are organizational activities beyond what front-line staff do such as IT system upgrades, software patches, IT security audits, physical security reviews and action. In the instruction phase it is essential not to muddy the waters with too much detail. Leaders with responsibility for culture topic implementation need to review all the relevant documentation. But front-line staff do not.

Instead, make a practical list of of do’s and don’ts for online activities for front-line staff such as:

  1. Do have hard to guess passwords
  2. Do not share your password
  3. Do know about “ransomware”
  4. Do not open or click on strange links sent by email or LinkedIn
  5. Do lock your computer when you leave your desk
  6. Do hover over a link before you click on it
  7. Do report strange incidents of email requests, online activity and in person queries

Then, share these instructions through announcements, policies and training.

Artifacts

After the instruction phase, you need public persistent reminders to positively impact culture.  These I call “artifacts”.  Sprinkled around your organization these symbols, images, and abbreviations remind your team of your stories and instructions.

Artifacts can include posters, signs, and catch-phrases.

For cyber security, one of the catch-phrases I use is “Digital Hygiene Saves Lives!”  In the storytelling and instruction phases I include this phrase and explain what it means. Digital hygiene is like hand hygiene.  Where hand hygiene requires vigilance in handwashing as a key component of patient safety – digital hygiene requires vigilance in following the do’s and don’ts for online activities as a key component of patient safety. Without that digital hygiene, the organization is exposed to malicious attacks which can negatively impact patient care (such as the WannaCry virus or other malicious activity).  That catch-phrase can be used in posters, email reminders, newsletters and team meetings to reinforce the cultural shift.

Culture is crafted and reinforced. By using storytelling, instructions and artifacts you can have a positive impact shaping your organizational culture.


If you enjoyed this article please share it:


Previous and next posts from Kate:

Some of Kate’s recent and upcoming events

Team Privacy Training Events

September 17, September 24, October 16, October 24 and November 21

For Primary Care clinics, Children’s Aid and FHTs

Kate trains health professionals from many more primary care organizations how being privacy-respectful can improve therapeutic relationships. more details...

Speaking event

October 23, 2019

Osgoode Professional Development – Mental health Certificate

Kate joins the faculty for this training event. More details...

Primary care webinars: Contracts & Communications

September 5 and October 3, 2019, 12 noon

Part of Kate’s monthly webinar series.

Our September webinar is about understanding contracts you may be asked to sign, and in Octber our title is Managing incapacity in the workplace.

Full details of the 2019 webinar series and registration here.

Privacy Officer training

November 5, 11, 18, 25 & December 2, 2019

Kate is the program chair for the Osgoode Certificate in Privacy in Healthcare.

This program explores the range of privacy interests that must be protected in the day-to-day treatment of patients, the development of information systems and the creation of institutional policies.More details ...

Advanced Privacy Officer training

December 10, 2019

For experienced Privacy Officers within healthcare organisations.

This one day training course focuses on how to handle difficult privacy situations using real-life (but anonymized) case studies and role-play. Full details and registration here...

Free healthcare privacy webinar - ask me anything!

August 7 and September 4, 2019, 10-11am EST

Free webinars - advance registration needed

Whether you're an experience privacy officer or new in the field, pick Kate’s brain for free for an hour, in this live webinar. No charge, but you’ll need to register in advance.

Kate Dewhirst Health Law

Kate says:

My mission is bringing the law to life. I make legal theory understandable, accessible and fun! I’m available and love to work for all organizations in the healthcare sector across Ontario and beyond.

Subscribe to my mailing list and keep up to date with news:

Latest Tweets

Webinar recording now available! Topics covered: - Health privacy law update - When do children make their own info… https://t.co/IN3OPtYePb

about 16 hours ago

Have you witnessed a bad situation where the organization’s response or lack of response made things worse?… https://t.co/m887F6v81U

12:00 PM Jul 15th

One of the key privacy messages every healthcare organization needs to know is a patient has a right to access thei… https://t.co/ogGXOVTf5A

12:01 PM Jul 14th

contact details

901 King Street West Suite 400 East Tower
Toronto Ontario M5V 3H5

(416) 855 9557

.