International Journal of Medical Informatics 60 (2000) 151 – 157

www.elsevier.com/locate/ijmedinf

Practical approaches to creating a security culture

Nicholas Gaunt
Plymouth Hospitals NHS Trust, Derriford Road, Plymouth, De6on PL6 8DH, UK

Abstract

Security of information in the health care environment depends not so much on technical controls as on compliance
with policy by all those who use the information. Awareness of policy and observance of a code of conduct, whilst
important, do not itself ensure that staff respect confidentiality, let alone follow other measures to secure records. A
culture of security must be developed throughout the health care community. This demands clear policy with practical
procedures that are relevant in the workplace, a long-term programme in which changes can be introduced in a
managed way that is sensitive to the tensions between security and other working practises, commitment from senior
management to achieve change, and strong leadership from within the health care professions. The UK National
Health Service has begun such a process with the endorsement of the ‘Caldicott Committee Report on the review of
patient-identifiable information’ and its recommendation that all health organisations appoint a senior health care
professional to be responsible for confidentiality of patient information. Raising the political profile of patient
confidentiality has served to change the rate of change up a gear. The response of one health care community to this
initiative will be discussed and lessons drawn regarding cultural change and information security. © 2000 Elsevier
Science Ireland Ltd. All rights reserved.

Keywords: Computer; Security; Policy; Confidentiality; Patient records

1. Introduction records about their patients. Data controllers,

Maintaining the security of health care
data is not merely a matter of application of
technical controls and procedures. Various
tensions between data subject, data user and
data controller preclude such a simplistic ap-
proach. Health care professionals require ac-
cess to health care data to fulfil their duties to
the patient and most would like unfettered
access to the entire collection of clinical
E-mail address: nick.gaunt@phnt.swest.nhs.uk (N. Gaunt).
whose responsibility is to prevent unautho-
rised access and to ensure the integrity and
availability of the information, would like to
impose constraints on the use of personal
data, in line with regulatory frameworks.
Data subjects want their personal details kept
confidential and accurate but also want to
receive the best possible care, which in mod-
ern medical practice implies the sharing of
their information between many different
professional care groups. Health insurers, ad-
ministrators, government departments and

1386-5056/00/$ - see front matter © 2000 Elsevier Science Ireland Ltd. All rights reserved.
PII: S 1 3 8 6 - 5 0 5 6 ( 0 0 ) 0 0 1 1 5 - 5
152 N. Gaunt / International Journal of Medical Informatics 60 (2000) 151–157
professional regulatory bodies are demanding
greater detail about care delivery and clinical
performance, putting in jeopardy the privacy
of the patient and clinician alike. Human
rights groups are campaigning for personal
privacy and the right of the individual to
have access to the data recorded about them.
Balancing these many and often conflicting
expectations is the greatest challenge to those
attempting to develop a culture in which
personal health care information is processed
securely. This paper considers some of the
impediments to change towards a security
culture and how they may be overcome, us-
ing one health care community as an
example.
2. Impediments to change
2.1. Attitudes
The most significant threat to the security
of information in an organisation is its staff.
It follows that an important measure of suc-
cess in implementing a security policy is that
all groups of staff are aware of, agree with
and observe procedures aimed at preserving
security of information. However, this is by
no means easy to achieve since it requires
significant change in behaviour of staff. In-
deed, many health care professionals are still
reluctant to use computers at all and to be
asked, for instance, to remember a new pass-
word every month only hardens their atti-
tude. Health care organisations have
knowingly compromised information security
through less than satisfactory access controls
simply in order to encourage all staff to use
the computer systems. Once such compro-
mise has been adopted, it is subsequently
very difficult to convince users of the need to
strengthen access control.
Reluctance to change working practices in
order to make information more secure is
widespread amongst health care profession-
als. Despite their general acceptance of the
principle of patient confidentiality, health
care professionals tend not to accept respon-
sibility for information security.
2.2. Ignorance
This reluctance is due in part to a poor
understanding of the measures necessary to
achieve security (many of which are very
simple and easy to observe). Doctors are a
particularly difficult group to teach about
information security since they often believe
they know all about confidentiality (through
the Hippocratic Oath) and that other aspects
of security are not their problem. Unfortu-
nately, whilst they know about the principle
of confidentiality, doctors’ knowledge of the
potential threats to computer systems and
how they can best be prevented may be poor.
Information security, data protection and hu-
man rights should be a prominent part of
medical informatics courses during under-
graduate training and in postgraduate educa-
tion. It is unfortunate that an ever-expanding
medical curriculum has resulted in informat-
ics being omitted completely from many
courses.
2.3. Conflicting demands
It is not only in the medical curriculum
that information security has been sup-
pressed. The attitude that protection of pa-
tient information is less important than direct
patient care pervades planning and provision
of clinical services in general. Obtaining ade-
quate funding for information security in an
environment of limited resources, therefore,
becomes a significant challenge. Indeed, the
expense of installation and maintenance of
 N. Gaunt / International Journal of Medical Informatics 60 (2000) 151–157
additional security controls is often cited as a
reason for failure to adopt them.
In addition to financial constraints, there
are increasing demands for access to personal
health care data for the purposes of monitor-
ing, regulation, audit and research. Managed
care organisations, insurance companies and
health authorities contracting services are
seeking access to patient records to substanti-
ate claims or detect fraud. Investigations un-
der the aegis of clinical governance or
medical audit gather patient data to examine
the performance against criteria of health
care workers. Surveillance, epidemiology and
research programmes systematically gather
the patient clinical data to monitor health
care practices and understand distribution,
spread and control of diseases. The police
seek information from medical sources that
may lead to the identification of criminals or
to the prevention of crime. It is the ready
availability of large quantities of clinical in-
formation on computer systems that has
made such investigations possible and of ap-
peal to regulators and the public. The laud-
able aims of greater efficiency, accountability,
liability and knowledge achieved through
such systematic data processing are, however,
putting at risk the fundamental principle of
patient confidentiality [1]. The balance be-
tween openness and confidentiality is the sub-
ject of much debate, which, while it remains
unresolved, prevents application of a consis-
tent approach to the protection of clinical
information.
2.4. Inadequate systems
Given the availability of many good tech-
nical solutions to achieving secure systems, it
is disappointing that few of the commercial
health care computer systems currently on
the market have more than the most basic
security features. Either there is no commer-
153
cial gain in incorporating more stringent con-
trols, or the purchasers have been unwilling
to pay for, or to implement, more secure
systems. Poorly designed security controls of-
ten impose constraints or impediments to
access that are unacceptable to clinical staff.
Even passwords are considered by many to
be awkward and unnecessary, particularly
when enforced expiry is imposed. Re-estab-
lishing network connections can take so long
that busy clinical staff avoid logging off be-
tween transactions on network workstations.
Security measures must be practical, accept-
able to staff and cause minimal disruption to
the processes of care. Few commercial sys-
tems at present achieve these ideals. How-
ever, once appropriate access control and
auditing is installed, staff scepticism soon
turns to acceptance as they come to realise
their importance and benefit [2].
2.5. Inconsistent policies
The extent, to which individual health care
facilities apply security controls to their own
computer systems, can vary markedly. Incon-
sistent policies and procedures can lead to
frustration, confusion and potentially even
harm to patients. This is exemplified by dif-
ferences in organisation’s policy towards
transmission of patient information by fac-
simile. Whereas best practice is to send pa-
tient-identifiable information by facsimile
machine only in emergencies and according
to agreed protocols, the convenience of such
means of communication has led many or-
ganisations to allow their routine and uncon-
trolled use. An organisation attempting to
apply more restricted use of facsimile trans-
missions is then faced with complaints from
other organisations with more lenient policies
whose staff are frustrated that they cannot
send or receive patient information by that
means.
154 N. Gaunt / International Journal of Medical Informatics 60 (2000) 151–157
Many similar inconsistencies in security
policies are becoming evident the more that
patient-identifiable information is being com-
municated across organisational boundaries.
There is a growing need for commonality in
security policies and negotiated agreements
between agencies that are sharing patient
information.
Without a clear framework of responsibil-
ity and accountability, such agreements will
be difficult to achieve.
3. Effecting cultural change
Each health care facility should have a
clear information security policy. The success
of such a policy in effecting change of culture
in the organisation depends on its appropri-
ateness, practicality and acceptance by all
staff [3]. The most important influence on
staff attitude is a demonstration of the com-
mitment to security by key opinion formers
in each staff group. With their support and
involvement introduction of policy and pro-
cedures is generally straight-forward whereas
without them, the task is much more difficult.
Sensitivity to the opinion of staff and the
impact of security controls on their working
environment is essential during policy devel-
opment and implementation, and can be
gained through user participation [4]. As a
minimum, there should be representation
from the main staff groups on the committee
responsible for development and implementa-
tion of the organisation’s information secu-
rity policy.
The installation of an information security
policy in Plymouth Hospitals NHS Trust has
been described elsewhere [5]. Despite a grad-
ual rising awareness of security, its effective
implementation has remained a challenge, for
several reasons.
1. However much the organisation accepts
the principles of security, it is continually
faced with competing demands for re-
sources and attention, often from external
sources and frequently with a political
imperative, resulting in security initiatives
being postponed, abandoned or compro-
mised. Only with similar external pressure
to implement security policy can we hope
to sustain these initiatives locally.
2. Training 3500 staff in information secu-
rity on joining the organisation and
through annual update has been very de-
manding and has failed to reach some
sectors, most notably medical staff.
Greater emphasis on security is needed
during medical training, and continued
responsibility for security should be pro-
moted through clinical governance.
3. It has not yet been possible to instigate a
process whereby staff are formally re-ac-
credited and re-affirm their commitment
to confidentiality and security on an an-
nual basis. Instead, reliance is placed
upon contractual clauses and codes of
conduct.
4. Differences of security policy in organisa-
tions, with which we share patient infor-
mation, such as the problem of facsimile
transmission described earlier, have made
it difficult to implement our own
procedures.
It became evident that without clear na-
tional direction and a framework of account-
ability for information security, it would be
difficult to progress further with these aspects
of our local policy.
4. Caldicott committee
In recognition of increasing concern about
the ways in which the information is used in
the National Health Service (NHS) in Eng-
 N. Gaunt / International Journal of Medical Informatics 60 (2000) 151–157
Table 1
Recommendations of Caldicott committee
1 Every dataflow, current or proposed, should
be tested against basic principles of good
practice. Continuing flows should be
re-tested regularly
2 A programme of work should be
established to reinforce awareness of
confidentiality and information security
requirements amongst all staff within the
NHS
3 A senior person, preferably a health
professional, should be nominated in each
health organisation to act as a guardian,
responsible for safeguarding the
confidentiality of patient information
4 Clear guidance should be provided for
those individuals/bodies responsible for
approving uses of patient-identifiable
information
5 Protocols should be developed to protect
the exchange of patient-identifiable
information between NHS and non-NHS
bodies
6 The identity of those responsible for
monitoring the sharing and transfer of
information within agreed local protocols
should be communicated clearly
7 An accreditation system which recognises
the organisations following good practices
with respect to confidentiality should be
considered
8 The NHS number should replace other
identifiers wherever practicable, taking
account of the consequences of errors and
particular requirements for other specific
identifiers
9 Strict protocols should define who is
authorised to gain access to patient identity
where the NHS number or other coded
identifier is used
10 Where particularly sensitive information is
transferred, privacy enhancing technologies
(e.g. encrypting identifiers or ‘patient
identifying information’) must be explored
11 Those involved in developing health
information systems should ensure that best
practice principles are incorporated during
the design stage
155
Table 1 (Continued)
12 Where practicable, the internal structure and
administration of databases holding patient
identifiable information should reflect the
principles developed in this report
13 The NHS number should replace the
patient’s name on Items of Service Claims
made by General Practitioners as soon as
practically possible
14 The design of new systems for the transfer of
prescription data should incorporate the
principles developed in this report
15 Future negotiations on pay and conditions
for General Practitioners should, where
possible, avoid systems of payment which
require patient identifying details to be
transmitted
16 Consideration should be given to procedures
for General Practice claims and payments,
which do not require patient-identifying
information to be transferred, which can
then be piloted
land and Wales, and the need to ensure that
confidentiality is not undermined, the Chief
Medical Officer of England commissioned a
review of the use of patient-identifiable infor-
mation, the findings of which were published
in December 1997 [6]. The review examined
patient-identifiable information, which passes
from NHS organisations to other NHS or
non-NHS bodies for purposes other than di-
rect care, medical research, or where there is
a statutory requirement for the information.
Its purpose was to ensure that patient-iden-
tifiable information is only transferred for
justified purposes and that only the minimum
necessary information is transferred in each
case. To this end, 86 flows of information were
mapped relating to a wide range of planning,
operational or monitoring purposes.
Sixteen recommendations were made (see
Table 1), of which perhaps the most signifi-
156 N. Gaunt / International Journal of Medical Informatics 60 (2000) 151–157
cant was the support for professional respon-
sibility for safeguarding the confidentiality of
patient information. Specifically, this entailed
the nomination in each health organisation of
a senior person, preferably a health profes-
sional, to act as a guardian. This was a
welcome ratification of our local security pol-
icy, which identified medical responsibility
for clinical information security, and served
to raise the priority of information security in
the organisation. Guidance to ‘Caldicott
Guardians’ was subsequently issued and a
brief national training programme was
delivered.
Caldicott Guardians have been given a
substantial agenda with requirements to con-
duct management audits and deliver annual
plans and out-turn reports to the NHS execu-
tive. They are responsible for achieving
agreement with respect to, and reviewing in-
ternal protocols governing the protection and
use of patient-identifiable information by the
staff of their organisation and for the disclo-
sure of patient information across organisa-
tional boundaries. They also have a strategic
role, developing security and confidentiality
policy, representing confidentiality require-
ments and issues at Board level, advising on
annual improvement plans, and agreeing and
presenting annual outcome reports. Tasks in-
clude the review of data flows in their own
organisations; negotiation of confidentiality
agreements with organisations with which pa-
tient-identifiable information is shared;
preparation of codes of conduct for all staff
groups; and determining appropriate levels of
access to patient information.
Given that Guardians are generally health
care professionals without prior knowledge
of, or training in information security, they
need education, advice and technical support.
There is presently no regional or national
framework to which Caldicott Guardians can
turn for such support and advice.
5. Community-wide initiative
The local health care community of South
and West Devon serves a population of
650 000. It comprises three NHS Trusts,
which provide secondary and tertiary care in
two District General Hospitals and also men-
tal health and other community services; five
general practice Primary Care Groups, which
provide primary care to the community; a
Health Authority, which co-ordinates provi-
sion of health care; an out-of-hours general
practice service; an ambulance service; and
three Local Authorities, which provide social
services to the local population.
Recognising that many of the tasks facing
Guardians are common to all health care
organisations, including the development of
agreements between agencies, we have estab-
lished a community-wide Guardians Group.
The Group includes the Caldicott Guardians
from all the above health care organisations
and representatives from the three Local Au-
thority Social Services Departments, who are
not currently subject to the Caldicott Report
but, nevertheless, share patient information.
The Group has become the focal point for
preparation of many common policies and
protocols on the use and transfer of patient
information, and has considered amongst
others protocols for the disclosure of infor-
mation to the police under the Crime and
Disorder Act and for the safe use of facsimile
machines and electronic mail for patient-
identifiable information.
The Group provides mutual support
through sharing of documents and discussion
of issues of common concern. This is leading
to a gradual convergence of policies and is
setting the framework for information
sharing within the community. It will be re-
sponsible for developing the security policy
for the shared Electronic Health Record soon
to be developed in the community as a part
of the NHS strategy ‘Information for Health’
 N. Gaunt / International Journal of Medical Informatics 60 (2000) 151–157
[7]. Similar groups are now being formed in
other communities in England.
6. Conclusion
Whereas local attempts had been only par-
tially successful, application of a regulatory
framework, clear lines of accountability, and
defined clinical responsibility are leading to a
greater awareness of information security,
greater willingness to invest in change and to
co-ordinate between all facilities in a commu-
nity. Nevertheless, a genuine security culture in
which the time-honoured principle of the
confidential patient-doctor consultation is
honoured without preventing modern day re-
quirements for multi-disciplinary, inter-agency
co-ordinated health care, incorporating ac-
countability, clinical governance, audit, re-
search and external monitoring by regulatory
bodies and insurers, is still a long way off.
157
References
[1] P.S. Appelbaum, Threats to the confidentiality of
medical records — no place to hide, J. Am. Med.
Assoc. 283 (2000) 795 – 797.
[2] I. Denley, S. Weston Smith, Privacy in clinical
information systems in secondary care, Br. Med. J.
318 (1999) 1328 – 1331.
[3] S.M. Furnell, P.N. Gaunt, R.F. Holben, P.W.
Sanders, M.T. Stockel, M.T. Warren, Assessing
staff attitudes towards information security in a
European healthcare establishment, Med. Infor-
matics 21 (1996) 105 – 112.
[4] M.J. Warren, P.N. Gaunt, Addressing the impact
of security on a healthcare environment, Int. J.
Biomed. Comput. 35 (1994) 269 – 271.
[5] N. Gaunt, Installing an appropriate information
security policy, Int. J. Med. Informatics 49 (1998)
131 – 134.
[6] The Caldicott Committee: report on the review of
patient-identifiable information, December 1997,
NHS Executive, London.
[7] Information for Health: An Information Strategy
for the NHS, September 1998, NHS Executive,
London.