Affiliation:
1. Georgetown University, USA
2. Stanford University, USA
Abstract
Although it is sometimes tempting to treat information security as a domain of its own, this approach will inevitably yield failures of information security and failures for the organization. This occurs because serious breaches may originate from organizational conditions not obviously related to information security policies, procedures, or practices, and because information security practices operate in, and are affected by, the context of their parent organization. For these reasons, healthcare leaders must comply with, but also look beyond, good industry practices alone when planning, implementing, and evaluating information security programs. In this chapter, we demonstrate that a consensus exists on key good information security measures that all healthcare leaders should, and often do, use in designing their information security programs. We follow this analysis with two case studies that demonstrate the limitations of focusing only on good information security practices. These case studies help explain the mutual interaction between health information security programs and their wider organizational context by introducing key concepts about organizational performance, including “practical action,” “practical resistance,” “sponsored social movement,” and “mindfulness,” and by examining them at the individual, group, organizational, and cross-domain levels of organizational life.