Changing Organizational Culture through Effective Training, Education, and Awareness

March 11, 2004

Tom Walsh, CISSPPresident, Tom Walsh Consulting, LLC

Copyright © 2004, Tom Walsh Consulting, LLC

2

Protecting Confidential Information

Providing our patients with quality healthcare includes protecting their confidential information.

Copyright © 2004, Tom Walsh Consulting, LLC

3

Tom Walsh, CISSP• President, Tom Walsh Consulting, LLC• Certified Information Systems Security

Professional (CISSP)

• Co-authored a book on HIPAA Security

• Former information security manager for large healthcare system in Kansas City, MO

• DOE-certified safeguards and security instructor

• A little nerdy, but overall, a nice guy

Copyright © 2004, Tom Walsh Consulting, LLC

4

Let’s Get Acquainted!

• Age and Weight• Marital Status• Sexually Transmitted Disease?

– If “Yes” then Names of All Partners

• Drug or Alcohol Problems?• Amount of Money Earned Last

Year

• Name and Job Title

Copyright © 2004, Tom Walsh Consulting, LLC

5

• Discuss how values and organizational culture influence behaviors

• Create positive approaches and methods for cultural and behavioral changes that align individual's goals with organizational goals

• Discuss ideas on how to effectively deliver training, education, and awareness that achieves lasting cultural and behavioral change

Session Objectives

Copyright © 2004, Tom Walsh Consulting, LLC

8

“Implementation of the security and privacy regulations of the Health Insurance and Portability and Accountability Act (HIPAA) is about cultural transformation more than technology and compliance programs.”

June 12, 2001Lauri IngramMETA Group

HIPAA

Copyright © 2004, Tom Walsh Consulting, LLC

9

Culture of Healthcare

“I’m in healthcare, not computers or security. That’s your job.”

“I’ve decided to go back to a paper system so I won’t have to comply.”

“HIPAA will never be enforced.”

“Healthcare has survived for thousands of years without HIPAA.”(HIPAA-critic oath)

Copyright © 2004, Tom Walsh Consulting, LLC

10

Culture of Healthcare

• Slow to adapt standards– Law passed in 1996; still not

compliant

• Cost without benefits– “Full Employment Act for Lawyers”

• Just one more compliance issue• Wait and see attitude

– “The government is fickle.”– “What’s the rush?”

Copyright © 2004, Tom Walsh Consulting, LLC

11

“HIPAA - What, me worry?”

Culture of Healthcare

Copyright © 2004, Tom Walsh Consulting, LLC

12

Culture of Healthcare• Caring is sharing• Humans are curious by nature• In some cases, healthcare workers have

become desensitized to patient privacy• HIPAA requirements alone cannot

change the behaviors of healthcare workers

Copyright © 2004, Tom Walsh Consulting, LLC

13

Father’s Day Card

Dad, there were things that you said when I was growing up that didn’t make sense to me. Now that I have (three teenage) children of my own…

“Because I said so,” makes perfect sense.

Legislation alone will not change behaviors!

Copyright © 2004, Tom Walsh Consulting, LLC

15

Change

“The only people who like change are babies with dirty diapers.”

Kay WeirVolunteer CoordinatorSaint Luke’s Hospital

of Kansas City

Copyright © 2004, Tom Walsh Consulting, LLC

16

Changing Behaviors • The goal of training is to change behavior

• People only adopt new patterns of behavior when... the old are no longer effective

• Three concepts about human behavior to note:

Copyright © 2004, Tom Walsh Consulting, LLC

17

Changing Behaviors1. People’s behavior is based upon their

principles and their values

2. An effective training program helps the workforce adopt the organization’s principles and values

3. A message is persuasive when the addresser selects information that the addressee perceives as relevant in terms of his or her values

Copyright © 2004, Tom Walsh Consulting, LLC

18

Changing Behaviors

Knowledge does not guarantee a change in

behavior.

• “We’ll just create some new policies.”What are the fallacies of policy?

• “We just send everyone to training.”

Copyright © 2004, Tom Walsh Consulting, LLC

19

Changing BehaviorsThe Hawthorne Effect

The Hawthorne Studies were conducted from 1927 to 1932 at the Western Electric Hawthorne Works in Chicago, where Harvard Business School professor Elton Mayo examined productivity and work conditions

Copyright © 2004, Tom Walsh Consulting, LLC

20

Changing Culture

Copyright © 2004, Tom Walsh Consulting, LLC

21

Culture Change

Training, Education, and Awareness

TEA

Copyright © 2004, Tom Walsh Consulting, LLC

23

TEA - What is the Difference?

•Training

•Education

•AwarenessAll work together, but are different.

Copyright © 2004, Tom Walsh Consulting, LLC

24

• Training - “Hands on”

• Education - Imparting Knowledge

• Awareness - “Top of Mind”

TEA - What is the Difference?

The goal of TEA - Changing Behaviors

Copyright © 2004, Tom Walsh Consulting, LLC

25

Building a Training Program

Analyze Design Develop Deliver

Copyright © 2004, Tom Walsh Consulting, LLC

26

Analyze

A Needs Assessment determines:

1. Who needs TEA?(Audience)

2. What TEA do they need?(Content)

3. How will their TEA be served?(Delivery)

Copyright © 2004, Tom Walsh Consulting, LLC

27

Design

•Who? (Audience)

•What? (Content)

•How? (Delivery)

The audience will determine the content, method of delivery and

length.

Copyright © 2004, Tom Walsh Consulting, LLC

28

Training is...

Copyright © 2004, Tom Walsh Consulting, LLC

29

How People Learn•10% by Hearing

•40% by Seeing

•50% by Doing

“What I hear, I forget.What I see, I remember.What I do, I understand.” - Confucius 451 BC

Copyright © 2004, Tom Walsh Consulting, LLC

30

Involvement

• To change culture and behaviors we need involvement from those who will be most impacted by the change

• WII-FM: What’s In It For Me?

• People like to be included

Your ideas for involvement?

Copyright © 2004, Tom Walsh Consulting, LLC

31

Involvement

Uncommon Methods

Copyright © 2004, Tom Walsh Consulting, LLC

32

Involvement Host special events

Look for “teachable moments”

Develop security “champions”

Leverage a “negative event”

Use the “Grapevine”

Copyright © 2004, Tom Walsh Consulting, LLC

33

Deliver

• Think about training classes, seminars or presentations you really liked and ones you disliked.

• What made the classes good or bad?

What do you remember?

Copyright © 2004, Tom Walsh Consulting, LLC

34

Barriers to Effectiveness

Failure to establish a rapport with the audience

Technical material is dry and boring

Efficient versus Effective– The “all-in-one” refresher

training session

Welcome to the Annual...Bloodborne Pathogens, Hazardous Chemicals,

Tuberculosis Prevention,Fire and Electrical Safety,

Sexual Harassment,Ethics,

andPrivacy and Information Security

Training

Copyright © 2004, Tom Walsh Consulting, LLC

36

Barriers to Effectiveness

Failure to establish a rapport with the audience.

Technical material is dry and boring.

Efficient versus Effective– The “all-in-one” refresher

training session.

• Ourselves

Copyright © 2004, Tom Walsh Consulting, LLC

37

Barriers to Effectiveness

• Mission, vision, and goal

• Passion• Perseverance• Character

Much of the overall success of the training program and culture change will depend upon the trainer’s:

Copyright © 2004, Tom Walsh Consulting, LLC

38

Wayne’s World

• 21 Professional seasons• More than 60 NHL records• 4 Stanley Cups• 9 Most Valuable Player

(MVP)• 2-time playoff MVP• 11 Scoring titles• 4 Lady Bling Awards

(for gentlemanly play)

“The Great One”

Copyright © 2004, Tom Walsh Consulting, LLC

41

Conclusion

• Values and organizational culture influence behaviors

• Aligning individuals’ goals with organizational goals will result in cultural changes

• Effectively deliver training, education, and awareness that achieves lasting cultural and behavioral change requires involvement

Copyright © 2004, Tom Walsh Consulting, LLC

42

Tom Walsh, CISSP

twalshconsulting@aol.com

913-696-1573