Installing an appropriate information security policy.

Security of personal health care is of concern to patients, health care staff and informaticians alike. Nevertheless, their awareness of the appropriate measures for protection of such data have been found wanting. The development and implementation of an information and security policy in the health care environment must therefore take into account the attitudes of staff and their educational needs. The approach adopted in one large District General Hospital was to combine risk analysis with surveys of users attitudes to proposed measures and a participational approach to development of security procedures using an adaptation of the ETHICS soft systems methodology. As a result of several years of effort, a 'security culture' has begun to emerge in the organization. However, this can only be sustained by continual promotion of the policy and a willingness to adapt procedures to suit the operating environment.