"People will continue to look to use the simplest ways to share information. . . . It is therefore up to these organizations to provide usable and secure encryption technologies . . . as well as educating employees in best practice."
I agree with all of that. HOWEVER, it is missing something, which is that there must be serious penalties for those found breaking the rules.
Doctors and nurses are already very well-educated in the rules around liability and so forth and what they can and cannot do for a patient and what constitutes consent and so forth and there can be very serious repercussions when these rules are broken. It is therefore not at all unreasonable to extend that existing framework to the use of technology.
One of the big problems with this modern era of 'cloud' and mobile and mobility and smart this and tablet that and internet-of-something-else, is that it carries a risk of control being moved away from IT departments.
Some people argue that this is one of the chief benefits of such a paradigm shift as the mechanisms of IT departments can seem slow and overly bound by red tape and policies and thus are seen to prevent people from working as efficiently as they could without that control.
And that is an understandable stance from a user as they just want to do what they need to as quickly and easily as possible.
The issue is the lack of understanding - or care - as to why IT departments function the way they do. The reason that IT departments have established policies and procedures and frameworks is to ensure that the IT infrastructure and policies meet the established standards that have been set by management to adhere to their goals and the applicable laws.
Unfortunately, you can't stop people taking photos on their phones and sending them via their private e-mail accounts or SMS'ing confidential details (thus producing two unsecured copies).
So, while a safe and easy - and secure - method of transferring such data is certainly desirable, that takes longer to implement so the FIRST step to rectifying this rather serious issue is to educate staff and set out the penalties for not complying as soon as possible.
The most important thing to explain is that convenience does not trump system security and patient confidentiality.
Now, in health care, delays can cost lives but one suspects that in all but the TINIEST fraction of cases, there is no such urgency and information could be procured and exchanged through 'normal' means in a timely fashion. And, when there are frequent enough instances of people dying where medical staff have been unable or unwilling to help due to regulations or fear of lawsuits, such a stance (for privacy) would hardly be exceptional.
Of course, loss of life is tragic and more so when it might have been avoided but doing wrong in an attempt to do right brings to mind something about laying roads at a sharp, downwards gradient.