|
1
|
Information Security Behavior in Health Information Systems: A Review of Research Trends and Antecedent Factors. Healthcare (Basel) 2022; 10:healthcare10122531. [PMID: 36554055 PMCID: PMC9777837 DOI: 10.3390/healthcare10122531] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Journal Information] [Subscribe] [Scholar Register] [Received: 10/18/2022] [Revised: 12/09/2022] [Accepted: 12/12/2022] [Indexed: 12/23/2022] Open
Abstract
This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. We followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Academic articles were sourced from five online databases (Scopus, PubMed, IEEE, ScienceDirect, and SAGE) using keywords related to information security, behavior, and healthcare facilities. The search yielded 35 studies, in which the three most frequent individual factors were self-efficacy, perceived severity, and attitudes, while the three most frequent organizational factors were management support, cues to action, and organizational culture. Individual factors for patients and medical students are still understudied, as are the organizational factors of academic healthcare facilities. More individual factors have been found to significantly influence security behavior. Previous studies have been dominated by the security compliance behavior of clinical and non-clinical hospital staff. These research gaps highlight the theoretical implications of this study. This study provides insight for managers of healthcare facilities and governments to consider individual factors in establishing information security policies and programs for improving security behavior.
Collapse
|
|
2
|
Yazdanmehr A, Wang J. Can peers help reduce violations of information security policies? The role of peer monitoring. EUR J INFORM SYST 2021. [DOI: 10.1080/0960085x.2021.1980444] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 10/20/2022]
Affiliation(s)
- Adel Yazdanmehr
- Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, The City University of New York, New York, NY, USA
| | - Jingguo Wang
- Department of Information Systems and Operations Management, College of Business, The University of Texas at Arlington, Arlington, TX, USA
| |
Collapse
|
|
3
|
Yeng PK, Szekeres A, Yang B, Snekkenes EA. Mapping the Psychosocialcultural Aspects of Healthcare Professionals' Information Security Practices: Systematic Mapping Study. JMIR Hum Factors 2021; 8:e17604. [PMID: 34106077 PMCID: PMC8235336 DOI: 10.2196/17604] [Citation(s) in RCA: 7] [Impact Index Per Article: 2.3] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Figures] [Journal Information] [Subscribe] [Scholar Register] [Received: 12/24/2019] [Revised: 07/25/2020] [Accepted: 04/04/2021] [Indexed: 11/19/2022] Open
Abstract
Background Data breaches in health care are on the rise, emphasizing the need for a holistic approach to mitigation efforts. Objective The purpose of this study was to develop a comprehensive framework for modeling and analyzing health care professionals’ information security practices related to their individual characteristics, such as their psychological, social, and cultural traits. Methods The study area was a hospital setting under an ongoing project called the Healthcare Security Practice Analysis, Modeling, and Incentivization (HSPAMI) project. A literature review was conducted for relevant theories and information security practices. The theories and security practices were used to develop an ontology and a comprehensive framework consisting of psychological, social, cultural, and demographic variables. Results In the review, a number of psychological, social, and cultural theories were identified, including the health belief model, protection motivation theory, theory of planned behavior, and social control theory, in addition to some social demographic variables, to form a comprehensive set of health care professionals’ characteristics. Furthermore, an ontology was developed from these theories to systematically organize the concepts. The framework, called the psychosociocultural (PSC) framework, was then developed from the various combined psychological and sociocultural attributes of the ontology. The Human Aspect of Information Security Questionnaire was adopted as a comprehensive tool for gathering staff security practices as mediating variables in the framework. Conclusions Data breaches occur often in health care today. This frequency has been attributed to the lack of experience of health care professionals in information security, the lack of development of conscious care security practices, and the lack of motivation to incentivize health care professionals. The frequent data breaches in health care threaten the mutual trust between health care professionals and patients, which implicitly impacts the quality of the health care service. The modeling and analysis of health care professionals’ security practices can be conducted with the PSC framework by combining methods of statistical survey, observations, and interviews in relation to PSC variables, such as perceptions (perceived benefits, perceived threats, and perceived barriers) or psychological traits, social factors, cultural factors, and social demographics.
Collapse
Affiliation(s)
- Prosper Kandabongee Yeng
- Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
| | - Adam Szekeres
- Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
| | - Bian Yang
- Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
| | - Einar Arthur Snekkenes
- Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
| |
Collapse
|
|
4
|
Solomon G, Brown I. The influence of organisational culture and information security culture on employee compliance behaviour. JOURNAL OF ENTERPRISE INFORMATION MANAGEMENT 2020. [DOI: 10.1108/jeim-08-2019-0217] [Citation(s) in RCA: 6] [Impact Index Per Article: 1.5] [Reference Citation Analysis] [Abstract] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
PurposeOrganisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.Design/methodology/approachA theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.FindingsOrganisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.Practical implicationsControl-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.Originality/valueThis research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.
Collapse
|
|
5
|
Loi M, Christen M, Kleine N, Weber K. Cybersecurity in health – disentangling value tensions. JOURNAL OF INFORMATION COMMUNICATION & ETHICS IN SOCIETY 2019. [DOI: 10.1108/jices-12-2018-0095] [Citation(s) in RCA: 8] [Impact Index Per Article: 1.6] [Reference Citation Analysis] [Abstract] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
Cybersecurity in healthcare has become an urgent matter in recent years due to various malicious attacks on hospitals and other parts of the healthcare infrastructure. The purpose of this paper is to provide an outline of how core values of the health systems, such as the principles of biomedical ethics, are in a supportive or conflicting relation to cybersecurity.
Design/methodology/approach
This paper claims that it is possible to map the desiderata relevant to cybersecurity onto the four principles of medical ethics, i.e. beneficence, non-maleficence, autonomy and justice, and explore value conflicts in that way.
Findings
With respect to the question of how these principles should be balanced, there are reasons to think that the priority of autonomy relative to beneficence and non-maleficence in contemporary medical ethics could be extended to value conflicts in health-related cybersecurity.
Research limitations/implications
However, the tension between autonomy and justice, which relates to the desideratum of usability of information and communication technology systems, cannot be ignored even if one assumes that respect for autonomy should take priority over other moral concerns.
Originality/value
In terms of value conflicts, most discussions in healthcare deal with the conflict of balancing efficiency and privacy given the sensible nature of health information. In this paper, the authors provide a broader and more detailed outline.
Collapse
|
|
6
|
Towards a user-centric theory of value-driven information security compliance. INFORMATION TECHNOLOGY & PEOPLE 2018. [DOI: 10.1108/itp-08-2016-0194] [Citation(s) in RCA: 17] [Impact Index Per Article: 2.8] [Reference Citation Analysis] [Abstract] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
The purpose of this paper is to fill a gap in the literature, by investigating the relationship between users’ perceptions of the value of the information that they are handling, and their resultant level of compliance with their organisation’s information security policies. In so doing, the authors seek to develop a theory of value-driven information security compliance.
Design/methodology/approach
An interpretive, grounded theory research approach has been adopted to generate a qualitative data set, based upon the results of 55 interviews with key informants from governmental agencies based within Brunei Darussalam, complemented by the results of seven focus groups. The interviews and focus groups were conducted in two phases, so that the results of the first phase could be used to inform the second phase data collection exercise, and the thematic analysis of the research data was conducted using the NVivo 11-Plus software.
Findings
The findings suggest that, when assigning value to their information, users take into account the views of members of their immediate work-group and the espoused views of their organisation, as well as a variety of contextual factors, relating to culture, ethics and education. Perhaps more importantly, it has been demonstrated that the users’ perception of information value has a marked impact upon their willingness to comply with security policies and protocols.
Research limitations/implications
Although the authors have been able to develop a rich model of information value and security compliance, the qualitative nature of this research means that it has not been tested, in the numerical sense. However, this study still has important implications for both research and practice. Specifically, researchers should consider users’ perceptions of information value, when conducting future studies of information security compliance.
Practical implications
Managers and practitioners will be better able to get their colleagues to comply with information security protocols, if they can take active steps to convince them that the information that they are handling is a valuable organisational resource, which needs to be protected.
Originality/value
The central contribution is a novel model of information security compliance that centre stages the role of the users’ perceptions of information value, as this is a factor which has been largely ignored in contemporary accounts of compliance behaviour. This study is also original, in that it fills a methodological gap, by balancing the voices of both user representatives and senior organisational stakeholders, in a single study.
Collapse
|
|
7
|
Dang-Pham D, Pittayachawan S, Bruno V. Applying network analysis to investigate interpersonal influence of information security behaviours in the workplace. INFORMATION & MANAGEMENT 2017. [DOI: 10.1016/j.im.2016.12.003] [Citation(s) in RCA: 4] [Impact Index Per Article: 0.6] [Reference Citation Analysis] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 10/20/2022]
|
|
8
|
Humaidi N, Balakrishnan V. Indirect effect of management support on users' compliance behaviour towards information security policies. Health Inf Manag 2017; 47:17-27. [PMID: 28537207 DOI: 10.1177/1833358317700255] [Citation(s) in RCA: 13] [Impact Index Per Article: 1.9] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
BACKGROUND Health information systems are innovative products designed to improve the delivery of effective healthcare, but they are also vulnerable to breaches of information security, including unauthorised access, use, disclosure, disruption, modification or destruction, and duplication of passwords. Greater openness and multi-connectedness between heterogeneous stakeholders within health networks increase the security risk. OBJECTIVE The focus of this research was on the indirect effects of management support (MS) on user compliance behaviour (UCB) towards information security policies (ISPs) among health professionals in selected Malaysian public hospitals. The aim was to identify significant factors and provide a clearer understanding of the nature of compliance behaviour in the health sector environment. METHOD Using a survey design and stratified random sampling method, self-administered questionnaires were distributed to 454 healthcare professionals in three hospitals. Drawing on theories of planned behaviour, perceived behavioural control (self-efficacy (SE) and MS components) and the trust factor, an information system security policies compliance model was developed to test three related constructs (MS, SE and perceived trust (PT)) and their relationship to UCB towards ISPs. RESULTS Results showed a 52.8% variation in UCB through significant factors. Partial least squares structural equation modelling demonstrated that all factors were significant and that MS had an indirect effect on UCB through both PT and SE among respondents to this study. CONCLUSION The research model based on the theory of planned behaviour in combination with other human and organisational factors has made a useful contribution towards explaining compliance behaviour in relation to organisational ISPs, with trust being the most significant factor. In adopting a multidimensional approach to management-user interactions via multidisciplinary concepts and theories to evaluate the association between the integrated management-user values and the nature of compliance towards ISPs among selected health professionals, this study has made a unique contribution to the literature.
Collapse
|
|
9
|
Karlsson F, Åström J, Karlsson M. Information security culture – state-of-the-art review between 2000 and 2013. INFORMATION AND COMPUTER SECURITY 2015. [DOI: 10.1108/ics-05-2014-0033] [Citation(s) in RCA: 43] [Impact Index Per Article: 4.8] [Reference Citation Analysis] [Abstract] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
– The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about.
Design/methodology/approach
– Results are based on a literature review of information security culture research published between 2000 and 2013 (December).
Findings
– This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature.
Research limitations/implications
– Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research.
Practical implications
– Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated.
Originality/value
– Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.
Collapse
|
|
10
|
Analysis of health professional security behaviors in a real clinical setting: an empirical study. Int J Med Inform 2015; 84:454-67. [PMID: 25678101 DOI: 10.1016/j.ijmedinf.2015.01.010] [Citation(s) in RCA: 34] [Impact Index Per Article: 3.8] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 02/11/2014] [Revised: 01/13/2015] [Accepted: 01/14/2015] [Indexed: 11/24/2022]
Abstract
OBJECTIVE The objective of this paper is to evaluate the security behavior of healthcare professionals in a real clinical setting. METHOD Standards, guidelines and recommendations on security and privacy best practices for staff personnel were identified using a systematic literature review. After a revision process, a questionnaire consisting of 27 questions was created and responded to by 180 health professionals from a public hospital. RESULTS Weak passwords were reported by 62.2% of the respondents, 31.7% were unaware of the organization's procedures for discarding confidential information, and 19.4% did not carry out these procedures. Half of the respondents (51.7%) did not take measures to ensure that the personal health information on the computer monitor could not be seen by unauthorized individuals, and 57.8% were unaware of the procedure established to report a security violation. The correlation between the number of years in the position and good security practices was not significant (Pearson's r=0.085, P=0.254). Age was weakly correlated with good security practices (Pearson's r=-0.169, P=0.028). A Mann-Whitney test showed no significant difference between the respondents' security behavior as regards gender (U=2536, P=0.792, n=178). The results of the study suggest that more efforts are required to improve security education for health personnel. CONCLUSIONS It was found that both preventive and corrective actions are needed to prevent health staff from causing security incidents. Healthcare organizations should: identify the types of information that require protection, clearly communicate the penalties that will be imposed, promote security training courses, and define what the organization considers improper behavior to be and communicate this to all personnel.
Collapse
|
|
11
|
Humaidi N, Balakrishnan V. Leadership Styles and Information Security Compliance Behavior: The Mediator Effect of Information Security Awareness. ACTA ACUST UNITED AC 2015. [DOI: 10.7763/ijiet.2015.v5.522] [Citation(s) in RCA: 16] [Impact Index Per Article: 1.8] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/01/2022]
|
|
12
|
Information security awareness and behavior: a theory-based literature review. MANAGEMENT RESEARCH REVIEW 2014. [DOI: 10.1108/mrr-04-2013-0085] [Citation(s) in RCA: 100] [Impact Index Per Article: 10.0] [Reference Citation Analysis] [Abstract] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 11/17/2022]
Abstract
Purpose
– This paper aims to provide an overview of theories used in the field of employees’ information systems (IS) security behavior over the past decade. Research gaps and implications for future research are worked out by analyzing and synthesizing existing literature.
Design/methodology/approach
– This paper presents the results of a literature review comprising 113 publications. The literature review was designed to identify applied theories and to understand the cognitive determinants in the research field. A meta-model that explains employees’ IS security behavior is introduced by assembling the core constructs of the used theories.
Findings
– The paper identified 54 used theories, but four behavioral theories were primarily used: Theory of Planned Behavior (TPB), General Deterrence Theory (GDT), Protection Motivation Theory (PMT) and Technology Acceptance Model (TAM). By synthesizing results of empirically tested research models, a survey of factors proven to have a significant influence on employees’ security behavior is presented.
Research limitations/implications
– Some relevant publications might be missing within this literature review due to the selection of search terms and/or databases. However, by conduction a forward and a backward search, this paper has limited this error source to a minimum.
Practical implications
– This study presents an overview of determinants that have been proven to influence employees’ behavioral intention. Based thereon, concrete training and awareness measures can be developed. This is valuable for practitioners in the process of designing Security Education, Training and Awareness (SETA) programs.
Originality/value
– This paper presents a comprehensive up-to-date overview of existing academic literature in the field of employees’ security awareness and behavior research. Based on a developed meta-model, research gaps are identified and implications for future research are worked out.
Collapse
|
|
13
|
Sánchez-Henarejos A, Fernández-Alemán JL, Toval A, Hernández-Hernández I, Sánchez-García AB, Carrillo de Gea JM. [A guide to good practice for information security in the handling of personal health data by health personnel in ambulatory care facilities]. Aten Primaria 2014; 46:214-22. [PMID: 24582808 PMCID: PMC6985630 DOI: 10.1016/j.aprim.2013.10.008] [Citation(s) in RCA: 12] [Impact Index Per Article: 1.2] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Download PDF] [Journal Information] [Subscribe] [Scholar Register] [Received: 06/01/2013] [Revised: 09/04/2013] [Accepted: 10/19/2013] [Indexed: 11/21/2022] Open
Abstract
Con la introducción de la historia clínica digital surge la necesidad de reforzar la seguridad de los datos personales de salud para garantizar su privacidad. A pesar de la gran cantidad de medidas de seguridad técnicas y de recomendaciones existentes para el ámbito sanitario, hay un aumento en las violaciones de la privacidad de los datos personales de los pacientes en centros sanitarios, en muchos casos como consecuencia de errores o descuidos de los profesionales sanitarios. En este trabajo se presenta una guía de buenas prácticas de seguridad informática en la manipulación de los datos personales de salud por parte del personal sanitario, elaborada a partir de recomendaciones, normativa y estándares nacionales e internacionales. El material presentado en este trabajo puede emplearse tanto en la formación como en auditorías de seguridad informática a trabajadores de los centros de atención primaria.
Collapse
Affiliation(s)
| | | | - Ambrosio Toval
- Departamento de Informática y Sistemas, Universidad de Murcia, Murcia, España
| | | | | | | |
Collapse
|
|
14
|
Jack C, Singh Y, Mars M. Pitfalls in computer housekeeping by doctors and nurses in KwaZulu-Natal: no malicious intent. BMC Med Ethics 2013; 14 Suppl 1:S8. [PMID: 24565043 PMCID: PMC3878337 DOI: 10.1186/1472-6939-14-s1-s8] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.3] [Reference Citation Analysis] [Abstract] [MESH Headings] [Track Full Text] [Download PDF] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/10/2022] Open
Abstract
INTRODUCTION Information and communication technologies are becoming an integral part of medical practice, research and administration and their use will grow as telemedicine and electronic medical record use become part of routine practice. Security in maintaining patient data is important and there is a statuary obligation to do so, but few health professionals have been trained on how to achieve this. There is no information on the use of computers and email by doctors and nurses in South Africa in the workplace and at home, and whether their current computer practices meets legal and ethical requirements. The aims of this study were to determine the use of computers by healthcare practitioners in the workplace and home; the use and approach to data storage, encryption and security of patient data and patient email; and the use of informed consent to transmit data by email. METHODS A self-administered questionnaire was administered to 400 health care providers from the state and private health care sectors. The questionnaire covered computer use in the workplace and at home, sharing of computers, data encryption and storage, email use, encryption of emails and storage, and the use of informed consent for email communication. RESULTS 193 doctors and 207 nurses in the private and public sectors completed the questionnaire. Forty (10%) of participants do not use a computer. A third of health professionals were the only users of computers at work or at home. One hundred and ninety-eight respondents (55%) did not know if the data on the computers were encrypted, 132 (36.7%) knew that the data were not encrypted and 30 (8.3%) individuals knew that the data on the computers they were using were encrypted. Few doctors, 58 (16%), received emails from patients, with doctors more likely to receive emails from patients than nurses (p = 0.0025). Thirty-one percent of individuals did not respond to the emails. Emails were saved by 40 (69%) recipients but only 5 (12.5%) doctors encrypted the messages, 19 (47.5%) individuals knowingly did not encrypt and 16 (40.0%) did not know if they encrypted the data. While 20% of health professionals have emailed patient data, but only 41.7% gained consent to do so. CONCLUSIONS Most health professionals as sampled in South Africa are not compliant with the National Health Act or the Electronic Communications Transactions Act of South Africa or guidelines from regulatory bodies when managing patient data on computers. Many appear ignorant or lack the ability to comply with simple data security procedures.
Collapse
Affiliation(s)
- Caron Jack
- Department of TeleHealth, Nelson R Mandela School of Medicine, University of KwaZulu-Natal, 719 Umbilo Road, Congella, Durban, South Africa
| | | | - Maurice Mars
- Department of TeleHealth, Nelson R Mandela School of Medicine, University of KwaZulu-Natal, 719 Umbilo Road, Congella, Durban, South Africa
| |
Collapse
|
|
15
|
|
|
16
|
Cox J. Information systems user security: A structured model of the knowing–doing gap. COMPUTERS IN HUMAN BEHAVIOR 2012. [DOI: 10.1016/j.chb.2012.05.003] [Citation(s) in RCA: 76] [Impact Index Per Article: 6.3] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/26/2022]
|
|
17
|
Eminağaoğlu M, Uçar E, Eren Ş. The positive outcomes of information security awareness training in companies – A case study. ACTA ACUST UNITED AC 2009. [DOI: 10.1016/j.istr.2010.05.002] [Citation(s) in RCA: 53] [Impact Index Per Article: 3.5] [Reference Citation Analysis] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Indexed: 11/27/2022]
|