Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities
Funding None.
Objectives This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce?
Methods A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score that indicates their level of compliance with good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables and overall cybersecurity behavior.
Results A total of 453/700 (64%) responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrated higher cybersecurity aptitude relative to physicians. Professionals who were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude.
Conclusion Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.
Protection of Human and Animal Subjects
The study was conducted in full accordance with the World Medical Association Declaration of Helsinki and commenced after obtaining the necessary ethical approvals from the Medical Research Committee at the Ministry of Health, Kuwait.
Received: 01 May 2021
Accepted: 29 July 2021
29 September 2021 (online)
© 2021. Thieme. All rights reserved.
Georg Thieme Verlag KG
Rüdigerstraße 14, 70469 Stuttgart, Germany