Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

 

 Permissions and Reprints

Abstract

Objectives This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce?

Methods A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior.

Results A total of 453/700 (64%) were responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude.

Conclusion Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.

Protection of Human and Animal Subjects

The study was conducted in full accordance with the World Medical Association Declaration of Helsinki and commenced after obtaining the necessary ethical approvals from the Medical Research Committee at the Ministry of Health, Kuwait.

Publication History

Received: 01 May 2021

Accepted: 29 July 2021

Article published online:
29 September 2021

© 2021. Thieme. All rights reserved.

Georg Thieme Verlag KG
Rüdigerstraße 14, 70469 Stuttgart, Germany

• References

• 1 Blanke SJ, McGrady E. When it comes to securing patient health information from breaches, your best medicine is a dose of prevention: a cybersecurity risk assessment checklist. J Healthc Risk Manag 2016; 36 (01) 14-24
  CrossrefPubMedGoogle Scholar
• 2 McIlwraith A. Information Security and Employee Behaviour: How to Reduce Risk through Employee Education, Training and Awareness. 1st ed.. Routledge; 2016
  CrossrefGoogle Scholar
• 3 Jalali MS, Bruckes M, Westmattelmann D, Schewe G. Why employees (still) click on phishing links: investigation in hospitals. J Med Internet Res 2020; 22 (01) e16775
  CrossrefPubMedGoogle Scholar
• 4 Kruse CS, Frederick B, Jacobson T, Monticone DK. Cybersecurity in healthcare: a systematic review of modern threats and trends. Technol Health Care 2017; 25 (01) 1-10
  CrossrefPubMedGoogle Scholar
• 5 Buntin MB, Burke MF, Hoaglin MC, Blumenthal D. The benefits of health information technology: a review of the recent literature shows predominantly positive results. Health Aff (Millwood) 2011; 30 (03) 464-471
  CrossrefPubMedGoogle Scholar
• 6 Feldman SS, Buchalter S, Hayes LW. Health information technology in healthcare quality and patient safety: literature review. JMIR Med Inform 2018; 6 (02) e10264
  CrossrefPubMedGoogle Scholar
• 7 Jalali MS, Kaiser JP. Cybersecurity in hospitals: a systematic, organizational perspective. J Med Internet Res 2018; 20 (05) e10059
  CrossrefPubMedGoogle Scholar
• 8 Choi SJ, Johnson ME. Understanding the relationship between data breaches and hospital advertising expenditures. Am J Manag Care 2019; 25 (01) e14-e20
  PubMedGoogle Scholar
• 9 Fernández-Alemán JL, Sánchez-Henarejos A, Toval A, Sánchez-García AB, Hernández-Hernández I, Fernandez-Luque L. Analysis of health professional security behaviors in a real clinical setting: an empirical study. Int J Med Inform 2015; 84 (06) 454-467
  CrossrefPubMedGoogle Scholar
• 10 Ondiege B, Clarke M, Mapp G. Exploring a new security framework for remote patient monitoring devices. Computers 2017; 6 (01) 11
  CrossrefPubMedGoogle Scholar
• 11 Food and Drug Administration (FDA). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. Food and Drug Administration (FDA); 2018
  Google Scholar
• 12 Argaw ST, Troncoso-Pastoriza JR, Lacey D. et al. Cybersecurity of Hospitals: discussing the challenges and working towards mitigating the risks. BMC Med Inform Decis Mak 2020; 20 (01) 146
  CrossrefPubMedGoogle Scholar
• 13 Kessler SR, Pindek S, Kleinman G, Andel SA, Spector PE. Information security climate and the assessment of information security risk among healthcare employees. Health Informatics J 2020; 26 (01) 461-473
  CrossrefPubMedGoogle Scholar
• 14 Jalali MS, Razak S, Gordon W, Perakslis E, Madnick S. Health care and cybersecurity: bibliometric analysis of the literature. J Med Internet Res 2019; 21 (02) e12644
  CrossrefPubMedGoogle Scholar
• 15 Coventry L, Branley D. Cybersecurity in healthcare: a narrative review of trends, threats and ways forward. Maturitas 2018; 113: 48-52
  CrossrefPubMedGoogle Scholar
• 16 Gordon WJ, Wright A, Glynn RJ. et al. Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system. J Am Med Inform Assoc 2019; 26 (06) 547-552
  CrossrefPubMedGoogle Scholar
• 17 The Office of the National Coordinator for Health Information Technology. Guide to Privacy and Security of Electronic Health Information. Department of Health and Human Services; 2015
  Google Scholar
• 18 Anwar M, He W, Ash I, Yuan X, Li L, Xu L. Gender difference and employees' cybersecurity behaviors. Comput Human Behav 2017; 69: 437-443
  CrossrefPubMedGoogle Scholar
• 19 Levin KA. Study design III: cross-sectional studies. Evid Based Dent 2006; 7 (01) 24-25
  CrossrefPubMedGoogle Scholar
• 20 Regional Health Systems Observatory - EMRO. Health Systems Profile: Kuwait. Cairo, Egypt; 2006. Report No.: Report no. 17297e
  PubMedGoogle Scholar
• 21 Abu-Taieh E, Alfaries A, Al-Otaibi S, Aldehim G. Cyber security crime and punishment: comparative study of the laws of Jordan, Kuwait, Qatar, Oman, and Saudi Arabia. Int J Cyber Warf Terror IJCWT 2018; 8 (03) 46-59
  PubMedGoogle Scholar
• 22 Ketchen DJ, Shook CL. The application of cluster analysis in strategic management research: an analysis and critique. Strateg Manage J 1996; 17 (06) 441-458
  CrossrefPubMedGoogle Scholar
• 23 Bhuyan SS, Kabir UY, Escareno JM. et al. Transforming healthcare cybersecurity from reactive to proactive: current status and future recommendations. J Med Syst 2020; 44 (05) 98
  CrossrefPubMedGoogle Scholar
• 24 Fred Donovan. For ASCs, size matters when it comes to healthcare cybersecurity. HealthITSecurity. Published August 30, 2018. Accessed July 3, 2021 at: https://healthitsecurity.com/news/for-ascs-size-matters-when-it-comes-to-healthcare-cybersecurity
  PubMedGoogle Scholar
• 25 Gabriel MH, Noblin A, Rutherford A, Walden A, Cortelyou-Ward K. Data breach locations, types, and associated characteristics among US hospitals. Am J Manag Care 2018; 24 (02) 78-84
  PubMedGoogle Scholar
• 26 Nock O, Starkey J, Angelopoulos CM. Addressing the security gap in IoT: towards an IoT cyber range. Sensors (Basel) 2020; 20 (18) E5439
  CrossrefPubMedGoogle Scholar
• 27 Willing M, Dresen C, Haverkamp U, Schinzel S. Analyzing medical device connectivity and its effect on cyber security in german hospitals. BMC Med Inform Decis Mak 2020; 20 (01) 246
  CrossrefPubMedGoogle Scholar
• 28 Davis MS. That's interesting: towards a phenomenology of sociology and a sociology of phenomenology. Philos Soc Sci 1971; 1 (02) 309-344
  CrossrefPubMedGoogle Scholar
• 29 Kimpe LD, Walrave M, Verdegem P, Ponnet K. What we think we know about cybersecurity: an investigation of the relationship between perceived knowledge, internet trust, and protection motivation in a cybercrime context. Behav Inf Technol 2021; 0 (00) 1-13
  CrossrefPubMedGoogle Scholar
• 30 Caudle KE, Gammal RS, Whirl-Carrillo M, Hoffman JM, Relling MV, Klein TE. Evidence and resources to implement pharmacogenetic knowledge for precision medicine. Am J Health Syst Pharm 2016; 73 (23) 1977-1985
  CrossrefPubMedGoogle Scholar
• 31 Ko A, Turner J. Online resources to support clinical practice. Home Healthc Now 2018; 36 (02) 114-122
  CrossrefPubMedGoogle Scholar
• 32 Hagedorn PA, Kirkendall ES, Spooner SA, Mohan V. Inpatient communication networks: leveraging secure text-messaging platforms to gain insight into inpatient communication systems. Appl Clin Inform 2019; 10 (03) 471-478
  Article in Thieme ConnectPubMedGoogle Scholar
• 33 Liu X, Sutton PR, McKenna R. et al. Evaluation of secure messaging applications for a health care system: a case study. Appl Clin Inform 2019; 10 (01) 140-150
  Article in Thieme ConnectPubMedGoogle Scholar
• 34 Arain MA, Tarraf R, Ahmad A. Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization. J Multidiscip Healthc 2019; 12: 73-81
  CrossrefPubMedGoogle Scholar
• 35 Ayatollahi H, Shagerdi G. Information security risk assessment in hospitals. Open Med Inform J 2017; 11: 37-43
  CrossrefPubMedGoogle Scholar
• 36 Zarei J, Sadoughi F. Information security risk management for computerized health information systems in hospitals: a case study of Iran. Risk Manag Healthc Policy 2016; 9: 75-85
  CrossrefPubMedGoogle Scholar
• 37 Tsega S, Kalra A, Sevilla CT, Cho HJ. A bottom-up approach to encouraging sustained user adoption of a secure text messaging application. Appl Clin Inform 2019; 10 (02) 326-330
  Article in Thieme ConnectPubMedGoogle Scholar
• 38 Rozenblum R, Bates DW. Patient-centred healthcare, social media and the internet: the perfect storm?. BMJ Qual Saf 2013; 22 (03) 183-186
  CrossrefPubMedGoogle Scholar
• 39 Tan SS-L, Goonawardene N. Internet health information seeking and the patient-physician relationship: a systematic review. J Med Internet Res 2017; 19 (01) e9
  CrossrefPubMedGoogle Scholar
• 40 Sher M-L, Talley PC, Cheng T-J, Kuo K-M. How can hospitals better protect the privacy of electronic medical records? Perspectives from staff members of health information management departments. Health Inf Manag 2017; 46 (02) 87-95
  PubMedGoogle Scholar
• 41 Humaidi N, Balakrishnan V. Indirect effect of management support on users' compliance behaviour towards information security policies. Health Inf Manag 2018; 47 (01) 17-27
  PubMedGoogle Scholar
• 42 Hakmeh J. Cybercrime and the digital economy in the GCC countries. The Royal Institute of International Affairs, Chatham House. Accessed 2017 at: https://www.chathamhouse.org/sites/default/files/publications/research/2017-06-30-cybercrime-digital-economy-gcc-hakmeh.pdf
  PubMedGoogle Scholar
• 43 Kshetri N. Cybersecurity in Gulf Cooperation Council Economies. In: The Quest to Cyber Superiority. 1st ed.. Springer International Publishing; 2016: 183-194
  CrossrefGoogle Scholar

• Supplementary Material