Analysis of health professional security behaviors in a real clinical setting: An empirical study

International Journal of Medical Informatics

Volumn 84, Issue 6, 2015, Pages 454-467

  Fernández Alemán, José Luis ^a   Sánchez Henarejos, Ana ^a   Toval, Ambrosio ^a   Sánchez García, Ana Belén ^b   Hernández Hernández, Isabel ^b   Fernandez Luque, Luis ^c  

^a UNIVERSITY OF MURCIA   (Spain)

^b HOSPITAL UNIVERSITARIO REINA SOFÍA   (Spain)

^c Northern Research Institute   (Norway)

Author keywords

Health personnel; Personal health information; Privacy; Security; Surveys

Indexed keywords

DATA PRIVACY; HEALTH; HEALTH CARE; HOSPITALS; SECURITY SYSTEMS; SURVEYING; SURVEYS;

CONFIDENTIAL INFORMATION; HEALTH CARE PROFESSIONALS; HEALTH PROFESSIONALS; HEALTHCARE ORGANIZATIONS; PERSONAL HEALTH INFORMATIONS; SECURITY; SECURITY AND PRIVACY; SYSTEMATIC LITERATURE REVIEW;

PERSONNEL TRAINING;

ADULT; ARTICLE; AWARENESS; BEHAVIOR; COMPUTER SECURITY; E-MAIL; EMPIRICISM; FEMALE; HEALTH CARE PERSONNEL; HEALTH PRACTITIONER; HUMAN; INFORMATION PROCESSING; INTERNET; MALE; MEDICAL INFORMATION; MOTIVATION; PRINTING; PRIORITY JOURNAL; PRIVACY; PUBLIC HOSPITAL; QUESTIONNAIRE; SECURITY BEHAVIOR; STAFF TRAINING; CONFIDENTIALITY; EMPIRICAL RESEARCH; HEALTH CARE FACILITY; HEALTH CARE SURVEY; MIDDLE AGED; SPAIN;

ADULT; COMPUTER SECURITY; CONFIDENTIALITY; EMPIRICAL RESEARCH; FEMALE; HEALTH CARE SURVEYS; HEALTH FACILITIES; HEALTH PERSONNEL; HUMANS; MALE; MIDDLE AGED; SPAIN; SURVEYS AND QUESTIONNAIRES;

EID: 84927070214     PISSN: 13865056     EISSN: 18728243     Source Type: Journal    
DOI: 10.1016/j.ijmedinf.2015.01.010     Document Type: Article

References (106)

1. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure, Commission on Physical Sciences, Mathematics, and Applications, National Research Council For the Record: Protecting Electronic Health Information 1997, The National Academies Press.
2. Appari A., Johnson M.E. Information security and privacy in healthcare: current state of research. Int. J. Internet Enterp. Manag. 2010, 6(4):279-314.
3. European Network and Information Security Agency ENISA Threat Landscape. Responding to the Evolving Threat Environment 2012, Available from http://www.enisa.europa.eu/activities/risk-management/evolving-threat-environment/ENISA_Threat_Landscape/at_download/fullReport (accessed 04.08.13).
4. Kierkegaard P. Medical data breaches: notification delayed is notification denied. Comput. Law Secur. Rev. 2012, 28(2):163-183.
5. Smith R., Gotel O. Using a game to introduce lightweight requirements engineering. 15th IEEE International Requirements Engineering Conference 2007, 379-380. IEEE Computer Society Press, New Delhi, India.
6. Liginlal D., Sim I., Khansa L. How significant is human error as a cause of privacy breaches? An empirical study and a framework for error management. Comput. Secur. 2009, 28(3-4):215-228.
7. Privacy Rights Clearinghouse, 2013. Available from https://www.privacyrights.org/data-breach (accessed 04.10.13).
8. U.S.Department of Health & Human Services Health Information Privacy 2014, Available from http://www.hhs.gov/ocr/privacy/ (accessed 04.02.14).
9. HealthIT Health Information Technology 2013, Available from http://www.healthit.gov/ (accessed 04.02.14).
10. ISO 27799:2008 Health informatics-information security management in health using ISO/IEC 27002 (ISO 27799:2008) 2008, European Committee for Standarization (CEN), Brussels.
11. Fernández-Alemán J.L., Señor I.C., Lozoya P.A.O., Toval A. Security and privacy in electronic health records: a systematic literature review. J. Biomed. Inform. 2013, 46(3):541-562.
12. Carrion Senor I., Fernandez-Aleman J.L., Toval A. [Access control management in electronic health records: a systematic literature review]. Gac. Sanit. 2012, 26(5):463-468.
13. Williams P.A.H. In a 'trusting' environment, everyone is responsible for information security. Inf. Secur. Tech. Rep. 2008, 13(4):207-215.
14. Colwill C. Human factors in information security: the insider threat - who can you trust these days?. Inf. Secur. Tech. Rep. 2009, 14(4):186-196.
15. Lluch M. Healthcare professionals' organisational barriers to health information technologies-a literature review. Int. J. Med. Inform. 2011, 80(12):849-862.
16. Kraemer S., Carayon P., Clem J. Human and organizational factors in computer and information security: pathways to vulnerabilities. Comput. Secur. 2009, 28(7):509-520.
17. Alban R.F., Feldmar D., Gabbay J., Lefor A.T. Internet security and privacy protection for the health care professional. Curr. Surg. 2005, 62(1):106-110.
18. The Office of the National Coordinator for Health Information Technology Guide to Privacy and Security of Health Information 2014, Department of Health and Human Services, Available from http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf (accessed 04.02.14).
19. Kwon J., Johnson M. The impact of security practices on regulatory compliance and security performance. Thirty Second International Conference on Information Systems 2011, 1-9.
20. Farzandipour M., Sadoughi F., Ahmadi M., Karimi I. Security requirements and solutions in electronic health records: lessons learned from a comparative study. J. Med. Syst. 2010, 34(4):629-642.
21. Fernando J., Dawson L. Clinician assessments of workplace security training - an informatics perspective. Electron. J. Health Inform. 2008, 3(1):e7.
22. Jeremy S.C. The human element: training, awareness, and human resources implications of health information security policy under the Health Insurance Portability and Accountability Act (HIPAA). Information Security Curriculum Development Conference (InfoSecCD'09) 2009, 95-99. ACM.
23. Fernando J.I., Dawson L.L. The health information system security threat lifecycle: an informatics theory. Int. J. Med. Inform. 2009, 78(12):815-826.
24. Murphy J., Stramer K., Clamp S., Grubb P., Gosland J., Davis S. Health informatics education for clinicians and managers-what's holding up progress?. Int. J. Med. Inform. 2004, 73(2):205-213.
25. King T., Brankovic L., Gillard P. Perspectives of Australian adults about protecting the privacy of their health information in statistical databases. Int. J. Med. Inform. 2012, 81(4):279-289.
26. Fernando J., Dawson L. The natural hospital environment: a socio-technical-material perspective. Int. J. Med. Inform. 2014, 83(2):140-158.
27. Rippen H.E., Pan E.C., Russell C., Byrne C.M., Swift E.K. Organizational framework for health information technology. Int. J. Med. Inform. 2013, 82(4):e1-e13.
28. McAlearney A.S., Chisolm D.J., Schweikhart S., Medow M.A., Kelleher K. The story behind the story: physician skepticism about relying on clinical information technologies to reduce medical errors. Int. J. Med. Inform. 2007, 76(11-12):836-842.
29. Carstens D., McCauley-Bell P., Malone L., DeMara R. Evaluation of the human impact of password authentication practices on information security. Inf. Sci. 2004, 7:67-85.
30. van Deursen N., Buchanan W.J., Duff A. Monitoring information security risks within health care. Comput. Secur. 2013, 37:31-45.
31. Rosenstock I.M. The health belief model and preventive health behavior. Health Educ. Monogr. 1974, 2:420-432.
32. Chan M., Woon I., Kankanhalli A. Perceptions of information security in the workplace: linking information security climate to compliant behavior. J. Inf. Priv. Secur. 2005, 1(3):18.
33. Ng B.-Y., Kankanhalli A., Xu Y. Studying users' computer security behavior: a health belief perspective. Decis. Support Syst. 2009, 46(4):815-825.
34. Stanton J.M., Stam K.R., Mastrangelo P., Jolton J. Analysis of end user security behaviors. Comput. Secur. 2005, 24(2):124-133.
35. Wiant T.L. Information security policy's impact on reporting security incidents. Comput. Secur. 2005, 24(6):448-459.
36. Facchiano L., Snyder C.H. Challenges surrounding provider/client electronic-mail communication. J. Nurse Pract. 2011, 7(4):309-315.
37. Hobbs J., Wald J., Jagannath Y.S., Kittler A., Pizziferri L., Volk L.A., Middleton B., Bates D.W. Opportunities to enhance patient and physician e-mail contact. Int. J. Med. Inform. 2003, 70(1):1-9.
38. Ye J., Rust G., Fry-Johnson Y., Strothers H. E-mail in patient-provider communication: a systematic review. Patient Educ. Couns. 2010, 80(2):266-273.
39. Ash J.S., Sittig D.F., Dykstra R.H., Guappone K., Carpenter J.D., Seshadri V. Categorizing the unintended sociotechnical consequences of computerized provider order entry. Int. J. Med. Inform. 2007, 76(Suppl. 1):S21-S27.
40. Ponemon Institute The State of USB Drive Security. U.S. Survey of IT and IT Security Practitioners 2011, July, Available from http://media.kingston.com/images/usb/pdf/MKP_272_Ponemon_WP.pdf (accessed 25.04.14).
41. Wang A., Li Z., Yang X., Yu Y. New attacks and security model of the secure flash disk. Math. Comput. Model. 2013, 57(11-12):2605-2612.
42. HealthcareInfoSecurity Healthcare Information Security Today 2013, Available from http://docs.ismgcorp.com/files/handbooks/HIS-Survey-2012/HIS_Survey_Report_2012.pdf (accessed 25.04.14).
43. Gorge M. USB & other portable storage device usage: be aware of the risks to your corporate data in order to take pre-emptive and/or corrective action. Comput. Fraud Secur. 2005, 2005(8):15-17.
44. Duggan G.B., Johnson H., Grawemeyer B. Rational security: modelling everyday password use. Int. J. Hum.-Comput. Stud. 2012, 70(6):415-431.
45. Zviran M., Haga W.J. Password security: an empirical study. J. Manag. Inf. Syst. 1999, 15(4):161-185.
46. Vu K.-P.L., Proctor R.W., Bhargav-Spantzel A., Tai B.-L., Cook J., Eugene Schultz E. Improving password security and memorability to protect personal and organizational information. Int. J. Hum.-Comput. Stud. 2007, 65(8):744-757.
47. ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management.
48. Scholl M.A., Stine K.M., Hash J., Bowen P., Johnson L.A., Smith C.D., Steinberg D. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule 2009, NIST, Available from http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf (accessed 04.02.14).
49. Scarfone K., Souppaya M. Guide to Enterprise Password Management (Draft) Recommendations of the National Institute of Standards and Technology 2009, NIST, Available from http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf (accessed 04.02.14).
50. Borten K. HIPAA Handbook for Behavioral Health Staff: Understanding the Privacy and Security Regulations 2013, HCPro Inc., Available from http://hcmarketplace.com/hipaa-handbook-for-behavioral-health-staff1 (accessed 04.02.14).
51. Toval A., Carrillo-de-Gea J.M., Fernandez-Aleman J.L., Toval R. Learning systems development using reusable standard-based requirements catalogs. Global Engineering Education Conference (EDUCON) 2011, 907-912.
52. Sánchez-Henarejos A., Fernández-Alemán J.L., Toval A., Hernández-Hernández I., Sánchez-García A.B., Carrillo de Gea J.M. Guía de buenas prácticas de seguridad informática en el tratamiento de datos de salud para el personal sanitario en atención primaria. Aten. Prim. 2014, 46(4):214-222.
53. Cos J.A., Toval R., Toval A., Fernández-Alemán J.L., Carrillo-de-Gea J.M., Nicolás J. Internationalization requirements for e-learning audit purposes. Global Engineering Education Conference (EDUCON) 2012, 1-6.
54. Westbrook J.I., Ampt A. Design, application and testing of the Work Observation Method by Activity Timing (WOMBAT) to measure clinicians' patterns of work and communication. Int. J. Med. Inform. 2009, 78(Suppl. 1):S25-S33.
55. Lemos R. Targeted Attacks, Weak Passwords Top IT Security Risks in 2013 2013, eWeek, Available from http://www.eweek.com/security/targeted-attacks-weak-passwords-top-it-security-risks-in-2013/ (accessed 04.02.14).
56. Proctor R.W., Lien M.C., Vu K.P., Schultz E.E., Salvendy G. Improving computer security for authentication of users: influence of proactive password restrictions. Behav. Res. Methods Instrum. Comput. 2002, 34(2):163-169.
57. Pilar D.R., Jaeger A., Gomes C.F., Stein L.M. Passwords usage and human memory limitations: a survey across age and educational background. PLoS ONE 2012, 7(12):e51067.
58. Nelson D., Vu K.-P.L. Effectiveness of image-based mnemonic techniques for enhancing the memorability and security of user-generated passwords. CHB 2010, 26(4):705-715.
59. Ives B., Walsh K.R., Schneider H. The domino effect of password reuse. Commun. ACM 2004, 47(4):75-78.
60. Beuving J. IGZ/CBP. Informatiebeveiliging in ziekenhuizen voldoet niet aan de norm 2008, College Bescherming Persoonsgegevens, Inspectie voor de Gezondheidszorg, Den Haag, Available from http://www.cbpweb.nl/downloads_rapporten/rap_2008_informatiebeveiliging_ziekenhuizen.pdf (accessed 04.02.14).
61. Gehringer E.F. Choosing passwords: security and human factors. International Symposium on Technology and Society 2002, 369-373.
62. Haletky E. Virus and spam protection. Deploying LINUX on the Desktop 2005, 141-150. Digital Press, Burlington, (Chapter 9).
63. Sunner M. Email security best practice. Netw. Secur. 2005, 2005(12):4-7.
64. Lopes C., Cortez P., Sousa P., Rocha M., Rio M. Symbiotic filtering for spam email detection. Expert Syst. Appl. 2011, 38(8):9365-9372.
65. The Radicati Group I. Email Statistics Report, 2013-2017, Available from (accessed 04.02.14). http://www.radicati.com/.
66. O'Connor C., Friedrich J.O., Scales D.C., Adhikari N.K.J. The use of wireless e-mail to improve healthcare team communication. J. Am. Med. Inform. Assoc. 2009, 16(5):705-713.
67. Guth A.A., Diflo T. "You've got mail!": the role of e-mail in clinical breast surgical practice. Breast 2006, 15(6):713-717.
68. Mondal A., Trestian I., Qin Z., Kuzmanovic A. P2P as a CDN: a new service model for file sharing. Comput. Netw. 2012, 56(14):3233-3246.
69. Gonzalez J.L., Perez J.C., Sosa-Sosa V., Rodriguez Cardoso J.F., Marcelin-Jimenez R. An approach for constructing private storage services as a unified fault-tolerant system. J. Syst. Softw. 2013, 86(7):1907-1922.
70. Costa C., Almeida J. Reputation systems for fighting pollution in peer-to-peer file sharing systems. Seventh IEEE International Conference on Peer-to-Peer Computing 2007, 53-60.
71. Srivatsa M., Liu L. Countering targeted file attacks using locationguard. 14th Conference on USENIX Security Symposium, vol. 14 2005, 6. USENIX Association, Baltimore, MD.
72. Wang F., Zhang Y., Ma J. Defending passive worms in unstructured P2P networks based on healthy file dissemination. Comput. Secur. 2009, 28(7):628-636.
73. Chen Z., Roussopoulos M., Liang Z., Zhang Y., Chen Z., Delis A. Malware characteristics and threats on the internet ecosystem. J. Syst. Softw. 2012, 85(7):1650-1672.
74. Selvaraj C., Anand S. A survey on security issues of reputation management systems for peer-to-peer networks. Comput. Sci. Rev. 2012, 6(4):145-160.
75. News: advertising malware scammers get smarter. Netw. Secur. 2009, 2009(10):19-20.
76. Zhu Q., Yang X., Ren J. Modeling and analysis of the spread of computer virus. Commun. Nonlinear Sci. Numer. Simul. 2012, 17(12):5117-5124.
77. Anderson B., Anderson B. USB-based virus/malicious code launch. Seven Deadliest USB Attacks 2010, 65-96. Syngress, Boston, (Chapter 3).
78. HIMSS Analytics Report: Security of Patient Data 2012, Kroll Fraud Solutions, Available from http://www.krollcybersecurity.com/media/Kroll-HIMSS_2012_-_Security_of_Patient_Data_040912.pdf (accessed 04.02.14).
79. Little L., Briggs P., Coventry L. Public space systems: designing for privacy?. Int. J. Hum.-Comput. Stud. 2005, 63(1-2):254-268.
80. Straub D.W. Deterring Computer Abuse: The Effectiveness of Deterrent Countermeasures in the Computer Security Environment 1986, (Doctoral dissertation), Indiana University School of Business.
81. Williams P., Valli C. Trust me. I am a Doctor. Your records are safe?. Sixth Australian Information Security Management Conference 2008, 155-162. SECAU - Security Research Centre, Edith Cowan University, Mount Lawley, Western Australia.
82. Yoon-Flannery K., Zandieh S.O., Kuperman G.J., Langsam D.J., Hyman D., Kaushal R. A qualitative analysis of an electronic health record (EHR) implementation in an academic ambulatory setting. Inform. Prim. Care 2008, 16(4):277-284.
83. Wiljer D., Urowitz S., Apatu E., DeLenardo C., Eysenbach G., Harth T., Pai H., Leonard K.J. Patient accessible electronic health records: exploring recommendations for successful implementation strategies. J. Med. Internet Res. 2008, 10(4):e34.
84. The Office of the National Coordinator for Health Information Technology's Office of the Chief Privacy Officer Cybersecure: Your Medical Practice 2012, U.S. Department of Health & Human Services, Available from http://www.healthit.gov/sites/default/files/cybersecure/cybersecure.html (accessed 04.02.14).
85. Timmons S. Nurses resisting information technology. Nurs. Inq. 2003, 10(4):257-269.
86. Nichols P., Copeland T.S., Craib I.A., Hopkins P., Bruce D.G. Learning from error: identifying contributory causes of medication errors in an Australian hospital. Med. J. Aust. 2008, 188(5):276-279.
87. Gerber M., von Solms R. Information security requirements - interpreting the legal aspects. Comput. Secur. 2008, 27(5-6):124-135.
88. Ozkan S., Karabacak B. Collaborative risk method for information security management practices: a case context within Turkey. Int. J. Inf. Manag. 2010, 30(6):567-572.
89. Ou Yang Y.-P., Shieh H.-M., Tzeng G.-H. A VIKOR technique based on DEMATEL and ANP for information security risk control assessment. Inf. Sci. 2013, 232:482-500.
90. Martínez M.A., Lasheras J., Fernández-Medina E., Toval A., Piattini M. A personal data audit method through requirements engineering. Comput. Stand. Interfaces 2010, 32(4):166-178.
91. Iossifova A.R., Meyer-Goldstein S. Impact of standards adoption on healthcare transaction performance: the case of HIPAA. Int. J. Prod. Econ. 2013, 141(1):277-285.
92. Fedorowicz J., Ray A.W. Impact of HIPAA on the integrity of healthcare information. Int. J. Healthc. Technol. Manag. 2004, 6(2):142-157.
93. Khansa L., Cook D.F., James T., Bruyaka O. Impact of HIPAA provisions on the stock market value of healthcare institutions, and information security and other information technology firms. Comput. Secur. 2012, 31(6):750-770.
94. Mwagwabi F., McGill T., Dixon M. Improving compliance with password guidelines: how user perceptions of passwords and security threats affect compliance with guidelines. 47th Hawaii International Conference on System Sciences (HICSS'14) 2014, 3188-3197. IEEE Computer Society.
95. Luethi M., Knolmayer G.F. Security in health information systems: an exploratory comparison of U.S. and Swiss hospitals. 42nd Hawaii International Conference on System Sciences (HICSS'09) 2009, 1-10. IEEE Computer Society.
96. Ahmed N., Matulevičius R. Securing business processes using security risk-oriented patterns. Comput. Stand. Interfaces 2014, 36(4):723-733.
97. Wohlin C., Runeson P., Höst M., Ohlsson M.C., Regnell B., Wesslén A. Experimentation in Software Engineering 2012, Springer, London.
98. Hoffer J.A., Straub D.W. The 9 to 5 underground: are you policing computer crimes?. Sloan Manag. Rev. Summer 1989, 30(4):35.
99. Kavanagh J. Security Special Report: The Internal Threat 2006, Computer Weekly, Available from http://www.computerweekly.com/feature/Security-special-report-The-internal-threat (accessed 04.02.14).
100. Scandariato R., Wuyts K., Joosen W. A descriptive study of Microsoft's threat modeling technique. Requir. Eng. 2013, 1-18.
101. Johannessen L.K., Obstfelder A., Lotherington A.T. Scaling of an information system in a public healthcare market-infrastructuring from the vendor's perspective. Int. J. Med. Inform. 2013, 82(5):e180-e188.
102. Iversen T.B., Melby L., Toussaint P. Instant messaging at the hospital: supporting articulation work?. Int. J. Med. Inform. 2013, 82(9):753-761.
103. Gritzalis S., Liu L. Requirements engineering for security, privacy and services in cloud environments. Requir. Eng. 2013, 18(4):297-298.
104. Kalloniatis C., Mouratidis H., Islam S. Evaluating cloud deployment scenarios based on security and privacy requirements. Requir. Eng. 2013, 18(4):299-319.
105. Beckers K., CÔté I., Faßbender S., Heisel M., Hofbauer S. A pattern-based method for establishing a cloud-specific information security management system. Requir. Eng. 2013, 18(4):343-395.
106. Lang U., Schreiner R. Analysis of recommended cloud security controls to validate OpenPMF "policy as a service". Inf. Secur. Tech. Rep. 2011, 16(3-4):131-141.