Analysis of health professional security behaviors in a real clinical setting

An empirical study

José Luis Fernández-Alemán, Ana Sánchez-Henarejos, Ambrosio Toval, Ana Belén Sánchez-García, Isabel Hernández-Hernández, Luis Fernandez

Research output: Contribution to journal › Article

14 Citations (Scopus)

Abstract

Objective: The objective of this paper is to evaluate the security behavior of healthcare professionals in a real clinical setting. Method: Standards, guidelines and recommendations on security and privacy best practices for staff personnel were identified using a systematic literature review. After a revision process, a questionnaire consisting of 27 questions was created and responded to by 180 health professionals from a public hospital. Results: Weak passwords were reported by 62.2% of the respondents, 31.7% were unaware of the organization's procedures for discarding confidential information, and 19.4% did not carry out these procedures. Half of the respondents (51.7%) did not take measures to ensure that the personal health information on the computer monitor could not be seen by unauthorized individuals, and 57.8% were unaware of the procedure established to report a security violation. The correlation between the number of years in the position and good security practices was not significant (Pearson's r = 0.085, P = 0.254). Age was weakly correlated with good security practices (Pearson's r = -0.169, P = 0.028). A Mann-Whitney test showed no significant difference between the respondents' security behavior as regards gender (U = 2536, P = 0.792, n = 178). The results of the study suggest that more efforts are required to improve security education for health personnel. Conclusions: It was found that both preventive and corrective actions are needed to prevent health staff from causing security incidents. Healthcare organizations should: identify the types of information that require protection, clearly communicate the penalties that will be imposed, promote security training courses, and define what the organization considers improper behavior to be and communicate this to all personnel.

Original language: English
Pages (from-to): 454-467
Number of pages: 14
Journal: International Journal of Medical Informatics
Volume: 84
Issue number: 6
DOI: https://doi.org/10.1016/j.ijmedinf.2015.01.010
Publication status: Published - 1 Jun 2015
Externally published: Yes

Fingerprint

Health
Organizations
Personal Health Records
Delivery of Health Care
Computer Security
Privacy
Public Hospitals
Confidentiality
Practice Guidelines
Health Personnel
Guidelines
Education
Surveys and Questionnaires

Keywords

  • Health personnel
  • Personal health information
  • Privacy
  • Security
  • Surveys

ASJC Scopus subject areas

  • Health Informatics

Cite this

Fernández-Alemán, J. L., Sánchez-Henarejos, A., Toval, A., Sánchez-García, A. B., Hernández-Hernández, I., & Fernandez, L. (2015). Analysis of health professional security behaviors in a real clinical setting: An empirical study. International Journal of Medical Informatics, 84(6), 454-467. https://doi.org/10.1016/j.ijmedinf.2015.01.010

@article{c9f49bce85a541d9b12c4fa5e19d5e61,
title = "Analysis of health professional security behaviors in a real clinical setting: An empirical study",
keywords = "Health personnel, Personal health information, Privacy, Security, Surveys",
author = "Fern{\'a}ndez-Alem{\'a}n, {Jos{\'e} Luis} and Ana S{\'a}nchez-Henarejos and Ambrosio Toval and S{\'a}nchez-Garc{\'i}a, {Ana Bel{\'e}n} and Isabel Hern{\'a}ndez-Hern{\'a}ndez and Luis Fernandez",
year = "2015",
month = "6",
day = "1",
doi = "10.1016/j.ijmedinf.2015.01.010",
language = "English",
volume = "84",
pages = "454--467",
journal = "International Journal of Medical Informatics",
issn = "1386-5056",
publisher = "Elsevier Ireland Ltd",
number = "6",

}
