José Luis Fernández-Alemán1, Ana Sánchez-Henarejos2, Ambrosio Toval3, Ana Belén Sánchez-García4, Isabel Hernández-Hernández5, Luis Fernandez-Luque6. 1. Faculty of Computer Science, Department of Informatics and System, University of Murcia, Spain. Electronic address: aleman@um.es. 2. Faculty of Computer Science, Department of Informatics and System, University of Murcia, Spain. Electronic address: anasanchez@um.es. 3. Faculty of Computer Science, Department of Informatics and System, University of Murcia, Spain. Electronic address: atoval@um.es. 4. Reina Sofia University Hospital, Murcia, Spain. Electronic address: absg2@um.es. 5. Reina Sofia University Hospital, Murcia, Spain. Electronic address: isabelhdezhdez@yahoo.es. 6. Northern Research Institute, Tromsø, Norway. Electronic address: luis.luque@norut.no.
Abstract
OBJECTIVE: The objective of this paper is to evaluate the security behavior of healthcare professionals in a real clinical setting. METHOD: Standards, guidelines and recommendations on security and privacy best practices for staff personnel were identified using a systematic literature review. After a revision process, a questionnaire consisting of 27 questions was created and responded to by 180 health professionals from a public hospital. RESULTS: Weak passwords were reported by 62.2% of the respondents, 31.7% were unaware of the organization's procedures for discarding confidential information, and 19.4% did not carry out these procedures. Half of the respondents (51.7%) did not take measures to ensure that the personal health information on the computer monitor could not be seen by unauthorized individuals, and 57.8% were unaware of the procedure established to report a security violation. The correlation between the number of years in the position and good security practices was not significant (Pearson's r=0.085, P=0.254). Age was weakly correlated with good security practices (Pearson's r=-0.169, P=0.028). A Mann-Whitney test showed no significant difference between the respondents' security behavior as regards gender (U=2536, P=0.792, n=178). The results of the study suggest that more efforts are required to improve security education for health personnel. CONCLUSIONS: It was found that both preventive and corrective actions are needed to prevent health staff from causing security incidents. Healthcare organizations should: identify the types of information that require protection, clearly communicate the penalties that will be imposed, promote security training courses, and define what the organization considers improper behavior to be and communicate this to all personnel.
OBJECTIVE: The objective of this paper is to evaluate the security behavior of healthcare professionals in a real clinical setting. METHOD: Standards, guidelines and recommendations on security and privacy best practices for staff personnel were identified using a systematic literature review. After a revision process, a questionnaire consisting of 27 questions was created and responded to by 180 health professionals from a public hospital. RESULTS: Weak passwords were reported by 62.2% of the respondents, 31.7% were unaware of the organization's procedures for discarding confidential information, and 19.4% did not carry out these procedures. Half of the respondents (51.7%) did not take measures to ensure that the personal health information on the computer monitor could not be seen by unauthorized individuals, and 57.8% were unaware of the procedure established to report a security violation. The correlation between the number of years in the position and good security practices was not significant (Pearson's r=0.085, P=0.254). Age was weakly correlated with good security practices (Pearson's r=-0.169, P=0.028). A Mann-Whitney test showed no significant difference between the respondents' security behavior as regards gender (U=2536, P=0.792, n=178). The results of the study suggest that more efforts are required to improve security education for health personnel. CONCLUSIONS: It was found that both preventive and corrective actions are needed to prevent health staff from causing security incidents. Healthcare organizations should: identify the types of information that require protection, clearly communicate the penalties that will be imposed, promote security training courses, and define what the organization considers improper behavior to be and communicate this to all personnel.
Authors: José A García-Berná; Sofia Ouhbi; José L Fernández-Alemán; Juan M Carrillo de Gea; Joaquín Nicolás; Begoña Moros; Ambrosio Toval Journal: Int J Environ Res Public Health Date: 2021-02-03 Impact factor: 3.390