Security Culture and Security Awareness as the Basic Factors for Security Effectiveness in Health Information Systems

Authors

  • Ahmad Bakhtiyari Shahri Faculty of Computer Science and Information Systems, Universiti Teknologi Malaysia, 81310 Johor Bahru, Johor, Malaysia
  • Zuraini Ismail Advanced Informatics School (AIS), Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Malaysia
  • Nor Zairah Ab. Rahim Advanced Informatics School (AIS), Universiti Teknologi Malaysia, 54100 Kuala Lumpur, Malaysia

DOI:

https://doi.org/10.11113/jt.v64.2212

Keywords:

Health information system, security culture, security awareness, security effectiveness

Abstract

The use of Information and Communications Technology (ICT) in healthcare domains adds to the complexity of the security problems facing Health Information Systems (HIS). This is primarily due to the human behaviours that ICT introduces into the handling of patient data. In spite of many attempts to provide security for HIS, security incidents continue to occur because of human factors. The key to achieving security effectiveness in information systems is to nurture HIS users' security awareness and security culture with respect to patients' data. Hence, the role of human behaviour is the main focus of this study. Based on secondary data sources, a theoretical model is proposed in which users' awareness and users' culture are the factors driving HIS security. This work-in-progress study attempts to highlight the part HIS users' behaviours play in enhancing security effectiveness for HIS.

References

Lacey, D. 2009. Managing the Human Factor in Information Security: How to Win over Staff and Influence Business Managers: John Wiley & Sons Ltd.

Brady, J. W. 2011. Securing Health Care: Assessing Factors That Affect HIPAA Security Compliance in Academic Medical Centers. in 44th Hawaii International Conference on System Sciences. Kauai, HI: IEEE.

Privacy Rights Clearinghouse. 2010. Privacy Rights Clearinghouse. San Diego: Center for Public Interest Law, University of San Diego.

HIMSS Analytics. 2008. The 2008 HIMSS Analytics Report: Security of Patient Data. Technical Report.

HIMSS Analytics. 2010. The 2010 HIMSS Analytics Report: Security of Patient Data. Technical Report.

Ma, Q., A. C. Johnston, and J. M. Pearson. 2008. Information Security Management Objectives and Practices: A Parsimonious Framework. Information Management & Computer Security. 16(3): 251–270.

Winter, A., R. Haux, E. Ammenwerth, B. Brigl, N. Hellrung, and F. Jahn. 2011. Health Information Systems. In Health Information Systems. London: Springer. 33–42.

Liginlal, D., I. Sim, L. Khansa, and P. Fearn. 2009. Human Error and Privacy Breaches in Healthcare Organizations: Causes and Management Strategies. in 15th Americas Conference on Information Systems (AMCIS 2009). San Francisco, California.

Williams, P. 2009. Capturing Culture in Medical Information Security Research. Methodological Innovations Online. 4(3): 15–26.

Rotvold, G. 2008. How to Create a Security Culture in Your Organization. Information Management Journal. 42(6).

Dimitropoulos, L. and S. Rizk. 2009. A State-Based Approach to Privacy and Security for Interoperable Health Information Exchange. Health Affairs. 28(2): 428–434.

Benhocine, A., L. Laouamer, and H. Hadji. 2011. Toward an Efficient Security: A New Methodology for Information Security. Journal of Economics and Administration. 1(1).

Colwill, C. 2009. Human Factors in Information Security: The Insider Threat–Who Can You Trust These Days? Information Security Technical Report. 14(4): 186–196.

Keller, S., A. Powell, B. Horstmann, C. Predmore, and M. Crawford. 2005. Information Security Threats and Practices in Small Businesses. Information Systems Management. 22(2): 7–19.

Whitman, M. E. 2003. Enemy at the Gate: Threats to Information Security. Communications of the ACM. 46(8): 91–95.

Ramim, M. and Y. Levy. 2006. Securing E-Learning Systems: A Case of Insider Cyber Attacks and Novice IT Management in a Small University. Journal of Cases on Information Technology (JCIT). 8(4): 24–34.

Teer, F. P., S. Kruck, and G. P. Kruck. 2007. Empirical Study of Students' Computer Security Practices/Perception. The Journal of Computer Information Systems. 47(3): 105–110.

Leach, J. 2003. Improving User Security Behaviour. Computers & Security. 22(8): 685–692.

Stanton, J. M., K. R. Stam, P. Mastrangelo, and J. Jolton. 2005. Analysis of End User Security Behaviors. Computers & Security. 24(2): 124–133.

Kankanhalli, A., H. H. Teo, B. C. Y. Tan, and K. K. Wei. 2003. An Integrative Study of Information Systems Security Effectiveness. International Journal of Information Management. 23(2): 139–154.

Samy, G. N., R. Ahmad, and Z. Ismail. 2011. Health Information Security Guidelines for Healthcare Information Systems. In ISHIMR 2011. Zurich, Switzerland.

Maglogiannis, I., E. Zafiropoulos, A. Platis, and C. Lambrinoudakis. 2006. Risk Analysis of a Patient Monitoring System Using Bayesian Network Modeling. Journal of Biomedical Informatics. 39(6): 637–647.

Tupa, J. and F. Steiner. 2006. Implementation of Information Security Management System in the Small Healthcare Organization. Journal of Telecommunications and Information Technology. (2): 52–58.

Aytes, K. and T. Connolly. 2004. Computer Security and Risky Computing Practices: A Rational Choice Perspective. Journal of Organizational and End User Computing (JOEUC). 16(3): 22–40.

D’Arcy, J. and A. Hovav. 2009. Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures. Journal of Business Ethics. 89: 59–71.

Sushma, M., M. Robert, and L. Chasalow. 2011. Information Security Effectiveness: A Research Framework. Issues in Information Systems. 7(1): 246–255.

Straub, D. W. 1990. Effective IS Security. Information Systems Research. 1(3): 255–276.

Wiant, T. L. 2005. Information Security Policy's Impact on Reporting Security Incidents. Computers & Security. 24(6): 448–459.

Da Veiga, A. and J. H. P. Eloff. 2007. An Information Security Governance Framework. Information Systems Management. 24(4): 361–372.

Da Veiga, A. and J. Eloff. 2010. A Framework and Assessment Instrument for Information Security Culture. Computers & Security. 29(2): 196–207.

Herath, T. and H. Rao. 2009. Encouraging Information Security Behaviors in Organizations: Role of Penalties, Pressures and Perceived Effectiveness. Decision Support Systems. 47(2): 154–165.

Ismail, Z., M. Masrom, Z. Sidek, and D. Hamzah. 2010. Framework to Manage Information Security for Malaysian Academic Environment. Information Assurance & Cybersecurity. 2010: 1–16.

Ayyagari, R. and J. Tyks. 2012. Disaster at a University: A Case Study in Information Security. Journal of Information Technology Education. 11.

Knapp, K. J., T. E. Marshall, R. K. Rainer, and F. N. Ford. 2006. Information Security: Management's Effect on Culture and Policy. Information Management & Computer Security. 14(1): 24–36.

Figg, W. C. and H. J. Kam. 2011. Medical Information Security. International Journal of Security (IJS). 5(1): 22.

OECD. 2002. OECD Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security. Paris: Organisation for Economic Co-operation and Development.

Lacey, D. 2010. Understanding and Transforming Organizational Security Culture. Information Management & Computer Security. 18(1): 4–13.

Ruighaver, A. B., S. Maynard, and S. Chang. 2007. Organisational Security Culture: Extending The End-User Perspective. Computers & Security. 26(1): 56–62.

D'Arcy, J. and G. Greene. 2009. The Multifaceted Nature of Security Culture and Its Influence on End User Behavior. In International Workshop on Information Systems Security Research.

Van Niekerk, J. and R. Von Solms. 2010. Information Security Culture: A Management Perspective. Computers & Security. 29(4): 476–486.

Kiely, L. and T. V. Benzel. 2006. Systemic Security Management. IEEE Security & Privacy. 4(6): 74–77.

Gebrasilase, T. and L. F. Lessa. 2011. Information Security Culture in Public Hospitals: The Case of Hawassa Referral Hospital. The African Journal of Information Systems. 3(3): 72–86.

Khan, B., K. S. Alghathbar, S. I. Nabi, and M. K. Khan. 2011. Effectiveness of Information Security Awareness Methods Based on Psychological Theories. African Journal of Business Management. 5(26): 10862–10868.

Peltier, T. R. 2005. Implementing an Information Security Awareness Program. Information Systems Security. 14(2): 37–49.

Furnell, S. M., A. Jusoh, and D. Katsabas. 2006. The Challenges of Understanding and Using Security: A Survey of End-Users. Computers & Security. 25(1): 27–35.

Huang, D. L., P. L. Patrick Rau, G. Salvendy, F. Gao, and J. Zhou. 2011. Factors Affecting Perception of Information Security and Their Impacts on IT Adoption and Security Practices. International Journal of Human-Computer Studies. 69(12): 870–883.

Greene, G. and J. D’Arcy. 2010. Assessing the Impact of Security Culture and the Employee-Organization Relationship on IS Security Compliance. In Fifth Annual Symposium on Information Assurance. Albany.

Chang, A. J. T., J. Arthur, Q. J. Yeh, and J. Quey. 2006. On Security Preparations Against Possible IS Threats Across Industries. Information Management & Computer Security. 14(4): 343–360.

Published

2013-10-15

Section

Social Sciences

How to Cite

Security Culture and Security Awareness as the Basic Factors for Security Effectiveness in Health Information Systems. (2013). Jurnal Teknologi, 64(2). https://doi.org/10.11113/jt.v64.2212