Knowledge, Awareness, and Behavior on Information Security of Thai Healthcare Providers: A Case Study of Buddhasothorn Hospital
Keywords:
healthcare, knowledge, awareness, behavior, information security, cyber security
Abstract
This descriptive study examined knowledge, awareness, and behavior regarding information security among Thai healthcare providers, using Buddhasothorn Hospital as a case study. The sample consisted of 353 Buddhasothorn Hospital employees. The study instrument was a newly developed assessment tool measuring knowledge, awareness, and behavior in information security. The data were analyzed using descriptive and correlational statistics. Results showed that 54.11% of staff had knowledge of information security at the highest level. On average, 72.74%, 79.20%, and 78.20% of staff correctly answered the questions on general information security knowledge, information security-related laws, and secure password management, respectively, while only 52.32% of staff correctly answered the questions on information and cyber threats. In the information security awareness and behavior assessment, 90.60% of staff had awareness at the high to highest level, and 93.75% of staff engaged in risky information security behavior at the seldom to never level. Risky behaviors reported at the sometimes level were “do not log out of the information system when not using the computer for longer than 15 minutes”, “do not notify the computer center immediately after finding an abnormality of the computer in the information network”, “do not verify the URL of links in e-mails”, and “do not verify e-mail content and scan files attached with e-mails”. Awareness of information security had moderately positive correlations with information security knowledge and behavior, while knowledge had no significant relationship with information security behavior. The results of this study provide important information for planning knowledge development, raising awareness, and promoting information security behaviors among healthcare staff.
