Assessing cyber-security compliance level in paperless hospitals: An ethnographic approach

Abstract

Digitalisation in healthcare can be a double-edged sword. While it improves the efficiency of healthcare operations through IT infrastructure, its security and privacy concerns can be life-threatening, posing danger to the very lives that healthcare exists to safeguard. Motivated by this, we combined focus-group discussion and observational methods to assess the cyber security situations in two hospitals that have migrated to paperless systems in Ghana. Paperless systems involve the adoption of the Electronic Health Record (EHR) system by hospitals and are usually hosted within healthcare IT infrastructure. This is one of the few studies that has used the ethnographic investigation method to reveal the nature of security and privacy practice in hospitals, with the aim to enhance security practices in health-care. The findings revealed that the participants understood various areas of security practice knowledge; however, this did not translate into their security behaviour, as various security gaps were identified. System misuse and security and privacy violations, characterised by password sharing, authentication sharing, unauthorised access to patient information and physical security issues, were associated with the security practice of the healthcare staff. The causes of these security malpractices were attributed to factors such as peer pressure, bad moral conduct (e.g. personal gain), work factors and security development issues. Based on the assessment, practical implications were suggested to the hospitals. In addition, hospitals that are migrating to paperless systems were advised to establish fundamental security structures, such as security policy establishment and the right security personnel, to averse such security menace.