Abstract

This retrospective case report aimed to evaluate the impact of information security compliance in research programs across a large federal healthcare organization. The authors sought to discern whether the methodologies employed for promoting and ensuring compliance delivered the expected benefits and produced a more informed basis for employee decision-making. Data collected from compliance report assessments conducted at 103 federal research programs were reviewed and analyzed by clustering into three primary groupings (procedural, technological and behavioral). While noncompliance related to technological strategies was rare, moderate levels of procedural noncompliance were observed across most areas of analysis, and the highest rates of noncompliance were identified in the behavioral category and observed across all areas of analysis. This signifies the need for a more comprehensive approach to information security oversight and compliance strategies, with specific consideration of the factors that influence human behavior.

Highlights

  • The security of information and information systems has become a priority for many organizations, as dependence on those systems is often paramount to organizational operations and their use is inherently fraught with risk [1]

  • Human behavior in particular is often considered the utmost, if not the primary, determinant of risk [10]; as a result, the role that employees play in information security compliance cannot be understated

  • While noncompliance related to technological strategies was rare, moderate levels of procedural noncompliance were observed across most areas of analysis, including unauthorized use of external information systems, inadequate management of research information, inadequate reviews of research projects by subject matter experts for information security implications, unauthorized use and/or disclosure of sensitive information, noncompliant information security training requirements, and noncompliant reporting of research-related information security incidents

Sweden De Matas and Brendan Keegan: Challenges in Addressing Information Security Compliance in Healthcare Research: The Human Factor

Summary

Introduction

The security of information and information systems has become a priority for many organizations, as dependence on those systems is often paramount to organizational operations and their use is inherently fraught with risk [1]. Despite increased federal scrutiny, information security incidents continue to increase, with data losses occurring each year [4]. Amid these dynamics, information security oversight and compliance strategies remain rather basic and largely unevolved [5]. Leadership's involvement, effective information security policies [8], employee awareness, and human behavior [9] are all necessary factors in decreasing risk as well as in promoting and motivating compliance. Human behavior in particular is often considered the utmost, if not the primary, determinant of risk [10]; as a result, the role that employees play in information security compliance cannot be understated.
