How Information Security Management Systems Influence the Healthcare Professionals’ Security Behavior in a Public Hospital in Indonesia

Puspita Kencana Sari, Putu Wuri Handayani, Achmad Nizar Hidayanto, Pribadi Wiranda Busro
Interdisciplinary Journal of Information, Knowledge, and Management. Journal Article. Published 2023-01-01. DOI: 10.28945/5185 (https://doi.org/10.28945/5185)

Abstract

Aim/Purpose: This study analyzes health professionals’ information security behavior (ISB) as health information system (HIS) users concerning associated information security controls and risks established in a public hospital. This work measures ISB using a complete measuring scale and explains the relevant influential factors from the perspectives of Protection Motivation Theory (PMT) and General Deterrence Theory (GDT).

Background: Internal users are the primary source of security concerns in hospitals, with malware and social engineering becoming common attack vectors in the health industry. This study focuses on HIS user behavior in developing countries with limited information security policies and resources.

Methodology: The research was carried out in three stages. First, a semi-structured interview was conducted with three hospital administrators in charge of HIS implementation to investigate information security controls and threats. Second, a survey of 144 HIS users was conducted to determine ISB based on hospital security risk. Third, a semi-structured interview was conducted with 11 HIS users to discuss the elements influencing behavior and current information security implementation.

Contribution: This study contributes to ISB practices in hospitals. It discusses how HIS managers could build information security programs to enhance health professionals’ behavior by considering PMT and GDT elements.

Findings: According to the findings of this study, the hospital has implemented particular information security management system (ISMS) controls based on international standards, but there is still room for improvement. Insiders are the most prevalent information security threat discovered, with certain working practices requiring HIS users to share passwords with others. The top three most common ISBs HIS users practice include appropriately disposing of printouts, validating link sources, and using a password to unlock the device. Meanwhile, the top three least commonly seen ISBs include transferring sensitive information online, leaving a password in an unsupervised area, and revealing sensitive information via social media.

Recommendations for Practitioners: Hospital managers should create work practices that align with information security requirements. HIS managers should provide incentives to improve workers’ perceptions of the benefit of robust information security measures.

Recommendation for Researchers: This study suggests more research into the components that influence ISB, utilizing diverse theoretical foundations such as Regulatory Focus Theory to compare preventive and promotion motivation to enhance ISB.

Impact on Society: This study can potentially improve information security in the healthcare industry, which carries substantial risks to human life but still lags behind implementations in other vital sectors.

Future Research: Future research could look into the best content and format for an information security education and training program to promote the behaviors of healthcare professionals that need to be improved based on this ISB measurement and other influential factors.