Evaluation of users' information security practices at King Saud University Hospitals
The growing dependence of healthcare organizations on information technology (IT) has made information security a permanent challenge facing these organizations (Knapp 2007). Almost all internet-connected organizations that use information technology in any way are striving hard to maintain effective information security (Stanton et al 2006). The loss of sensitive patient data may cause serious damage to an organization's reputation. It can reduce customer confidence, undermine the organization's reliability and jeopardize its competitiveness in the market. Breaches of confidentiality can, in some cases, even result in legal consequences, fines and penalties (CISCO 2008, Williams 2008).
Information damage may take many forms, such as intrusion into systems, theft of organizational information, fraudulent use of information, defacement of organizational websites, and other forms of information loss or damage. Such damage is caused by hackers and virus writers as well as by insider users. Information security in healthcare systems is particularly vital because of the sensitive nature of the information stored in these systems and the cost associated with the loss of patient data.
Information Security and User Behavior
Organizations sometimes regard information security as something that can be achieved through enhanced technology (firewalls and intrusion detection software) and well-trained IT professionals, while ignoring, or giving only little attention to, the role of the systems' users, who represent a critical factor in the implementation of the security process (Kajava et al 2006, Katz 2005). As many researchers have noted, technology can only be effective if it is considered within the framework of the environment in which it is placed (Williams 2008). The security threat arising from malicious user practices is demonstrated by the scale of computer crime that has taken place in recent decades (Richardson 2008). Monitoring user behavior and coordinating security awareness programs may contribute significantly to changing users' behavior toward security issues and accordingly to reducing the risk of security threats (Johansson 2005). Several studies have shown that the rate of security malpractice drops significantly when employees are trained and understand the protective security measures and why they have been implemented (Williams 2008).
The objectives of the current study were to analyze the security behavior of users at King Saud University Hospitals, Riyadh, Saudi Arabia, within the context of the healthcare environment and its workplaces, and to examine whether such behavior differs across employee categories.
The study was conducted at King Saud University Hospitals (KSUHs), namely King Khalid University Hospital (KKUH) and King Abdul Aziz University Hospital (KAUH), Saudi Arabia. KSUHs have 4112 full-time employees, including 843 physicians and 1595 nurses. The hospitals have 912 beds distributed among different clinical specialties. The study was approved by the KSUHs director and coordinated with the computer and information department.
Data were collected by means of a questionnaire distributed to a random sample of 2000 employees (220 administrative staff, 380 physicians, 900 nursing staff and 500 technical staff). The questions were set to address the security behavior of users and to explore their awareness of some basic security and privacy issues. In total, 554 completed questionnaires were collected, on which the analysis was based.
SPSS 16 was used throughout to generate the summary tables and perform all data analysis. A comparison was held to be statistically significant if p < 0.05.
Demographics of the sample indicated that 73% were female and 18% were Saudi; the mean age was 40 +/- 0.5 years (mean +/- SE), the mean period of employment at the hospitals was 7 +/- 0.3 years, and the mean time since the employee started using the hospital IT system was 6 +/- 0.2 years. Respondents were distributed between professions as follows: 62 physicians (consultants, specialists and general practitioners), 49 administrative staff, 354 nursing staff, and 84 allied health staff (laboratory, x-ray and other technicians).
Respondents access the hospital IT system to perform at least one of the following tasks: viewing and editing medical records and accessing the hospital information system (HIS) (47%), checking laboratory results (LAB system) (15%), retrieving x-rays (22%), and internet and e-mail services (15%).
Tables 1 and 2 summarize and compare the employees' responses to a selected set of security practices. The tables show that 81% of hospital staff use shared computers, and that the proportion of nursing and allied health staff using shared computers is significantly higher than in other job categories such as physicians and administrative staff.
The results reveal that 16% of respondents do not sign out of applications after working sessions. While no difference was found between professions regarding this behavior, a significant association was observed between this behavior and the age of the employee: older employees tend to be more aware of this practice than their younger counterparts (p=0.01). The analysis also shows that sharing passwords with office mates and friends was reported by 27% of respondents. This practice is more frequent among females than among males (p=0.0001), and it is also more frequent among nursing staff than among other job categories (p=0.0001).
Not changing the password after it has become known to unauthorized persons was reported by 45% of the study sample. Males do significantly better than females in this respect. Likewise, nursing staff appear to be the group least aware of the need to change their passwords once disclosed to others (p=0.0001). The study further shows that 70% of respondents had never changed their default system-generated passwords. This practice is also more frequent among females than among males, and among nursing staff than among other professions.
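The profession comparisons reported above can be checked from the published figures. The following Python script is an added example, not part of the original paper or of its SPSS analysis; it assumes that each comparison is a chi-square test of independence between profession and a yes/no response (the paper states only the significance threshold, not the test). It rebuilds approximate counts from the Table 2 percentages and the respondent numbers per profession given above (62, 49, 354 and 84), so the p-values it produces are approximations of the paper's, not the exact values; the parameter labels and function names are this example's own, and the p-value is computed with a hand-written series for the regularized incomplete gamma function rather than with SPSS.

```python
import math

# Respondents per profession as reported in the study's demographics section.
RESPONDENTS = {"Physicians": 62, "Administrative": 49, "Nursing": 354, "Allied health": 84}
PROFESSIONS = list(RESPONDENTS)

# "Yes" (or "Personal") percentages per profession, in the order above, as printed
# in Table 2 of the paper. The labels are this example's abbreviations.
TABLE2_YES_PCT = {
    "Personal (not shared) computer": (56, 49, 8, 18),
    "Logs off application after work sessions": (85, 92, 84, 84),
    "Lets others use account without password": (54, 57, 31, 55),
    "Lets office mates and friends know password": (15, 19, 34, 12),
    "Changes password after it is known to others": (74, 64, 46, 71),
    "Changed administrator-generated default password": (34, 40, 22, 52),
}


def counts_from_percent(yes_pct):
    """Rebuild (yes, no) counts per profession from rounded percentages.
    Approximate: Table 2 reports whole percentages only."""
    table = []
    for prof, pct in zip(PROFESSIONS, yes_pct):
        n = RESPONDENTS[prof]
        yes = round(n * pct / 100)
        table.append((yes, n - yes))
    return table


def chi_square_independence(table):
    """Pearson chi-square statistic and degrees of freedom for an r x c table."""
    rows, cols = len(table), len(table[0])
    row_tot = [sum(r) for r in table]
    col_tot = [sum(r[j] for r in table) for j in range(cols)]
    n = sum(row_tot)
    stat = 0.0
    for i in range(rows):
        for j in range(cols):
            expected = row_tot[i] * col_tot[j] / n
            stat += (table[i][j] - expected) ** 2 / expected
    return stat, (rows - 1) * (cols - 1)


def _regularized_lower_gamma(a, x):
    """P(a, x) by its power series; sufficient for the moderate values used here."""
    if x <= 0:
        return 0.0
    term = 1.0 / a
    total = term
    for n in range(1, 5000):
        term *= x / (a + n)
        total += term
        if term < total * 1e-16:
            break
    return math.exp(-x + a * math.log(x) - math.lgamma(a)) * total


def chi2_sf(stat, df):
    """Upper tail (p-value) of the chi-square distribution: Q(df/2, stat/2)."""
    p = 1.0 - _regularized_lower_gamma(df / 2.0, stat / 2.0)
    return min(max(p, 0.0), 1.0)


def compare_professions(parameter, alpha=0.05):
    """Test whether a Table 2 parameter is independent of profession at the study's alpha."""
    table = counts_from_percent(TABLE2_YES_PCT[parameter])
    stat, df = chi_square_independence(table)
    p = chi2_sf(stat, df)
    return {"parameter": parameter, "chi2": stat, "df": df, "p_value": p, "significant": p < alpha}


if __name__ == "__main__":
    for name in TABLE2_YES_PCT:
        r = compare_professions(name)
        print(f"{name}: chi2={r['chi2']:.2f} df={r['df']} p={r['p_value']:.4f} "
              f"significant={r['significant']}")
```

With the rounded counts, the "logs off" comparison comes out non-significant (p around 0.5, matching the 0.518 in Table 2) while the shared-computer comparison is significant far below 0.001, as the paper reports; the remaining rows behave the same way.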
The results of the current study suggest that, in general, information security practice among hospital staff at KSUHs poses a high level of threat to patients' data privacy and confidentiality. The finding that 81% of hospital employees use shared computers represents an alarming source of threat to information security and privacy if a strict information security policy is not applied. Although sharing of workstations is not a user choice and is more likely attributable to the nature of the hospital work environment, previous studies agree that a major component of an organization's security threat is human misbehavior (Woodhouse 2007). In such a multiuser environment, the security practices and awareness of users constitute the first line of defense in safeguarding patient data. Given this result, one can argue that compliance with security policies and procedures is much harder in a multiuser shared environment than in settings where each user logs in to a dedicated personal computer.
Not logging off applications after working sessions was reported by 16% of respondents. This implies that unauthorized people can easily use the account to make malicious alterations to patient data. In a study by North 2006 of 465 students at Clark Atlanta University, 23% replied that they had used other people's computers without authorization. Another survey, conducted by CISCO in 2008 among 2000 users in ten countries, showed that at least one in every three employees leaves their computer logged on and unlocked when away from their desk for lunch or after working hours. Given the tremendous potential risk caused by such behavior, employees should be educated about that risk and held accountable for any damage this kind of behavior causes.
While 40% of respondents allow others to use their account credentials without releasing their password, 27% communicate their passwords to colleagues and office mates. These findings are generally higher than those reported by other studies. Woodhouse 2007, in a survey of 381 employees of a medium-sized public sector agency, reported that 16% of respondents shared passwords with other people. In another survey of students on password practices and attitudes, Hart 2008 found that 22% of respondents share their webmail password with others. A similar conclusion was reported by CISCO 2008: 18% of the surveyed employees share passwords with co-workers. One can argue that most respondents are well aware of the risk involved in sharing passwords; the culture within organizations, however, seems to tolerate or may even facilitate this behavior (Woodhouse 2007). It is interesting to note that although nursing staff appear to be the least likely of all professions to allow others to use their accounts, they are the group most likely to communicate passwords to others. This could be explained by the fact that once a nurse has logged on to a workstation, every other nurse in the ward can use that account; by the same argument, sharing of passwords could be attributed to trust as well as to job interdependence.
The fact that 45% of respondents did not change their password after it became known to others, and that 70% of participants have never changed the default password generated by the system, reflects a clear lack of security awareness among users. Changing the password, as a precautionary security measure, is highly recommended mainly in three situations: after it is issued by the system administrator, after suspecting that it has become known to others, and at regular time intervals. Studies have shown that users are generally reluctant to change their passwords. A survey of university students at Plattsburgh about their attitudes and practices regarding passwords revealed that over 80% of them rarely change their password (Hart 2008). Users should be instructed and encouraged to change their passwords whenever, for any reason, they feel the password has become unsafe.
Based on the findings of this study, one can argue that users' security-related behavior may pose a potential threat to patient information privacy and security if the relevant policies and procedures are not implemented properly. All of the security misbehaviors observed represent high levels of potential threat to patients' information privacy and confidentiality. This study further reveals that nursing staff are the least compliant with security measures compared with other professions. In this context, understanding the privacy and security threats and challenges facing healthcare organizations is essential for building a holistic security process and avoiding loss of, and threats to, patient information. In such a multiuser environment, the security awareness of users constitutes the first line of defense in safeguarding patient data.
To reduce security threats, healthcare organizations should build a sense of information security awareness among all staff in order to gain their support in protecting sensitive data. This is achieved through continuous education and evaluation of the security processes. In addition, unauthorized access should be reduced by automatically locking or logging off computers that have not been in use for a predefined period. Furthermore, users should be instructed to comply strictly with policies and procedures that prohibit communicating passwords, using others' accounts and leaving passwords unchanged for long periods. Developing methods for monitoring user behavior is also important.
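Two of the behaviors this study measured by questionnaire, password sharing and workstations left logged on, also leave traces in workstation login events, which is one concrete way to build the user-behavior monitoring recommended above. The following Python script is an added example, not part of the original paper and not code from KSUHs' systems; the log line format, the account names and the workstation names are constructed for the example. It replays the log and reports an account that opens a session on one workstation while still logged on to another (a pattern consistent with a shared password or account), and sessions still open long after a stale threshold (workstations never logged off, which an auto-lock policy of the kind recommended above would close).

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a workstation authentication log. The line format, the
# account names and the workstation names are invented for this example; they are
# not taken from the study or from any real hospital system.
SAMPLE_LOG = """\
2011-01-10T07:58:02 LOGIN user=nurse07 host=WARD3-WS01
2011-01-10T08:15:40 LOGIN user=nurse07 host=WARD3-WS02
2011-01-10T08:20:11 LOGIN user=phys12 host=OPD-WS04
2011-01-10T08:40:05 LOGOUT user=nurse07 host=WARD3-WS01
2011-01-10T09:02:30 LOGOUT user=phys12 host=OPD-WS04
2011-01-10T09:05:00 LOGIN user=admin03 host=ADMIN-WS09
2011-01-10T09:30:00 LOGOUT user=nurse07 host=WARD3-WS02
2011-01-10T10:10:45 LOGIN user=lab02 host=LAB-WS01
2011-01-10T17:45:00 LOGOUT user=admin03 host=ADMIN-WS09
2011-01-10T18:00:00 LOGIN user=nurse07 host=WARD3-WS01
2011-01-10T23:30:00 LOGIN user=phys12 host=OPD-WS04
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>LOGIN|LOGOUT) "
    r"user=(?P<user>\S+) host=(?P<host>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, event, user, host) tuples, oldest first.
    Malformed lines are skipped so that one bad record does not stop the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["host"]))
    events.sort(key=lambda e: e[0])
    return events


def find_risky_sessions(text, stale_after=timedelta(hours=1)):
    """Replay the log and report two behaviors the study measured by questionnaire.

    concurrent_session: an account logs in on a workstation while it still has an
        open session on another one, consistent with a shared password or account.
    stale_session: a session still open at the end of the log that began more than
        stale_after ago, i.e. a workstation that was never logged off and that an
        auto-lock policy would have closed.
    """
    events = parse_log(text)
    open_sessions = {}  # (user, host) -> login time of the still-open session
    findings = []
    for ts, event, user, host in events:
        if event == "LOGIN":
            also_on = sorted(h for (u, h) in open_sessions if u == user and h != host)
            if also_on:
                findings.append({"type": "concurrent_session", "user": user,
                                 "host": host, "also_on": also_on, "at": ts.isoformat()})
            open_sessions[(user, host)] = ts  # a repeated LOGIN restarts the session clock
        else:
            open_sessions.pop((user, host), None)  # LOGOUT without LOGIN is ignored
    if not events:
        return findings
    end_of_log = events[-1][0]
    for (user, host), started in sorted(open_sessions.items()):
        open_for = end_of_log - started
        if open_for >= stale_after:
            findings.append({"type": "stale_session", "user": user, "host": host,
                             "open_for_minutes": int(open_for.total_seconds() // 60)})
    return findings


if __name__ == "__main__":
    for finding in find_risky_sessions(SAMPLE_LOG):
        print(finding)
```

On the sample log the script reports nurse07 logging in on WARD3-WS02 while still logged on to WARD3-WS01, and the lab02 and nurse07 sessions still open at the end of the day; the phys12 session that started at the very end of the log is below the threshold and is not reported. A concurrent session is only a signal to review, since a legitimate user may use two workstations, so the finding should feed an awareness or audit process rather than an automatic sanction.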
References
Williams, P. A. H. 2008, "The Effect of a University Information Security Survey on Instruction Methods in Information Security", Information Security, pp. 43-48.
Woodhouse, S. 2007, "Information Security: End User Behavior and Corporate Culture", in IEEE Seventh International Conference on Computer and Information Technology, IEEE Xplore, Japan, pp. 721-726.
Hart, D. 2008, "Attitudes and practices of students towards password security", J. Comput. Small Coll., vol. 23, no. 5, pp. 169-174.
Stanton, M. J. & Stam, K. R. 2006, The Visible Employee: Using Workplace Monitoring and Surveillance to Protect Information Assets--Without Compromising Employee Privacy or Trust, Information Today, Inc., New Jersey, USA.
Katz, F. H. 2005, "The effect of a university information security survey on instruction methods in information security", in InfoSecCD '05, NY, USA, pp. 43-48.
Cisco Systems, Inc. 2011, Data Leakage Worldwide: Common Risks and Mistakes Employees Make, Cisco Systems, Inc.
Richardson, R. 2008, CSI Computer Crime & Security Survey, Cisco Systems, Inc.
Kajava, J., Anttila, J., Varonen, R., Savola, R. & Roning, J. 2006, "Information Security Standards and Global Business", IEEE Xplore.
Johansson, J. M. & Riley, S. 2005, Protect Your Windows Network: From Perimeter to Data, Pearson Education, Inc.
Chen, C.-J. & Li, M.-H. 2008, "SecConfig: A Pre-Active Information Security Protection Technique", in Fourth International Conference on Networked Computing and Advanced Information Management, Gyeongju, pp. 48-52.
Knapp, J. K. & Marshall, T. E. 2007, "Information Security and Task Interdependence: An Exploratory Investigation", in The 40th Hawaii International Conference on System Sciences, p. 246b.
North, M. M., George, R. & North, S. M. 2006, "Computer security and ethics awareness in university environments: a challenge for management of information systems", in The 44th Annual Southeast Regional Conference (ACM-SE 44), NY, USA, pp. 34-39.
Ahmed I. Albarrak
Chair of Health Informatics, College of Medicine, King Saud University, Saudi Arabia
Ahmed I. Albarrak can be contacted at: Albarrak@ksu.edu.sa
Table 1: Summary of parameters

Parameter                                                  Response   No.    %
Use of personal or shared computer                         Personal    99   19
                                                           Shared     418   81
Logging off the application after work sessions            Yes        448   84
                                                           No          83   16
Allowing others to use the account without giving them     Yes        213   40
the password                                               No         317   60
Allowing office mates and friends to know the password     Yes        145   27
                                                           No         394   73
Changing the password after being known to other people    Yes        290   55
                                                           No         240   45
Changing the password after first being generated by       Yes        158   30
administrator                                              No         370   70

Table 2: Comparison of profession against other parameters (% of respondents in each profession)

Parameter                                 Response  Physicians  Administrative  Nursing  Allied health  p
Use of personal or shared computer        Personal      56           49             8         18        0.0001
                                          Shared        44           51            92         82
Logging off the application after work    Yes           85           92            84         84        0.518
sessions                                  No            15            8            16         16
Allowing others to use the account        Yes           54           57            31         55        0.0001
without giving them the password          No            46           43            69         45
Allowing office mates and friends to      Yes           15           19            34         12        0.0001
know the password                         No            85           81            66         88
Changing the password after being known   Yes           74           64            46         71        0.0001
to other people                           No            26           36            54         29
Changing the password after first being   Yes           34           40            22         52        0.0001
generated by administrator                No            66           60            76         48
Author: Albarrak, Ahmed I.
Publication: Global Business and Management Research: An International Journal
Date: Jan 1, 2011