Abstract
Human factors play a crucial role in the increasing number of information security incidents in the medical sector. European medical institutions, especially in Germany, have long neglected these factors in the absence of legal obligations. Legislators recently responded with new regulations requiring medical facilities to implement information security awareness programs. To gain insight into how German medical institutions approach this challenge, we conducted an interview study with six information security experts from the medical sector. Using thematic analysis, we find that human factors are seen as both a risk and an opportunity for information security. We identified various target groups, goals, and obstacles for the implementation of information security awareness programs. Existing structures and regulations promote the risk of a checklist mentality, potentially resulting in ineffective measures being implemented. One great opportunity for effective information security awareness programs lies in the exchange with staff units on safety and hygiene, who have decades of experience with awareness programs in medical facilities. The study results serve as a basis for future research and for tailored awareness programs in the medical sector.
Acknowledgment
We thank our participants for participating in our study and the anonymous reviewers for their valuable feedback on our research. This research was funded by the German Federal Ministry of Health (grant number ZMI1-2521FSB801).
Ethics declarations
Disclosure of Interests
The authors have no competing interests to declare that are relevant to the content of this article.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Tolsdorf, J., Lo Iacono, L. (2024). Expert Perspectives on Information Security Awareness Programs in Medical Care Institutions in Germany. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2024. Lecture Notes in Computer Science, vol 14729. Springer, Cham. https://doi.org/10.1007/978-3-031-61382-1_7
DOI: https://doi.org/10.1007/978-3-031-61382-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-61381-4
Online ISBN: 978-3-031-61382-1
eBook Packages: Computer Science (R0)