Expert Perspectives on Information Security Awareness Programs in Medical Care Institutions in Germany

  • Conference paper
  • Published in: HCI for Cybersecurity, Privacy and Trust (HCII 2024)

Abstract

Human factors play a crucial role in the increasing number of information security incidents in the medical sector. European medical institutions, especially in Germany, have long neglected these factors in the absence of legal obligations. Legislators recently responded with new regulations that mandate medical facilities to implement information security awareness programs. To gain insights into how German medical institutions approach this challenge, we conducted an interview study with six information security experts from the medical sector. Using thematic analysis, we find that human factors are seen as both a risk and an opportunity for information security. We identified various target groups, goals, and obstacles for the implementation of information security awareness programs. Existing structures and regulations promote the risk of a checklist mentality, potentially resulting in ineffective measures being implemented. One great opportunity for effective information security awareness programs lies in the exchange with staff units for safety and hygiene, who have decades of experience with awareness programs in medical facilities. The study results serve as a basis for future research and for tailored awareness programs in the medical sector.

Acknowledgment

We thank our participants for taking part in our study and the anonymous reviewers for their valuable feedback on our research. This research was funded by the German Federal Ministry of Health (grant number ZMI1-2521FSB801).

Corresponding author

Correspondence to Jan Tolsdorf.

Ethics declarations

Disclosure of Interests

The authors have no competing interests to declare that are relevant to the content of this article.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Tolsdorf, J., Lo Iacono, L. (2024). Expert Perspectives on Information Security Awareness Programs in Medical Care Institutions in Germany. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2024. Lecture Notes in Computer Science, vol 14729. Springer, Cham. https://doi.org/10.1007/978-3-031-61382-1_7

  • DOI: https://doi.org/10.1007/978-3-031-61382-1_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-61381-4

  • Online ISBN: 978-3-031-61382-1

  • eBook Packages: Computer Science (R0)
