Analysis of health professional security behaviors in a real clinical setting: An empirical study

Objective The objective of this paper is to evaluate the security behavior of healthcare professionals in a real clinical setting. Method Standards, guidelines and recommendations on security and privacy best practices for staff personnel were identified using a systematic literature review. After a revision process, a questionnaire consisting of 27 questions was created and responded to by 180 health professionals from a public hospital. Results Weak passwords were reported by 62.2% of the respondents, 31.7% were unaware of the organization's procedures for discarding confidential information, and 19.4% did not carry out these procedures. Half of the respondents (51.7%) did not take measures to ensure that the personal health information on the computer monitor could not be seen by unauthorized individuals, and 57.8% were unaware of the procedure established to report a security violation. The correlation between the number of years in the position and good security practices was not significant (Pearson's r =0.085, P =0.254). Age was weakly correlated with good security practices (Pearson's r =−0.169, P =0.028). A Mann–Whitney test showed no significant difference between the respondents' security behavior as regards gender ( U =2536, P =0.792, n =178). The results of the study suggest that more efforts are required to improve security education for health personnel. Conclusions It was found that both preventive and corrective actions are needed to prevent health staff from causing security incidents. Healthcare organizations should: identify the types of information that require protection, clearly communicate the penalties that will be imposed, promote security training courses, and define what the organization considers improper behavior to be and communicate this to all personnel.