Analysis of health professional security behaviors in a real clinical setting: An empirical study

• Privacy and security training sessions are needed for the health professionals.
• Most of the health professionals have weak passwords.
• Knowing the healthcare organization's security policy may lower security incidents.

ObjectiveThe objective of this paper is to evaluate the security behavior of healthcare professionals in a real clinical setting.MethodStandards, guidelines and recommendations on security and privacy best practices for staff personnel were identified using a systematic literature review. After a revision process, a questionnaire consisting of 27 questions was created and responded to by 180 health professionals from a public hospital.ResultsWeak passwords were reported by 62.2% of the respondents, 31.7% were unaware of the organization's procedures for discarding confidential information, and 19.4% did not carry out these procedures. Half of the respondents (51.7%) did not take measures to ensure that the personal health information on the computer monitor could not be seen by unauthorized individuals, and 57.8% were unaware of the procedure established to report a security violation. The correlation between the number of years in the position and good security practices was not significant (Pearson's r = 0.085, P = 0.254). Age was weakly correlated with good security practices (Pearson's r = −0.169, P = 0.028). A Mann–Whitney test showed no significant difference between the respondents’ security behavior as regards gender (U = 2536, P = 0.792, n = 178). The results of the study suggest that more efforts are required to improve security education for health personnel.ConclusionsIt was found that both preventive and corrective actions are needed to prevent health staff from causing security incidents. Healthcare organizations should: identify the types of information that require protection, clearly communicate the penalties that will be imposed, promote security training courses, and define what the organization considers improper behavior to be and communicate this to all personnel.