This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR Human Factors, is properly cited. The complete bibliographic information, a link to the original publication on https://humanfactors.jmir.org, as well as this copyright and license information must be included.
Data breaches in health care are on the rise, emphasizing the need for a holistic approach to mitigation efforts.
The purpose of this study was to develop a comprehensive framework for modeling and analyzing health care professionals’ information security practices related to their individual characteristics, such as their psychological, social, and cultural traits.
The study area was a hospital setting under an ongoing project called the Healthcare Security Practice Analysis, Modeling, and Incentivization (HSPAMI) project. A literature review was conducted for relevant theories and information security practices. The theories and security practices were used to develop an ontology and a comprehensive framework consisting of psychological, social, cultural, and demographic variables.
In the review, a number of psychological, social, and cultural theories were identified, including the health belief model, protection motivation theory, theory of planned behavior, and social control theory, in addition to some social demographic variables, to form a comprehensive set of health care professionals’ characteristics. Furthermore, an ontology was developed from these theories to systematically organize the concepts. The framework, called the psychosociocultural (PSC) framework, was then developed from the various combined psychological and sociocultural attributes of the ontology. The Human Aspect of Information Security Questionnaire was adopted as a comprehensive tool for gathering staff security practices as mediating variables in the framework.
Data breaches occur often in health care today. This frequency has been attributed to health care professionals’ lack of experience in information security, the lack of developed conscious care security practices, and the lack of incentives to motivate health care professionals. The frequent data breaches in health care threaten the mutual trust between health care professionals and patients, which implicitly impacts the quality of the health care service. The modeling and analysis of health care professionals’ security practices can be conducted with the PSC framework by combining methods of statistical survey, observations, and interviews in relation to PSC variables, such as perceptions (perceived benefits, perceived threats, and perceived barriers) or psychological traits, social factors, cultural factors, and social demographics.
Data breaches in health care are on the rise, emphasizing the need for a holistic approach to risk mitigation. According to IBM’s 2019 report [
The use of information technology (IT) in health care (like in other sectors) has become indispensable [
Perimeter defenses have long been the default mechanism for providing information and network security and have therefore matured over the years. Perimeter defenses refer to securing the boundary between a company’s intranet and the public network (the internet) with physical security systems and technological countermeasures, such as firewalls, intrusion detection and prevention systems, security policy configurations, and antivirus systems [
The health care context is characterized by high levels of trust between various social and peer groups [
Security issues in health care have serious consequences [
To this end, there is a need to assess the security practices of the human element in order to control data breaches in health care. Good security practices have been defined in regulations, policies, standards, guidelines, and codes of conduct, which are required to be implemented with both technical and nontechnical measures. However, to what extent do users comply with the established security policies? What are the challenges often faced by health care workers in their effort to comply with the prescribed security practices while doing their work? Are these security measures in conflict with the health care professionals’ health-related practices? How can the security requirements be improved for effective compliance while improving security effectiveness? How can health care workers be incentivized to better comply with security requirements while conducting their primary work? To protect the very sensitive nature of health care data, the health care domain needs to be properly modeled, assessed, and analyzed from the perspective of all possible entry points to mitigate attacks that are often associated with the psychological, social, cultural, and demographic characteristics of system users [
Amid the increasing frequency of data breaches in health care, all possible methods that can be used to model and analyze health care professionals’ security activities for security metrics should be considered. To this end, the Healthcare Security Practice Analysis, Modeling, and Incentivization (HSPAMI) project was introduced to model and analyze the security practices of health care professionals with the objective of assessing the gap between required security practices and current health care security practices [
The security practices of health care professionals are influenced by their personal characteristics, such as social demographics, perceptions, and other social and cultural factors. Psychological theories have been used in studies focusing on human behavior where the results could predict human information security practices [
PSC characteristics in this study refer to personal aspects, such as perceptions, attitudes, norms, and beliefs, as well as social and cultural factors that can influence the security practice of health care professionals [
In a security practice analysis, the identified theories are usually related to various security practices. Parsons et al identified internet use, email use, social media use, password management, incident reporting, information handling, and mobile computing as comprehensive security practices in their survey work [
As outlined in the HAIS-Q, health care professionals’ security practices are the security measures adopted in day-to-day information system use, in response to security policies, to safeguard the confidentiality, integrity, and availability of health care information systems. The requirements for such practices are usually expressed in regulations, directives, legislation, and security policies and specified in standards, best practices, and codes of conduct. They cover the use of the internet, email, and social media; password management; incident reporting; information handling; and mobile computing [
Psychological, sociocultural, and demographic constructs.
Construct | Definition, hypothesis, and the effect on security practice |
Social demographics | Social demographics refer to professionals’ demographics and work-related factors that influence their security practices [ |
Psychological characteristics | Psychological characteristics in this study refer to an individual’s traits, perceptions, beliefs, thought processes, etc. These characteristics are influenced by various factors, including environmental factors [ |
Social factors | Social factors refer to the influence of peers and other professional groups. Social bonding, peer pressure, and trust level impact health care professionals’ security practices [ |
Cultural characteristics | Environmental norms, cultural beliefs, and assumptions impact security practices [ |
Relating independent variables with security practices.
In contributing to security conscious care behavior among health care workers, Humaidi et al developed a conceptual framework for determining the statistical significance of perceptions [
Similarly, Cannoy et al employed the technology acceptance model (TAM), the theory of reasoned action (TRA), information assurance and security ethical behavior, organizational culture, and health information management [
Furthermore, the PMT and theory of planned behavior (TPB) [
Relatedly, Box et al reviewed the literature and proposed a model for information security compliant security practices within health care environments [
In an effort to improve health care professionals’ conscious care behavior, van Deursen et al aimed to understand the sociotechnical risks of information security in the health care sector [
Various theories are used to model and assess the security practices of users. Cheng et al identified such theories, including the TRA/TPB, general deterrence theory, PMT, and TAM, as the most widely used theories for studying human security practices in the PSC context [
Similarly, Yeng et al surveyed for related theories, security practices, and evaluation methods [
Health care security practices are not only impacted by social demographic traits (eg, age, gender, and experience) [
In view of the shortfall of the above frameworks in allowing for the efficient study of health care professionals’ security practices, we propose the PSC framework to create a holistic set of health care professionals’ characteristics for analyzing a wide range of security practices.
Information security issues attributed to the human element have been recognized to be as important as technological security measures. Therefore, various frameworks have been developed in the PSC context, but none is comprehensive within this study scope. Some of the frameworks were developed to assess only perception variables [
This study proposes a holistic framework that consists of psychological, sociodemographic, and sociocultural variables, which can be used to analyze a comprehensive set of health care professionals’ security practices, as shown in
The framework builds on studies collected in a literature review, as shown in
We conducted a literature review of the state-of-the-art theories and security practices in health care in order to develop a holistic framework. According to previous reports [
The literature search was conducted between June 2019 and December 2019 through Google Scholar, ScienceDirect, Elsevier, IEEE Xplore, ACM Digital Library, PubMed, and Scopus. Different keywords, such as “healthcare,” “health,” “staff,” “employee,” “professional,” “information security,” “behavior,” and “practice” were used. To ensure a good-quality search strategy, the keywords were combined using the Boolean operators “AND,” “OR,” and “NOT.” Peer-reviewed journals and articles were considered. The inclusion and exclusion criteria were developed based on the study objective and through discussions among the authors. Initially, 337 articles were selected by skimming through the titles and keywords for articles that aligned with the inclusion and exclusion criteria. Screening was further applied by quickly reading the abstracts and keywords. Duplicates were then filtered out, and articles that appeared relevant, based on the inclusion and exclusion criteria, were read in their entirety and evaluated. Twenty-six articles were further removed from the study in the full reading and evaluation stage for various reasons, including limited scope and not meeting the inclusion and exclusion criteria. For instance, a study [
PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) flowchart.
Articles included in the review were required to be about security practices in the health care context and to pertain to health care professionals’ information security behaviors in relation to their work. Other articles, such as those that were not related to the health care context and did not focus on human behavior in health care, were excluded.
Data collection and categorization were established from the study objective through completion of the literature review and based on discussions among the authors. In order to assess, analyze, and evaluate the studies, these categories were defined as follows:
Theory used: This category included only theories (psychological, social, or cultural theories) used in the study to relate human characteristics to security practices.
Security practice: This category included the security measures (eg, password management, incident reporting, and internet usage) used in the study.
Study type: This category specified the type of study, whether theoretical or empirical. In this study, “empirical” refers to practical studies conducted in the health care context and “theoretical” refers to reviews and proposed frameworks for related studies.
Study context: This category specified what area (eg, psychological, social, cultural, or demographic context) the study covered.
The selected articles were assessed, analyzed, and evaluated based on the above defined categories. We performed an analysis on each of the categories (theory used, security practice, study type, and study context) to evaluate the state-of-the-art approaches. The percentages of the attributes for the categories were calculated based on the total number of counts (n) of each attribute type. Some studies fell into multiple categories; therefore, the number of counts for these categories exceeded the total number of articles in the study.
This section presents the findings of the literature review, the ontology, and the proposed theoretical framework.
The searches in the aforementioned online databases resulted in a total of 337 records being initially identified by following the guidelines of the inclusion and exclusion criteria in the reading of titles, abstracts, and keywords. We further screened and selected articles by reading the objective, methods, and conclusion sections of each study, and this led to a further exclusion of 185 articles that did not meet the defined inclusion criteria. A total of 96 duplicates were also removed, and the remaining 56 articles were fully read and appraised. After the full-text reading, a total of 30 articles were included and analyzed in the study (
Psychological, social, and cultural theories.
Theory | Count, n |
Health belief model [ | 6
Theory of planned behavior [ | 5
General deterrence theory [ | 4
Protection motivation theory [ | 4
Technology acceptance theory [ | 2
Technology threat avoidance theory [ | 1
Social bond theory [ | 1
Situational crime prevention [ | 1
Institutional theory [ | 1
Grounded theory [ | 1
Social control [ | 1
The big five theory [ | 1
The security practices that were often related with the individual characteristics of the health care professionals at their workplaces included password management (n=6), unauthorized disclosure (n=3), security policy and procedures (n=3), and email use with sensitive data (n=2), as shown in
The study contexts most frequently identified were psychology (n=7), demographics (n=6), social (n=3), and cultural (n=3), as shown in
Security practices.
Security practice | Count, n |
Password management [ | 6
Security policy and procedure [ | 3
Unauthorized disclosure [ | 3
Email use with sensitive data [ | 2
Logging off session [ | 2
Emergency access [ | 2
Categories of the studies identified.
Category | Count, n |
Psychology | 7 |
Demographics | 6 |
Social | 3 |
Cultural | 3 |
Linguistics | 1 |
A higher proportion of empirical studies (n=15) was identified, compared with theoretical studies (n=9).
Ontologies are formal specifications of key concepts within a domain and the relationships among them. Ontologies are purposeful artefacts that make domain assumptions explicit, enable the construction of a common understanding among stakeholders, enable the reuse of expert knowledge, etc [
Structure of the ontology representing concepts as classes and specifying the relationship among the classes. The relationships among concepts are represented by the arrows between concepts in the rectangles. HSPAMI: Healthcare Security Practice Analysis, Modeling, and Incentivization.
The main objective of the proposed ontology was to map the HSPAMI main study areas to empirically supported research results in order to develop a literature-based comprehensive holistic framework that can be utilized in the project and by researchers or practitioners interested in the domain of information security within the health care context [
The proposed ontology aimed to (1) structure the main focus areas of the HSPAMI project, (2) create a connection between these study areas and existing empirical research results, and (3) develop a comprehensive PSC framework that efficiently communicates domain knowledge to various stakeholders. Thus, the domain is defined as health care professionals’ security practices, and the scope is restricted to research results investigating the relationship between psychological and sociocultural theories and variables with respect to security behaviors.
Literature searches were conducted for existing comprehensive domain ontologies on Google Scholar, ScienceDirect, and Scopus, with the following keywords: “ontology,” “healthcare,” “security behavior,” and “practice.” These keywords were also combined with the Boolean functions of “AND,” “OR,” and “NOT.” No comprehensive ontology was identified. Ontologies that explicitly model and structure the domain have been proposed for various purposes in the health care domain, such as interoperability [
The fundamental concepts were identified in a previous report [
In order to represent the relationship between concepts of the domain and empirical research results, the classes were conceptually connected to each other. The combination approach was followed in defining the classes and hierarchy, which combined top-down and bottom-up approaches. More salient concepts (HSPAMI concepts and study components) were defined first, and then, based on the identified empirical results, more specific concepts were included. To deal with different terminologies applied to similar concepts (synonyms), the equivalence of classes was represented by the “isEquivalentTo” relationship between concepts, which was inherited by the instances added to the classes. Thus, theories that consisted of constructs could be included in the ontology by defining and connecting an instance to the accompanying theory. Variables that were not specifically part of any theory (eg, demographic variables) could be included by restricting the domain attribute to the class of constructs.
Main concepts defined as classes.
Classes | Instances |
HSPAMIa | —b |
HealthCareStaff | Doctors, nurses, etc |
Intervention/Incentivization | Motivation, deterrence, etc |
PsychoSocialCulturalDemographicVariable | Gender, age, etc |
SecurityPractice | PasswordManagement, EmailUse, etc |
Theory | Theory of planned behavior, protection motivation theory, etc |
Construct/IndependentVariable | Attitude, SubjectiveNorm, etc |
DependentVariable | ActualBehavior, SecurityAwareness, etc |
aHSPAMI: Healthcare Security Practice Analysis Modeling and Incentivization.
bNo instance.
The main objective of this step was to describe the relationship of a class to other individuals. The properties were defined at the most general class; thus, all members of that class inherited the given property.
Relation of classes.
Relation of classes | Classes connected |
consistsOf | Theory - Construct |
influence | IndependentVariable - DependentVariable |
isEquivalentTo | Construct - PsychoSocialCulturalDemographicVariable |
exhibit | HealthCareStaff - SecurityPractice, DependentVariable |
isCharacterizedBy/isModeledBy | HealthCareStaff - Construct |
aimsToModify | Intervention/Incentivization - SecurityPractice |
focusesOn | HSPAMIa - Intervention, HealthCareStaff |
isATypeOf | Gender - Construct |
hasAttribute | SelfEfficacy - Psychological; Gender - Demographic |
aHSPAMI: Healthcare Security Practice Analysis Modeling and Incentivization.
This step was not carried out at this stage of the ontology’s development. Since ontologies can be developed at various levels of granularity, it may be completed iteratively at a future stage when the requirements (eg, development of software) are defined more specifically. For the purpose of creating a comprehensive framework of health care staff characteristics and security practices, this step was unnecessary.
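As an added illustration, not an artefact of the HSPAMI project, the following Python sketch encodes the classes from the table of main concepts and the object properties from the table of relations as a small in-memory ontology. It makes three of the mechanisms described above concrete: a property declared on the most general class is inherited by members of a subclass (an assumed Nurse subclass of HealthCareStaff, which the page does not define), individuals linked by isEquivalentTo share their facts so that a synonym used in one paper resolves to the same construct as another paper’s term, and a fact whose subject or object lies outside the declared domain or range is rejected. The instance-level facts (the staff member nurse_1, which theory consists of which construct, which construct influences which dependent variable) are constructed sample data, not results extracted from the reviewed papers.

```python
"""In-memory sketch of the HSPAMI PSC ontology (added example; sample facts are constructed)."""


class Ontology:
    def __init__(self):
        self.parent = {}      # class -> parent class (None for a top class)
        self.types = {}       # individual -> set of classes it belongs to
        self.props = {}       # property -> (domain classes, range classes)
        self.triples = set()  # (subject, property, object)

    def add_class(self, name, parent=None):
        self.parent[name] = parent

    def add_property(self, name, domain, range_):
        # Declared once at the most general class; subclass members inherit it.
        tup = lambda x: (x,) if isinstance(x, str) else tuple(x)
        self.props[name] = (tup(domain), tup(range_))

    def add_instance(self, name, cls):
        # An individual may carry several types (page: Gender isATypeOf Construct).
        self.types.setdefault(name, set()).add(cls)

    def _ancestors(self, cls):
        while cls is not None:
            yield cls
            cls = self.parent[cls]

    def objects(self, s, p):
        return {o for (s2, p2, o) in self.triples if (s2, p2) == (s, p)}

    def equivalents(self, ind):
        """Transitive closure of isEquivalentTo (stored symmetrically)."""
        seen, todo = {ind}, [ind]
        while todo:
            for o in self.objects(todo.pop(), "isEquivalentTo") - seen:
                seen.add(o)
                todo.append(o)
        return seen

    def is_a(self, ind, classes):
        """Membership test honouring subclassing and synonym equivalence."""
        return any(a in classes for each in self.equivalents(ind)
                   for cls in self.types.get(each, ()) for a in self._ancestors(cls))

    def assert_fact(self, s, p, o):
        """Add a triple; refuse it if it violates the property's domain/range."""
        domain, range_ = self.props[p]
        if not (self.is_a(s, domain) and self.is_a(o, range_)):
            raise ValueError(f"({s} {p} {o}) violates domain/range of {p}")
        self.triples.add((s, p, o))
        if p == "isEquivalentTo":
            self.triples.add((o, p, s))

    def influenced(self, variable):
        """Dependent variables influenced by a construct or any synonym of it."""
        return set().union(*(self.objects(c, "influence")
                             for c in self.equivalents(variable)))

    def theories_for(self, staff):
        """Theories whose constructs (or their synonyms) characterize a staff member."""
        eqs = set().union(*(self.equivalents(c)
                            for c in self.objects(staff, "isCharacterizedBy")))
        return {s for (s, p, o) in self.triples if p == "consistsOf" and o in eqs}


def build_psc_ontology():
    onto = Ontology()
    for cls in ["HealthCareStaff", "Theory", "Construct", "SecurityPractice",
                "PsychoSocialCulturalDemographicVariable", "DependentVariable"]:
        onto.add_class(cls)
    onto.add_class("Nurse", parent="HealthCareStaff")  # assumed subclass, not on the page
    onto.add_property("consistsOf", "Theory", "Construct")
    onto.add_property("influence", "Construct", "DependentVariable")
    onto.add_property("isEquivalentTo", "Construct", "PsychoSocialCulturalDemographicVariable")
    onto.add_property("exhibit", "HealthCareStaff", ("SecurityPractice", "DependentVariable"))
    onto.add_property("isCharacterizedBy", "HealthCareStaff", "Construct")
    # Constructed instances (names taken from the class table where it gives them).
    for name, cls in [("nurse_1", "Nurse"), ("ProtectionMotivationTheory", "Theory"),
                      ("SelfEfficacy", "Construct"), ("PasswordManagement", "SecurityPractice"),
                      ("Gender", "PsychoSocialCulturalDemographicVariable"),
                      ("PerceivedSelfEfficacy", "PsychoSocialCulturalDemographicVariable"),
                      ("ActualBehavior", "DependentVariable")]:
        onto.add_instance(name, cls)
    onto.add_instance("Gender", "Construct")  # page: Gender isATypeOf Construct
    onto.assert_fact("ProtectionMotivationTheory", "consistsOf", "SelfEfficacy")
    onto.assert_fact("SelfEfficacy", "isEquivalentTo", "PerceivedSelfEfficacy")
    onto.assert_fact("SelfEfficacy", "influence", "ActualBehavior")
    onto.assert_fact("Gender", "influence", "ActualBehavior")
    onto.assert_fact("nurse_1", "isCharacterizedBy", "PerceivedSelfEfficacy")  # synonym accepted
    onto.assert_fact("nurse_1", "exhibit", "PasswordManagement")  # property inherited by Nurse
    return onto


def rejects(onto, s, p, o):
    try:
        onto.assert_fact(s, p, o)
    except ValueError:
        return True
    return False
```

With the sample facts, theories_for("nurse_1") returns the protection motivation theory: nurse_1 is characterized by PerceivedSelfEfficacy, which is declared equivalent to the SelfEfficacy construct that the theory consists of. Asserting that PasswordManagement influences ActualBehavior is refused, because a SecurityPractice is not in the domain of influence; this is the kind of modeling slip the domain and range declarations are there to catch when instances are extracted from many papers with differing vocabularies.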
The research papers meeting the inclusion criteria were subsequently analyzed in detail to extract instances for the previously enumerated classes. The list of papers reviewed for constructing the ontology are presented in
For the purpose of demonstration,
Instances and additional properties defined from the review paper [
Expansion of the ontology based on results from a previous report [
The framework shown in
Independent variables: This aspect of the PSC framework consists of the characteristics of the health care staff that can impact health care professionals’ security practices. With reference to
Social factors: Social factors are the social influences that can shape health care professionals’ information security behaviors. Such constructs include social bonding, peer pressure, and trust level, as shown in
Cultural factors: Culture-related traits that can impact information security include environmental norms, beliefs, and assumptions.
Social demographics: Social demographics, such as gender, workload, information security experience, emergency, role, and experience, are hypothesized to have an impact on information security relating to health care staff.
Proposed psychosociocultural framework.
The PSC framework also has mediating variables, which are the security practices of the health care staff. Health care security practices are the required security-related behaviors defined in the policies, standards, regulations, and codes of conduct for health care personnel; staff are required to abide by them to preserve the confidentiality, integrity, and availability of health care data. The security practices in the PSC framework were adopted from the HAIS-Q, a questionnaire that covers a comprehensive set of information security practices. In a typical health care environment, health care staff members carry out their daily security practices within the scope covered by the HAIS-Q, and these practices are impacted by the independent variables. Security practices include social network usage, password management, incident reporting, mobile computing, and internet use, as shown in
Finally, the target or the dependent variable is the measured security practice of health care staff. Such a security metric can therefore be used for management decision-making, such as implementing intervention measures aimed to improve conscious care security practices.
Information security management for mitigating data breaches involves identifying the threats to information security and devising efficient countermeasures [
To this end, we identified constructs capturing psychological, sociocultural, and demographic variables (termed in this study as “psychosociocultural context”) to develop the PSC framework to understand health care professionals’ security practices. The main contribution of this paper is the development of the PSC framework implemented as a domain ontology. Specifically, the framework includes concepts and important variables that have been empirically proven to influence the behavior (ie, security-related practices) of health care professionals when dealing with sensitive information in a health care work setting.
Based on the overview of existing literature [
The utility of the proposed framework will be tested in the HSPAMI project by scoping the forthcoming investigations on factors that must be considered in monitoring and modifying health care professionals’ security-related behaviors. While specific empirical research papers are necessarily limited with respect to their scope on the security practices and the theories utilized, such papers provide the crucial building blocks of the overarching framework. The first major advantage of the present framework is that it encompasses accumulated knowledge by utilizing the evidence from previous investigations (each focusing on narrowly defined behaviors [
Based on the literature survey, we also developed an ontology to include significant concepts for the development of the PSC framework. Within the PSC context of health care professionals’ security practices, various studies exist [
Evaluation of the ontology refers to judgments about the technical features of the ontology and assessment of its usability and utility. Generally, evaluation aims at ensuring the correctness and completeness of an ontology [
With respect to the comprehensiveness of the current PSC framework, it is comparable to similar approaches [
To complement the efforts of health care professionals in maintaining the confidentiality, integrity, and availability of health care data, a systematic approach to identify the detailed and subtle health care professionals’ characteristics that impact information security practices must be applied. All these constructs are vital when measuring the conscious care behavior of health care professionals. For example, if we assume that psychological constructs are not measured in a typical empirical study of security conscious care behaviors, there will be a gap since the perception of the health care security practice will not be captured [
Therefore, through the PSC framework developed in this paper, we identified various constructs within the project domain. The holistic approach is much needed because it strives to capture the entire problem area in the scope of the project. Focusing on just one or two aspects of staff-related traits that impact security in the health care industry might not be sufficiently effective [
The mutual trust between health care professionals and their patients is under threat owing to frequent and large data breaches in health care. Furthermore, the richness of health care data is attracting cyber criminals. Since scaling universal technological security measures is challenging, cyber criminals tend to exploit health care staff for easy entry.
To curtail this rise in data breaches, a comprehensive set of health care professionals’ characteristics and security practices, which can impact information security, was identified. An ontology was developed from the literature identified in the review. Then, a holistic PSC framework was developed. The framework can be implemented with a mixed method approach encompassing both qualitative and quantitative studies [
Owing to the systematic approach used to develop the PSC framework, it is possible to identify reliable security metrics while considering all the subtle characteristics of health care professionals and their related security practices. Such metrics can then be used to develop incentivization or motivational measures aimed toward building stronger “human firewalls” to curtail data breaches in health care. Beyond the conventional qualitative evaluation methods of interviews and questionnaires or surveys, other approaches, including team-based learning [
Furthermore, clarifying the meaning and interconnectedness of various terms imported from different domains (eg, psychology, information security, sociology, etc) can be beneficial for discovering contradictory or converging pieces of evidence revealed by researchers. While the ontology currently captures only a limited number of concepts from the PSC and demographic contexts of health care professionals, it is flexible and can be extended with new results based on advances in the literature. The level of granularity can, for instance, be increased depending on the requirements of the applications in future work. The emphasis on empirical foundations could also be strengthened by representing associations between variables through specifying additional object properties associated with the classes (eg, correlations, predictive accuracy, etc). The compatibility of this domain ontology with other ontologies (eg, health care staff demographic characteristics in employee databases) needs to be investigated in future work to increase reusability and to achieve more realistic mapping between research results and the opportunities to observe the variables included in the framework. Additional expert knowledge could be useful for enriching the framework, and this can be achieved through iterative workshop sessions with other stakeholders (eg, health care staff, security practitioners, etc).
Analysis of the theories and their application areas in the Healthcare Security Practice Analysis Modeling and Incentivization (HSPAMI) project [4].
Summary of the literature review.
Articles used to construct the ontology.
GDPR: General Data Protection Regulation
HAIS-Q: Human Aspect of Information Security Questionnaire
HSPAMI: Healthcare Security Practice Analysis Modeling and Incentivization
IT: information technology
PMT: protection motivation theory
PSC: psychosociocultural
TAM: technology acceptance model
TPB: theory of planned behavior
TRA: theory of reasoned action
None declared.