‘Inconvenient’ Cybersecurity Policies Put Healthcare Organizations at Risk

• Information security policies are not grounded in the realities of an employee’s work responsibilities
• Physicians who are dealing with emergency situations constantly are more likely to leave a workstation unlocked
• Security professionals must find ways to seamlessly integrate ISP compliance within specific job tasks

Organizations need to find ways to accommodate different employees' responsibilities – especially in healthcare institutions, according to an extensive study by researchers from Binghamton University, State University of New York.

The study – The Influence of Professional Subculture on Information Security Policy Violations: A Field Study in a Healthcare Context – took years to complete, with one researcher ‘planting’ himself in a hospital setting for over two years to observe and analyze activities, and conduct interviews and surveys with staff.

The researchers found that information security policies are not grounded in the realities of an employee’s work responsibilities and priorities, exposing organizations to a higher risk of data breaches. Specifically, they found that subcultures within an organization carry massive influence on whether employees violate or obey standard security practices.

“Every organization has a culture that is typically set by top management. But within that, you have subcultures among different professional groups in the organization,” said Sumantra Sarkar, associate professor of management information systems in Binghamton University’s School of Management. “Each of these groups are trained in a different way and are responsible for different tasks.”

Sarkar and his fellow researchers focused on compliance within three subcultures in a typical hospital setting – physicians, nurses and support staff. Because patient data is highly confidential, researchers focused on hospital employees' obligation to lock their electronic health record (EHR) workstation when they’re not around.

“Physicians who are dealing with emergency situations constantly were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach,” said Sarkar. “On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur.”

The results should apply, more or less, to any large organization, but the healthcare industry seems particularly prone to circumventing security policies based on mission and subculture. Binghamton University researchers recommend consulting with each subculture while developing internal security policies.

“Information security professionals should have a better understanding of the day-to-day tasks of each professional group, and then find ways to seamlessly integrate ISP compliance within those job tasks. It is critical that we find ways to redesign ISP systems and processes in order to create less friction,” said Sarkar.