Differing Medical Professional Cultures Shape How Clinicians, Staff Handle InfoSec Issues

Data from a recent research study suggests that the subcultures in which nurses, doctors and healthcare support staff work can have a big influence on whether they’re likely to comply with healthcare information security policies.  Healthcare organizations could face a higher risk of data breaches if they don’t address those differing work styles in their security plans, researchers concluded.

The researchers, whose work was published in Information Systems Research, worked with Temple University, Georgia State University, Wellstar Kennestone Hospital and Emory University School of Medicine to look at the extent to which people working in these organizations were complying with information security policies.

The initiative, which examined infosec compliance among physicians, nurses and staffers over several years, posted a researcher in a hospital for more than two years. This researcher conducted interviews and surveys with employees in addition to analyzing their activities.

One of the key focus areas of the study was whether hospital employees took the time to lock their EHR workstation when they weren’t present. The research team concluded that physicians, who may deal with emergency situations often, were more likely to leave workstations unlocked, as they worried more about patients’ needs than the risk of a possible data breach. On the other hand, they found, support staffers were unlikely to leave their workstations unlocked when they left their desks. They reported being afraid that they’d be punished or even fired if a data breach took place.

In light of these findings, researchers are recommending that health employers do an overhaul of the design and implementation of their infosec policies. One key part of making this shift will be to work with employees to find ways to fit compliance into their day-to-day workflow. This should include consulting with each of the major organizational subcultures to make sure that their specific needs are addressed.

To tackle the problem of unlocked, unoccupied workstations, researchers are recommending touchless, proximity-based authentication mechanisms that can lock or unlock workstations when employees approach or leave their workspace.

Of course, security measures don’t exist in a vacuum, and there are other forces afoot which could overwhelm any benefits employee-centered infosec tweaks could generate. According to a study done last year by Black Book Market Research, few hospitals were focused on methodically beefing up their cybersecurity.

However, the pressures imposed by the pandemic throw yet another spanner in the works. While CTOs certainly haven’t forgotten about security concerns, they’re still facing huge shifts in their business which continue to arise from COVID. That makes it less likely that they’ll have the time and resources to invest in process improvement projects.

Still, over the longer term, it seems likely that tailoring information security policies to address individual workers’ needs makes sense. Ultimately, if you want to run an organization efficiently, establishing smart workflows is king.

About the author

Anne Zieger

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.