INFORMATION SECURITY IN HEALTH CARE - Evaluation with Health Professionals

Robin Krens, Marco Spruit, Nathalie Urbanus-van Laar


Information security in health care is a topic of much debate. Various technical and means-end oriented approaches have been presented over the years, yet have not shown to be sufficient. This paper outlines an alternative view and approaches medical information security from a health professional’s perspective. The Information Security Employee’s Evaluation (ISEE) is presented to evaluate and discuss medical information security with health professionals. The ISEE instrument consists of seven dimensions: priority, responsibility, incident handling, functionality, communication, supervision and training and education. The ISEE instrument can be used to better understand health professional’s perception, needs and problems when dealing with information security in practice. Following the design science approach, the ISEE instrument was validated within a focus group of security experts and pilot tested as workshops across five hospital departments in two medical centers. Although the ISEE instrument has by no means the comprehensiveness of existing security standards, we do argue that the instrument can provide valuable insights for both practitioners and research communities.


  1. Ashenden, D. (2008). Information security management: A human challenge? Information Security Technical Report, 13(4):195-201.
  2. Barber, B. (1998). Patient data and security: an overview. International Journal of Medical Informatics, 49(1):19-30.
  3. Dhillon, G. and Backhouse, J. (2001). Current directions in IS security research: towards socioorganizational perspectives. Information Systems Journal, 11(2):127-154.
  4. Fernando, J. I. and Dawson, L. L. (2009). The health information system security threat lifecycle: An informatics theory. International Journal of Medical Informatics, 78(12):815-826.
  5. Ferreira, A., Antunes, L., Chadwick, D., and Correia, R. (2010). Grounding information security in healthcare. International Journal of Medical Informatics, 79(4):268-283.
  6. Gaunt, N. (2000). Practical approaches to creating a security culture. International Journal of Medical Informatics, 60(2):151-157.
  7. Hevner, A. R., March, S. T., Park, J., and Ram, S. (2004). Design science in information systems research. MIS Quarterly, 28(1):75-105.
  8. International Organization for Standardization (2005). Information technology - security techniques - code of practice for information security management. Technical Report ISO/IEC 27002:2005, International Organization for Standardization, Geneva.
  9. Kraemer, S. and Carayon, P. (2005). Computer and information security culture: Findings from two studies. In Human factors and the Ergonomics Environment, pages 1483-1487, Orlando. Human Factors and the Ergonomics Society.
  10. Nosworthy, J. D. (2000). Implementing information security in the 21st century do you have the balancing factors? Computers & Security, 19(4):337-347.
  11. OECD (2002). Guidelines for the security of information systems and networks: Towards a culture of security. Technical report, Organization for Economic Cooperation and Development, Paris.
  12. Parker, D. and Hudson, P. T. (2001). HSE: Understanding your culture. Shell International Exploration and Production, EP 2001 - 5124.
  13. Pope, C., Mays, N., and Kitzinger, J., editors (2006). Qualitative research in health care, chapter Focus Groups, pages 21-31. Blackwell Publishing, Oxford, 3rd edition.
  14. Reason, J. (1993). The identification of latent organizational failures in complex systems. In J.A. Wise, V.D. Hopkin, P. S., editor, Verification and identification of complex systems: human factor issues, pages 223-237, New York. Springer-Verlag.
  15. Siponen, M. T. (2005). An analysis of the traditional IS security approaches: implications for research and practice. European Journal of Information Systems, 14(3):305-315.
  16. Stamp, M. (2006). Information security: principles and practice. John Wiley & Sons, Hoboken, 2nd edition.
  17. University of Manchester and National Patient Safety Agency (2006). Manchester patient safety framework MaPSaF.
  18. Westrum, R. (1993). Cultures with requisite imagination. In J.A. Wise, V. D. Hopkin, P. S., editor, Verification and Validation in Complex Man-machine Systems, pages 401-416, New York. Springer-Verlag.
  19. Williams, P. A. H. (2008). When trust defies common security sense. Health Informatics Journal, 14(3):211- 221.

Paper Citation

in Harvard Style

Krens R., Spruit M. and Urbanus-van Laar N. (2011). INFORMATION SECURITY IN HEALTH CARE - Evaluation with Health Professionals . In Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2011) ISBN 978-989-8425-34-8, pages 61-69. DOI: 10.5220/0003157700610069

in Bibtex Style

author={Robin Krens and Marco Spruit and Nathalie Urbanus-van Laar},
title={INFORMATION SECURITY IN HEALTH CARE - Evaluation with Health Professionals},
booktitle={Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2011)},

in EndNote Style

JO - Proceedings of the International Conference on Health Informatics - Volume 1: HEALTHINF, (BIOSTEC 2011)
TI - INFORMATION SECURITY IN HEALTH CARE - Evaluation with Health Professionals
SN - 978-989-8425-34-8
AU - Krens R.
AU - Spruit M.
AU - Urbanus-van Laar N.
PY - 2011
SP - 61
EP - 69
DO - 10.5220/0003157700610069