Behavioural Information Security Practices of Healthcare Professionals: A Five-Year Systematic Literature Review

Abstract

Information security is critical to fortifying organisations in a technologically evolving world where cyber criminals, threats and challenges remain prominent, particularly for healthcare organisations. The healthcare industry has been known as a patient-centric sector focusing and investing in increasing patient care, services, and medical devices to ensure services operate efficiently and effectively; however, health organisations still need to be equipped and remain under-trained against cyber threats and attacks. This study focused on the behavioural interactions of health professionals through a systematic literature review between 2017 and 2023. The study found seventeen behavioural interactions, including but not limited to shared workstations, shared passwords and credential log-in, utilising shared USB sticks and sticky notes to record patient information. The behavioural interactions were sorted against a factor, which included information security knowledge and awareness, workload management, information security culture, access and authentication, and data backup and encryption. The behavioural interactions against the factors were found to have implications on the overall cybersecurity dimensions of people, processes, and technology. The study recommended using the CIS benchmark, and HIPAA controls to address the identified behaviours, in addition to a proposed information security knowledge and awareness implementation framework that highlights the training contents that could be used to address the behavioural interactions of health professionals.