Information security compliance in a healthcare setting: A user behavior pilot study

Human behavior is known to be one of the weakest links to information security and a likely cause of incidents that may lead or contribute to the loss or compromise of sensitive information (Ahmad, & Ismail, 2010; Akhunzada, Kam, 2015; Aloul, 2012; Cain, Edwards, & Still, 2018; Long, 2013; Narayana, Sookhak, & Anuar, 2015; Pike, 2011; Seidenberger, 2016). The Health Insurance Portability and Accountability Act (1996) requires healthcare organizations to comply with national standards to reduce the likelihood of a privacy breach. Online stolen data markets, where cybercriminals operate in the dark web, advertise, sell, share, and trade sensitive personally identifiable information for nefarious purposes (Chertoff, 2017; Holt et al., 2016). The 29-statement pilot study survey replicates the Safa et al. (2015) survey and was administered to 39 UW Medicine (UWM) employees via the UWM Research Electronic Data Capture online survey application. The survey statements are based on the Theory of Planned Behavior, the Protection Motivation Theory, and the Safa et al. (2015) employee information security conscious care behavior model. The UWM pilot study statements were modified, and results are presented (n = 32). Descriptive statistics are provided, as well as lessons learned, which will be incorporated into a larger-scale survey deployment. This is a timely study to determine how best to reduce the likelihood of a user error or a cyber adversary exploiting a weakness that could lead to or cause a global catastrophic cyber event that could potentially trigger further political, economic, and social volatility