Physicians, nurses and support staff respond differently to data breach security policies: study

Posted on: Wednesday, October 7, 2020 By: KorchekStaff

The different subcultures of physicians, nurses and support staff will influence whether employees violate information security policies, including locking the EHR workstation, according to Binghamton (N.Y.) University researchers.

In a study recently published in Information Systems Research, the research team worked with Temple University, Georgia State University, Wellstar Kennestone Hospital and Emory University School of Medicine to analyze information security policy (ISP) compliance.

The researchers spent years on the analysis and examined ISP compliance among physicians, nurses and support staff. One researcher was stationed in a hospital for more than two years to monitor and analyze activities as well as conduct interviews and surveys with numerous employees.

One main area of focus for the study was the requirement for hospital employees to lock their EHR workstation when not present, which physicians were less likely to do, said Sumantra Sarkar, PhD, associate information systems management professor at Binghamton University, according to the Oct. 6 news release.

"Physicians, who are dealing with emergency situations constantly, were more likely to leave a workstation unlocked. They were more worried about the immediate care of a patient than the possible risk of a data breach," writes Dr. Sarkar. "On the opposite end, support staff rarely kept workstations unlocked when they were away, as they felt they were more likely to be punished or fired should a data breach occur."

While the EHR is one example, the researchers concluded that each subculture within a hospital organization will respond differently to the organization-wide ISP, which leaves organizations at a greater risk of data breaches. To mitigate risk, the researchers recommend consulting each subculture while developing the ISP so the protocols are designed to accommodate their workflows.

"There shouldn't be situations where physicians are putting the entire hospital at risk for a data breach because they are dealing with a patient who needs emergency care," Dr. Sarkar said. "We need to find ways to accommodate the responsibilities of different employees within an organization."
