Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

Objectives This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce? Methods A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior. Results A total of 453/700 (64%) were responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude. Conclusion Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.