Security and privacy oriented information security culture (ISC): Explaining unauthorized access to healthcare data by nursing employees

Protecting sensitive healthcare data is particularly challenging. Nursing employees are critical in protecting healthcare data since they make up a large portion of the healthcare workforce and have direct access to healthcare data. Information security culture (ISC) plays a prominent role in protection of healthcare data albeit their relationship remains unclear. In this study, we first define and operationalize two new dimensions of organizational ISC related to security and privacy. Then, a survey of Slovenian nursing employees (n = 527) was conducted to validate the measurement instrument and examine the associations between the newly developed ISC dimensions and unauthorized access to healthcare data by nursing employees based on the theory of planned behavior (TPB). The measurement instrument was first validated with an exploratory and then with a confirmatory factor analysis. Both analyses indicate adequate validity and reliability of the newly developed ISC dimensions. The results of PLS-SEM analysis show that security oriented ISC is negatively associated with subjective norm and normative beliefs while privacy oriented ISC is negatively associated with attitude towards behavior. Additionally, they indicate that TPB explains well unauthorized access to healthcare data. The results of our study thus indicate an indirect relation between ISC and unauthorized access to healthcare data. Awareness training is considered as essential means for ensuring proper practical implementations of ethical norms, such as privacy-preserving behavior, by nursing employees. Our study suggests that such awareness interventions may aim either to strengthen the social influence on nursing employees, their attitudes or both. Awareness interventions aiming to strengthen the social influence of nursing employees may focus on established organizational data protection practices and other important organizational values, norms, and accepted ways of working in an organization. Attitudes of nursing employees may be strengthened with awareness interventions focusing on their personal beliefs and ethics.