Fuzzy Assessment of Health Information System Users’ Security Awareness

  • Original Paper
Journal of Medical Systems

Abstract

Health information systems (HIS) are a specific area of information systems (IS), where critical patient data is stored and quality health service is only realized with the correct use and efficient dissemination of this data to health workers. Therefore, a balance needs to be established between the level of security and the flow of information in HIS. Instead of implementing higher levels and further mechanisms of control to increase the security of HIS, it is preferable to deal with the arguably weakest link in the HIS chain with respect to security: HIS users. In order to provide solutions and approaches for transforming users into the first line of defense in HIS, and also to employ capable and appropriate candidates from the pool of newly graduated students, it is important to assess and evaluate the security awareness levels and characteristics of these existing and future users. This study aims to provide a new perspective for understanding the phenomenon of security awareness of HIS users through the use of fuzzy analysis, and to assess the present situation of current and future HIS users of a leading medical and educational institution of Turkey with respect to their security characteristics, based on four different security scales. The results of the fuzzy analysis, a guide on how to implement this fuzzy analysis in any health institution and how to read and interpret its results, and the possible implications of these results for the organization are provided.

Notes

  1. Ng et al. define computer security incidents as “a security-related adverse event in which there is a loss of information confidentiality, disruption of information or system integrity, disruption or denial of system availability, or violation of any computer security policies” [1].

References

  1. Ng, B.-Y., Kankanhalli, A., and Xu, Y., Studying users' computer security behavior: a health belief perspective. Decis. Support. Syst. 46(4):815–825, 2009.

  2. Kankanhalli, A., Teo, H.-H., Tan, B. C. Y., and Wei, K.-K., An integrative study of information systems security effectiveness. Int. J. Inf. Manag. 23(2):139–154, 2003.

  3. Stanton, J. M., Mastrangelo, P. R., Stam, K. R., and Jolton, J., Behavioral information security: two end user survey studies of motivation and security practices. Proceedings of the Tenth Americas Conference on Information Systems, New York, 2004.

  4. Aurigemma, S., and Panko, R., A composite framework for behavioral compliance with information security policies. System Science (HICSS) 45th Hawaii International Conference on System Sciences, Maui, 2012.

  5. Chan, M., Woon, I., and Kankanhalli, A., Perceptions of information security at the workplace: linking information security climate to compliant behavior. Journal of Information Privacy and Security 1(3):18–41, 2005.

  6. Pahnila, S., Siponen, M., and Mahmood, A., Employees' behavior towards IS security policy compliance. System Sciences, 2007. HICSS 2007. 40th Annual Hawaii International Conference on, 2007.

  7. D’Arcy, J., and Hovav, A., Countermeasures and information systems misuse behaviors. Journal of Information System Security 3(2):3–30, 2007.

  8. Hadasch, F., Mueller, B., and Maedche, A., Exploring antecedent environmental and organizational factors to user-caused information leaks: a qualitative study. ECIS 2012 Proceedings, 2012.

  9. Zhang, J., Reithel, B. J., and Li, H., Impact of perceived technical protection on security behaviors. Information Management & Computer Security 17(4):330–340, 2009.

  10. Bulgurcu, B., Cavusoglu, H., and Benbasat, I., Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Q. 34(3):523–548, 2010.

  11. LaRose, R., Rifon, N. J., and Enbody, R., Promoting personal responsibility for internet safety. Commun. ACM 51(3):71–76, 2008.

  12. Health Information Systems, 27 07 2009. [Online]. Available: http://go.worldbank.org/XFTO56S8S0. [Accessed 2 03 2013].

  13. Katsikas, S. K., Health care management and information systems security: awareness, training or education? Int. J. Med. Inform. 60(2):129–135, 2000.

  14. Giuse, D. A., and Kuhn, K. A., Health information systems challenges: the Heidelberg conference and the future. International journal of medical informatics 69(2):105–114, 2003.

  15. Ammenwerth, E., Gräber, S., Herrmann, G., Bürkle, T., and König, J., Evaluation of health information systems—problems and challenges. Int. J. Med. Inform. 71(2):125–135, 2003.

  16. Haux, R., Health information systems – past, present, future. Int. J. Med. Inform. 75(3–4):268–281, 2006.

  17. Appari, A., and Johnson, M. E., Information security and privacy in healthcare: current state of research. Int. J. Internet and Enterprise Management 6(4):279–314, 2010.

  18. Grandison, T., and Sloman, M., A survey of trust in internet applications. Communications Surveys & Tutorials 3(4):2–16, 2000.

  19. Blumenthal, D., Stimulating the adoption of health information technology. N. Engl. J. Med. 360(15):1477–1479, 2009.

  20. Goldschmidt, P. G., HIT and MIS: implications of health information technology and medical information systems. Commun. ACM 48(10):68–74, 2005.

  21. Janczewski, L., and Xinli Shi, F., Development of information security baselines for healthcare information systems in New Zealand. Computers & Security 21(2):172–192, 2002.

  22. Rindfleisch, T. C., Privacy, information technology, and health care. Commun. ACM 40(8):92–100, 1997.

  23. Smith, E., and Eloff, J., Cognitive fuzzy modeling for enhanced risk assessment in a health care institution. Intelligent Systems and their Applications, IEEE 15(2):69–75, 2000.

  24. Buckovich, S. A., Rippen, H. E., and Rozen, M. J., Driving toward guiding principles a goal for privacy, confidentiality, and security of health information. J. Am. Med. Inform. Assoc. 6(2):122–133, 1999.

  25. Zadeh, L. A., Fuzzy sets as a basis for a theory of possibility. Fuzzy sets and systems 100 Supplement, pp. 9–34, 1999.

  26. Dhillon, G., and Torkzadeh, G., Value–focused assessment of information system security in organizations. Inf. Syst. J. 16(3):293–314, 2006.

  27. Carrasco, R. A., Muñoz-Leiva, F., Sánchez-Fernández, J., and Liébana-Cabanillas, F. J., A model for the integration of e-financial services questionnaires with SERVQUAL scales under fuzzy linguistic modeling. Expert Syst. Appl. 39:11535–11547, 2012.

  28. Ngan, S.-C., Decision making with extended fuzzy linguistic computing, with applications to new product development and survey analysis. Expert Syst. Appl. 38:14052–14059, 2011.

  29. Belohlavek, R., Sigmund, E., and Zacpal, J., Evaluation of IPAQ questionnaires supported by formal concept analysis. Inf. Sci. 181:1774–1786, 2011.

  30. Azar, A., and Darvishi, Z. A., Development and validation of a measure of justice perception in the frame of fairness theory—fuzzy approach. Expert Syst. Appl. 38:7364–7372, 2011.

  31. Hosmer, H. H., Security is fuzzy!: applying the fuzzy logic paradigm to the multipolicy paradigm. Proceedings on the 1992-1993 workshop on New security paradigms, 1993.

  32. Phuong, N. H., and Kreinovich, V., Fuzzy logic and its applications in medicine. Int. J. Med. Inform. 62(2):165–173, 2001.

  33. Binaghi, E., Gallo, I., Ghiselli, C., Levrini, L., and Biondi, K., An integrated fuzzy logic and web-based framework for active protocol support. Int. J. Med. Inform. 77(4):256–271, 2008.

  34. Başçiftçi, F., and İncekara, H., Design of web-based fuzzy input expert system for the analysis of serology laboratory tests. J. Med. Syst. 36(4):2187–2191, 2012.

  35. Esposito, M., De Falco, I., and De Pietro, G., An evolutionary-fuzzy DSS for assessing health status in multiple sclerosis disease. Int. J. Med. Inform. 80(12):245–254, 2011.

  36. Lopes, M. H. B. D. M., Ortega, N. R. S., Silveira, P. S. P., Massad, E., Higa, R., and Marin, H. D. F., Fuzzy cognitive map in differential diagnosis of alterations in urinary elimination: a nursing approach. Int. J. Med. Inform. 80(12):201–208, 2013.

  37. Badawi, A. M., Derbala, A. S., and Youssef, A.-B., Fuzzy logic algorithm for quantitative tissue characterization of diffuse liver diseases from ultrasound images. Int. J. Med. Inform. 55(2):135–147, 1999.

  38. Singh, S., Kumar, A., Panneerselvam, K., and Vennila, J. J., Diagnosis of arthritis through fuzzy inference system. J. Med. Syst. 36(3):1459–1468, 2012.

  39. Das, S., Chowdhury, S. R., and Saha, H., Accuracy enhancement in a fuzzy expert decision making system through appropriate determination of membership functions and its application in a medical diagnostic decision making system. J. Med. Syst. 36(3):1607–1620, 2012.

  40. Ogutcu, G., and Aydin, O., Analysis of personal information security behavior and awareness in E-transformation process. Submitted manuscript.

  41. Milne, G. R., Labrecque, L. I., and Cromer, C., Toward an understanding of the online consumer’s risky behavior and protection practices. J. Consum. Aff. 43(3):449–473, 2009.

  42. Bechara, A., Risky business: emotion, decision-making, and addiction. J. Gambl. Stud. 19(1):23–51, 2003.

  43. Moore, S., and Gullone, E., Predicting adolescent risk behavior using a personalized cost-benefit analysis. Journal of Youth and Adolescence 25(3):343–359, 1996.

  44. Birch, D. G., and McEvoy, N. A., Risk analysis for information systems. J. Inf. Technol. 7(1):44–53, 1992.

  45. Rainer, R. K. J., Snyder, C. A., and Carr, H. H., Risk analysis for information technology.

  46. Horst, M., Kuttschreuter, M., and Gutteling, J. M., Perceived usefulness, personal experiences, risk perception and trust as determinants of adoption of e-government services in The Netherlands. Comput. Hum. Behav. 23(4):1838–1852, 2007.

  47. Slovic, P., Finucane, M. L., Peters, E., and MacGregor, D. G., Risk as analysis and risk as feelings: some thoughts about affect, reason, risk, and rationality. Risk Anal. 24(2):311–322, 2004.

  48. Tsohou, A., Karyda, M., Kokolakis, S., and Kiountouzis, E., Formulating information systems risk management strategies through cultural theory. Information Management & Computer Security 14(3):198–217, 2006.

  49. Dubois, D., and Prade, H., Gradualness, uncertainty and bipolarity: making sense of fuzzy sets. Fuzzy Sets Syst. pp. 3–24, 2012

  50. Gong, D.-W., Yuan, J., and Sun, X.-Y., Interactive genetic algorithms with individual’s fuzzy fitness. Comput. Hum. Behav. 27(5):1482–1492, 2011.

  51. Chiou, H.-K., Tzeng, G.-H., and Cheng, D.-C., Evaluating sustainable fishing development strategies using fuzzy MCDM approach. Omega, pp. 223–234, 2005.

  52. Deng, W.-J., and Pei, W., Fuzzy neural based importance-performance analysis for determining critical service attributes, Expert Systems With Applications, pp. 3774–3784, 2009

  53. Ma, J., Ruan, D., Xu, Y., and Zhang, G., A fuzzy-set approach to treat determinacy and consistency of linguistic terms in multi-criteria decision making. International Journal of Approximate Reasoning, pp. 165–181, 2007

  54. Klir, G. J., and Yuan, B., Fuzzy sets and systems. Prentice Hall PTR, New Jersey, 1995.

  55. Tsai, H.-H., and Lu, I.-Y., The evaluation of service quality using generalized Choquet integral. Inf. Sci. 176(6):640–663, 2006.

Acknowledgments

The authors would like to thank Gizem Ogutcu for sharing the data from health employees and students that were used in this study.

Conflict of interest

The authors declare that they have no conflict of interest.

Author information

Corresponding author

Correspondence to Özlem Müge Aydın.

Appendix A

The responses to questions between 1 and 60 are given as “Always, Often, Usually, Rarely or Never”

  1. I use Messenger, GTalk, Skype and similar chat programs.
  2. I use e-mail.
  3. I use my corporate e-mail address for my private matters as well.
  4. I join e-mail groups on the Internet.
  5. I use Facebook, Twitter and similar social network sites.
  6. I have more than one e-mail addresses.
  7. I accept invitations for applications sent through social networks.
  8. I use online banking.
  9. I shop on the Internet.
  10. I use web sites that provide e-citizenship services (identity number inquiry, social security premiums etc.).
  11. I play online games.
  12. I download/save music, movies, programs and files from the Internet.
  13. I watch online videos/movies.
  14. I share my contact information on the Internet when required (Cell number, e-mail, address etc.).
  15. I share my personal information on the Internet when required (First and last name, date of birth etc.).
  16. I prefer to install/use original (licensed) software in my computer.
  17. I use security programs like anti-virus, spyware removal etc.
  18. I use security programs as firewall, adware preventing etc.
  19. I use content filtering software.
  20. I use e-mail filtering software.
  21. I am informed about online activities by using follow up software.
  22. I review the temporary Internet files and the Internet browsing history.
  23. I delete the temporary Internet files and Internet history before leaving a public computer.
  24. I use passwords for my files.
  25. I use complex and long passwords that cannot be easily guessed for my accounts.
  26. I use electronic/mobile signature.
  27. I generally use the favorites list while browsing the Internet.
  28. I transfer files while I chat.
  29. I share the files on my computer.
  30. I use online banking by public Internet.
  31. I report to the authorities IS security incidents that I encounter on the Internet.
  32. I share my passwords with others.
  33. I keep my passwords written in places that can easily be found.
  34. I have a password to turn on my computer.
  35. I turn off the auto-complete feature of my computer.
  36. I open e-mails from people that I do not know and I download their attachments.
  37. I check whether the web sites I visit have an SSL certificate.
  38. I change my passwords periodically.
  39. I change my wireless modem password periodically.
  40. When sending the same message to multiple recipients, I use blind carbon copy (BCC).
  41. I do regular updates on the software I use.
  42. I have experienced troubles because of computer viruses.
  43. I have experienced financial loss as a result of online shopping.
  44. My credit card has been copied.
  45. I have experienced troubles since I started sharing my personal information on the Internet.
  46. I have experienced financial loss since I started using electronic banking.
  47. My personal information has been shared with third parties/published on the Internet without my consent.
  48. My usernames and passwords related with my accounts on the Internet were accessed illegally.
  49. I have been insulted or threatened on the Internet by people I do not know.
  50. I have experienced financial loss due to gambling web sites.
  51. I have experienced financial loss due to social network sites.
  52. I have experienced financial loss due to friendship sites.
  53. I have been faced out of my intention with websites with violence or pornographic content while surfing on the Internet.
  54. The files on my computer have been stolen/deleted.
  55. Fake accounts have been created on behalf of me.
  56. Correspondence I did on the Internet was viewed or saved by others out of my intention or knowledge.
  57. I follow the legal developments related to computer and the Internet security.
  58. I know who to inform if I come under or come across to a cyber-crime.
  59. I know that my personal information can be used by some others abusively.
  60. Other parties’ recording my credit card details are not important for me while I use my credit card on online shopping.
  61. I wanted to be a hacker.

The responses to questions between 61 to 89 are given as “Too Dangerous, Dangerous, Less Dangerous, Safe or No Idea”

  62. Virus software.
  63. Antivirus Software.
  64. Spy programs (Keylogger, Screenlogger, Trojan etc.)
  65. File sharing programs (Ares, Limewire etc.)
  66. Web browser scripts such as ActiveX, Javascript etc.
  67. Web browsers (Internet Explorer, Mozilla Firefox, Google Chrome etc.)
  68. Chat programs (Messenger, etc.)
  69. Undesired, Spam or Junk e-mail.
  70. Online games.
  71. USB/External memory devices.
  72. MS Office applications (Word, Excel etc.)
  73. Use of manual keyboard when entering a password.
  74. Use of copy/pirated program.
  75. Downloading materials such as music/photo/movie from the Internet without paying anything.
  76. Opening e-mails with advertising content.
  77. Use of online banking.
  78. Sharing chat/information with strangers online.
  79. Shopping online.
  80. Browsing pornographic web sites.
  81. Browsing gambling web sites.
  82. Becoming a member to social networks (Facebook, Twitter etc.)
  83. Use of Bluetooth.
  84. Use of wireless modem.
  85. Loading credits to phone through the Internet.
  86. Use of unlicensed or free security programs.
  87. Handing out identity card or driving license to security staff at the building entrance.
  88. Giving identity card details to cargo, cell phone operator or similar agencies.
  89. Knowing others’ citizenship number.

About this article

Cite this article

Aydın, Ö.M., Chouseinoglou, O. Fuzzy Assessment of Health Information System Users’ Security Awareness. J Med Syst 37, 9984 (2013). https://doi.org/10.1007/s10916-013-9984-x

  • DOI: https://doi.org/10.1007/s10916-013-9984-x
