Information and cybersecurity competence of healthcare care personnel

Abstract

This study is part of a broader study on the cybersecurity competence, training needs and personnel’s views of data security of the own organization. The study was conducted between autumn 2020 and spring 2021.

This article reports the results of nursing staff. The research question was: How do nursing staff working in healthcare organizations assess their information and cybersecurity competence? The research data was collected using a structured questionnaire. The discretionary sample was designed in cooperation with two hospital districts and one primary health care organization. Each target organization defined the target group(s) and who and how the survey link would be shared. According to the researchers' estimate, the target group included approximately 3500 respondents, of which 383 answered the survey. There were 194 respondents in nursing positions.

The data was analyzed using the data analysis tools of the Webropol survey program. Open-ended responses were used as direct quotes to illustrate the results. The concept of cybersecurity was familiar to 80% of respondents. The majority of respondents (74%) believe that they have sufficient information and cybersecurity skills to perform their duties. Most inadequate skills were reported from respondents belonging to the age group of 50-64 years (p<0.01). According to their own estimates, 83% of respondents know how to act in the event of an information system failure. Respondents in the youngest age group (under 30 years old) reported the most uncertainty regarding how to act in a disruption (p<0.01).

Nine per cent of the respondents would give their passwords by phone to the information administration and 14 per cent would hand it over by phone to the authority. Sixteen per cent of the respondents considered it possible to transfer the patient's data by e-mail to a place of further treatment, and eight per cent thought that the student could use their supervisor's usernames. Nine per cent of the respondents said that they had used a co-worker's username.

Awareness of the possibility of a cyberattack and its impact on patient information systems, medical and remote monitoring devices should be part of the basic competence of everyone in the field. More contents related to information and cyber security are needed for the nursing education curriculum and continuing education of nursing. The current competence is deficient, and the subject area is not sufficiently considered in nursing education.