Information Security Awareness and Practices of Systems Administrators in State Sector Health Institutes in Sri Lanka

Abstract

Sri Lanka is embarking on the process of digital health transformation resulting accumulation of wide variety of sensitive health information in digital format. Real time information is critical for decision making. Securing integrity and confidentiality of information while preserving the availability is a challenging process. This research is aimed to assess the knowledge and practices of information system administrators related to the information security of state-sector health information systems. An online questionnaire was emailed to all the system administrators of state sector health institutions with functional health information systems and collaborating with the Ministry of Health through focal points. Responses were recorded over a period of three weeks. Interviews were carried out with the participants who responded to the online questionnaire. A descriptive analysis was carried out afterward. The response rate for the online questionnaire was 50% (n = 40). Out of the responded, 55% of the information systems contain information classified as “confidential”. Among the system administrators, 57.8% are aware of at least three standards, guidelines, or policies relevant to health information security. The majority of institutes (84.2%) were not practicing the recommended information security practices. Fifteen system administrators consented and participated in the key informant interviews. The majority of health information systems contain confidential information. The current level of health information security practices is not adequate to confront the constantly changing information security threats. Enhancing knowledge and practices related to health information security guidelines, standards, and policies will lead to secured healthcare delivery by ensuring confidentiality, integrity, and availability of health information