The COVID-19 pandemic has progressively pushed health care institutions to use information technology solutions in providing health services that might raise the exposure to information security threats such as phishing emails, ransomware attacks, and network outages [1]. Ransomware attacks are increasingly targeting hospitals in many nations [2], disrupting health care operations and putting patients’ lives in danger. During the COVID-19 pandemic, the work from home policy required organizations, including health care institutions, to activate their information systems so that they could be accessible from outside the facility [3]. Cyberattacks have grown during the COVID-19 pandemic as a result of personnel lacking an adequate level of security knowledge to work from home [4].

The health information system (HIS) functions are getting wider, from the electronic medical record system to the current telemedicine system to provide web-based health services. HIS users, including health workers and patients, are also expanding. Information security has become an essential factor to be evaluated in HIS implementation [5]. The security threat from human factors is increasing because of diverse users. Meanwhile, patients as research participants are rarely studied empirically [6]. Many instances of security breaches in health care providers are brought on by human behavior [7-9]. Therefore, it is significant to understand HIS users’ information security behavior (ISB) to determine the proper information security controls.

Security behavior intentions might be divided into 2 main categories [10]. First, prosecurity behavior refers to the intention to support information security, including complying with security policies and assuring security controls using required tools [11]. Second, antisecurity behavior reflects the intent of disruptive information security, including violating security policies, making risky use of information system resources, and dismissing security requirements [11].

This study answers the research call from Ahouanmenou et al [12] that stated a gap related to information security studies in hospitals where less research has been carried out on how humans affect information security-related incidents. Most of the studies focus on protection technology, processes, and procedures. Advanced information systems require knowledgeable individuals to prevent security breaches following established security requirements, so the information security knowledge and expertise of health professionals must be quantified [13]. Therefore, this study aims to understand the ISB of HIS users based on a complete measurement scale adjusted to the information security risks in health care and linked to demographic differences. Academic contributions to information security research, mainly empirical measurement of HIS users’ ISB. A practical contribution is provided by proposing appropriate training approaches to raise security awareness in the health care organization.

There are several frameworks for measuring ISB from previous literature, namely the Human Aspects of Information Security Questionnaire (HAIS-Q) [14,15], Security Behavior Intentions Scale (SeBIS) [16], Risky Cybersecurity Behaviors Scale (RScB) [17], and counterproductive computer security behaviors (CCSB) [18]. HAIS-Q and SeBIS focus on prosecurity behaviors that support information security protection. In contrast, RScB and CCSB focus on antisecurity behaviors that risk causing information security incidents.

Previous studies in the health care context mostly used the HAIS-Q [19-22], a study [19] used HAIS-Q and SeBIS, and a study used the RScB [13]. The majority of studies [13,19-21] investigate health workers as research participants, while a study [22] examine patient behavior as an end user of clinical mobile apps. The riskiest behavior of health workers is visiting external websites using the hospital’s computer [22], while patients rarely choose complex passwords and change passwords in their mobile health (mHealth) apps [22]. Demographic factors, such as age, gender, and education level, are commonly used to predict ISB. However, different results were obtained from previous research. Previous studies [23-26] revealed a difference in ISB of health care professionals based on age, while a study [13] showed otherwise. As well as gender, a significant difference in ISB was established in a study [25] but not in other studies [13,23,24]. Meanwhile, education level is still less explored and found significant to ISB in a study [24] but not substantial in another study [23].

This study uses a quantitative method to investigate ISB from 2 types of HIS user, health worker and patient, which are still understudied. We also examine the differences between ISB according to demographic factors. Therefore, this study has 2 research questions (RQ) to be addressed:

This study has 4 hypotheses to address the RQs as follows:

The population of this study was users of HIS applications managed by health facilities in Indonesia as a case study context. Indonesia has the lowest score on the cybersecurity index for G20 countries [27]. Most Indonesian health care providers have inadequate information security policies due to a lack of national health information security regulation. Meanwhile, the government is encouraging the HIS implementation in all health care facilities. By understanding the ISB, we may take the first step toward building better health information security policies.

The sampling technique is nonprobability sampling, especially purposive sampling, according to the established criteria:

Table 1 describes each framework’s theoretical background, measurement scope and indicators, and measurement scale. This study establishes a modified ISB measurement scale from 4 ISB frameworks in Table 1 as research instruments. We use a 5-point scale (“never” to “always”) to refer to SeBIS. There are 28 behaviors as research indicators in this study, consisting of 14 prosecurity behaviors and 14 antisecurity behaviors. The mapping of each indicator with the related framework can be seen in Table 2.

In general, we divide the ISB indicators into 4 focus areas, that is, device protection (code 1.1 to 1.6), password management (code 2.1 to 2.6), proactive awareness (code 3.1 to 3.10), and information handling (code 4.1 to 4.6). We collected data through web-based and offline surveys of several health care facilities in Indonesia. We asked for respondents’ consent before they fulfill the questionnaire.

A statistical differences analysis of the sample according to users’ type, age, gender, and education will be conducted to analyze survey results. A test of normality (Kolmogorov-Smirnov and Shapiro-Wilk) will be conducted to define whether a parametric or nonparametric test should be performed [28]. When some data fail to meet the normality assumption test (asymptotic significance value P<.05), the researcher will use nonparametric statistical procedures such as the Mann-Whitney test for comparing 2 independent samples or the Kruskal-Wallis test for comparing more than 2 independent samples [29]. A descriptive analysis (mean, median, and SD) of the sample in the different variables shows which group has better ISB [30]. The higher mean value indicates better ISB, which means more frequently adopting prosecurity practices and less frequently adopting antisecurity practices. Furthermore, a correlative analysis was carried out to determine the significance of the correlation between ISB and age and level of education, which are ordinal variables. The correlative test uses the Spearman correlation coefficient, with a significance value of (2-tailed) P<.05 indicating a significant association between ISB indicators and the age or educational level of HIS users. Meanwhile, the mean value of each group may be used to analyze the significance of the correlation between security behavior, gender, and user type.

Respondents will not be harmed in any way as a result of their participation in this study. The participants provide written informed consent before the trial. The privacy of research respondents will be maintained. Respondents’ voluntary involvement in the study will be regarded as extremely valuable. Respondent data are admissible only for the purpose of this study. Any deceptive details, as well as biased depictions of the main data findings, should be avoided. This study has been reviewed and approved by Manager of Research and Community Services, Faculty of Computer Science, Universitas Indonesia (IRB approval number S-252/UN2.F11.D1.5/PPM.00.00/2023).

We collected 564 responses through the survey from March to May 2022. After validating, 143 responses were excluded since they did not fulfill the respondents’ criteria and were not completed. We processed 421 responses to be analyzed further. Figure 1 shows respondents’ characteristics in this study.

The findings of the research instrument’s validity test with 28 indicators reveal a significance value of P<.05, except for indicator 3.5. So, indicator 3.5 was deleted from the instrument and recalculated. Then, for 27 indicators, a revalidity test was performed, and the results are displayed in Table 3. It shows that all items in the instrument are valid. The Cronbach α rating for the research instrument reliability test with 27 indications was .793. Cronbach α values of .70 or above are typically deemed acceptable (Hair et al [31]). This demonstrates that the instrument used is valid and trustworthy for assessing HIS users’ ISB.

The reliability test for the research instrument shows Cronbach α value is .785. Cronbach α is commonly regarded as having an acceptable range of .70 or above [31]. The normality test result shows all the data are not normal (P<.05); therefore, we use a nonparametric test for the hypothesis testing, namely the Mann-Whitney U test and the Kruskal-Wallis test.

All hypotheses are accepted for overall ISB where the hypotheses testing shows significant results according to the user’s type (P<.001), gender (P<.001), age (P=.008), and education (P<.001). Table 4 shows the hypothesis testing result (P value) for each ISB indicator. Total 7 behaviors (1.2, 1.4, 2.3, 2.4, 3.6, 4.1, and 4.4) are significantly different based on 4 demographic factors, while 3 others (1.1, 2.1, and 2.2) are not significantly different for all factors. The most behavioral differences are based on the education level, followed by user’s type, gender, and age. The differences are dominated by antisecurity behavior in all demographic factors.

Table 5 shows the results of the descriptive analysis calculation for each behavior indicator. The bigger the mean or median value, the better the ISB since it suggests that security behavior is performed more frequently for prosecurity indicators and less frequently for antisecurity indicators. There are some information security practices that still need to be improved based on the mean and median values in Table 5. First, in terms of device security, more respondents do not use the device screen lock feature to get access to the HIS with a password (item 1.1). Furthermore, respondents almost never signed out after using HIS (item 1.4) and upgrading critical apps such as antivirus and operating systems (item 1.5). Second, in terms of password management, many respondents still do not update their passwords on a regular basis (item 2.3). Third, when it comes to proactive awareness in using the internet, social media, email, and incident reporting, many respondents continue to provide information to websites without first confirming their legitimacy and security (item 3.1). Furthermore, respondents continue to allow colleagues or acquaintances to violate information security (item 3.10).

This study included further comparative and correlative analyses. A correlational analysis was conducted to determine the relevance of the association between ISB and age and level of education, which is ordinal data. While the mean value of each group descriptively allows for comparison research to assess the relevance of the association between security behavior and gender and user type. The correlative test uses the Spearman correlation coefficient, with a significance value of (2-tailed) P=.05 indicating a significant association between ISB indicators and HIS users’ age or educational level.

Table 6 displays the correlation research results for prosecurity behavior with age and educational level. The behavior of users to use passwords to unlock devices used to access HIS (1.2) and ensure sensitive printouts (such as medical resumes, test results, and prescriptions) are appropriately destroyed before disposal (4.1) is significantly positively connected with age. This demonstrates that older HIS users are more likely to engage in both activities. Meanwhile, the behavior of HIS users to update HIS passwords on a regular basis (2.3), maintain social media privacy (3.4), and back up essential data on HIS (4.3) shows a negative association with age, with older users doing it less frequently. The correlation of HIS user behavior for not opening email attachments from unknown senders (3.3) shows a positive correlation with education level, with the higher the educational level of HIS users, the more frequently this behavior occurs. Because of the negative link, HIS users with higher levels of education change HIS account passwords (2.3) less frequently and back up essential data on HIS (4.3).

Table 7 shows the correlative study results for antisecurity behavior with age and education. The behavior of not logging out of HIS (1.4), sticking passwords in the open (2.4), downloading files from unofficial sources (3.6), sending sensitive information using public Wi-Fi (3.7), sharing sensitive information on social media (3.8), doing nothing when colleagues commit security breaches (3.10), not treating sensitive data carefully (4.4), and sending personal information to unknown websites (4.6) significantly positively correlated with age, so that the older HIS users tend to do less of this behavior. While the educational level of HIS users has a positive correlation with the behavior of disabling antivirus (1.6), pasting passwords (2.4), downloading files from unofficial sources (3.6), not treating sensitive data with care (4.4), and sending sensitive data through instant messaging without verifying the authenticity of the account (4.5). This shows that the higher the educational level of HIS users, the less likely they are to engage in this behavior.

There is no previous study comparing the security behaviors of health workers and patients directly. This study shows that patients update and change default passwords more frequently. Patients also share their HIS password less often than health workers, who use HIS to work and share information with their colleagues. In contrast with a previous study [22], mHealth end users do not change their password regularly but use strong and different passwords. Health workers are more likely to use the same password due to stress factors in the health care environment [19]. This study also shows that health workers use the default password, which is usually the same for all accounts. They can easily ask their colleagues if they forget the password. The high workload sometimes causes health workers not to be able to access the HIS on their own, so they ask a coworker to help them by using their passwords. There is a significant difference in prosecurity behavior between health care workers and patients when it comes to reporting security events or disruptions to the HIS manager. Most of the staff will report incidents, but most of the patients will not. As a result, if there is a HIS problem, HIS managers must engage more with patients or provide more information about complaint services. User-reported events can be used to detect attacks or larger issues. Patients frequently do not log out after using HIS, which makes a significant impact in antisecurity behavior. This might happen since patients use their own devices to access the HIS, so they can feel safer if they do not log out, but health workers use institutional devices that someone else can use.

This study shows female and male users’ ISBs are different as a whole or in several indicators. Women tend to adopt prosecurity practices and avoid antisecurity behaviors, except for updating HIS password regularly. This result contradicts previous studies that took health workers [25] and nonhealth workers [32,33] as research participants and revealed that males are more likely to adhere to security controls and avoid risky behavior. However, a previous study [34] that included health workers as part of its research revealed that females are more likely to comply with security policies. There is a significant disparity in prosecurity behavior between both genders, with male users changing their HIS passwords more regularly and female users being more cautious while deleting sensitive information such as medicine prescriptions, ultrasound printouts, or medical resumes. Antisecurity behavior that differs substantially between male and female users includes not closing the system after usage, downloading files from unknown sources, and not frequently managing sensitive data with care. Female users are less likely to engage in all 3 of these behaviors. The causes for the disparities in behavior between male and female users must be investigated further.

In general, the older the HIS user, the more frequently they engage in prosecurity behavior and seldom engage in antisecurity behavior. However, younger HIS users are more likely to change passwords on a regular basis, set privacy on social media, and back up crucial data. It is supported by previous study where younger users are more likely to use security controls on mobile devices [25], but older users generally are more cautious with sensitive information [26]. The younger HIS users are more likely to embrace detailed processes. Still, most older people groups evaluate and accept informal security measures as a more seasoned response to security problems [24]. Older users (>40 years old) have better overall behavior. This is demonstrated by a correlation analysis between user age and security behavior, particularly antisecurity behavior, where the older the user, the less likely it is to engage in antisecurity behavior. However, the younger the user, the more frequently they change passwords and social media privacy settings.

This finding shows that education level mostly influences the differences in prosecurity behavior. However, higher education does not guarantee better ISB for HIS users. It is supported by a previous study [24] that revealed security policy compliance was lower at the master’s level than at the undergraduate level. Overall, users with a diploma education behave better than other age groups. However, these disparities in behavior vary sufficiently so that, according to the correlative analysis, there isn’t a very substantial association between education level and user security behavior. Furthermore, this study indicates that the higher the education of HIS users, the less frequently they change passwords and back up essential data.

Overall, the frequency with which HIS users engage in risky security behavior is lower than the frequency with which behavior is predicted. Because patients have a lower degree of security behavior than health care workers, information security education for HIS users is critical. This study adds a deeper understanding of HIS user behavior by age, gender, and educational level. Health care facilities management may personalize education programs and formats to the target group of end users.

These findings suggest the necessity for security education programs specific to user demographics and the categories of security behaviors the organization wants to enhance. Differences primarily influence antisecurity behavior in user roles, age, and gender, but education level affects both equally. This study demonstrates distinctions between prosecurity and antisecurity behaviors that have not been thoroughly examined in earlier studies. Health care facilities should focus on user-specific needs, knowledge, ability, and work limitations to reduce conflict between protection and work efficiency goals and develop customized security training programs [21].

Security education for the patient should be considered since they do antisecurity more often than health workers and can pose security threats. This study also differs from most previous studies because female users exhibit more secure behavior than males. Younger HIS users are more susceptible to engaging in risky security behavior, but they are also more likely to engage in prosecurity behavior, while older users are better at preventing antisecurity behavior. Based on educational degree, there are significant disparities in ISB. Users with a high school education are more susceptible to antisecurity behavior, thus they should be educated on information security risks. As users with undergraduate and postgraduate degrees are less likely to engage in prosecurity behavior, technical security training is required. Some behaviors that can be improved include regularly updating the HIS password, setting the device screen to automatically lock when not in use, not logging out after using the HIS, verifying website security before sending sensitive information, and delaying software updates such as operating system and antivirus updates. Security threats posed by HIS user behavior can be mitigated by including technological security measures into HIS, such as an automated logout function on HIS and user devices after a given amount of inactivity and implementing a password validity period for a set length of time. HIS users should be educated on potential risks that might occur if the software used is not kept up to date, as well as how to assess the security of a website.

This study uses a self-reported survey and does not distinguish the types of health facilities. It might cause bias because the security behavior described by the respondents’ answers can apply to a particular health facility. Additionally, this work does not thoroughly investigate the relationship between ISB and HIS features and the used devices. For instance, patients use smartphones more frequently to register through mobile apps, while health workers use desktop computers more frequently to access electronic medical records. Current technology adopting artificial intelligence might bring new security risks to health care systems [35]. Future research can investigate more relevant information security knowledge and behavior to cope with security risks from those technologies. This study assesses the ISB of HIS users based on a history of security events in health institutions and potential security threats. The influence of this user behavior on information security in associated health institutions has not been studied further. Future research can do a longitudinal study on a specific health institution to see the impact of this behavior and make measurements before and after introducing suitable security measures.

Health care providers other than hospitals are still understudied. Studies related to both prosecurity and antisecurity behaviors show that the factors preventing protection can be different from the factors promoting information security violations. Therefore, both types of security behavior are necessary to be investigated for further research. The development of technological solutions used by health facilities since the COVID-19 outbreak, such as telemedicine and mHealth apps, has caused the coverage of HIS users to expand. Protection of health information security does not only rely on health care professionals but also on patients who participate in managing their own personal data. Information security risk does not only come from internal users at the health care provider but also from external users who have access rights to the system. Therefore, studies on ISB in the context of health organizations need to understand the patient’s perspective, which is still rarely studied.