Information security cultural differences among health care facilities in Indonesia

Background: Health information security (IS) breaches are increasing with the use of information technology for health care services, and a strong security culture is important for driving employees' information asset protection behavior. Objective: This study aimed to analyze differences in information security cultures (ISCs) across health care providers based on factors drawn from the ISC model. Methods: We used twelve factors to measure the ISCs of health care providers. This research applied a survey method with the Kruskal–Wallis H Test and the Mann–Whitney U Test as data analysis techniques. We collected the data through a questionnaire distributed to 470 employees of health care facilities (i.e. hospitals, community health centers, and primary care clinics) in Indonesia. Results: The results revealed the differences between health care provider types for 9 of the 12 security culture factors. Top management support, change management, and knowledge were the differentiating factors between all types of health care providers. Organizational culture and security compliance only differed in primary care clinics. Meanwhile, security behavior, soft issues and workplace independence, information security policies, training, and awareness only differed in hospitals. Conclusion: The results indicated that each type of health care provider required different approaches to develop an ISC considering the above factors. They provided insight for top management to design suitable programs for cultivating ISCs in their institutions.