4 November 2015 at 11:43 #2280
Citation: Bernd Carsten Stahl, Neil F. Doherty and Mark Shaw, “Information security policies in the UK healthcare sector: a critical evaluation”, Information Systems Journal 22.1 (2012).
The authors emphasise the high level of data security required in the healthcare industry by critiquing several Information Security policies that are created by Trusts of the UK National Health Service. These policies, although created by each Trust, are heavily influenced by the National Health Service and the International Standards Agency. Reviewing these policies through a critical theoretical lens via a method called critical discourse analysis, they go in search of evidence of ideology and hegemony within sample policies from the UK’s NHS.
The aim of this journal article is to highlight that, in any organisation, information security is paramount, but they pay special attention to the healthcare industry, primarily because of the sensitive nature of the industry’s data. Mentioning the occurrence of widespread data breaches, they delve into the possible reasoning behind such spectacles and suggest that the main reason behind these breaches may be weak theoretical research in the realm of Information Security. They adopt critical discourse analysis, which provides insights into the role and purpose of Information Security Policies.
The areas that are covered are:
• Review of literature on Information Security Policies.
• Introduction to Critical Theory.
• Methodology of Critical Discourse Analysis as applied.
• Evidence of problems with Information Security Policies in the UK’s NHS is presented.
• Analysis and discussion of the findings, which underpin the relevance of the research and point towards theoretical and practical consequences.
The authors’ focus is on the meaning of the Information Security Policies that are created by each Trust in the NHS. In reviewing the literature, some statements emphasise the difficulties and ambiguity of creating an information security policy. Following on from this, they highlight the role the information security document plays in the organisation through the use of hegemony, ideology, reification and commodification. They theorize that heavily influenced/enforced security principles can result in their philosophies becoming a solid workplace measure, thus leading to the principle becoming a commodity that will be freely available to use to influence strict adherence to the information security policy.
Throughout this journal article the standard of expression regarding the complete process and influence of creating an information security policy is remarkable. The level of detail to which they describe their Literature Review, Critical Theory, Methodology of Critical Discourse Analysis, Evidence arising from chosen policies and finally the Conclusion is extremely distinct throughout. Through the use of critical discourse analysis, they focus on a branch adopted by Cukier et al., which is primarily based on Jürgen Habermas’s Theory of Communicative Action; the authors apply his theory underpinning his validity claims of Truth, Legitimacy, Sincerity/Authenticity and finally an additional idea, although not initially thought of by Habermas, Clarity or Comprehensibility. To elaborate on these validity claims they use guiding questions for each. They continue to suggest that the four validity claims support the Critical Theory concepts of Ideology, Hegemony, Reification and Commodification.
The introduction of Habermas’s Theory of Communicative Action enables the authors to introduce definite means to analyse the policies supplied by the various NHS Trusts. Habermas’s Theory of Communicative Action details how language, when clearly defined and constructed, can help influence rationality amongst the population. The authors discover policies which iterate that information should be freely available to ensure an efficient health service, but that Information Security should not be compromised in order to achieve this end goal. Elaborating, they compare information to a tangible asset, which today is an ideology that is widely accepted amongst all realms of the Information Technology industry. Clarifying the policies, they investigate the sturdiness of the semantics used in them and argue whether they were in any way ambiguous to a staff member without familiarity with technical jargon, focussing on who is blameworthy in the event of a breach of the policy. Regarding the legitimacy of the policies, they discovered a regular pattern emerging with each Trust, one that emphasized endorsement from senior management and technical experts, albeit with different role titles, encouraging hegemony regarding information security.
With today’s ever-emerging demand for use of information systems not only on the campus of a particular Trust but remotely, I would like to ponder whether these security policies have included mechanisms to ensure that a reliable workflow can be created, but also iterate that information security be of utmost importance while carrying out these duties. At the time of the review, I did not have to hand any particular NHS Trust’s Information Security Policy, so I was working from the insight that was provided by the authors. Also, in today’s modern collaborative healthcare sector there are now several non-staff type entities; these include researchers, locum staff who because of their job type may not get to read the policy in the first instance, and third-party companies that provide clinical support and general service support. The authors focussed on staff of the NHS Trust; the journal article did not allow for these unusual staff type situations.
Another branch that should be kept in mind is to apply the information security policy to the patient. This could emphasise that any patient trying to perceive illegitimate information from the Trust could face legal ramifications. Since data and voice networks converged, management responsible for the patient stay experience have been voicing their opinions on possible ideas to improve the patient stay. From experience, one idea that constantly crops up is the idea of having patient entertainment systems at the bedside, to give the patient a means of communication with relatives and social media. Several solutions exist in this realm, but the most popular is the idea of combining clinical systems with patient entertainment systems on one piece of hardware located at the bedside. This, in turn, leads to the possibility of patients seeing data that they should not necessarily see.
To conclude, the authors’ use of Habermas’s concept of Communicative Theory provided great evidence on how Information Security Policies strengthen Higher Management’s expectations of staff conduct when using Information Systems during the course of their career with the organisation. This, ideally, should limit but not completely mitigate future security breaches.
6 November 2015 at 01:26 #2318
Great review Dave.
Given your background, how does this compare to the Information security policies of the Irish healthcare system?