Locked the Car, Why Not the Computer: A Qualitative and Quantitative Study on Data Safety Compliance

Abstract

Information technology has become an integral part of health care in the United Kingdom National Health Service (NHS). All health care professionals are required to have a certain level of cyber ethics and knowledge of computers. This is assured by regular mandatory training. The government of the United Kingdom has charted out a course to strengthen cyber security and prevent any crises like Wannacry. Simple things like leaving a computer unlocked can pose a potential threat to the cyber security of the whole NHS. These cannot be addressed with money alone, as they involve complex interactions of human factors. Such seemingly simple non-compliance results often in harm to the patient or breach of confidentiality. We tried to find out the compliance among junior doctors to the Trust Information Technology (IT) Safe Usage Policy. We made interventions and interviewed junior doctors to find out the reasons for non-compliance. We re-audited in order to see if our interventions helped. We also audited compliance in another Trust independently, which showed that this problem is not specific to a particular trust. Here we suggest the changes that all Trusts can make and follow our model to audit their compliance.