Developing a contextual framework for establishing a cybersecurity culture in the public e-health institutions: a case study of South Africa

Abstract

The adoption and use of information and communication technology has transformed the way healthcare institutions perform administrative and clinical operations. The everyday use of this technology in the health sector requires an E-Health information system and this, when combined with telecommunication, is commonly known as E-Health. E-Health systems have many benefits for the wide variety of stakeholders in healthcare institutions. However, these systems are beset by a variety of risks, including challenges related to cybercrime, security, privacy and integrity. Healthcare institutions find it difficult to keep up with existing and evolving cybersecurity threats, making them very vulnerable. Coordinated and unified cybersecurity strategies must be implemented to counter these cyber threats and risks in E-Health institutions. However, a technological cybersecurity solution on its own is not sufficient as factors, such as a lack of security awareness, need for training, and irresponsible or careless digital behaviour, point to the need to create a cybersecurity culture as well. Studies related to cybersecurity culture form an emerging research area and this has not been thoroughly investigated in the E-Health sector. The main objective of this research was to develop a contextual framework for establishing a cybersecurity culture in public E-Health institutions. The study adopted a pragmatic world view supported by a case study strategy. Mixed-method research (quantitative and qualitative) accommodated both deductive and inductive research approaches in the collection and analysis of data. The data collection took place in three cycles using four data collection techniques (a systematic literature review, questionnaires, interviews and an expert review). Data were collected from one tertiary hospital as well as district hospitals in Mpumalanga province of South Africa. The proposed contextual framework was developed by following the conceptual framework analysis phases and was evaluated through a defined use case, comparative analysis and expert reviews. Hence, the methodological contribution of the study is to demonstrate the design and development of the contextual framework using the conceptual framework analysis phases. Practically, the framework of the study will be able to guide the establishment of a cybersecurity culture in healthcare institutions. The study contributed by providing a step-by-step guideline as implementation support for the framework. A limitation of this research was that data collection was limited to Mpumalanga Province. Data from Mpumalanga alone may not be a true representation of data from national health vi departments in all provinces of South Africa. Additionally, the proposed Cybersecurity Culture Framework only considered a use case demonstrated in hospitals in the one province. Future work could expand the scope of the research to other provinces and different healthcare categories. It is proposed that future work should include conducting real-time implementation tests to assess the effectiveness of the proposed framework.