Abstract

The constantly evolving digital landscape has accelerated the need for companies to implement and adopt sustainable and effective information security. This has resulted in great opportunities within the healthcare industry to improve information security in line with the increasing demand for care and nursing services. This development has, however, also created many challenges within the healthcare industry. It can be difficult for healthcare organizations to effectively manage the security risks related to employees since many healthcare organizations already are struggling to meet the needs of their clients and patients due to a shortage of staff. The aim of this thesis is therefore to develop a model for how healthcare organizations can act to manage the human factor of information security without taking time and resources from patient care. To meet this purpose, a proposed model was developed through a literature review which was later evaluated through data collected by conducting semi-structured interviews with a variety of different healthcare organizations, where the interviewees held a range of roles within the organizations.

The results suggests that healthcare organization can improve their information security related to their employees by first establishing an information security policy that includes guidelines for all employees and then ensure compliance of that policy. To ensure compliance leaders within the organization must manage and implement information security. To make this possible the organization must take action to improve management’s information security awareness. When management has a high level of information security awareness, sufficient resources will be devoted to information security work. Furthermore, management will utilize strategies such as creating information security awareness, reducing perceived inconvenience, as well as developing a strong ethical climate to improve employee’s information security policy compliance. Information security policy compliance will also over time lead to the development of an information security culture, which will further strengthen the information security in the organization.