This literature review explores key facets of information security within healthcare Knowledge Process Outsourcing (KPO) organizations in Sri Lanka. It underscores adherence to healthcare standards, notably the HIPAA Act, as a foundational requirement for KPOs. Health Information Systems (HIS) are described as central to capturing, storing, managing, and transmitting health data. The review then covers essential security considerations, including physical security, site maintenance, audits, and controls, as pivotal components of compliance. Management engagement is emphasized as necessary for cultivating a culture of compliance and for allocating resources to strengthen security, and the organizational framework emerges as a significant influence shaping the information security culture within KPOs. Finally, the review underscores the importance of promoting awareness of information security threats and breaches. This summary sets out the interconnected elements of information security within healthcare KPOs in Sri Lanka.
A. Information Security Issues in Healthcare
According to Apar et al. [4], a variety of challenges need to be resolved in order to enhance healthcare information security. Healthcare technology provides many benefits, but it also carries a significant risk to information confidentiality: health information systems bring advantages and risks at the same time. A Malaysian study that applied ISO/IEC 27002 (ISO 27799:2008) identified 22 threat categories with a significant impact on healthcare information systems [3].
Noor and Zuraini [5] identify the main healthcare information security issues as the cost of implementing IT security, management issues, trust, security policies, and awareness of IT security. Management is responsible not only for promoting information security awareness but also for ensuring that security is implemented; numerous studies have promoted security awareness [9], [10]. Trust is a crucial basis for the relationships between organizations: as trust between internal and external stakeholders increases, results become more consistent and compliance with laws and regulations becomes easier. A healthcare security policy ensures that the use of the Internet to transmit sensitive data meets the policy's requirements. In the context of observing security policies in the healthcare environment, Suhaila et al. [11] identified seven principles common to maintaining information privacy. As healthcare evolves, information sharing can change the way services are provided, and Gajanayake et al. [12] suggest that a system of accountability can help ensure that information-sharing exchanges in general health scenarios are not misused.
B. Healthcare standards
Protection of information during processing, particularly in healthcare contexts, is imperative [13], as evidenced by legislative mandates that rigorously safeguard client data. In the United States, laws such as the Family Educational Rights and Privacy Act (FERPA), the Fair Credit Reporting Act (FCRA), and the Children's Online Privacy Protection Act (COPPA) underscore the importance of privacy protection [14]. New Zealand's Health Information Privacy Code is a significant piece of legislation guiding health information protection, and international standards such as ISO 17799 and AS/NZS ISO/IEC 17799 have influenced compliance standards in New Zealand and Australia [14]. The Health Canada Privacy Act also provides compliance guidelines [15], while Europe and Asia have adopted privacy laws similar to those of the United States.
Because the clients of healthcare Knowledge Process Outsourcing (KPO) organizations are predominantly based in the USA, this research focuses on HIPAA compliance, a pivotal law [16]. The Health Insurance Portability and Accountability Act (HIPAA) includes privacy and security provisions that safeguard patient confidentiality [15]. Achieving HIPAA compliance requires investments in information systems, organizational policies, and partnership agreements [17]. HIPAA compliance is estimated to cost the healthcare industry $18 billion but is expected to yield $30 billion in administrative savings [16]. HIPAA was enacted in 1996; the HITECH Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA), later introduced a tiered system of civil penalties that made the handling of HIPAA violations more consistent [97]. Healthcare providers have implemented HIPAA compliance through computer security guidelines, patient consent forms, and training programs [17].
C. Healthcare Information Systems
Information technology and the internet have transformed access to a vast array of information sources, becoming a pivotal information hub [18] [19] [20]. This transformation extends to medical professionals, who increasingly access medical records through mobile devices such as smartphones and tablets. The internet's evolution into a data-centric environment [21] has driven a profound shift in healthcare services, encompassing remote health monitoring, online consultations, e-prescriptions, e-clinical trials, patient data accessibility, and asset tracking [22], with substantial benefits to all stakeholders.
Electronic Patient Record (EPR) systems give healthcare providers and workers instant access to patient demographics, medical histories, lab results, and images. EPR adoption nevertheless remains limited, and a distinction must be drawn between EPRs held within a single healthcare organization and Electronic Health Records (EHRs) shared among multiple providers [23] [24]. Healthcare records exist both on paper and in electronic form as Electronic Medical Records (EMRs); EHRs integrate these records to enhance the quality of care [25].
EHRs encompass various components, including appointment management, admissions, discharges, prescription records, dietary supplement tracking, picture archiving, and smart card authentication. Decision-making in healthcare relies on health information systems that generate, compile, analyze, synthesize, communicate, and utilize data. These systems typically consist of EHR systems or a collection of such systems, analyzing data from the health sector and other relevant fields to inform healthcare decisions [26] [27].
The healthcare ecosystem relies heavily on healthcare organizations and professionals. Healthcare Information Systems facilitate electronic communication among all stakeholders, standardize diagnostic data, and preserve context while enabling new interpretations [25]. Interoperability in healthcare information systems, achieved through Reference Information Models (RIMs) and agreed vocabularies, is supported by a generic component model developed in the mid-nineties [27]. openEHR and the Health Level Seven (HL7) model are integrated into comprehensive models that manage existing structures, features, and terminology, in line with the standards of the European Committee for Standardization (CEN).
Recognizing the critical role of information system security [28] [29], healthcare information systems must address privacy and security concerns in order to gain societal acceptance. These systems face a spectrum of internal and external threats, including viruses, worms, keyloggers, and insider attacks [30]. Intrusions into IT infrastructure, whether from inside or outside, pose risks, with denial-of-service attacks standing out as significant threats [31]. Cybersecurity incidents such as the 2014 HealthCare.gov breach underscore the need for resilient systems [32], and hardware and software failures further compound security vulnerabilities [33].
Numerous studies identify diverse health information system threats, emphasizing power, network, system, and software failures [34]. Human factors also contribute high-risk threats. The findings coalesce into five primary threat categories: power loss, human error, technological obsolescence, hardware failure, and software faults. Addressing these challenges entails deploying technological controls such as encryption, firewalls, and access management systems [35].
D. Management Contributions
Security cannot be treated as an add-on component. Noor and Zuraini [5] emphasize that management must understand the importance of security in order to achieve organizational goals and objectives, and that security awareness should be an integral part of governance; security awareness has been advocated by many researchers [9], [10]. By supporting security enhancements through change management and authorizing actions aimed at strengthening security, organizations can enhance the security and reliability of their working environments [5] and reduce the gap between the current and the required level of security compliance. Knapp, Marshall, Rainer et al. [36] state that most organizations do not incorporate information security into their daily operations. Management should establish a suitable security culture within the organization by motivating employees.
Implementing information security requires substantial spending, and senior management often struggles to provide sufficient budgets; Keefe [37] notes that obtaining top-management support for computer security functions can be difficult. Straub [38] argues that organizations are less likely to adopt security functions after experiencing a loss from security initiatives. Shedden et al. [39] observe that organizations regard security spending as a cost, and Ong et al. [40] report that most companies do not believe security threats are worth investing in, or fear that security would negatively impact efficiency and productivity. Yet several healthcare organizations have paid enormous sums to settle potential security violations under HIPAA and other security compliance standards (U.S. Department of Health and Human Services). These examples show that management must take security seriously.
Moreover, Fitzgerald [41] categorizes organizations' views on information security into three levels depending on their organizational culture: high, moderate, and low. These categories show that management makes a significant contribution to a robust information security culture. Briefly: (1) executive management regards the information security management system as being as important as keeping the computers running; (2) information security policies may be created, but their enforcement is poor; and (3) information security is usually funded only as part of the general IT and IT support budgets. Joo et al. [42] further explain the role of management involvement in the relationship between information security and organizational culture.
E. Organisation System
In an organization, people are organized, structured, and managed in order to achieve collective goals. Every organized human activity, from the making of a pot to the placing of a man on the moon, is characterized by two fundamental and opposing requirements: the division of labor into different tasks, and the coordination of those tasks to accomplish the activity [43]. According to Schein [44], "organizational culture determines how employees perceive the organization." A number of researchers have found that understanding organizational systems and culture is crucial for the successful implementation of IT-based information systems [45], [46]. Bélanger and Robert et al. [46] define security culture as the integration of information protection into day-to-day operations. Research indicates that primary care medical practices are concerned about the security of patient information, yet do not take adequate security measures to protect it [47]. Research has long suggested that technology plays a part in some security challenges, but that processes and people, commonly referred to as organizational factors, exert a greater influence on security applications [48].
In medical practices, the trust-based environment further complicates security practices by affecting the formation and implementation of security policy [49]. Organizational culture can affect information security both negatively and positively. It is vital that the organization has a positive attitude toward information security [63]; the studies of Zakaria et al. [50] and Vroom et al. [51] reached the same conclusion. Von Solms [52] states that information security culture should be embedded into organizational activities.
Organizations sometimes face cultural obstacles when adopting an information security culture, and a country's national culture can significantly affect the adoption of new technologies and systems. Sengun and Janell [53] concluded that cultural factors play a significant role in product acceptance. Hofstede's [54] national culture model can help us to better understand information security culture. The framework [54] proposes five dimensions of national culture; as the following table indicates, the first is power distance, the second uncertainty avoidance, the third individualism, the fourth masculinity, and the fifth long-term orientation. Building on Hofstede's [54] model, Alnatheer and Nelson [55] proposed a framework for analyzing the adoption and implementation of a security culture and the resulting security compliance.
F. Information Security Awareness
Information security is undeniably a critical societal concern, as emphasized by Mensch and Wikie [56], corroborated by Okenyi and Owens [57], and discussed by Ku et al. [58] in the context of enabling businesses and nations to function effectively. Alarmingly, a survey of 450 IT directors and information security officers revealed that fewer than half of employees receive information security awareness training [59], exposing a significant gap in preparedness.
Luo and Liao [60] aptly point out that cybercriminals are outpacing technological advancements, making it increasingly challenging to pinpoint the location of attackers [61]. Consequently, information security has transcended borders and become a global imperative, prompting many countries to enact national-level security policies. Examples include the UAE's recognition of the need for security awareness in higher education [62], Taiwan's national policy on information security [58], the United Kingdom's focus on phishing education [64], and South Africa's commitment to information security education [65].
Effective security education policies are deemed the solution to mitigate security breaches, as noted by Kieke [66], and the importance of consistently reminding users about security concerns cannot be overstated [67]. Doge et al. [68] emphasize that organizations must elevate user security awareness and provide education and training. Siponen [69] highlighted this need back in 2000, and subsequent studies have underscored the importance of security awareness training, encompassing policies, procedures, and tools [58], [70], [67]. The efficacy of a security policy hinges on users' understanding and acceptance of its requirements [71].
To combat information system misuse, researchers argue for security education, training, and awareness [71], [72], [73]; ongoing efforts of this kind, which instruct users on correct and incorrect information system usage, have proven effective in deterring misuse attempts [74]. Furnell et al. advocate diverse organizational training approaches, including information awareness programs, to improve day-to-day security within organizations.
Furthermore, an information security training and awareness program allows organizations to hold employees accountable for any information system misuse and to apply appropriate consequences, as outlined by Whitman and Mattord [71]. Research by Hovav and D'Arcy [10] and Kruger et al. [9] demonstrates a clear correlation between awareness of information security threats and the development of an information security culture.