Result: Security practices and insider threats in Spanish healthcare centers: a survey-based risk assessment.

Title:
Security practices and insider threats in Spanish healthcare centers: a survey-based risk assessment.
Authors:
Herrera Montano I; Department of Signal Theory and Communications and Telematics Engineering University of Valladolid, Paseo de Belén, 15, 47011 Valladolid, Spain. Electronic address: isabel.herrera.montano@uva.es.
Góngora Alonso S; Department of Signal Theory and Communications and Telematics Engineering University of Valladolid, Paseo de Belén, 15, 47011 Valladolid, Spain. Electronic address: susel.gongora@uva.es.
Sañudo García S; Admission and Clinical Documentation Service, Hospital Universitario Río Hortega, Valladolid, Spain. Electronic address: ssanudo@saludcastillayleon.es.
García Aranda JJ; Department of Innovation, Nokia, Maria Tubau Street, 9, 28050 Madrid, Spain. Electronic address: jose_javier.garcia_aranda@nokia.com.
Rodrígues JJPC; Federal University of Piauí, Teresina-PI, Brazil; Instituto de Telecomunicações, Covilhã, Portugal. Electronic address: joeljr@ieee.org.
de la Torre Díez I; Department of Signal Theory and Communications and Telematics Engineering University of Valladolid, Paseo de Belén, 15, 47011 Valladolid, Spain. Electronic address: isator@uva.es.
Source:
International journal of medical informatics [Int J Med Inform] 2026 Jan; Vol. 205, pp. 106107. Date of Electronic Publication: 2025 Sep 02.
Publication Type:
Journal Article
Language:
English
Journal Info:
Publisher: Elsevier Science Ireland Ltd Country of Publication: Ireland NLM ID: 9711057 Publication Model: Print-Electronic Cited Medium: Internet ISSN: 1872-8243 (Electronic) Linking ISSN: 13865056 NLM ISO Abbreviation: Int J Med Inform Subsets: MEDLINE
Imprint Name(s):
Original Publication: Shannon, Co. Clare, Ireland : Elsevier Science Ireland Ltd., c1997-
Contributed Indexing:
Keywords: Cybersecurity; Healthcare; Information security; Insider threats; Survey
Entry Date(s):
Date Created: 20250905 Date Completed: 20251017 Latest Revision: 20251017
Update Code:
20251018
DOI:
10.1016/j.ijmedinf.2025.106107
PMID:
40912160
Database:
MEDLINE

Further information

Introduction: Insider threats pose a critical risk in healthcare environments, where Hospital Information Systems (HIS) manage sensitive patient data. Authorized users may intentionally or accidentally compromise data confidentiality, integrity, and availability. This study assessed information security practices from the perspective of healthcare professionals in Spanish medical centers.
Methods: A descriptive, analytical, cross-sectional study was conducted using a survey administered to 41 healthcare professionals with access to confidential data. The survey covered access control, encryption at rest and in transit, communication channels, and data usage control. Descriptive statistics, Chi-square tests, and Cramér's V were applied to identify significant associations. K-means clustering and Silhouette coefficient were used to define user profiles. Principal Component Analysis (PCA) was used to visualize behavior patterns. A Random Forest model identified the most relevant predictive variables.
Results: Critical security gaps were detected: 31.7 % reported no control over data usage. Only 29.3 % encrypted data at rest and 36.6 % during transmission. Over 40 % used personal email or messaging apps to share sensitive data, and 97.6 % relied solely on passwords for authentication. These practices are inadequate to mitigate insider threats.
Conclusion: There is an urgent need to strengthen insider data protection. Security strategies should be tailored to user risk profiles. Measures must include strong authentication, full encryption, and stricter control of data transmission to reduce exposure to insider threats (intentional or unintentional) in healthcare settings. Additionally, there is a need to promote continuous cybersecurity training.
(Copyright © 2025 The Author(s). Published by Elsevier B.V. All rights reserved.)

Declaration of competing interest: The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.