It is well acknowledged that information technology has transformed the way business transactions are performed in large, small and medium-sized, and startup companies across diverse industries. It has hastened interactions, facilitated informed decision-making, and enhanced communication flows. The present paper has appraised the existing literature with the objective of discussing the role of information management in the digital era. Information security management is especially fundamental in healthcare institutions, where almost all information is sensitive and should be treated with the level of confidentiality it deserves. The paper has outlined the significance of information governance (IG) and information security (IS), and the role of corporate executives in information security management. The review has also expounded on the adoption of VISION and DOCMAN, two cloud-based systems, by the Practice, a hospital in the UK; these systems enabled the institution to reduce the cost of managing a physical server and enhanced decision making. Finally, the review has highlighted the importance of employee development, particularly the necessity for staff education, to boost competency, motivation, and staff retention.
Information Security Management
Information and communication technology (ICT) has improved the efficiency of digital activities, such as online purchases, by removing the distance and time impediments that characterize shopping in physical stores. Today, with the aid of ICT, business transactions can be performed 24 hours a day, seven days a week. Furthermore, with online shopping, buyers can use online information to compare prices and products at the press of a button. From this perspective, data, which is considered to be among the most valuable company assets, plays a crucial role in the design of both products and services, in attracting consumer feedback, in evaluating performance, and in predicting the future achievement and productivity of a firm (Sundqvist & Svärd 2016). Nonetheless, although ICT has generated limitless business opportunities, it has also resulted in a wide array of challenges, including information security breaches, technological implications, data management systems, and dramatic transformations in organizational design (Rebollo, Mellado & Fernández-Medina 2012). Therefore, to mitigate these issues, it is fundamental to ensure that information is effectively managed by applying governance measures together with the strictest data security frameworks possible.
Previously, the management of information security was addressed from a technical perspective, and much of the focus was directed towards technological solutions (Singh et al. 2013), such as the implementation of access controls, securing networks with firewalls, and encryption; on their own, these initiatives have proven inadequate (Albrechtsen & Hovden 2010). Empirical findings contend that issues revolving around information security should also be considered from a governance or management milieu (Siponen, Adam Mahmood & Pahnila 2014). Singh et al. (2013) indicate that guaranteeing information safety is no longer only a technical issue but also a management challenge; therefore, governance measures are pivotal.
These suggestions necessitate an appraisal of the available literature on the management of information security. This is particularly important in healthcare institutions, where almost all information is sensitive and should be treated with the level of confidentiality it deserves. Therefore, the present paper will offer an evaluation of information governance (IG), information security (IS), and the role of corporate executives in information security management. In addition, the paper will expound on the concept of cloud computing, its benefits, and the inroads it has made in the realm of computing. Other aspects discussed in the paper encompass cybersecurity and the influence of social media on staff development, communication, and decision making in a general practice and surgical institution in the United Kingdom, where the author is a senior partner. Finally, the paper will offer a critical analysis of the significance of information security management in the general practice and surgical hospital.
As described by Singh et al. (2013), IS refers to the employment of any managerial and technological measures to safeguard information assets, including software, hardware, and sensitive data, from unauthorized access. De Bruijn and Janssen (2017) describe IS as the practice of protecting organizational data from access, scrutiny, disruption, modification, use, and disclosure by illegal or malicious individuals. By doing so, IS guarantees the core factors for information accuracy, including credibility, privacy, and authenticity. Similarly, IS facilitates the organizational decision-making process by ensuring that credible information is made available and accessible to authorized employees or parties (Veiga & Eloff 2007).
Notably, organizations across the world have spent significant monetary resources on the mitigation of information security breaches by protecting their internet connections and computers from hackers through the installation of a blend of anti-spyware/anti-virus programs, intrusion detection and prevention software, firewalls, and content filtering systems (Sundqvist & Svärd 2016). But, as indicated earlier, this line of defense has failed to provide sufficient protection, as technological measures can be undermined by employees’ practices (Albrechtsen & Hovden 2010; Singh et al. 2013; Siponen, Adam Mahmood & Pahnila 2014; Posthumus & Von Solms 2004). For example, staff or computer users can forget to sign out of their corporate/personal email accounts after using public networks/computers, or even leave their laptops unattended in crowded areas; as a result, they create avenues for hackers or malicious persons to expose or distort sensitive organizational information (Öğütçü, Testik & Chouseinoglou 2016). Besides, through social engineering approaches, novice computer users regularly reveal classified company data, their emails and login information, or other information that is supposed to be kept private. Such instances leave technology users and workers as the weakest link in the information security management chain (Rebollo, Mellado & Fernández-Medina 2012).
From the above standpoints, it is evident that information safety is more than a technological concern: it is also a legal and strategic organizational issue that needs to be tackled as a governance obligation entailing risk management efforts, reporting, and accountability on the part of boards of directors and executive leaders. In this context, information governance is described as the “specifications of decision rights and an accountability framework to motivate desirable behavior in the valuation, creation, storage, usage, archival, and deletion of information” (Proença, Vieira & Borbinha 2016, 1). It comprises the processes, responsibilities, measures, and guidelines that direct the efficient and effective use of organizational data to accomplish corporate objectives (Proença, Vieira & Borbinha 2016).
From Posthumus and Von Solms’s (2004) standpoint, IG refers to the processes through which IS is managed at an administrative level, while Siponen, Adam Mahmood and Pahnila (2014) consider it the element of a company’s broader business governance approach that begins at the executive level. Similarly, Ernst and Young (2012) agree that IS should be reckoned a Board-level priority given that, in a wider perspective, executive company leadership has core accountability for corporate affairs, implying that it has a substantial influence on all business transactions. From these descriptions, an effective IG strategy ensures that information is open and accessible to authorized employees, that information security policies are in place, that staff comply with the set regulations, and that continuous audits are performed to evaluate all the implemented IG approaches. In brief, IG practices encompass information security policy (ISP) formulation, creating ISP awareness through training programs, and fostering ISP compliance among employees (Sundqvist & Svärd 2016).
Information Security Policies
Singh and associates (2013) argue that the effective execution of IS involves the active engagement of organizational managers to assess the firm’s environment, probable risks, and the approaches to shield the company from such vulnerabilities or threats. Besides, supervisors are obligated to outline the firm’s strategic vision, a move that facilitates the alignment of its business objectives with the IS requirements (Alhassan, Sammon & Daly 2016). Sundqvist and Svärd (2016) add that fruitful information security management necessitates the involvement of both junior and executive staff in a company, which can be accomplished through effective communication approaches and the adoption of participative leadership skills in diverse organizational IS management tasks. For instance, engaging employees in the formulation of the ISP will provide management support and direction to various IS practices. Siponen, Adam Mahmood and Pahnila (2014) reiterate that there should be a clear ISP in place for successful compliance. These authors argue that the visibility of an ISP positively shapes employees’ compliance with IS measures, such as not sharing passwords, logging off computers before exiting a room, and refraining from downloading suspicious email attachments, visiting unverified websites, or leaving personal computers unattended in public areas such as cafés (Siponen, Adam Mahmood & Pahnila 2014). Guo and Yuan (2012) emphasize that excluding staff from the formulation and implementation of ISPs results in policies that are highly likely to be dissociated from the needs of junior staff.
However, irrespective of well-established ISPs, some employees continue to be at greater risk than others of intentionally or accidentally compromising organizational information security (Sundqvist & Svärd 2016; Öğütçü, Testik & Chouseinoglou 2016; Siponen, Adam Mahmood & Pahnila 2014). Warkentin and Willison (2009) ascribe the difference to the Big Five personality characteristics of agreeableness, neuroticism, conscientiousness, extraversion, and openness. Notably, individuals who score highly in sociability are largely targeted by hackers through phishing techniques, while those who score poorly in extraversion are less likely to be motivated by the social attention sought by online attackers. With regard to conscientiousness, scholars contend that since conscientious employees tend to adhere to company policies, they are at increased risk from the social engineering techniques used by cyber attackers. Similarly, openness is linked to technological expertise and online experience; therefore, open and knowledgeable individuals are able to distinguish suspicious websites, email attachments, or links from genuine ones (McCormac et al. 2017).
Shropshire, Warkentin and Sharma (2015) examined agreeableness and conscientiousness to explore whether they would serve as predictors of organizational citizenship behavior and, consequently, compliance with ISPs. The researchers reported that people rated highly on the conscientiousness domain are considered to be accomplishment-oriented, self-disciplined, reliable, careful, organized, and less likely to employ escape-avoidance habits to circumvent ISPs. On the other hand, neurotic employees appeared to be anxious about the use of technology, and their personality may serve as a barrier to the implementation of ISPs.
Other empirical studies attribute employees’ increased susceptibility to IS breaches to greed, self-interest, guilt, connectedness with others, and lack of cybersecurity awareness (Greavu-Serban & Serban 2014), while Cheng et al. (2013) and Ifinedo (2014) claim that the widespread cases of ISP non-compliance are due to insiders’ malicious habit of exposing organizational information for personal gain. Such employee conduct can be described as either intentional or deviant, such as organizational or political spying, sabotage, and information theft; or accidental misbehavior, such as the use of predictable passwords, trusting colleagues with login details, opening suspicious attachments without heeding prior warning, visiting websites unrelated to work, and carelessly exposing personal data on social media or unsecured sites. Furthermore, in addition to exploiting roguish habits, negligence, and ignorance, online attackers are presently employing sophisticated methods to disrupt the confidentiality, trustworthiness, veracity, openness, and availability of information by focusing on technological novices, staff who tend to resist adherence to ISPs, and those who lack information security awareness.
The Role and Responsibilities of Senior Leadership in Information Governance: The Case of Procter & Gamble
As discussed earlier, effective leadership of IG is pivotal in making sure that appropriate processes, policies, priorities, and strategies are productively entrenched in a company, both to take full advantage of the opportunities and to reduce the threats emanating from the information it holds (Sundqvist & Svärd 2016). Notably, a strong IG model makes it possible for companies to proactively address their slowly accumulating silos of information and data, an action that is motivated by various drivers. These encompass: i) the use of data analytics techniques to mine big data, thereby enabling the creation of improved or new services or products; ii) mitigating probable information threats, such as privacy breaches and cybersecurity attacks, which may otherwise result in substantial reputational damage, loss of productivity, business disruption, and legal suits (Albrechtsen & Hovden 2010; Lim, Stratopoulos & Wirjanto 2013).
For many companies, the capability of information technology is directly linked to the lasting implications of choices made by executive management. Conventionally, board-level managers left central information technology choices to the organization’s ICT experts, who, without planned actions involving top management, often provided inadequate technical solutions that did not fulfill the interests of all stakeholders. As such, executive managers should understand that IG concerns the stewardship of ICT assets on behalf of the company’s shareholders, who anticipate a profit from their ventures.
Procter & Gamble is a multinational firm known for maintaining its brand at the top, with its success ascribed to various factors, including effective governance of the information resources offered by its core analytics group. Under the direction of the firm’s senior management, led by the CEO, Bob McDonald, as well as the visionary and ambitious efforts of the CIO, Passerini, the company has placed strong emphasis on the use of business analytics in making better and smarter decisions based on real data drawn from all the company’s departments. Business analytics is described as a universal approach to the management, processing, and analysis of the data-oriented dimensions of value, veracity, velocity, variety, and volume to formulate designs for establishing competitive edges, measuring performance, and ensuring sustained value (Lim, Stratopoulos & Wirjanto 2013). Through Global Business Services (GBS), the executive leaders have seamlessly incorporated data analytics into P&G’s operations such that, at the press of a button, high-level data is made available, thereby enabling a real-time evaluation of the company’s performance by retailer, initiative, brand, and individual store. Besides, the use of predictive analytics supported automatic updates and forecasts of the firm’s performance over the next twelve months.
The practice of P&G’s senior executive leaders serving as champions for IG resulted in a remarkable shift in information processing, while the use of data analytics transformed the corporate culture towards an approach to management that is focused on how and why instead of what. In the past, P&G was marked by a “preview” tradition, where any information was pre-analyzed and processed by middle-level managers before being presented to the top executives. This meant that middle-level supervisors spent long hours coming up with plans to mitigate any problems. The senior executive-led approach to information management meant that real-time data could be viewed and discussed by all stakeholders, thus fostering accountability and transparency. Therefore, information governance ensured that P&G was transformed into a rapid-paced business entity, given that the mission of the senior managers was to enable a faster decision-making process grounded on real-time information instead of waiting for many validations.
What the CIO describes as “Information and Decision Solutions” (IDS) successfully enabled employees to manage the cultural shift. Via the embedded IDS, the CIO mentored business managers on how to employ the governance instruments effectively, including access to and safe use of information. Easy access to information, the capacity to speedily recognize areas needing attention, and fast feedback enhanced transparency. Besides, owing to the centralization of IDS and non-stop data updates from all units, logistics and forecasting were incorporated into the marketing, sales, and production departments, and their duties were updated.
From the analysis of the P&G case study, it is apparent that the principles of IG have transformed the corporate culture, particularly given that the information management team comprises two senior managers with knowledge of computer engineering and operations research, extensive experience in information management, and a shared passion for business analytics. The case study has also outlined the necessary steps in the development of processes, systems, and tools that aid in the analysis and mining of data. The authors reiterate the use of real-time data in formulating speedy business decisions instead of waiting for validation, and recommend that executive leaders invest in their workforces, particularly middle-level managers, coach them, and offer them guidance on how to best use data to make effective and smart choices. To do so, companies need to comprehend the changing environment, foster knowledge creation and creativity, and finally make informed decisions. Acceptance of information governance, starting from the board level, eases the formulation and implementation of the necessary structural and strategic transformations following the adoption of the change (business analytic techniques), and the monitoring and evaluation of its benefits and probable risks (Rocha Flores & Ekstedt 2016; Gunasekaran et al. 2017).
Therefore, companies ought to understand that practices that heighten an organization’s performance rely greatly on the readiness of senior management to buy in and to base business operations on effectively managed business decisions. Thus, senior executives need to be engaged and remain involved in the protection and stewardship of the company’s informational resources, which can only be accomplished through effective and continuous information security assessment, documentation, and reporting. In addition, the effectiveness of senior executives and middle-level managers relies greatly on how successfully they can transform data into actionable objectives and on their readiness to prioritize the incorporation of business analytics in processing real-time data.
Analysis of Information Management System in a Healthcare Organization and Impact of Cloud Computing and Social Media
In the recent past, organizations have demonstrated a mounting interest in the adoption of cloud computing services to reinforce crucial business operations. According to El-gazzar, Hustad, and Olsen (2016), cloud computing is among the three most influential ICT investments and one of the most significant technologies across the globe. Cloud computing is described as “a model for enabling infiltrating, convenient, on-demand network access to a shared pool of configurable computing resources, such as services, applications, storage, servers, and networks, that can be quickly provisioned and released with minimal involvement effort or service provider interaction” (Hsu & Ray 2014, 474). It allows clients to lease information technology software services, platforms, and infrastructure in the cloud when necessary (Kao et al. 2018; Sultan 2014; Phaphoom et al. 2015). Therefore, cloud consumers can install their business applications, run analyses, and store information over the internet on a pay-per-use basis (Sultan 2014). With these unique features, cloud computing transforms the conventional adoption and management of information technology (Phaphoom et al. 2015).
Notably, in the past, costly information technology innovations were normally embraced by large corporations, as they had the financial capacity to afford them. Presently, cloud computing is thought to be an indispensable application for both startups and small and medium-sized enterprises (SMEs), as it eliminates the up-front commitment and permits them to “pay for use of computing infrastructure on a short-time basis” (Kumar et al. 2016, 61). Nonetheless, irrespective of these striking advantages, various security and performance concerns have been raised, including network congestion, latency, performance instability, and information confidentiality (Hsu & Ray 2014; El-gazzar, Hustad & Olsen 2016).
Our company (the Practice) is a healthcare organization specializing in general practice and surgical services in the United Kingdom. Like most health-oriented institutions, the Practice still outsources only limited data to the cloud, and the highly confidential and multifaceted information is kept within the institution, particularly owing to the sensitivity of patient details. At present, practically all clinical guidelines and patient information are held on a cloud-based clinical system known as VISION, which is only accessible via the N3 server. In addition, the Practice follows a paperless framework, and besides VISION, another cloud-based system known as DOCMAN has been adopted to store scanned copies of important paper-based documents, such as patient records, referral forms, and hospital letters. In this way, cloud computing has saved substantial storage space at the hospital and reduced the cost of labor and time previously spent on records staff. Furthermore, with the emphasis on the adoption of electronic medical records in England, the Practice is among the first health institutions in South England to embrace private cloud computing.
During the consideration-to-adopt stage, various concerns were taken into account, including data security, cost-effectiveness, accessibility of the information only by authorized users, efficiency with mobile technologies, data recovery, and, most importantly, the dependability of the chosen cloud. This implies that the most crucial dimension was the technology itself, followed by human factors, organizational structure, and finally the environmental setting. Just as at P&G, the Practice instituted an information governance team that was established by senior management and steered by the CIO. This follows von Solms and Viljoen’s (2012) recommendation that “the board is responsible for ensuring that opportunities presented by developments in IT are recognized and exploited in a manner that adds value to an organization and is secure and compliant with regulations, policies, standards, and best practice guidelines” (73).
Since adopting the VISION and DOCMAN cloud computing technologies, the Practice has noted various benefits: a significant decline in the maintenance cost of a physical server; a substantial reduction in the time spent managing paper-based/physical data and running daily on-site backups; and the ability of clinicians to access their patients’ information even from remote locations, especially during home or community visits. Nonetheless, as Sundqvist and Svärd (2016) note, the biggest impediment is the heightened risk of cybersecurity attack. This susceptibility was revealed during the National Health Service (NHS) ransomware attack that affected several hospitals in the UK in 2017, which resulted in the deferral of surgeries, cancellation of appointments, and profound setbacks for healthcare delivery all over England. To mitigate the cybersecurity challenge, the management of the Practice has held extensive staff training to create cybersecurity awareness, drawing on the health belief model and the technology acceptance model (TAM). At the technical level, the institution has embraced a virtual machine monitor-based cloud intrusion detection and prevention system (CIDPS), as suggested by Mishra et al. (2017), to secure the infrastructure layer (IaaS).
The Impact of Social Media
Since its introduction in 2004, the use of social media by patients and medical professionals for health-related reasons has been mounting. Nonetheless, healthcare is a highly regulated field owing to the sensitivity of the information it holds; therefore, most hospitals are careful when using online platforms. In other, non-medical organizations, however, social media has become a force to reckon with in the marketing of products and services (Smailhodzic et al. 2016). At the Practice, the use of social media has been limited to publicizing the organization’s services and accomplishments. The Practice has a Facebook fan page where regular updates on general health issues are posted. Similarly, the hospital has a dormant Twitter account. The organization’s website promotes good health and well-being and comprises links that direct users to diverse health-related videos, articles, and blogs on chronic ailments and career development opportunities.
Staff Development in Line with Organizational Goals
Several corporate business managers or owners give little consideration to staff development, as they do not believe it plays any major role or, if it does, that there is sufficient time for it, particularly in healthcare, where staff shortages are common (Gesme, Towle & Wiseman 2010). Nonetheless, staff development, which comprises the processes and initiatives that enhance work-associated knowledge, proficiencies, and attitudes, has been linked to increased organizational performance, particularly in information management, where investment in staff education has led to heightened cybersecurity awareness (Albrechtsen & Hovden 2010). Kao et al. (2018) add that staff education forums and development reduce the pressure placed on senior managers with respect to the need for supervision, foster employee motivation, and enhance the quality of work by junior staff.
During the transition from conventional on-site servers to cloud computing at our hospital, emphasis was placed on the need for staff development. This encompassed a formal orientation program, sponsoring ICT staff to undertake cybersecurity courses, supporting staff interested in advancing their careers in information technology, coaching, weekly continuous medical education (CME) forums, and the maintenance of professional skills. In addition, the Practice performs impromptu and scheduled audits to assess the level of information security awareness and to ensure that staff deliver quality service at all times. These staff development initiatives are in line with the organization’s long-term goals, which are to be the best healthcare employer in South England and to provide safe and quality care to all patients. As such, staff development approaches have brought a decline in staff turnover; enhanced staff drive, owing to the creation of a practice culture that motivates learning and fosters education, thereby making staff dedicated to the organization’s vision; and increased patient satisfaction, employee confidence, and practice efficiency. Staff development has also improved the fast flow of information, as communication strategies were emphasized during training. In addition, whenever there has been a possibility of a security breach, our staff have been quick to document and report it by following the set policies and protocols.
Information Security Development
Sundqvist and Svärd (2016) point out that the presence and visibility of ISPs, in the absence of awareness and adequate training, will not be effective in ensuring the observation of information security measures. Thus, emphasis has been placed on heightening information security awareness (ISA) through training forums. To improve the effectiveness of the learning forums at our hospital, conventional command-and-control approaches, where the organization enforces disciplinary measures or punishments for failing to comply with ISPs, have been avoided, as recommended by Öğütçü, Testik and Chouseinoglou (2016) and Kolkowska et al. (2017). The Practice’s senior management understands that such forceful techniques may result in undesired behaviors, such as resistance to ISPs, reluctance, or postponing the execution of the guidelines. To curb undesired habits and improve ISA, the formulation of ISPs and IS measures should be based on an understanding of human behavior, an element that can shift depending on the user’s subjective norms, conscientiousness, and perceptions (de Bruijn & Janssen 2017).
Safa and associates (2015) suggest the use of the theory of planned behavior (TPB) and protection motivation theory (PMT) in the formulation of ISP awareness-creation modules. The adoption of the two frameworks can instill conscious care behavior among organizational staff, as they are grounded on the assertion that a technology user’s conduct is driven by a behavioral goal, where the willpower to change is a function of the person’s perception of the behavior. Soomro et al. (2016) claim that, from a TPB standpoint, an individual’s negative or positive assessment of a particular ISP will shape his or her attitude and, as a result, make them conscious of information security measures.
D’Arcy and Herath (2011) argue that in information governance, instead of addressing IS as a technical issue, it should be regarded as a business security issue, and therefore organizational managers should prioritize and handle it like any other security concern. Therefore, at the Practice, IG entails using a deterrence framework that is profoundly ingrained in criminology and holds that ICT users make rational decisions to perform or desist from criminal activities based on the maximization of benefits and the reduction of the concomitant costs. The deterrence framework is grounded on legal sanctions and argues that the greater the perceived severity, rapidity, and inevitability of sanctions for a criminal act, the more individuals will be deterred from undermining the implementation of ISPs and the observation of conscious care behaviors. By adopting deterrence theory and incorporating the safeguarding of information into the company’s business strategy, the organizational governance team creates a competitive advantage within a susceptible digitalized business environment (Safa et al. 2015; Ifinedo 2014). At the technical level, in addition to the adoption of the CIDPS, the Practice has secured mobile IT systems from unauthorized access, damage, modification, or loss through encryption, and staff have only limited access to specific areas of the hospital. In addition, the ICT department works 24/7 to monitor for intrusions and maintain the confidentiality of patient and hospital data.
This paper has explored digital data management in healthcare, and from the reviewed articles, it is evident that information is a vital organizational asset that shapes the decision-making process. The discussion has shown that in the past, most companies in diverse industries depended only on the technical line of defense against information security breaches, which has been confirmed to be ineffective; hence the need to consider human factors when designing ISPs. The analysis of P&G noted the significance of IG in driving organizational outcomes. At the Practice, although the adoption of cloud computing resulted in various benefits, including cost reduction, it exposed the institution to cybersecurity concerns. The Practice has embraced social media, but has limited its use to the publication of the organization’s services.