Security in health workforce information systems: a case of regulatory human resource information system

Abstract

The health workforce distribution, efficiency and competence are a major concern in health care delivery in Kenya. A well designed health workforce information system can inform policy making to a great extent. However, if health workforce information systems are not well secured, the information can be misleading. The purpose of this study was to assess the level of security in the Regulatory Health Workforce Information System (rHIS) and develop an information security plan for the rHIS. The rHIS is intended to streamline the operations of the Health Regulatory Boards and Councils including routine tracking of training, registration, practice and deployment of the health workforce to make the processes consistent, efficient and effective. The study assessed the security of rHIS deployment in four regulatory Boards and Councils within the Ministry of Health in Kenya i.e. Nursing Council of Kenya (NCK), Clinical Officers’ Council (COC), Kenya Medical Laboratory Technicians and Technologists Board (KMLTTB), Medical Practitioners and Dentists Board (MPDB). The ISO/IEC 27002 standard was adopted as the best practice on information security management. The assessment was based on ISO/IEC 17799:2005 audit checklist. A gap analysis applicability matrix was developed to indicate which questions were asked to which category of respondents in scope. The results indicated that the system security compliance differed across the Boards and Councils implying that the effectiveness of the security of rHIS is dependent upon the environment on which the system is deployed. It was evident that the compliance level was higher where an information security policy exists. The study used the gaps identified as a basis to propose a security plan that would provide a way forward in addressing the weaknesses and threats that exists in the various Boards and Councils.