An exploration of research information security data affecting organizational compliance

Abstract

In this article, data collected from onsite assessments of federal healthcare research programs were reviewed and analyzed. 103 research programs were evaluated for adherence to federal and organizational information security requirements, and the data were clustered into three primary compliance groupings: technological, procedural, and behavioral. Frequency and cross-tabulation statistics were conducted, and chi-square statistics were used to test for associations.

Experimental features: Frequency, cross-tabulation and chi-square statistics
Data source location: Data represented federal healthcare research programs across the United States
Data accessibility: All the data are in this article

Value of the data
Public availability and further analysis of this data will expand the literature regarding information security compliance including those specific factors that directly impact organizational risk mitigation strategy and employee adherence (e.g., employee decision-making).
This analysis may further inform decisions surrounding routine technological and procedural resources for detecting and mitigating information security risk.
The trends in this data will help inform information security compliance decisions regarding program development and employee behavior.
This data provides the first comprehensive review of information security compliance in a research setting on an enterprise scale.

Data
The sample included data collected from onsite research information security compliance reviews completed by the Veterans Health Administration (VHA) Office of Research Oversight (ORO) from the year 2009 through 2017. The purpose of these reviews was to evaluate VHA research programs' adherence to federal and organizational information security requirements. 103 research programs were evaluated, with 10% of the sample acquired from research programs located at VHA hospitals of lower complexity, 12% from research programs located at VHA hospitals of medium complexity, and 78% from research programs located at VHA hospitals of high complexity (see Table 1). Across the programs evaluated, over two thousand employees participated in the onsite reviews, ranging from support to executive staff, with the highest participation from the research program (see Fig. 1). Compliance and oversight staff accounted for 14% of employee participation and included Privacy Officers, Information Security Systems Officers (ISSOs), and Research Compliance Officers.
Information collected during the onsite research information security compliance reviews was derived from in-depth interviews, document reviews, and physical evaluations of the research space, including offices, laboratories, assigned clinical spaces, and server rooms. In addition, physical evaluations of certain data-capable information technology (IT) equipment were completed as part of each review.
Noncompliance for each site was documented in a site-specific report, and the data contained in those reports were compiled and subjected to statistical analysis. In addition, anecdotal evidence contained in reviewer notes relating to the reasons for the noncompliance was qualitatively aggregated.

Experimental design, materials and methods
Onsite reports were reviewed and each finding of noncompliance placed in one of fifteen broad categories (see Table 2). Those categories were further distilled: the findings of noncompliance were clustered based on similarity and placed into seven primary groupings (use of external information systems, management of research information, use of mobile and portable devices, ISSO reviews, privacy-related requirements, training, and reporting). The findings in each of the seven categories were then separated into three subcategories representing technological, procedural, and behavioral implications. For example, if an automated backup of research-related data failed, the consequential finding was placed in the technological subcategory. Likewise, if the noncompliance was because of an erroneous policy or required form, that finding was placed in the procedural subcategory. Last, noncompliance that was a direct consequence of an employee behavior, such as the failure of research staff to properly store and/or transmit sensitive research data in compliance with established policy, the failure to report a research information security incident, or the failure to complete required training, was relegated to the behavioral subcategory. The ensuing data are illustrated in Tables 3-7. For statistical analysis, frequency and cross-tabulation statistics were conducted to describe the sample and check for coding errors. Chi-square statistics were used to test for associations between complexity and noncompliance for each area of interest. Significant associations were reported using unadjusted odds ratios (OR) with 95% confidence intervals (95% CI). Statistical significance was assumed at an alpha value of 0.05, and all analyses were conducted using the Statistical Package for the Social Sciences (SPSS) Version 22 (Armonk, NY: IBM Corporation).
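As an added worked example (not the article's own analysis or data), the method described above, a chi-square test of association between hospital complexity and noncompliance, reported as an unadjusted OR with a Wald 95% CI, applied to a constructed 2x2 table; the counts, the `HIGH`/`LOW` names and the helper functions are assumptions for illustration, and the block also flags the small-expected-cell case that chi-square handles poorly:

```python
import math

# Constructed, illustrative 2x2 table (not the article's data):
# rows = VHA hospital complexity of the research program (high vs low),
# columns = (programs with a finding, programs without) in one area of
# interest, e.g. procedural noncompliance with external information systems.
HIGH = (40, 40)
LOW = (1, 9)

def odds_ratio_ci(exposed, reference, z=1.96):
    """Unadjusted OR of `exposed` vs `reference` with a Wald 95% CI.
    The CI is symmetric on the log scale, as statistics packages report it."""
    a, b = exposed
    c, d = reference
    odds_ratio = (a * d) / (b * c)
    se_log = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    low = math.exp(math.log(odds_ratio) - z * se_log)
    high = math.exp(math.log(odds_ratio) + z * se_log)
    return odds_ratio, low, high

def chi_square_2x2(exposed, reference):
    """Pearson chi-square (1 df) for independence of row and column,
    its p-value, and the smallest expected cell count."""
    a, b = exposed
    c, d = reference
    n = a + b + c + d
    rows, cols = (a + b, c + d), (a + c, b + d)
    chi2 = n * (a * d - b * c) ** 2 / (rows[0] * rows[1] * cols[0] * cols[1])
    # For 1 df, P(X > chi2) = erfc(sqrt(chi2 / 2)); no SciPy needed.
    p_value = math.erfc(math.sqrt(chi2 / 2))
    min_expected = min(r * k for r in rows for k in cols) / n
    return chi2, p_value, min_expected

def assess_association(exposed, reference, alpha=0.05):
    """Reporting rule used in the text: the association is significant
    when p < alpha, and the OR is reported with its 95% CI."""
    odds_ratio, low, high = odds_ratio_ci(exposed, reference)
    chi2, p_value, min_expected = chi_square_2x2(exposed, reference)
    return {
        "odds_ratio": odds_ratio, "ci95": (low, high),
        "chi2": chi2, "p_value": p_value,
        "significant": p_value < alpha,
        # Caveat: the chi-square approximation is unreliable when an expected
        # cell count is below 5, which is easy to hit with few low-complexity sites.
        "small_expected_cell": min_expected < 5,
    }
```

A significant result should show a CI that excludes 1 and a p-value below 0.05 together; when `small_expected_cell` is set, an exact test is the safer choice.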
Chi-square statistics found several significant differences in rates of noncompliance between the complexity groups. Research programs located at complex VHA hospitals were five times more likely (95% CI 1.25-19.93) to have procedural noncompliance with the use of external information systems than research programs located at VHA hospitals of lower complexity. Similarly, the trend was that research programs located at more complex VHA hospitals were more likely to have higher rates of behavioral noncompliance than research programs located at VHA hospitals of lower complexity, in the categories of behavioral noncompliance associated with the use of external

[Table 3: Noncompliance identified at research programs located at VHA hospitals of high (level 1a) complexity. Column groups MRI, MPD, IR, PR, TRNG and REP, each subdivided into T, P and B; cell values not recovered.]

The single exception to the trend involved technological noncompliance related to the management of research information, where research programs located at more complex VHA hospitals were less likely to have noncompliance than programs located at VHA hospitals of lower complexity (OR 0.63 [95% CI 0.01-0.76]). No significant differences were observed between research programs located at VHA hospitals of medium complexity and those of lower complexity.

[Table 5: Noncompliance identified at research programs located at VHA hospitals of high (level 1c) complexity. Columns CPXITY, then EIS, MRI, MPD, IR, PR, TRNG and REP, each subdivided into T, P and B; only the start of the row for complexity 1c (0 0 1) was recovered.]

[Table 8.]

By far, the highest rates of noncompliance occurred in the behavioral category, and this was observed across all areas of analysis (use of external information systems, management of research information, use of mobile and portable devices, ISSO reviews, privacy-related noncompliance, training, and the proper reporting of research information security incidents). In addition, rates of procedural noncompliance associated with the proper reporting of research information security incidents were above 40% for research programs at all VHA hospital levels. Public availability and further review and analysis of this

[Table 7: Noncompliance identified at research programs located at VHA hospitals of low (level 3) complexity.]