Effects of Continuous Security Monitoring on Security Controls of Electronic Health Records in Public Hospitals, Tanzania

This paper examines the effects of continuous security monitoring on the security of electronic health records in Tanzanian public hospitals. The study adopted a cross-sectional research design and quantitative research approach using a sample of 300 respondents from the six public hospitals in Tanzania. A questionnaire was used to collect data from the main users of EHRs such as medical doctors, IT officers, nurses, pharmacists, laboratory technologists, record officers and administrative officers. A multiple linear regression model was used to evaluate the effects of continuous security monitoring on the security of electronic health records in Tanzanian public hospitals. The findings revealed that continuous security monitoring is a significant predictor of the security of electronic health records in Tanzanian public hospitals, (B= .509, p< 0.001). This implies that, continuous security monitoring explains 50.9% of the variance in security of electronic health records in Tanzanian


INTRODUCTION
The rise in the number and severity of information security breaches and attacks in healthcare organizations has stimulated the need to protect systems against breaches and attacks, Ponemon Institute (2018).Attacks target all aspects of a system from email to web applications to the network backbone infrastructure itself, Microsoft (2018).While hospitals security experts work to stay ahead of the curve, they find themselves competing against attacks and attackers can cause widespread chaos throughout a network with very little work.While attackers of information systems are utilizing automated attacks techniques often, security experts have not heavily invested on continuous security monitoring despite studies which show that continuous security monitoring helps to minimize the frequency and severity of data breaches.
Continuous security monitoring goes beyond appliances which is the point many technical personnel miss out when planning for the techniques to secure their institutions against attackers.Continuous security monitoring provides situational awareness or real-time risk management whereby organizations get to know what is going on regarding risks and vulnerabilities in their organizations, NIST (2000).Organizations also get to know the situation before, during and after attacks when continuous security monitoring exists.
Therefore, healthcare organizations can eliminate some of the possible security dangers through continuous security monitoring as the continuous monitoring of information security processes allows for collecting and aggregating data, correlating information, and making decisions in ways that are not possible for human cyber security experts (AlSadhan& Park,2015).When organization automate the update of antivirus software it does little good for a yet unseen virus.Similarly, when organization automate the update of operating systems it does little to protect things like zero-day vulnerabilities that could potentially take down entire systems.Continuous security monitoring through automation serves two significant purposes, to free the administrator up to do work that is value-adding and needs human interaction and to minimize reaction time between when an event occurs and when a system responds (Kirtley, 2018).
In healthcare settings with a shortage of skilled security professionals, particularly in developing countries, continuous security monitoring through automation will work effectively in analysing and responding to security incidents.Continuous security monitoring can result in higher productivity and can minimize the stress experienced at healthcare organizations hence lead to less burnout.Despite the numerous advantages of continuous security monitoring in information systems, organizations are not taking full advantage of this technology to improve their security capabilities effectively, NIST (2000).This has resulted in attackers getting a more accessible way in their attacks and breaches while security professionals depend on manual systems (2018).
It is evident that, Tanzanian public hospitals extensively have adopted ICT by employing the use of electronic health record systems (MOHCDGEC, 2017).However, little study has been conducted to address ICT's impact on privacy and security issues in EHRs.Thus, there is a lack of enough information on the effects of continuous security monitoring on security controls in electronic health records.This is a silent issue which may harm the privacy and security of individuals and groups during capturing, processing, storage, or transmission of electronic health records.Therefore, the study intends to explore the effects of continuous security monitoring on security controls of electronic health records in Tanzanian public hospitals.Hence, the study aimed to test the hypothesis that: Ho: Continuous security monitoring has no significant effects on security controls of electronic health records in Tanzanian public hospitals.

LITERATURE REVIEW
According to Yash (2017) continuous security monitoring provides detective controls which are used to oversee and compare access permission concerning current network utilization in order to guarantee that observed actions correspond to the granted authorizations.When inconsistency detected, responsive measures are taken and send alerts to inform the relevant administrators, allowing them to rectify the problem immediately, thereby mitigating any potential risks to the organization.This is a proactive process in risk and vulnerability management in information systems.
Ellen (2019) stated that, continuous security monitoring helps in automatically blocking any events that infringe the organization's security policies, data encryption and other protective activities to prevent end-users from unintentionally or maliciously sharing data that could put the organizations at risk and vulnerabilities.This is very important as many healthcare organizations in developing countries faced lack of experienced and well-trained IT expertise to manage security issues.
According to Jacob (2016) continuous security monitoring through automation process can filter threats to the system, for example, spam filters are designed to scan email automatically.Firewalls block traffic based on its source and direction.The systems can notify system administrators of suspicious traffic or take action against suspicious traffic.For instance, the system may email to the administrator informing him or her of a potential problem, or it may act on its own without human being involvements.Justin (2019) opines that since organizations sometimes consider external services and remote users which usually are connected in the organizations' network, security administrators need to have continuous security monitoring to monitor what these users are doing to the information systems of an organization.Continuous security monitoring may help to monitor all external services and what users are doing, what devices they are accessing or using, what apps they access and if they are using a virtual private network (VPN) and whether they follow the security policies and procedures of an organization.
According to Petersdide and Butakoy ( 2015) continuous security monitoring emphasises on the use of automation to give management critical information needed to make cost-effective, riskbased decisions that support adequate security controls.Among functions that are performed through security automation are threat detection, patch management, vulnerability assessment, inventory management, and compliance monitoring and disaster recovery.The primary objective of continuous security monitoring is near real-time risk management by removing unnecessary human elements.Montesino and Fenz (2011) assert that continuous security monitoring techniques through automation perform the task without the need for the user to initiate the security event.
According to Tsai et al., (2018) networking monitoring is a critical concept in the network management as it helps a network administrator to determine the behaviour of a network and the level of safety of its components.The study also added that, continuous monitoring help keep an eye on all events occurring in an organization's network settings through automation hence helping to prevent unauthorized access to the systems or services by identifying intruders and responding to them promptly.

MATERIAL AND METHODS
This paper is based on the quantitative research approach.This approach can be used to identify trends and averages, establish hypothesis, determine causality, and extrapolate results to large populations (Apuke 2017).The explanatory and cross-sectional research design was used as a study's foundation.The study's population included EHRs users in public hospitals such as hospital IT officers, medical doctors, record officers, pharmacists, health laboratory technologists, nurses and administrative staff.The six public hospitals were purposively selected from the six country zones.The selection of hospitals based on its experiences in the use of EHR systems and the number of patients served per year in a particular zone.The selected hospitals had a target population of 1200.Quantitative data were collected using a questionnaire with the use of Kobo toolbox.

Sample Size and Sampling Techniques
The study employed purposive sampling technique.Sampling is the process of selecting a small subset from the entire population McCall (2018).The purposive sampling was employed to enable researchers to restrict data collection to the targeted respondents only.Sample size for this study was calculated using the formula developed by Yamane (1967).In this formula, sample size can be calculated at 3%, 5%, 7% and 10% precision (e) levels.The sample size for the study was calculated at precision level of 5% (e = 0.05) as shown below: Whereas: n = Sample size for population, N= Size of population, e= level of precision (0.05).
According to the above formula, the sample size for this study is: - Therefore, the minimum sample size for this study was 300 respondents

Questionnaire
The study used a survey questionnaire to collect data from respondents.The questionnaire had a close ended questions to encourage specific response.A total of 360 participants from the targeted population was requested to fill out questionnaire.An online data collection tool (Kobo toolbox) was used as data was collected from the broader geographical locations.The total of 300(83%) responses was received.The technique was used to help in avoidance of bias by the researchers; cost-effective way of collecting data, large samples can be contacted easly, and thus the results can be made more dependable and reliable (Kothari, 2004;Cohen et al., 2007;Saunders et al., 2009).

Data Processing and Analysis
The collected quantitative data were assessed using descriptive statistics including frequency, mean, median, mode and standard deviation.An SPSS table was used to display the results.The multiple linear regression analysis was used determine the link between independent variables and outcome variable.This method also allowed researchers to examine the variance of the model together with the proportional contributions of each independent variable to the overall variance.Before data analysis exercise, researchers tested the assumptions of multiple linear regression analysis.Normality test was performed by developing the normal distribution table and assessed kurtosis and skewness.The finding revealed that, values were within range (i.e., greater, or equal to -2 and less or equal to 2), as suggested by Hair et al. (2010).Researcher also developed and assessed histogram, which also showed that collected data was normally distributed.Linearity test was also performed using the analysis of the graphs produced by the use of SPSS IBM version 25, in which linear correlation was observed between the variables.Thus, the finding revealed that, there was a linear relationship between variables.
Researcher created and analysed scattered plots using SPSS IBM version 25 to test for homoscedasticity as suggested by Hair et al. (2010).The result revealed that, homoscedasticity assumption was met.To test for multicollinearity assumption, the researchers examined variance inflation factor (VIF) and tolerance value.The variance inflation factors (VIF<3) revealed the absence of multicollinearity.Tolerance values were acceptable when ranged between 0 and 1.The condition index indicated that all variables were < 4.

Validity and Reliability
In this study, content validity index (CVI) was used to check validity of the tool.The mean CVI for the study was 0.802, hence the value was higher than 0.70.Constructs validity was maintained by restricting the question to the conceptualization of the variables and ensuring that the metrics for a given variable fit within the same construct.A cronbach's alpha was used to test reliability of the study.The finding revealed that cronbach's alpha was 0.782, 0.747 and 0.832 which is higher than 0.70.Hence, the data was reliable.

Sample Description
Under the sample description, five demographic characteristics were assessed; namely gender, age, education level, occupation and working experience (see Table 3).The proportion of male and female respondents was almost the same.The highest group was those with the age between 20-30 years who constituted 40%.The finding revealed that more than 50% of respondents had bachelor degree level of education and above.The working experience result indicated that the majority of the participants have been working in the hospitals for more than 5 years.Hence, participants had enough knowledge on security issues on electronic health records.

Descriptive Statistics Results
The descriptive result revealed that respondents had perception that automated measurement has a moderate effect on security of electronic health records as indicated in Table 4.This is apparent from the total composite score mean of automated measurement, which had approximately 9.56 hence fall under the moderate range of 2-25 as formulated in this study (see Table 4).This result justifies the need for automated security measures to ensure security of electronic health records.
When reporting tools and dashboards assessed, the mean value was 7.19, which fall in the moderate range as established by this study (see Table 4).This implies that, respondent had perception that reporting tools and dashboards had moderate effect on the security controls of electronic health records.Moreover, the finding revealed that, alerting and tracking tools had a total mean value of 4.25 indicating that alerting and tracking tools had moderate effect on security of electronic health records.Generally, this finding implies that, continuous security monitoring moderately affects security controls in electronic health records in Tanzanian public hospitals.

Correlation Analysis
The study conducted correlation analysis using Pearson correlation to determine the relationship between two or more variables or datasets in a single group.The result displayed in Table 5 indicates that all of the correlations were significant at 0.01 significance level.The automated measurement 0.453, reporting tools and dashboards 0.489 and alerting and tracking tools 0.158.Thus, this the result indicates that continuous security monitoring has a positive and statistically significant relationship with security controls of electronic health records in Tanzanian public hospitals.Specifically, this means continuous security monitoring practices have a moderate positive significant effect on security controls of electronic health records.

Regression Analysis
The multiple linear regression analysis was used to determine the effects of continuous security monitoring on the security of electronic health records.The coefficient of determination (R 2 ) indicated in a model summary shows the proportional of the outcome variable variance that can be predicted from the predictor variables.On the other hand, the correlation coefficient (r) shows the strength of the relationship between dependent and independent variables.
The level of significant of each regression coefficient was reported in the study findings and tabulated in Table 7, the result shows that both had statistically significant coefficient.A unit increase in automated measurement will account for 40.3% of positive variances in security control of EHRs, while reporting tools and dashboard will account for 24.1% of positive variances in security control of EHRs and alerting and tracking tools will account for 71.1% of positive variances in security control of EHRs.
The study's hypothesised relationship between the independent and dependent variables was subjected to the test.The study hypothesis stated that: Ho1: Continuous security monitoring has no effect on security controls of electronic health records in Tanzanian public hospitals".The beta coefficient for the effect of continuous security monitoring on security controls of electronic health records in Tanzanian public hospitals was 0.171, 0.351 and 0.124 and the significance level was p= 0.030, 0.000 and 0.014 respectively.The study rejected the null hypothesis.Therefore, again it can be concluded that continuous security monitoring is statistically significant in affecting security controls of EHRs because all p-values was smaller than the 0.05 limit.

DISCUSSION
The results revealed that continuous security monitoring has been agreed to positively affect security controls of electronic health records in Tanzanian public hospitals.This means that having automated measurement, reporting tools and alerting and tracking systems enhance security controls of EHRs in Tanzanian public hospitals.The respondents moderately agreed that continuous security monitoring affect security of EHRs as their response had a mean score of 2.3 to 4.3.The finding is similar to those found by Yash (2017) which reported a significant positive effect between continuous security monitoring practices and security controls in an organization.Abiola & Oyewole (2013) corroborates this finding that monitoring and control activities had positive and significant effects on fraud detection in Nigeria's commercial banks with a P-value of 0.000, 0.005, 0.005, 0.000 and 0.004.Despite the fact that this finding were obtained in banking industry, it can be related to the healthcare industry as patient's information is sensitive as the personal data in the banking industry.
The study conducted by Ellen (2019) was also in line with findings of this study that continuous monitoring has positive effects on the security controls as it helps to automatically block any events that infringe the organizations security policies, data encryption and other protective activities.The respondents agreed that public hospitals had continuous security monitoring however, low level of continuous security monitoring was identified.They insisted on improving security automation, reporting tools and alerting and tracking tools for proper security controls in electronic health record systems.The study found that continuous security monitoring influence security controls of EHRs in a positive significant way, the effects was up to 26.8% hence, effective mechanisms for ensuring continuous security monitoring should not underestimated.

CONCLUSION AND RECOMMENDATIONS
Based on the findings, this paper concludes that continuous security monitoring has a positive and significant effect on the security controls of electronic health records in Tanzanian public hospitals.The Tanzanian public hospitals still have low level of continuous security monitoring due low level of technologies employed in the hospitals.When there is strengthens in continuous security monitoring security controls of electronic health records can be ensured to be effective for more than 25%.
It is therefore recommended that public hospitals should improve its investment on continuous security monitoring practices by the use of automation techniques like antivirus software, intrusion detection and intrusion prevention systems, window firewalls, file encryption, biometrics, audit trail log.The hospitals should combine automatic tools because these tools have different capabilities; for example, intrusion prevention system (IPS) can detect and identify attacks that a firewall and antivirus software cannot detect.
The public hospitals should allocate enough budget for continuous security monitoring including budget for automated infrastructure, regular staff training and awareness on different automated tools.
Further, the hospital management should increasingly and continuously pursue standards and procedures that ensure continuous security monitoring are not compromised with budget availability to ensure security controls is achieved on electronic health records.
This study revealed that continuous security monitoring affect security control of EHRs in Tanzanian public hospitals with other factors, the future study can be conducted to focus on other factors which affect security of EHRs and its significant on security controls of EHRs.Similarly, the future studies can focus on both private and public hospitals to get a broader perspective of the subject under the study. https://doi.org/10.37284/2707-4269

Figure 1 :
Figure 1: Histogram for the Standardized Residual of continuous security monitoring

Table 6 : Model Summary Model R R Square Adjusted R Square Std. Error of the Estimate Change Statistics R Square Change F Change df1 df2 Sig. F Change
Predictors: (Constant), Alerting tracking tools, Reporting tools and dashboard, Automated measurement Security controls of EHRs