Information security policies in the UK healthcare sector: a critical evaluation

All organisations must take active steps to maintain the security and integrity of their information resources, and nowhere is this strategy more critical than in hospitals where issues of information accuracy and patient confidentiality are paramount. Of all the tools at the information security manager's disposal, none is more widely valued and used than the information security policy. Much research therefore concentrates on the way in which information security policies contribute to the protection of systems from internal and external threats. Such work is legitimate and important, but it often fails to explore alternative views of security and related policies. Against this backdrop, this paper seeks to provide novel insights into the role and purpose of information security policies by reviewing them through a critical theoretical lens. It presents the results of a critical discourse analysis which looked for evidence of ideology and hegemony within a sample of information security policies from the UK's National Health Service. The findings support the contention that an alternative description of information security policies from a critical perspective provides better insights into existing problems than most mainstream work. The paper concludes by discussing the implications of the findings and future research avenues.