Analysis of security culture among companies connected to Helsenett services.

Helsenett is the provider of the national health network in Norway, which transmits all health data. Institutions connected to Helsenett must comply with a set of rules for Information Security, which include governance and a culture of good data practices in companies.

In two projects, I-Trust has used the KFE method to evaluate practices in companies. Helsenett received data-driven knowledge and advice on focus areas in relation to connected businesses.

KFE is a method that verifies whether employees have received, understood and can work according to rules, and is an expression of:

• Knowledge and understanding of the need for
• Policies and guidelines
• and the will to comply with it

Read more about the KFE method here

Measures of employee knowledge and focus on information security included:

• How good is the organisation at working with safety rules and instructions?
• How well are the rules organised in terms of work processes?
• Are the rules communicated effectively to employees and others who use them?
• Are the rules designed so that different types of employees can understand and use them?

The recommendations of the conclusion are divided into an overall level of knowledge, understanding and compliance In addition, conclusions were drawn in relation to security behaviour around email use, employees’ general approach to data, use of the Internet, external and internal factors For employees, it was seen, for example, that the clearer the organisation sets out the framework and objectives, the more employees become familiar with the safety rules.

The KFE survey helped Helsenett and participating organisations to:

Demonstrate results of awareness and capacity building efforts

A measurable demonstration of how the programme had an “impact”

Making the ‘non-measurable’ – measurable

With the reports, the municipalities have obtained measurable data in an area where they previously did not have the opportunity.

Areas in need of attention

Reporting for each municipality allows targeting of areas where additional efforts are needed.

A comprehensive package of recommendations and implementation actions was delivered to Helsenett, along with a detailed report of the study and its findings and conclusions.