Overview of proposed research: presents background, findings of literature review, and proposed methodology

1. Access to e-resources within the NHS in
England: the role and impact of organisational
culture, information governance,
and IT strategy
Catherine Ebenezer
Health Informatics
Supervisor: Professor Peter Bath
02/10/13
1

2. • Introduction and background
• Literature review findings
• Methodology and proposed methods
• Research ethics and governance
• Timescales and plan
2

3. • LIS Manager in mental health NHS FT 2008-2012
• Variety of technological barriers / hindrances to information
seeking, teaching and learning, clinical practice
– ascribed variously to:
• Information governance
• Information security
• IT infrastructure policies and practices
• Blocking of ‘legitimate’ websites
• Obstacles to use of particular content types and applications
• Social media / Web 2.0 a particular problem
• Implications?
3

4. • Information governance (IG): (Cayton, 2006)
• “The structures, policies and practice of the DH, the NHS
and its suppliers to ensure the confidentiality and security
of all records, and especially patient records, and to
enable the ethical use of them for the benefit of individual
patients and the public good”.
• Information security (IS): (Anderson, 2003)
• “A well-informed sense of assurance that information
risks and controls are in balance.”
4

5. Policy support in English NHS for evidence-based
practice:
• All NHS staff to have access to the evidence base of
health care via the web (Information for health, 1998)
• NHS Evidence (High quality health for all, 2008)
• Evidence-based practice a pillar of clinical governance
(NHS quality improvement system)
• Health professions’ regulatory bodies set requirements
for keeping up to date
5

6. Strategic support in English NHS for e-learning:
• Framework for technology-enhanced learning, 2011
• Establishment of governance structures
• Development of content at national and local level
• Facilities for checking suitability of local PC infrastructure
• Much e-learning content also produced by HEIs,
professional bodies
• Wide range of delivery methods and content types
• Role of NHS libraries
6

7. • Information Governance Statement of Compliance (IGSoC)
variously interpreted (Blenkinsopp, 2008)
• NHS the locus of much teaching and research – not
recognised?
• IS policies and practices cf. organisational values
• Dominance of IG agenda – narrow view of business need
• Health and Social Care Information Centre (HSCIC) not
communicating proactively to NHS staff
• Web 2.0 and social media issues poorly understood –– access
usually blocked within trust network perimeter
• Inadequate input into trust IT and business
planning processes by LIS, workforce development
professionals
7

8. • NHS-HE Forum and Connectivity Project
• Commissioned report on educational use of social media from
specialist - eventually published as:
Lafferty, N. (2013). NHS-HE connectivity project: Web 2.0 and
social media in education and research. London: NHS-HE Forum.
At https://community.ja.net/groups/nhs-he-forum-connectivity-project
• Strategic Health Authority Library Leads IT subgroup
• Carried out survey of NHS library managers to map nature and
extent of resource access problems (mid-2008)
• Established centralised, regularly updated whitelist of websites
“never to be blocked within the NHS”
8

9. To investigate the possible relationship between stated
policy regarding evidence-based practice and professional
learning and the actual provision of computing facilities and
IT security policy and practice within NHS trusts in England.
More specifically:
1) the impacts that inadequate functionality and restrictions on access
to information facilities have on professional information-seeking,
learning and clinical practice
2) the practices, attitudes, values, and presuppositions of the relevant
staff regarding information-seeking and business need which bear on
how information security (i.e. of networks and devices) is implemented
9

10. Main areas:
• Information behaviour
• Multi-professional studies
• Doctors
• Nurses
• Health services managers
• Others
• Organisational culture and subcultures, IT staff
subcultures
• NHS information governance, information security
• Risk management
10

11. Leckie, Pettigrew and Sylvain (1996) model of (individual)
professional information behaviour
• Work roles and their associated tasks the primary
motivation of information-seeking
• Information-seeking shaped by variables relating to:
11
• Demographics
• Organisational context
• Frequency
• Predictability
• Sources – formal and informal
• Source preferences
• Awareness of sources
• Perceived accessibility of sources
• Familiarity
• Timeliness
• Previous successful use
• Cost

12. 12
Leckie, Pettigrew and Sylvain’s model of professional information behaviour
From Leckie & Pettigrew, 1997, p. 100

13. General findings
• Wide variations by professional group in
• Cultural attitudes to information-seeking
• Access to and use of the Internet
• Preferences for types of resources consulted
• Overall moderate online information resource usage
• Use of Google is ubiquitous
• Obstacles to information-seeking frequently cited
• Lack of time
• Lack of training in conducting searches
• Shortage of computer facilities (nurses)
13

14. • Little agreement on definitions of organisational culture
• “The way things are done around here” ???
• Schein’s account (1985, 1996) best known / widely cited
within information security literature:
• Organisational culture (OC) operates at three levels:
• Deep tacit assumptions - invisible
• Espoused values and the norms that derive from
them – more recognisable, especially when
challenged
• Day-to-day behaviour and artifacts – visible, but
often indecipherable
14

15. • Definition of subculture:
“A subset of an organization’s members that identify
themselves as a distinct group within the organization and
routinely take action on the basis of their unique collective
understandings.” (Hatch, 2006)
• May reflect shared professional or other identities
• Can create “silos” and barriers to effective communication and
teamwork
• Occupational communities a particular type of occupational
subculture (Van Maanen & Barley, 1982);
• IT staff fulfil criteria (Duliba & Baroudi, 1991)
• Differences among occupational subcultures can lead to
organisational conflict and dysfunction (Trice, 1993)
15

16. Occupational subgroups characterised by:
• Consciousness of kind
• Pervasiveness of norms
• Abundance of cultural forms
• Ethnocentrism and feelings of superiority
towards other groups
• Esoteric knowledge
• Being subject to extreme demands
• Complaints about members of other subcultures
(Trice, 1993)
16

17. • IT staff form a distinct occupational subculture - they displayed
Trice’s (1993) characteristic signs (Guzman et al., 2004)
• Feelings of superiority reinforced by the technical vocabulary of IT
• Tendency to blame end-users for systems failures
• Distrust / negative stereotyping of end-users:
• “technophobic”
• “difficult to communicate with”
• “ignorant of technical priorities”
• Desire to restrict end-user functionality in an effort to retain control
of systems
• Cf. “Users are the weakest link” (Schneier, 2000)
17

18. • Web application security
• Network perimeter and end-point security
measures
• Information governance and security
within the NHS
• Structures
• Standards
18

19. • Definitions of risk
• No agreed definition! (Renn, 1998, cited by Joffe, 2003)
• “The probability of an event combined with the magnitude of the
losses and gains that it will entail”
• “Danger from future damage” (Douglas, 1994)
• Theories of risk / factors influencing risk assessment
• Cultural hypothesis (Douglas & Wildavsky, 1982)
• Social amplification of risk framework (Kasperson, 1988)
• Risk perception and communication research within cognitive and
social psychology (reviewed by Taylor-Gooby & Zinn, 2006)
• Risk homeostasis theory (Wilde, 1998)
• Social representation of risk theory (Moscovici, 1988)
19

20. • Plan|Do|Check|Act cycle:
Assess risks | treat risks | monitor and report risks | identify
risks
• Threat landscape is complex and evolving rapidly
• Judgments in both qualitative and quantitative risk analysis
methods are uncertain (Gerber & von Solms, 2005)
-- therefore a subjective process
• Relationships between risks, vulnerabilities, threats and
security measures can be complex (Bojanc et al., 2012)
• Trade-off between security and functionality
(Besnard & Arief, 2004)
• Precautionary in character and commercially driven
(Stewart, 2004); attitudes subject to groupthink? (Rose, 2011)
20

21. Rationale
• Employers’ legal liability for:
• Clogging of network bandwidth by non-work related use
• Wasted staff time
• Importance of acceptable use policies (AUPs)
21
• Hacking
• Discrimination
• Fraud
• Breaches of the
Data Protection Act
• Possession and distribution of illegal
pornography, other obscene or racially
inflammatory material
• Racial or sexual harassment
• Defamation of managers, customers etc.
• Copyright infringement, software piracy

22. Technologies
• Devices
• Web security gateways, application proxy firewalls,
deep packet inspection firewalls
• Approaches
• Labelling
• Blacklisting / whitelisting
• Content analysis / classification techniques
• Evaluation methods
• NB trade-off between percentages of true and false positives
- i.e. over-blocking
22

23. Impacts
• Prince, Kass & Klaber (2010) survey:
Medical e-resource availability (22 titles) in 37 NHS trusts
• “Shouldn’t we be managing the risks more effectively in order to
allow learners the freedom to use IT resources
to better effect?”
• “… of its nature intrusive and disruptive” (Gomez Hidalgo, 2009)
• Denial of autonomy
• Form of censorship – problem for librarians
• Inaccurate – over-blocking / false positives
• Problematic in respect of health information
• Low staff morale – demotivation / alienation
23

24. 24
77
57
51
69
35
25
11
9
0 10 20 30 40 50 60 70 80 90
Social networking applications
Wikis and blogs
Communication tools
Discussion forums
Webmail
E-journals*
E-books*
Online databases
% of trusts
SHALL IT subgroup survey of NHS librarians (2008)
*’core content’
or locally
purchased
Impacts

25. Information behaviour
• Heterogeneity between professions
• Very little direct consideration of time frames or degrees of urgency
in seeking information, though time factors frequently discussed
indirectly
• Information-seeking does not feature as an aspect of clinical or
professional autonomy – no parallel with academic freedom
• Technical obstacles to information-seeking nowhere discussed in
sufficient detail to be informative
• Link between negative attitudes to the Internet and to information-
seeking and poor levels of access
• “Cyber-bureaucrat” view of web use (Anandarajan et al., 2006)
may be widespread and extend to all forms of use
25

26. Organisational culture / information security / risk management
• Very few studies directly addressing the research questions
(Kolkowska, 2011, closest in aim and method)
-- an exploratory approach is required
• Many wider issues:
• Management of information security risks: technical and organisational
aspects
• Strategic planning of NHS information technology
• Organisational politics / subcultures / professional agendas
• Values: organisational / professional / cultural
• Cultural attitudes to information-seeking
• Paradigmatic differences underlying concepts of risk
26

27. 1. What is the current extent of information access problems?
2. To what extent is information seeking encouraged or
supported as a legitimate component of professional work /
as an aspect of professional autonomy and judgement? How
does this relate to overall culture, values and priorities?
3. What approach is taken to the strategic management of
information technology infrastructure?
4. How are risks managed that relate to the security of
information technology, in the context of overall risk
management?
5. What issues for the accessibility of information within the
English NHS are posed by current approaches to IT
infrastructure management and to information risk?
27

28. Exploratory case study
• Unit(s) of analysis
• One or more NHS trusts
• Methods
• Semi-structured interviews with key informants (15+ per trust)
• selected via purposive / snowball sampling
• representing a variety of perspectives:
• Library and information
• Information governance
• Network security and PC support
• Human resources, workforce development
• Communications
28

29. Exploratory case study
• Methods (cont’d)
• Telephone interviews with representatives of information providers
• Explore technical problems encountered in setting up access to
e-resources for NHS customers
• Documentary analysis
• Policies and strategies: IT, LIS, workforce development,
information governance, Internet AUP
• Network topology / N3 connections / security devices
• Q-methodology (if time allows)
• Investigate further the attitudes of information security and
information governance staff to online information-seeking
• Q-sort statements previous interviews,
literature review
29

30. Exploratory case study
• Assuring validity
• Integration of methods/triangulation: multiple vantage points,
comprehensiveness
• Member checking of transcriptions and analysis
• Need to develop:
• Interview guide(s)
• (Simple) data management plan
• Field notes
• Reflective diary
(Simons, 2009; Thomas, 2011; Yin, 2009)
• Data analysis
• Framework analysis - a possible approach (Ritchie & Spencer, 1994)
30

31. • NHS Research Ethics Committee approval not required
• Does require local NHS trust research governance approval
• Ethical issues are those of social research in general:
• Efficacy of design
• Excellent treatment of individuals
• Transparency of process
• Plausibility of products (Savin-Baden & Major, 2013)
• Safeguard interests of interview respondents:
• Data protection
• Provide clear information about study
• Fairly obtain and record informed consent
• Manage data securely
• Ensure anonymity of participants and organisation
• Disseminate findings in accordance with copyright law
• Information security a sensitive subject!
31

32. Activity Deliverable
September 2013
Develop methodology chapter
Submit School ethics application
Prepare for research presentation and viva
Presentation
October 2013
Submit ethics application to Information
School
Submit research governance application to
NHS trust(s) research governance depts.
Completed ethics application to
Information School
Ethics application paperwork for NHS
trust research governance depts.
First complete draft of literature
review
November 2013 Data collection and analysis – phase 1:
Arrange interviews
Develop interview guide
Conduct interviews
Transcribe interviews
Analyse interview data
First draft of methodology chapterDecember 2013
January 2014
February 2014
32

33. Activity Deliverable
June 2014
Write up chapter 4 Thesis chapter 4
July 2014
August 2014
Plan and design data collection phase 2September 2014
October 2014
November 2014 Submit ethics application
(if required)
December 2014 Data collection and analysis – phase 2:
as indicated
e.g. further interviews,
Q-sort
January 2015
February 2015
March 2015
April 2015
May 2015
Write up additions to chapter 4
June 2015
July 2015 Thesis draft to PB
August 2015 Revising thesis draft
September 2015 Submit thesis Thesis final draft
33

34. Questions?
Catherine Ebenezer
lip12cme@sheffield.ac.uk
http://www.mendeley.com/profiles/catherine-ebenezer1/
34

35. • Anandarajan, M., Paravastu, N., & Simmers, C. A. (2006). Perceptions of personal web usage in
the workplace: Q-methodology approach. CyberPsychology and Behavior, 9(3), 325–35.
• Anderson, J. (2003). Why we need a new definition of information security. Computers and Security
22(4), 308-313.
• Besnard, D., & Arief, B. (2004). Computer security impaired by legitimate users. Computers and
Security, 23(3), 253–264.
• Blenkinsopp, J. (2008). Bookmarks: web blocking – giving Big Brother a run for his money. He@lth
Information on the Internet, (62), 2008.
• Bojanc, R., Jerman-Blažič, B., & Tekavčič, M. (2012). Managing the investment in information
security technology by use of a quantitative modeling. Information Processing and Management,
48(6), 1031–1052.
• Cayton, H. (2006). Information governance in the Department of Health and the NHS.
London: Care Record Development Board, Department of Health.
• Darzi, A. (2008). High quality health for all: NHS Next Stage Review final report.
London: Department of Health.
• Department of Health. (2011). A framework for technology enhanced learning.
London: Department of Health.
• Douglas, M., & Wildavsky, A. B. (1983). Risk and culture: An essay on the
selection of technological and environmental dangers.
Berkeley and Los Angeles, CA: University of California Press.
35

36. • Douglas, M. (1994). Risk and blame: essays in cultural theory. London: Routledge.
• Duliba, K. A., & Baroudi, J. (1991). IS personnel: do they form an occupational community?. ACM
SIGCPR Computer Personnel, 13(2), 24-35.
• Elejabarrieta, F. (1994). Social positioning: a way to link social identity and social
representations. Social Science Information, 33(2), 241–253.
• Fidel, R., Pejtersen, A. M., Cleal, B., & Bruce, H. (2004). A multidimensional approach to the study
of human-information interaction: a case study of collaborative information retrieval. Journal of the
American Society for Information Science and Technology, 55(11) 939-953
• Gerber, M., & von Solms, R. (2005). Management of risk in the information age. Computers and
Security, 24(1), 16–30.
• Guzman, I. R., Stanton, J. M., Stam, K. R., Vijayasri, V., Yamodo, I., Zakaria, N., & Caldera, C.
(2004). A qualitative study of the occupational subculture of information systems employees in
organizations. In SIGMIS (Vol. 1). Tucson, AZ.
• Hatch, M. J. (2006). Organization theory: modern, symbolic and postmodern perspectives (2nd
ed.). New York: Oxford University Press.
• Jasanoff, S. (1998). The political science of risk perception. Reliability Engineering & System
Safety, 59(1), 91-99.
• Kasperson, R. E., Renn, O., Slovic, P., Brown, H. S., Emel, J., Goble, R., … Ratick, S. (1988). The
social amplification of risk: a conceptual framework. Risk Analysis, 8(2), 177–187.
36

37. • Kolkowska, E. (2011). Security subcultures in an organization - exploring value conflicts. ECIS 2011
Proceedings.
• Kummerow, E. H., & Innes, J. M. (1994). Social representations and the concept of organizational
culture. Social Science Information, 33(2), 255–271.
• Lafferty, N. (2013). NHS-HE connectivity project: Web 2.0 and social media in
education and research. Retrieved from
https://community.ja.net/groups/search/NHS-HE%2520forum
• Leckie, G. J., Pettigrew, K. E., & Sylvain, C. (1996). Modeling the information
seeking of professionals: a general model derived from research on engineers, health care
professionals, and lawyers. The Library Quarterly, 66(2), 161–193.
• Martin, J., Frost, P. J., & O’Neill, O. A. (2006). Organizational culture: beyond struggles for
intellectual dominance. In S. R. Clegg, C. Hardy, T. B. Lawrence, & W. R. Nord (Eds.), The Sage
handbook of organization studies (2nd ed., pp. 725–753). London: Sage.
• Moscovici, S. (1988). Notes towards a description of social representations. European Journal of
Social Psychology, 18, 211–250.
• NHS Executive. (1998). Information for health: an information strategy for the modern NHS 1998-
2005.
• Prince, N. J., Cass, H. D., & Klaber, R. E. (2010). Accessing e-learning and
e-resources. Medical Education, 44(436-437).
37

38. • Reddy, M. & Dourish, P. (2002). A finger on the pulse: temporal rhythms and information
seeking in medical work. Proceedings of the Conference on Computer Supported
Collaborative Work, 344-353. New Orleans, LA: ACM.
• Resnick, P., Richardson, C., & Hansen, D. (2002). See no evil: how internet filters affect the
search for online health information. Menlo Park, CA. Retrieved from www.kff.org
• Resnick, P. J., Hansen, D. L., & Richardson, C. R. (2004). Calculating error rates for filtering
software. Communications of the ACM, 47(9), 67-71
• Ritchie, J. & Spencer, E. (1994). Qualitative data analysis for applied policy research (pp.
173-194). In Bryman, A. & Burgess, R. G. (Ed.), Analyzing qualitative data. London:
Routledge.
• Rose, J. D. (2011). Diverse perspectives on the groupthink theory – a literary review.
Emerging Leadership Journeys, 4(1), 37 – 57.
• Savin-Baden, M., & Major, C. H. (2013). Qualitative research: the essential guide to
theory and practice. London: Routledge.
• Schein, E. H. (1985). Organizational culture and leadership. San Francisco, CA: Jossey-Bass.
• Schein, E. H. (1996). Three cultures of management: the key to organizational learning. Sloan
Management Review, 38(1), 9–20.
• Simons, H. (2009). Case study research in practice. London: Sage
38

39. • Stewart, A. (2004). On risk: perception and direction. Computers and Security, 23(5), 362–
370.
• Taylor-Gooby, P., & Zinn, J. O. (2006). Current directions in risk research: new
developments in psychology and sociology. Risk Analysis, 26(2), 397–411.
• Technical Design Authority Group. (2008). TDAG survey of access to electronic resources in
healthcare libraries. London: TDAG.
• Thomas, G. (2011) How to do your case study. London: Sage.
• Trice, H. M. (1993). Occupational subcultures in the workplace. Ithaca, NY: ILR Press.
• Vaast, E. (2007). Danger is in the eye of the beholders: social representations of information
systems security in healthcare. The Journal of Strategic Information Systems, 16(2), 130–
152.
• Van Maanen, J., & Barley, S. R. (1982). Occupational communities: culture and control in
organizations (Report no. TR-ONR-10). Cambridge, MA: Alfred P. Sloan School of
Management.
• Wilde, G. J. S. (1998). Risk homeostasis theory: an overview. Injury Prevention, 4, 89–91.
• Yin, R. K. (2009). Case study research: design and methods (4th ed., Vol. 5).
Thousand Oaks, CA: Sage.
39