The Health Information System (HIS) has been implemented in Malaysia since the late 1990s. HIS is an integration of several hospitals' information systems to manage administrative work, patients and clinical records. Accessing HIS data through the internet makes it more vulnerable to data loss, misuse and attacks. Health data is extremely sensitive and therefore requires a high level of protection, and information security must be carefully monitored, as it plays an important role in protecting the data from being stolen or harmed. Despite the vast body of research in information security, the human factor has been neglected by the research community, with most security research focusing on the technological component of an information technology system. The human factor is still subject to attacks and is thus in need of auditing and of having any existing vulnerabilities addressed.