Cyber-Risk in Healthcare: Exploring Facilitators and Barriers to Secure Behaviour

There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.

[1]  Ian Watt,et al.  Exploring the Impact of Primary Care Physician Burnout and Well-Being on Patient Care: A Focus Group Study , 2017, Journal of patient safety.

[2]  Noa Segall,et al.  Faculty of 1000 evaluation for Usability and safety in electronic medical records interface design: A review of recent literature and guideline formulation. , 2015 .

[3]  Ben D. Sawyer,et al.  Hacking the Human: The Prevalence Paradox in Cybersecurity , 2018, Hum. Factors.

[4]  Mary Barna Bridgeman,et al.  Burnout syndrome among healthcare professionals. , 2018, American journal of health-system pharmacy : AJHP : official journal of the American Society of Health-System Pharmacists.

[5]  P. Briggs,et al.  Behavior Change Interventions for Cybersecurity , 2017 .

[6]  Carl A. Gunter,et al.  Privacy and Security in Mobile Health: A Research Agenda , 2016, Computer.

[7]  M. Allen,et al.  A Meta-Analysis of Fear Appeals: Implications for Effective Public Health Campaigns , 2000, Health education & behavior : the official publication of the Society for Public Health Education.

[8]  Jacob M. Appel,et al.  Safeguarding Confidentiality in Electronic Health Records , 2017, Cambridge Quarterly of Healthcare Ethics.

[9]  Reeshad S. Dalal,et al.  Psychosocial Dynamics of Cyber Security , 2016 .

[10]  John Baker,et al.  Mental healthcare staff well‐being and burnout: A narrative review of trends, causes, implications, and recommendations for future interventions , 2018, International journal of mental health nursing.

[11]  Peter Honeyman,et al.  A brief chronology of medical device security , 2016, Commun. ACM.

[12]  Karin Hedström,et al.  Social action theory for understanding information security non-compliance in hospitals: The importance of user rationale , 2013, Inf. Manag. Comput. Secur..

[13]  Jerome Billeter,et al.  Delivering better services for people with long term conditions , 2013 .

[14]  Andreas Vossler,et al.  The Counselling and Psychotherapy Research Handbook , 2014 .

[15]  A. Darzi,et al.  Smartphones let surgeons know WhatsApp: an analysis of communication in emergency surgical teams. , 2015, American Journal of Surgery.

[16]  John M. Blythe Cyber Security in the Workplace: Understanding and Promoting Behaviour Change , 2013, CHItaly.

[17]  Virginia Braun,et al.  How to use thematic analysis with interview data (process research) , 2014 .

[18]  Ian Watt,et al.  Healthcare Staff Wellbeing, Burnout, and Patient Safety: A Systematic Review , 2016, PloS one.

[19]  Karen Renaud,et al.  Moving from a 'human-as-problem" to a 'human-as-solution" cybersecurity mindset , 2019, Int. J. Hum. Comput. Stud..

[20]  L. Coventry,et al.  Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. , 2018, Maturitas.

[21]  Linda Little,et al.  Behavior Change Research and Theory: Psychological and Technological Perspectives , 2016 .