Abstract
There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Kotz, D., Gunter, C.A., Kumar, S., Weiner, J.P.: Privacy and security in mobile health: a research agenda. Computer (Long Beach Calif) 49, 22–30 (2016). https://doi.org/10.1109/MC.2016.185
Burns, A.J., Johnson, M.E., Honeyman, P.: A brief chronology of medical device security. Commun. ACM 59, 66–72 (2016). https://doi.org/10.1145/2890488
Coulter, A., Roberts, S., Dixon, A.: Delivering Better Services for People with Long-Term Conditions. Building the House of Care (2013)
Hedström, K., Karlsson, F., Kolkowska, E.: Social action theory for understanding information security non-compliance in hospitals the importance of user rationale. Inf. Manag. Comput. Secur. (2013). https://doi.org/10.1108/IMCS-08-2012-0043
Shenoy, A., Appel, J.M.: Safeguarding confidentiality in electronic health records. Camb. Q. Healthc. Ethics 26, 337–341 (2017). https://doi.org/10.1017/S0963180116000931
Coventry, L., Branley, D.: Cybersecurity in healthcare: a narrative review of trends, threats and ways forward. Maturitas 113, 48–52 (2018). https://doi.org/10.1016/j.maturitas.2018.04.008
Systems shut down in Victorian hospitals after suspected cyber attack (2019). https://www.theguardian.com/australia-news/2019/oct/01/systems-shut-down-in-victorian-hospitals-after-suspected-cyber-attack
Albert, M: Why do we need to wait for people to be hurt?. Medical cyber attacks soar 1400%. In: SFGate (2019). https://www.sfgate.com/healthredesign/article/medical-cyber-attacks-terrorism-hospital-health-13853912.php. Accessed 11 Oct 2019
Kam, R.: The human risk factor of a healthcare data breach - Community Blog. In: Heal. IT Exch (2015). https://searchhealthit.techtarget.com/healthitexchange/CommunityBlog/the-human-risk-factor-of-a-healthcare-data-breach/. Accessed 10 Apr 2018
Scott, M., Wingfield, N.: Hacking attack has security experts scrambling to contain fallout (2017). https://www.nytimes.com/2017/05/13/world/asia/cyberattacks-online-security-.html
National Audit Office: Investigation: WannaCry cyber attack and the NHS (2018)
Sussman, B.: Doctors Quitting Due to Ransomware Attacks. In: SecureWorld (2019). https://www.secureworldexpo.com/industry-news/are-doctors-quitting-after-ransomware-attacks. Accessed 30 Jan 2020
Zimmermann, V., Renaud, K.: Moving from a “human-as-problem” to a “human-as-solution” cybersecurity mindset. Int. J. Hum Comput Stud. 131, 169–187 (2019). https://doi.org/10.1016/j.ijhcs.2019.05.005
Boyce, M.W., Duma, K.M., Hettinger, L.J., et al.: Human performance in cybersecurity: a research agenda. In: Proceedings of the Human Factors and Ergonomics Society 55th Annual Meeting, pp 1115–1119 (2011)
Hall, L.H., Johnson, J., Watt, I., et al.: Healthcare staff wellbeing, burnout, and patient safety: a systematic review. PLoS One 11, e0159015 (2016). https://doi.org/10.1371/journal.pone.0159015
Hall, L.H., Johnson, J., Heyhoe, J., et al.: Exploring the impact of primary care physician burnout and well-being on patient care. J. Patient Saf. 1 (2017). https://doi.org/10.1097/PTS.0000000000000438
Johnson, J., Hall, L.H., Berzins, K., et al.: Mental healthcare staff well-being and burnout: a narrative review of trends, causes, implications, and recommendations for future interventions. Int. J. Ment. Health Nurs. 27, 20–32 (2018). https://doi.org/10.1111/inm.12416
Bridgeman, P.J., Bridgeman, M.B., Barone, J.: Burnout syndrome among healthcare professionals. Am. J. Heal. Pharm. 75, 147–152 (2018). https://doi.org/10.2146/ajhp170460
Zaccaro, S.J., Dalal, R.S., Tetrick, L.E., et al.: The psychosocial dynamics of cyber security: an overview. In: Psychosocial Dynamics of Cyber Security. Routledge, pp 31–42 (2016)
Blythe, J.M.: Cyber security in the workplace: understanding and promoting behaviour change. In: Proceedings of CHI 2013 Doctoral Consortium (2013)
Vossler, A., Moller, N., Braun, V., et al.: How to use thematic analysis with interview data. In: The Counselling and Psychotherapy Research Handbook (2017)
Williams, B.: The dangers of password sharing at work. In: TechRadar (2019). https://www.techradar.com/news/the-dangers-of-password-sharing-at-work. Accessed 14 Oct 2019
Caldwell, F.: Why Sharing Passwords Is Now Illegal And What This Means for Employers And Digital Businesses (2016)
Zahabi, M., Kaber, D.B., Swangnetr, M.: Usability and safety in electronic medical records interface design: a review of recent literature and guideline formulation. Hum. Factors 57, 805–834 (2015). https://doi.org/10.1177/0018720815576827
Johnston, M.J., King, D., Arora, S., et al.: Smartphones let surgeons know WhatsApp: An analysis of communication in emergency surgical teams. Am. J. Surg. (2015). https://doi.org/10.1016/j.amjsurg.2014.08.030
Coventry, L., Branley-Bell, D., Magalini, S., et al.: Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour (2020)
Sawyer, B.D., Hancock, P.A.: Hacking the human: the prevalence paradox in cybersecurity. Hum. Factors 60, 597–609 (2018). https://doi.org/10.1177/0018720818780472
Briggs, P., Jeske, D., Coventry, L.: Behavior change interventions for cybersecurity. In: Behavior Change Research and Theory: Psychological and Technological Perspectives, pp 115–136. Academic Press (2017)
Witte, K., Allen, M.: A meta-analysis of fear appeals: Implications for effective public health campaigns. Heal Educ. Behav. 27, 591–615 (2000). https://doi.org/10.1177/109019810002700506
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Coventry, L. et al. (2020). Cyber-Risk in Healthcare: Exploring Facilitators and Barriers to Secure Behaviour. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science(), vol 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_8
Download citation
DOI: https://doi.org/10.1007/978-3-030-50309-3_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50308-6
Online ISBN: 978-3-030-50309-3
eBook Packages: Computer ScienceComputer Science (R0)