Your hospital needs you: Eliciting positive cybersecurity behaviours from healthcare staff
Staff behaviour plays a key role in the cybersecurity position of an organisation. Despite this, behaviour-change interventions are not commonly applied within the field of cybersecurity. Behaviour change technique could be particularly beneficial given increasing concerns around healthcare cybersecurity risks; particularly following the 2017 WannaCry ransomware attack which had devastating results on healthcare services. Cyber-risk is particularly concerning within healthcare given the criticality of medical systems and the potential impacts of a cyberbreach or attack. In worst case scenarios, cybersecurity incidents could result in patient harm or even fatalities. Whilst there has been concerted investment in improving healthcare’s technological defences against cyberthreat, the same level of investment has not been made in healthcare staff. This has left staff behaviour as a vulnerability which can be exploited by attackers. This paper introduces a structured approach to help organisations work through four key steps that we refer to as the AIDE approach to Assess, Identify, Develop and Evaluate behaviour change techniques to facilitate more secure behaviour. We include a worked example of how we are applying this approach to the development of interventions to mitigate insecure cybersecurity behaviours in a healthcare context.
Ajzen, I. (1985). From Intentions to Actions: A Theory of Planned Behavior. In Action Control. https://doi.org/10.1007/978-3-642-69746-3_2
Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179–211. https://doi.org/10.1016/0749-5978(91)90020-T
Akey, J. E., Rintamaki, L. S., & Kane, T. L. (2013). Health Belief Model deterrents of social support seeking among people coping with eating disorders. Journal of Affective Disorders, 145(2), 246–252.
Albert, M. (2019). “Why do we need to wait for people to be hurt?” Medical cyber attacks soar 1400%. Retrieved October 11, 2019, from https://www.sfgate.com/healthredesign/article/medical-cyber-attacks-terrorism-hospital-health-13853912.php
Blythe, J. M. (2013). Cyber security in the workplace: Understanding and promoting behaviour change. In Proceedings of CHI 2013 Doctoral Consortium. Retrieved from http://chitaly2013.disi.unitn.it/wp-content/uploads/2013/08/CHItaly_DC_Blythe.pdf
Coventry, L., Branley-Bell, D., Magalini, S., Mari, P., Magkanaraki, A., & Kalliopi, A. (2020). Cyber-risk in healthcare: Exploring facilitators and barriers to secure behaviour. In Lecture Notes in Computer Science.
Coventry, L., & Branley, D. (2018). Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas, 113, 48–52. https://doi.org/10.1016/j.maturitas.2018.04.008
Coventry, L., Briggs, P., & Jeske, D. (2014). SCENE: A Structured Means for Creating and Evaluating Behavioral Nudges in a Cyber Security Environment. https://doi.org/10.1007/978-3-319-07668-3_23
Dolan, P., Hallsworth, M., Halpern, D., King, D., & Vlaev, I. (2010). MINDSPACE:Influencing behaviour through public policy. Retrieved from https://www.instituteforgovernment.org.uk/sites/default/files/publications/MINDSPACE.pdf
Fishbein, M. (2008). A Reasoned Action Approach to Health Promotion. Medical Decision Making, 28(6), 834–844. https://doi.org/10.1177/0272989X08326092
Hall, L. H., Johnson, J., Heyhoe, J., Watt, I., Anderson, K., & OʼConnor, D. B. (2017).Exploring the Impact of Primary Care Physician Burnout and Well-Being on Patient Care. Journal of Patient Safety, 1. https://doi.org/10.1097/PTS.0000000000000438
Hall, L. H., Johnson, J., Watt, I., Tsipa, A., & O’Connor, D. B. (2016). Healthcare Staff Wellbeing, Burnout, and Patient Safety: A Systematic Review. PLOS ONE, 11(7), e0159015. https://doi.org/10.1371/journal.pone.0159015
Hedström, K., Karlsson, F., & Kolkowska, E. (2013). Social action theory for understanding information security non-compliance in hospitals the importance of user rationale.Information Management and Computer Security. https://doi.org/10.1108/IMCS-08- 2012-0043
Kam, R. (2015). The human risk factor of a healthcare data breach - Community Blog. Retrieved April 10, 2018, from https://searchhealthit.techtarget.com/healthitexchange/CommunityBlog/the-human-risk- factor-of-a-healthcare-data-breach/
Kelly, M. P., & Barker, M. (2016). Why is changing health-related behaviour so difficult?Public Health, 136, 109–116. https://doi.org/10.1016/j.puhe.2016.03.030
May, C., & Finch, T. (2009). Implementing, Embedding, and Integrating Practices: An Outline of Normalization Process Theory. Sociology, 43(3), 535–554. https://doi.org/10.1177/0038038509103208
Michie, S., Atkins, L., & West, R. (2014). The Behaviour Change Wheel: A Guide to Designing Interventions. London, UK: Silverback Publishing.
Michie, S., & Johnston, M. (2012, March). Theories and techniques of behaviour change: Developing a cumulative science of behaviour change. Health Psychology Review. https://doi.org/10.1080/17437199.2012.654964
Michie, S., Richardson, M., Johnston, M., Abraham, C., Francis, J., Hardeman, W., … Wood, E. (2013). The behavior change technique taxonomy (v1) of 93 hierarchically clustered techniques: Building an international consensus for the reporting of behavior change interventions. Annals of Behavioral Medicine, 46(1), 81–95. https://doi.org/10.1007/s12160-013-9486-6
National Audit Office. (2018). Investigation: WannaCry cyber attack and the NHS. Retrieved from https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS-Summary.pdf
PANACEA Research. (2020). Retrieved January 27, 2020, from https://panacearesearch.eu/ Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging Behavioral Science to Mitigate Cyber Security Risk. Retrieved from https://ai2-s2- pdfs.s3.amazonaws.com/e755/aa8baf01ef655ef7b1472ceba505b7c45b91.pdf
Rogers, R. W. (1975). A Protection Motivation Theory of Fear Appeals and Attitude Change. The Journal of Psychology. https://doi.org/10.1080/00223980.1975.9915803
Rosenstock, I. M. (1974). The Health Belief Model and Preventive Health Behavior. Health Educ Behav, 2(4), 354–386. https://doi.org/10.1177/109019817400200405
Rosenstock, I. M. (1990). The Health Belief Model: Explaining Health Behavior Through Expectancies. Health Behavior and Health Education: Theory, Research, and Practice.
Scott, M., & Wingfield, N. (2017, May 13). Hacking attack has security experts scrambling to contain fallout. The New York Times. Retrieved from https://www.nytimes.com/2017/05/13/world/asia/cyberattacks-online-security-.html
Service, O., Hallsworth, M., Halpern, D., Algate, F., Gallagher, R., Nguyen, S., … Kirkman, (2015). EAST Four simple ways to apply behavioural insights.
Shenoy, A., & Appel, J. M. (2017). Safeguarding confidentiality in electronic health records. Cambridge Quarterly of Healthcare Ethics, 26(2), 337–341. https://doi.org/10.1017/S0963180116000931
Sulleyman, A. (2017, February 12). NHS cyber attack: Why stolen medical information is so much more valuable than financial data | The Independent. The Independent. Retrieved from http://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-medical-data-records-stolen-why-so-valuable-to-sell-financial-a7733171.html
Thaler, R. H., & Sunstein, C. R. (2008). Nudge: Improving decisions about health, wealth, and hapiness. Focus.
Timlett, R. E., & Williams, I. D. (2008). Public participation and recycling performance in England: A comparison of tools for behaviour change. Resources, Conservation and Recycling, 52(4), 622–634. https://doi.org/10.1016/j.resconrec.2007.08.003
Turton, R., Bruidegom, K., Cardi, V., Hirsch, C. R., & Treasure, J. (2015). Novel methods to help develop healthier eating habits for eating and weight disorders: A systematic review and meta-analysis. Neuroscience and Biobehavioral Reviews, 61, 132–155. https://doi.org/10.1016/j.neubiorev.2015.12.008
van Winssen, K. P. M., van Kleef, R. C., & van de Ven, W. P. M. M. (2016). Potential determinants of deductible uptake in health insurance: How to increase uptake in The Netherlands? The European Journal of Health Economics, 17(9), 1059–1072. https://doi.org/10.1007/s10198-015-0745-2
Copyright (c) 2020 Annals of Disaster Risk Sciences
This work is licensed under a Creative Commons Attribution 4.0 International License.