Vol 3 No 1 (2020): Special issue on cyber-security of critical infrastructure

Your hospital needs you: Eliciting positive cybersecurity behaviours from healthcare staff

Dawn Branley-Bell
Northumbria University
Lynne Coventry
Northumbria University
Elizabeth Sillence
Northumbria University
Sabina Magalini
Fondazione Policlinico Universitario Gemelli
Pasquale Mari
Fondazione Policlinico Universitario Gemelli
Aimilia Magkanaraki
7th Health Region of Crete
Kalliopi Anastasopoulou
7th Health Region of Crete
Published November 17, 2020
  • cybersecurity
  • insecure behaviour
  • healthcare
  • security
  • behaviour change
How to Cite
Branley-Bell, D., Coventry, L., Sillence, E., Magalini, S., Mari, P., Magkanaraki, A., & Anastasopoulou, K. (2020). Your hospital needs you: Eliciting positive cybersecurity behaviours from healthcare staff. Annals of Disaster Risk Sciences, 3(1). https://doi.org/10.51381/adrs.v3i1.51


Staff behaviour plays a key role in the cybersecurity position of an organisation. Despite this, behaviour-change interventions are not commonly applied within the field of cybersecurity. Behaviour change techniques could be particularly beneficial given increasing concerns around healthcare cybersecurity risks, particularly following the 2017 WannaCry ransomware attack, which had devastating results on healthcare services. Cyber-risk is particularly concerning within healthcare given the criticality of medical systems and the potential impacts of a cyberbreach or attack. In worst-case scenarios, cybersecurity incidents could result in patient harm or even fatalities. Whilst there has been concerted investment in improving healthcare’s technological defences against cyberthreat, the same level of investment has not been made in healthcare staff. This has left staff behaviour as a vulnerability which can be exploited by attackers. This paper introduces a structured approach to help organisations work through four key steps, which we refer to as the AIDE approach, to Assess, Identify, Develop and Evaluate behaviour change techniques to facilitate more secure behaviour. We include a worked example of how we are applying this approach to the development of interventions to mitigate insecure cybersecurity behaviours in a healthcare context.

