Promoting Cybersecurity Culture Change in Healthcare

D. Branley-Bell, L. Coventry, E. Sillence, ACM Digital Library, PETRA 2021 conference: PErvasive Technologies Related to Assistive Environments Conference

Cybersecurity problems have traditionally been addressed through technological solutions and staff training. Whilst technology can reduce or remove some weaknesses some attacks specifically target human users. Whilst training can educate staff on how to behave more securely, this is often not sufficient to promote actual secure behaviours . Knowing what to do is necessary but not sufficient. It is also necessary to remove barriers to the required behaviour and to intervene in a way that affords behaviour change. This is particularly true in healthcare, where environmental factors including time pressure, and staff fatigue can create barriers for cybersecurity behaviour change. Technology and training are only a partial solution. Only by taking a more holistic approach which encompasses technology, people and processes and addressing the culture change needed to facilitate more secure behaviours will any progress be made in the workplace. We conducted a series of in-depth interviews and workshops with staff across 3 healthcare organisations in Italy, Crete and Ireland. This paper reflects on our main findings, including key requirements for future cybersecurity interventions. We used this reflection to develop a secure behaviour toolkit to help healthcare organisations identify problematic behaviours, co-create interventions to increase secure staff behaviour being mindful that sometimes culture change is necessary to enable the required security behaviours. The toolkit also provides a means to evaluate the interventions identified and the final implementation of the intervention.

https://doi.org/10.1145/3453892.3461622 | https://dl.acm.org/doi/abs/10.1145/3453892.3461622?sid=SCITRUS