Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour

Lynne Coventry; Dawn Branley-Bell; Elizabeth Sillence; Sabina Magalini; Pasquale Mari; Aimilia Magkanaraki; Kalliopi Anastasopoulou

doi:10.1007/978-3-030-50309-3_8

Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour

Lynne Coventry^*, Dawn Branley-Bell, Elizabeth Sillence, Sabina Magalini, Pasquale Mari, Aimilia Magkanaraki, Kalliopi Anastasopoulou

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

41 Citations (Scopus)

Abstract

There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.

Original language	English
Title of host publication	HCI for Cybersecurity, Privacy and Trust
Subtitle of host publication	Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Proceedings
Editors	Abbas Moallem
Place of Publication	Cham
Publisher	Springer
Pages	105-122
Number of pages	18
ISBN (Electronic)	9783030503093
ISBN (Print)	9783030503086
DOIs	https://doi.org/10.1007/978-3-030-50309-3_8
Publication status	Published - 10 Jul 2020
Externally published	Yes
Event	2nd International Conference on HCI for Cybersecurity, Privacy and Trust, HCI-CPT 2020, held as part of the 22nd International Conference on Human-Computer Interaction, HCII 2020 - Copenhagen, Denmark Duration: 19 Jul 2020 → 24 Jul 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA))
Publisher	Springer
Volume	12210
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	2nd International Conference on HCI for Cybersecurity, Privacy and Trust, HCI-CPT 2020, held as part of the 22nd International Conference on Human-Computer Interaction, HCII 2020
Country/Territory	Denmark
City	Copenhagen
Period	19/07/20 → 24/07/20

Keywords

Cybersecurity
Health
Healthcare
Cyberthreat
Behaviour change

Access to Document

10.1007/978-3-030-50309-3_8

Cite this

Coventry, L., Branley-Bell, D., Sillence, E., Magalini, S., Mari, P., Magkanaraki, A., & Anastasopoulou, K. (2020). Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour. In A. Moallem (Ed.), HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Proceedings (pp. 105-122). (Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA)); Vol. 12210). Springer. https://doi.org/10.1007/978-3-030-50309-3_8

Coventry, Lynne ; Branley-Bell, Dawn ; Sillence, Elizabeth et al. / Cyber-risk in healthcare : exploring facilitators and barriers to secure behaviour. HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Proceedings. editor / Abbas Moallem. Cham : Springer, 2020. pp. 105-122 (Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA))).

@inproceedings{835013c67edf443caef9aaaff0c3522a,

title = "Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour",

abstract = "There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.",

author = "Lynne Coventry and Dawn Branley-Bell and Elizabeth Sillence and Sabina Magalini and Pasquale Mari and Aimilia Magkanaraki and Kalliopi Anastasopoulou",

note = "Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2020.; 2nd International Conference on HCI for Cybersecurity, Privacy and Trust, HCI-CPT 2020, held as part of the 22nd International Conference on Human-Computer Interaction, HCII 2020 ; Conference date: 19-07-2020 Through 24-07-2020",

year = "2020",

month = jul,

day = "10",

doi = "10.1007/978-3-030-50309-3\_8",

language = "English",

isbn = "9783030503086",

series = "Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA))",

publisher = "Springer",

pages = "105--122",

editor = "Abbas Moallem",

booktitle = "HCI for Cybersecurity, Privacy and Trust",

}

Coventry, L, Branley-Bell, D, Sillence, E, Magalini, S, Mari, P, Magkanaraki, A & Anastasopoulou, K 2020, Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour. in A Moallem (ed.), HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Proceedings. Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA)), vol. 12210, Springer, Cham, pp. 105-122, 2nd International Conference on HCI for Cybersecurity, Privacy and Trust, HCI-CPT 2020, held as part of the 22nd International Conference on Human-Computer Interaction, HCII 2020, Copenhagen, Denmark, 19/07/20. https://doi.org/10.1007/978-3-030-50309-3_8

Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour. / Coventry, Lynne; Branley-Bell, Dawn; Sillence, Elizabeth et al.
HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Proceedings. ed. / Abbas Moallem. Cham: Springer, 2020. p. 105-122 (Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA)); Vol. 12210).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Cyber-risk in healthcare

T2 - 2nd International Conference on HCI for Cybersecurity, Privacy and Trust, HCI-CPT 2020, held as part of the 22nd International Conference on Human-Computer Interaction, HCII 2020

AU - Coventry, Lynne

AU - Branley-Bell, Dawn

AU - Sillence, Elizabeth

AU - Magalini, Sabina

AU - Mari, Pasquale

AU - Magkanaraki, Aimilia

AU - Anastasopoulou, Kalliopi

PY - 2020/7/10

Y1 - 2020/7/10

N2 - There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.

AB - There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.

U2 - 10.1007/978-3-030-50309-3_8

DO - 10.1007/978-3-030-50309-3_8

M3 - Conference contribution

AN - SCOPUS:85088744924

SN - 9783030503086

T3 - Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA))

SP - 105

EP - 122

BT - HCI for Cybersecurity, Privacy and Trust

A2 - Moallem, Abbas

PB - Springer

CY - Cham

Y2 - 19 July 2020 through 24 July 2020

ER -

Coventry L, Branley-Bell D, Sillence E, Magalini S, Mari P, Magkanaraki A et al. Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour. In Moallem A, editor, HCI for Cybersecurity, Privacy and Trust: Second International Conference, HCI-CPT 2020, Held as Part of the 22nd HCI International Conference, HCII 2020, Proceedings. Cham: Springer. 2020. p. 105-122. (Lecture Notes in Computer Science (including subseries Information Systems and Applications, incl. Internet/Web, and HCI (LNISA))). Epub 2020 Jul 10. doi: 10.1007/978-3-030-50309-3_8

Cyber-risk in healthcare: exploring facilitators and barriers to secure behaviour

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this