Human behaviour and cybersecurity in health and social care organisations

A common idea in cybersecurity is that the human factor is the weakest link in the cybersecurity chain. It is believed that people and human behaviour are the main risk for maintaining cybersecurity, because people make bad decisions, ignore warning signs, or might not care about cybersecurity at all. As a result, a lot of attention is brought to intervene on this topic by developing awareness programmes and education of employees. However, this idea of being the weakest link is often incorporated as a core message in those trainings. This is not a helpful perspective to find solutions to improve cybersecurity nor a constructive message to staff members (Alashe, 2020). Often the education that is provided to staff members is lacking and doesn’t address the right topics to enable staff members to be more cybersecure. Additionally, this message can be demoralising and further strengthen the idea of powerlessness for staff, which can result in avoidance of cybersecurity behaviours or even instill fear of making a mistake (Alashe, 2020; SecureHospitals.eu, 2019).

Another counterpoint to the ‘weakest link’ perspective is the following: while even the most sophisticated technological security measures can potentially be undone by human action, the other way around is possible too. Staff members can act in the best way possible in terms of cybersecurity, but if the technology does not allow for that, security will be affected. This way, technology can also obstruct good cybersecurity behaviour. However, cybersecurity improvement is often discussed in terms of technological cybersecurity measures or in terms of how human behaviour affects cybersecurity (Ayala, 2016), often negatively. This creates an artificial divide that does not hold in real life contexts. There is an interrelation between the technology and human behaviour, and it is often in the interaction that cybersecurity incidents happen. In some cases, it is useful to find out whether an issue stems from a technological or human error, but often there is not one specific mistake, and the security issue stems from a set of actions in which both people and technology are involved.

Routine behaviours in healthcare

For this reason, a more holistic view on cybersecurity in which the interaction between technology, people, and the context they move in, can be more constructive. It is helpful to think in terms of ‘practices’. Practices can be seen as routine behaviours and decisions, activities and the places, spaces and equipment that make these possible. Practices can themselves be understood as the outcome of materials, competencies, and meaning (Feldman & Orlikowski, 2011; Shove et al., 2012).

Technologies such as electronic health records, operating robots, health-related home automation solutions, and medicine delivery systems have changed the way healthcare is performed. For the healthcare sector, the increase of digital technologies has had the consequence that staff members had to change their routine behaviours and learn new skills.

Context and and complications

Adopting cybersecure behaviours is often complicated by contextual factors. Commonly noted problems within healthcare and social care organisations are:

• Time pressure and heavy workload
• Workflow issues, such as needing multiple systems and multiple logins
• The complex design of systems and variety in user interfaces
• Policies, protocols, and processes that do not correspond with real-life working situations
• Physical environment, floor plans, furnishings

While technical aspects will always remain important in diminishing cybersecurity risks, engineering technical solutions does not provide sufficient security on its own. Together with the technology, security policies, human behaviour shapes the cybersecurity chain. Being aware of the role of human behaviour, the interaction with technology, and the influence of contextual factors, cybersecurity in healthcare can be improved much more effectively.

The following list of do’s and don’ts can assist those who are responsible for addressing the role of human behaviour within social care and healthcare organisations:

• Focus on behaviour change and security culture, alongside awareness programs
• Understand role of technology and contextual factors that may work against good cybersecurity practices of staff members
• Create a team of people to assess the technology on the workfloor, workflow, policies, processes, and security implementations. This means that people from different departments need to be involved in this team.
• Give constructive tips that staff members can apply in their daily work
• Avoid a message of fear

Read also:

• Assessing training needs
• Step-by-step guide for developing new cybersecurity courses for healthcare organisations
• How to establish a cybersecurity culture

Literature

Alashe, O. (2020, March 10). Stop saying employees are the weakest link in cybersecurity. Growth Quarters | The Next Web. https://thenextweb.com/growth-quarters/2020/03/10/stop-saying-employees-are-the-weakest-link-in-cybersecurity/

Ayala, L. (2016). Cybersecurity for Hospitals and Healthcare Facilities. A Guide to Detection and Prevention. Apress.

Feldman, M. S., & Orlikowski, W. J. (2011). Theorizing Practice and Practicing Theory. Organization