JMIR Publications

ABSTRACT

Background:

Previous studies have identified that the effective management of cyber security in large healthcare environments is likely have a significant dependence on human and social factors, as much as technical controls. However, there have been limited attempts to confirm this with measured and integrated studies focussed on users in order to understand their motivations and behaviours.

Objective:

This study aimed to gather data from a variety of users working within large Australian healthcare provider (LAHP) environments, to record and verify their motivations in understanding and applying essential cyber security messaging and operational controls.

Methods:

An explanatory sequential mixed-methods approach was undertaken, gathering quantitative data via a user survey (n=103), with variables mapped to the extended Technology Acceptance Model (TAM2) and results scrutinized via an exploratory factor analysis. A parallel qualitative review was also undertaken via in-depth interviews with staff (n=9), which were also encoded to the TAM2 model and examined for thematic frequency. The coded comments were analysed to create an emic-to-etic understanding, which was integrated with the quantitative results to produce verified conclusions.

Results:

Via both the quantitative and qualitative investigations, users prioritised the TAM2 Perceived usefulness of cyber security measures, and the operational subjective norms of their professional peers as being the main influences on their knowledge and behaviours.

Conclusions:

To pragmatically manage and improve cyber security governance in large healthcare environments, efforts should be focussed on demonstrating how controls can benefit staff and patients without getting in the way of complex treatments. Further consideration needs to be given to how clinicians need to share data and collaborate on patient care, with tools and processes provided to support and manage this securely.