JMIR Publications

ABSTRACT

Background:

Over the last decade, the healthcare technology landscape has expanded significantly, introducing new and innovative solutions to address healthcare needs. The implications of cybersecurity incidents in the healthcare context extend beyond data breaches to potentially harming individuals' health and safety. Risk perception is influenced by various contextual factors, contributing to cybersecurity concerns that technological safeguards alone cannot address. Thus, it is imperative to study risk perceptions, contextual factors, and technological benefits to guide policy development, risk management, education, and implementation strategies.

Objective:

To investigate the differences in cybersecurity risk perception among various stakeholders in the healthcare sector in Norway and British Columbia (BC), Canada, and identify specific contextual factors that shape these perceptions. We expect to identify differences in risk perceptions for the explored healthcare technologies.

Methods:

Using a mixed-methods approach comprising surveys and interviews, we sampled healthcare-related wearable technology stakeholders, including healthcare workers, patients (adults and adolescents) and their families, health authorities and hospital staff (biomedical engineers, IT support, research), and device vendors/industry professionals in both Norway and BC. Surveys explored information security scenarios based on the Behavioural Cognitive Internet Security Questionnaire (BCISQ), risk perception, and contextualizing variables. We analyzed both survey datasets to summarize participants’ characteristics and responses to questions related to the BCISQ (behaviour and attitude) and risk perception. Interviews were analyzed thematically using an inductive-deductive approach to explore risk perception and contextual factors.

Results:

Data from 274 survey respondents were available for analysis: 185 from Norway, including 139 (75%) females, and 89 from BC, including 57 (64%) females. Forty-five respondents (31 in Norway and 14 in BC) participated in interviews. The BCISQ showed minor differences between locations; respondents demonstrated generally low-risk behaviour and robust information security awareness. However, password simulation demonstrated discrepancies between self-assessed and “real” behaviour by sharing or willingness to share passwords. Perceived risk is generally considered low, yet consequences of cybersecurity risks were evaluated as major but unlikely. Risk perception was stronger for assisted living and diabetes technologies than for smartwatches. The most important contextual factors shaping risk perceptions are human factors encompassing knowledge, competence, familiarity, feelings of dread, perceived benefit, and trust, as well as the technological factor of device functionality. Organizational and technological factors had lesser effects.

Conclusions:

We found minimal differences in behaviour and risk perception among Norwegian and BC participants. Human factors and device functionality were most influential in shaping cybersecurity risk perceptions. Considering the rising need for assisted living technologies and wearables, insight into risk perceptions can strengthen risk management, awareness, and competence building. Further, it can address potential concerns amongst stakeholders to enable quicker technology adoption.