JMIR Publications

ABSTRACT

Background:

Human behavior remains one of the most persistent and underaddressed sources of cybersecurity risk in healthcare. Despite increasing awareness, most existing methodologies fail to provide actionable insights or integrate effectively into organizational risk management systems.

Objective:

This study applies and validates an updated Human-Centric Cyber Hygiene (HCCH) methodology, designed to assess, quantify, and mitigate human-factor cybersecurity risks in healthcare settings.

Methods:

The HCCH methodology combines a behaviorally structured questionnaire, risk scoring system, and strategy-to-control mapping to evaluate awareness and practices across diverse staff roles. A dynamic analysis tool enables multidimensional risk analysis by group, department, and role. The methodology was applied in a university hospital involving over 1,800 participants across 10 distinct occupational categories, including clinical and administrative personnel.

Results:

Findings revealed significant variability in awareness and behavior across roles, with nonclinical and junior staff demonstrating lowest perceived risk. The methodology enabled dynamic mapping of behaviors to risk categories, identification of vulnerabilities, and automated assignment of tailored human-centric controls. The validation demonstrated strong alignment with ISO 27001 principles and high usability for Governance-Risk-Compliance (GRC) teams.

Conclusions:

The HCCH methodology offers a scalable, modular, and evidence-based solution for embedding human-focused cybersecurity risk management into healthcare institutions. It bridges the gap between awareness assessment and operational mitigation, supporting more resilient and adaptive digital environments.