Cyber hygiene methodology for raising cybersecurity and data privacy awareness in healthcare organisations


Background: Cyber threats are increasing across all business sectors, and the cost of cybersecurity and data privacy incidents is rising globally, especially in the healthcare domain. In response, healthcare organisations are strengthening technical measures such as antivirus software, firewalls, and firmware/software patches to protect the continuity of patient services. Despite these efforts, cyber-attacks continue to increase, and technical measures alone have not been sufficient because the role of personnel in the chain of cyber defence is often neglected. In practice, healthcare organisations are expected to apply general cybersecurity and data privacy guidelines that address the human factor. However, there is limited literature on methodologies and procedures that can help healthcare organisations map their risks to specific controls (interventions), including awareness activities and training programs, with a measurable impact on personnel. Tools and structured methodologies that assist higher management in selecting the minimum number of controls that will be most effective for the healthcare workforce are therefore highly desirable, yet currently unavailable.

Objective: This paper introduces a Cyber Hygiene (CH) methodology built on a survey-based risk assessment tool for raising the cybersecurity and data privacy awareness of different employee groups in healthcare organisations. The CH methodology addresses the human factor in the chain of cyber defence by focusing on the gaps and needs of individual employee groups. Its main objective is to identify the most effective strategy for managing cybersecurity and data privacy risks and to recommend targeted human-centric controls (e.g., awareness activities, training programs, rewards) tailored to organisation-specific needs (e.g., culture, personnel background, employee roles and responsibilities) for implementing that strategy. The recommended controls are selected from a larger set of candidate controls so that cybersecurity and data privacy awareness improves while cost stays low, because only a small subset of controls is applied.

Methods: The CH methodology was developed from survey responses used to extract knowledge and assess the needs and gaps of 4 employee groups, i.e., i) Administrative; ii) Medical/Clinical; iii) IT/Technical; and iv) Executive/Security, across 3 European healthcare organisations. An online survey of 28 questions was distributed to evaluate the situation of all 4 employee groups at each organisation with respect to 7 types of cybersecurity and data privacy risk (risk categories). In total, 356 responses were collected and analysed, yielding detailed results in terms of risk levels per organisation, employee group, risk category, and selected topics of interest associated with specific survey questions. For anonymisation, the organisations were randomised and are referred to as HO1, HO2, and HO3. Indicative high-level findings include: i) Administrative and Medical/Clinical employees at HO3 have fewer high risks than those at HO1 and HO2, which implies that these employee groups at HO3 better understand the general concepts of cyber hygiene; and ii) Administrative and Medical/Clinical employees at HO1 and HO2 are evaluated at medium-to-high risk in most risk categories, so they are encouraged to adopt the controls recommended by the CH methodology to manage these risks and improve the personnel's cybersecurity and data privacy perception and behaviour.

Results: The questionnaire data were processed and analysed, and a risk assessment procedure was applied to evaluate and quantify cybersecurity and data privacy risks. Each risk was discretised on a scale of 1 to 5, where 1 represents the lowest and 5 the highest risk from the employees' perspective. On this basis we identify the most effective strategy (ranging from 'acceptance' to 'mitigation') for managing each risk. Each risk category has been mapped to a set of human-centric, rather than IT-based, controls and implementation levels (e.g., quarterly training with beginner-level material) according to the corresponding risk management strategy. The controls are categorised as Training, Awareness, Motivation, and Rewarding. This mapping enables the recommendation of the optimal subset of human-centric controls for implementing the strategy identified for each risk.

Conclusions: This paper presents a structured methodology for improving the cyber hygiene perception and behaviour of personnel in the healthcare sector. The applicability and added value of the CH methodology are demonstrated using real-life survey data collected at 3 European healthcare organisations. Our findings suggest considerable differences in human-oriented cybersecurity and data privacy risks across organisations, and across employee groups within the same organisation. By applying the CH methodology, we provide the risk strategies together with the list of recommended human-centric controls for managing a wide range of cybersecurity and data privacy risks related to healthcare employees.
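The aggregation, discretisation and control-mapping steps described in the Results, as an added illustration rather than the paper's own tool or code. The survey answers, the five-point answer scale, the round-half-up discretisation, the strategy ladder (acceptance, reduction, mitigation), the "high risk" threshold of level 4 and the control texts are all assumptions made for this example; the paper does not publish its scoring rules or its full control catalogue.

```python
"""Illustrative survey-based, human-centric risk assessment (hypothetical).

Every scale, threshold and control mapping below is an assumption made for
this example and is not taken from the paper.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample of survey responses (not real survey data):
# (organisation, employee group, risk category, question id, answer).
# Answers are on a 1..5 scale where 5 is the riskiest perception/behaviour.
SAMPLE_RESPONSES = [
    ("HO1", "Administrative", "Phishing", "Q1", 5),
    ("HO1", "Administrative", "Phishing", "Q2", 5),
    ("HO1", "Administrative", "Phishing", "Q3", 4),
    ("HO1", "Administrative", "Passwords", "Q4", 3),
    ("HO1", "Administrative", "Passwords", "Q5", 4),
    ("HO3", "Administrative", "Phishing", "Q1", 2),
    ("HO3", "Administrative", "Phishing", "Q2", 1),
    ("HO3", "Administrative", "Phishing", "Q3", 2),
    ("HO3", "Administrative", "Passwords", "Q4", 2),
    ("HO3", "Administrative", "Passwords", "Q5", 3),
]

HIGH_RISK_LEVEL = 4  # assumption: levels 4 and 5 count as "high risk"

# Hypothetical ladder from acceptance to mitigation. Each level carries the
# control set (Training / Awareness / Motivation / Rewarding) and its
# implementation level, e.g. how often training is delivered and at what depth.
RESPONSE_BY_LEVEL = {
    1: ("acceptance", []),
    2: ("acceptance", ["Awareness: annual reminder campaign"]),
    3: ("reduction", ["Awareness: quarterly campaign",
                      "Training: annual beginner-level module"]),
    4: ("mitigation", ["Training: quarterly beginner-level module",
                       "Awareness: monthly campaign",
                       "Motivation: role-specific briefings"]),
    5: ("mitigation", ["Training: quarterly intermediate-level module",
                       "Awareness: monthly campaign",
                       "Motivation: role-specific briefings",
                       "Rewarding: recognition for reported incidents"]),
}


def discretize(score: float) -> int:
    """Map a mean answer in [1, 5] to a discrete risk level 1..5 (round half up)."""
    return max(1, min(5, int(score + 0.5)))


def assess(responses):
    """Aggregate answers per (organisation, group, category) into a risk level,
    a management strategy and the controls that implement it."""
    buckets = defaultdict(list)
    for org, group, category, _qid, answer in responses:
        if not 1 <= answer <= 5:  # reject malformed answers instead of skewing the mean
            raise ValueError(f"answer out of range: {answer!r}")
        buckets[(org, group, category)].append(answer)
    result = {}
    for key, answers in buckets.items():
        level = discretize(mean(answers))
        strategy, controls = RESPONSE_BY_LEVEL[level]
        result[key] = {"mean": round(mean(answers), 2), "level": level,
                       "strategy": strategy, "controls": list(controls)}
    return result


def high_risk_counts(assessment):
    """Number of high-risk categories per (organisation, group); this is the
    figure behind a statement such as 'group X at HO3 has fewer high risks'."""
    counts = defaultdict(int)
    for (org, group, _category), r in assessment.items():
        counts[(org, group)] += int(r["level"] >= HIGH_RISK_LEVEL)
    return dict(counts)


def recommended_controls(assessment, org, group):
    """Ordered union of controls across all categories of one employee group.
    Deduplicating keeps the applied subset small: a control needed by several
    risk categories is scheduled once, not once per category."""
    chosen = []
    for (o, g, _category), r in assessment.items():
        if (o, g) != (org, group):
            continue
        for control in r["controls"]:
            if control not in chosen:
                chosen.append(control)
    return chosen


if __name__ == "__main__":
    a = assess(SAMPLE_RESPONSES)
    for key, r in sorted(a.items()):
        print(key, r["mean"], "level", r["level"], r["strategy"])
    print(high_risk_counts(a))
    print(recommended_controls(a, "HO1", "Administrative"))
```

Real survey instruments need one more step the sample skips: reverse-scoring questions where a high answer is the safe one, so every item points in the same direction before averaging.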

Journal of Medical Internet Research
(JCR 2022: 7.08, CiteScore 2021: 8.2)