Evaluating Staff Attitudes, Intentions, and Behaviors Related to Cyber Security in Large Australian Health Care Environments: Mixed Methods Study

BACKGROUND: Previous studies have identified that the effective management of cyber security in large health care environments is likely to be significantly impacted by human and social factors, as well as by technical controls. However, there have been limited attempts to confirm this by using measured and integrated studies to identify specific user motivations and behaviors that can be managed to achieve improved outcomes. OBJECTIVE: This study aims to document and analyze survey and interview data from a diverse range of health care staff members, to determine the primary motivations and behaviors that influence their acceptance and application of cyber security messaging and controls. By identifying these issues, recommendations can be made to positively influence future cyber security governance in health care. METHODS: An explanatory sequential mixed methods approach was undertaken to analyze quantitative data from a web-based staff survey (N=103), with a concurrent qualitative investigation applied to data gathered via in-depth staff interviews (N=9). Data from both stages of this methodology were mapped to descriptive variables based on a modified version of the Technology Acceptance Model (TAM; TAM2). After normalization, the quantitative data were verified and analyzed using descriptive statistics, distribution and linearity measures, and a bivariate correlation of the TAM variables to identify the Pearson coefficient (r) and significance (P) values. Finally, after confirming Cronbach α, the determinant score for multicollinearity, and the Kaiser-Meyer-Olkin measure, and applying the Bartlett test of sphericity (χ(2)), an exploratory factor analysis (EFA) was conducted to identify the primary factors with an eigenvalue (λ) >1.0. Comments captured during the qualitative interviews were coded using NVivo software (QSR International) to create an emic-to-etic understanding, which was subsequently integrated with the quantitative results to produce verified conclusions. RESULTS: Using the explanatory sequential methodology, this study showed that the perceived usefulness of security controls emerged as the most significant factor influencing staff beliefs and behaviors. This variable represented 24% of all the variances measured in the EFA and was also the most common category identified across all coded interviews (281/692, 40.6%). The word frequency analysis showed that systems, patients, and people represented the top 3 recurring themes reported by the interviewees. CONCLUSIONS: To improve cyber security governance in large health care environments, efforts should be focused on demonstrating how confidentiality, integrity, availability, policies, and cloud or vendor-based controls (the main contributors of usefulness measured by the EFA) can directly improve outcomes for systems, staff, and patients. Further consideration also needs to be given to how clinicians should share data and collaborate on patient care, with tools and processes provided to support and manage data sharing securely and to achieve a consistent baseline of secure and normalized behaviors.