Cybersecurity and critical care staff: A mixed methods study

Introduction: Cyberattacks on healthcare organisations are becoming increasingly common and represent a growing threat to patient safety. The majority of breaches in cybersecurity have been attributed to human error. Intensive care departments are particularly vulnerable to cyberattacks. The aim of this study was to investigate cybersecurity awareness, knowledge and behaviours among critical care staff. Methods: This was a multi-site cross-sectional survey study administered to critical care staff. Cybersecurity awareness was evaluated using the validated HAIS-Q instrument. Knowledge and behaviours were evaluated by direct questioning and scenario-based multiple-choice questions. Free text options were also offered to respondents. Thematic analysis was performed on free text sections. Results: Median scores of 12–15 in each of the HAIS-Q focus areas were achieved, indicating high levels of cybersecurity awareness among critical care staff. However, self-reported confidence in cybersecurity practices, especially identifying signs of cybersecurity breaches and reporting cybersecurity incidents, were relatively low. Participants responses to the scenarios demonstrated a lack of knowledge and awareness of some of the mechanisms of cyberattacks. Barriers to safe cybersecurity practices among staff that emerged from the qualitative analysis included: a lack of training and education; heavy workloads and staff fatigue; perceived lack of IT support and poor IT infrastructure. Conclusion: Critical care staff appear to have a high-level cybersecurity awareness. However, in practice safe cybersecurity practices are not always followed. ICU departments and hospitals must invest in the human aspect of cybersecurity to strength their cyber-defences and to protect patients.