Close this search box.

Data protection-critical incidents resulting from human error are often rooted in stress, routine, negative attitudes toward IT, and deficits in employees' identification with the healthcare facility.

How cyberpsychology helps prevent human errors leading to data leaks

Employees are not the weakest element in data protection – poorly trained employees are. A novel field on the intersection of psychology and cybersecurity provides insights into enhancing human-technology interactions, thereby fostering more informed decision-making when working with computers

Hackers know how to manipulate people

According to a study by Stanford University, 88% of data security breaches start with some human error. Cybercriminals know it’s much easier to trick a human being and thus gain access to data than to break ever better security technology. They use social engineering to get an employee to click on a sent link or open an attachment, allowing malware into the system.

It is estimated that a successful ransomware attack occurs every 11 seconds. Activated by inattention or ignorance, the malware takes control of a network and computer – in return for unlocking it, the hackers demand a ransom. Anyone can fall victim to the increasingly sophisticated methods of hackers sending emails and impersonating messages from trusted institutions, banks, and couriers.

How can psychology help?

Cybersecurity training is by far the best way to safeguard against hackers. Nevertheless, they are not always as effective as expected. In the flurry of responsibilities and stress, people quickly forget what they have learned and make errors.

Engineers and psychologists are trying to study human-technology interactions, identify sensitive situations, and reduce human errors. A new concept of “human-centered cybersecurity” is being created based on the latest research, which involves understanding how employees use computers. Cyberpsychology combines technical knowledge of cybersecurity with human behavioral science to develop new principles for working safely with new technologies.

Following this new discipline, when building a data protection policy, you need to pay attention to several elements:

Change employees’ attitudes toward technology. People tend to cede their responsibility to technology: “The computer should always work well, and the IT department is responsible for security, so I don’t need to bother with hackers.” With such an attitude, cybersecurity is seen as a burden – it requires attention, not routine use of technology on autopilot.

Training should emphasize a different approach, such as zero trust in incoming emails, which may include phishing. This, of course, does not exclude the responsibility of the IT department to apply technical safeguards. Doctors won’t blame the equipment if a stethoscope malfunctions because they know how the working one functions and can react. The same awareness should apply to IT equipment and systems.

Make employees identify with their IT infrastructure. Cyber-risky behavior among employees can result from treating computers as if they were the company’s equipment, not their own.

Experiments conducted by Professor Phil Morgan and his team from New Castle University have shown that personalizing a device increases the sense of responsibility. Professor Morgan worked for Airbus for three years, studying the causes of risky behavior in cyberspace. In several studies, he concluded that the assumption that “a computer is a company’s hardware” results in an automatic shift of responsibility for data protection to the organization and a lack of a sense of shared responsibility.

Build a human-centered approach to cyber security based on the triad of knowledge, awareness, and understanding. Knowledge is gained through systematic training on data protection and new methods used by hackers. To enhance the understanding component, create a culture of learning from mistakes. The organization must communicate that an employee’s mistake that leads to a hacker attack will not be a reason for dismissal or punishment but is part of a culture of continuous process improvement.

Such an approach ensures that employees are willing to report errors faster, allowing the organization to respond quickly to an incident and minimize its impact. On the other hand, hiding an incident leads to increased harm proportionally to the time elapsed.

Professor Morgan argues that instead of seeing a security mistake as something to be ashamed of, we should see it as something that happens to people and is normal. A culture that encourages error reports further helps build trust within an organization. Just as reporting medical errors is essential to improving patient safety, reporting security incidents makes it easier to strengthen protection against hackers.

Personalize the user interface so that the computer is treated as a user-friendly tool. People who have been victims of cyber-attacks often claim to have been well aware of the threat beforehand and don’t know how they could have fallen into such a trap.

The problem may be incorrect IT system configuration. People forget to follow procedures because, over time, they perform repetitive actions mechanically. That’s why systems should remind them, for example, to log out (or do it automatically after a particular time), change their passwords regularly, etc. One of the methods is the implementation of a few seconds’ delay in accessing data or the need for additional verification by using multi-factor authentication so that an employee does not act in an affair but has time to think carefully about whether he wants to open an attachment or share data. 

Where should you start to implement cybersecurity principles?

Cybersecurity training once a year isn’t enough anymore because protecting data is a process that needs to be addressed daily. Managing data security starts when hiring and onboarding a new employee. People need to know that they are responsible for the computers they work on, but in case of a mistake, they are welcome to report any data security incidents.

Training should be conducted in groups according to organizational roles since the interaction of medical and administrative staff with computers is different.

Risks identified by the IT department should be analyzed and communicated. It is recommended to include an emotional factor to remember better the information conveyed, for example, showing a case study of data leakage and its consequences, citing data from current reports, etc.

It can’t just be raw data, but examples showing what happens when an attack occurs, how patients, personnel, and the entire healthcare facility are affected, how much stress it can cost to return to normal operations, etc.

The level of cyber security also needs to be monitored by arranging simulated cyberattacks. One idea is to introduce an element of gamification. For example, a group of employees take on the role of a group of hackers and are tasked with creating a malicious phishing message. This one is then distributed among workers by the IT department. In the end, it is verified on which computers the email was opened and analyzed why it happened.

Upgrade your cyber security standards

The methods used by hackers are rapidly evolving, and now cybercriminals also have new tools at their disposal to operate even more effectively. These include artificial intelligence and deep fakes. Thus, healthcare entities must update their methods to avoid falling into criminals’ traps.

Data protection-critical incidents resulting from human error are often rooted in stress, routine, negative attitudes toward IT, and deficits in employees’ identification with the healthcare facility. The first front line of protection should always be technology – antivirus systems, software updates, real-time security copies. The second is that people are informed about threats and their role in defending against hackers.

Tom Xhofleer

ICT&health World Conference 2024

Experience the future of healthcare at the ICT&health World Conference from May 14th to 16th, 2024!
Secure your ticket now and immerse yourself in groundbreaking technologies and innovative solutions.
Engage with fellow experts and explore the power of global collaborations.

Share this article!

Read also
Navigating Digital Maturity in Healthcare IT
Digital maturity vs. Reality. How to rethink the IT staff role in a hospital
Online health care icon application on smart phone
End-users of mobile health apps expect far more than a good design
Mayo Clinic started with its innovations for its ten million patients and demonstrated that its model worked, and that data could be ethically and responsibly used to drive innovations.
John Halamka: 'Create the Fear of Missing Out'
Balancing regulatory compliance with seamless adoption, healthcare navigates the integration of AI solutions.
A guide to implementing AI in healthcare amid the EU AI Act
Futurist Amy Webb claims that wearables will evolve into "connectables"
Digital health solutions empower patients to better manage their health and integrate care into their daily lives.
How to improve Digital Patient Engagement to streamline workflows
For people with diabetes, inaccurate blood glucose measurements can lead to errors in diabetes management, including taking the wrong dose of insulin, sulfonylureas, or other medications that can rapidly lower blood glucose.
Smartwatches measuring glucose level: Harmful but easy to buy fake innovations
How to introduce innovation and AI in healthcare organizations if there is no business model for prevention and quality – Our interview with Professor Ran Balicer, the Chief Innovation Officer at Clalit Health Services and founding Director of Clalit Research Institute.
I see no legitimate rationale for delaying the digital transformation in healthcare
Pioneering Cardiac Arrest Detection for Enhanced Survival.
CardioWatch Revolutionizes Cardiac Arrest Detection
Dr. Oscar Díaz-Cambronero, Head of Perioperative Medicine Department at La Fe Hospital, spearheads innovative telemonitoring initiatives revolutionizing patient care
Smartwatches Saving Lives Inside and Outside the Hospital
Follow us