Usability and Feasibility Evaluation of a Web-Based and Offline Cybersecurity Resource for Health Care Organizations (The Essentials of Cybersecurity in Health Care Organizations Framework Resource): Mixed Methods Study

Abstract

Background Cybersecurity is a growing challenge for health systems worldwide as the rapid adoption of digital technologies has led to increased cyber vulnerabilities with implications for patients and health providers. It is critical to develop workforce awareness and training as part of a safety culture and continuous improvement within health care organizations. However, there are limited open-access, health care–specific resources to help organizations at different levels of maturity develop their cybersecurity practices. Objective This study aims to assess the usability and feasibility of the Essentials of Cybersecurity in Health Care Organizations (ECHO) framework resource and evaluate the strengths, weaknesses, opportunities, and threats associated with implementing the resource at the organizational level. Methods A mixed methods, cross-sectional study of the acceptability and usability of the ECHO framework resource was undertaken. The research model was developed based on the technology acceptance model. Members of the Imperial College Leading Health Systems Network and other health care organizations identified through the research teams’ networks were invited to participate. Study data were collected through web-based surveys 1 month and 3 months from the date the ECHO framework resource was received by the participants. Quantitative data were analyzed using R software (version 4.2.1). Descriptive statistics were calculated using the mean and 95% CIs. To determine significant differences between the distribution of answers by comparing results from the 2 survey time points, 2-tailed t tests were used. Qualitative data were analyzed using Microsoft Excel. Thematic analysis used deductive and inductive approaches to capture themes and concepts. Results A total of 16 health care organizations participated in the study. The ECHO framework resource was well accepted and useful for health care organizations, improving their understanding of cybersecurity as a priority area, reducing threats, and enabling organizational planning. Although not all participants were able to implement the resource as part of information computing technology (ICT) cybersecurity activities, those who did were positive about the process of change. Learnings from the implementation process included the usefulness of the resource for raising awareness and ease of use based on familiarity with other standards, guidelines, and tools. Participants noted that several sections of the framework were difficult to operationalize due to costs or budget constraints, human resource limitations, leadership support, stakeholder engagement, and limited time. Conclusions The research identified the acceptability and usability of the ECHO framework resource as a health-focused cybersecurity resource for health care organizations. As cybersecurity in health care organizations is everyone’s responsibility, there is potential for the framework resource to be used by staff with varied job roles. Future research needs to explore how it can be updated for ICT staff and implemented in practice and how educational materials on different aspects of the framework could be developed.