BACKGROUND
Cybersecurity is a growing challenge for health systems globally as the rapid adoption of digital technologies has led to increased cyber vulnerabilities with implications for patients and health service providers. It is critical to develop workforce awareness and training as part of a safety culture and continuous improvement within health care organisations. However, there are limited open access, healthcare-specific resources to help organisations at different levels of maturity develop their cybersecurity practices.
OBJECTIVE
To assess the useability and feasibility of the ECHO framework resource and evaluate the strengths, weaknesses, opportunities, and threats associated with implementing the resource at the organisational level.
METHODS
A mixed-methods, cross-sectional study of acceptability and useability of the ECHO framework resource was undertaken. The research model was developed based on the Technology Acceptance Model. Members of the Imperial College Leading Health Systems Network and other health care organizations identified through the research team's networks were invited to participate in the research. Study data were collected via online surveys 1 month and 3 months after the date the ECHO framework resource was received by the participants. Quantitative data were analysed using R (v.4.2.1). Descriptive statistics were calculated using the mean and 95% confidence intervals. T-tests were used to test for significant differences in the distribution of answers between the two survey time points. Qualitative data were analysed using Microsoft Excel. Thematic analysis used deductive and inductive approaches to capture themes and concepts.
RESULTS
A total of 16 healthcare organizations participated in the study. The ECHO framework resource was well accepted and useful for healthcare organizations, improving understanding of cybersecurity as a priority area, reducing threats, and enabling users to develop organisational planning. Although not all participants were able to implement the resource as part of ICT cybersecurity activities, those who did were positive about the process of change. Learnings from the implementation process included the usefulness of the resource for awareness raising and as a reference guide, and its ease of use based on familiarity with other standards, guidelines, and tools. Participants noted that several sections of the framework were difficult to operationalise due to costs/budget constraints, human resource limitations, leadership support, stakeholder engagement, and limited time.
CONCLUSIONS
The research identified the acceptability and utility of the ECHO framework resource as a health-focused cybersecurity resource for health care organizations. As cybersecurity in health care organizations is everyone’s responsibility, there is potential for the ECHO framework resource to be used by staff with varied job roles. Future research should explore how the resource can be updated for ICT staff and how educational snapshots on aspects of the framework could be developed as an educational tool for other staff groups.