Protecting Healthcare from Cyber Threats: Integrating Behavioral Insights into Cybersecurity Strategies

Abstract

Cybersecurity breaches in healthcare often stem from human-factor vulnerabilities such as phishing, social engineering, and policy non-compliance. Despite evolving technical defenses, behavioral risk remains a critical gap. This study uses Protection Motivation Theory (PMT) to examine how healthcare cybersecurity professionals perceive and address these threats. Semi-structured interviews with ten professionals revealed five themes: (1) tension between clinical workflows and security, (2) limited impact of generic training, (3) policy inconsistencies among leadership, (4) value of mentorship and IT presence, and (5) need for behavioral design in policies and technology. Findings suggest healthcare cybersecurity must prioritize human-centered design, participatory policy-making, and adaptive interventions, offering practical insights to bolster cyber resilience.

Article activity feed

  1. This Zenodo record is a permanently preserved version of a Structured PREreview. You can view the complete PREreview at https://prereview.org/reviews/17547867.

    Does the introduction explain the objective of the research presented in the preprint? Yes
      1. Yes, the introduction explicitly explains the objective of the research presented in the preprint by first detailing the escalating risk in healthcare cybersecurity, noting that more than 60 percent of breaches are attributed to human-factor vulnerabilities such as phishing, social engineering, and policy non-compliance, despite increased investments in technical controls.
      2. The study addresses a critical gap defined as the "missing integration of behavioral science in healthcare cybersecurity programs".
      3. The central objective is stated as applying Protection Motivation Theory (PMT) "to examine how security leaders assess and mitigate human-factor risks in real-world contexts," since PMT is widely used to study end-user behavior but rarely focuses on those who design and enforce enterprise security protocols.
      4. The primary goal is specifically "to provide actionable insights for healthcare cybersecurity leaders" using qualitative interviews and thematic analysis to identify key barriers and enablers to behavioral compliance, with the ultimate aim of providing practical recommendations for aligning security strategies with clinical operations to strengthen resilience and reduce enterprise risk.

    Are the methods well-suited for this research? Highly appropriate
      The methods employed in the preprint are well-suited for the research objective of providing actionable insights by examining how healthcare cybersecurity professionals assess and mitigate human-factor risks in real-world contexts. The study utilized a generic qualitative inquiry approach, selected to allow flexibility in gathering nuanced, experience-based insights from practitioners about their perceptions and barriers, rather than being confined by more rigid methodological constraints. This approach is paired with semi-structured interviews to capture the experience of U.S.-based healthcare professionals with at least three years' experience who are directly involved in designing and enforcing security protocols. Furthermore, the interview protocol was intentionally guided by Protection Motivation Theory (PMT), framing questions around core constructs such as threat and coping appraisals, ensuring that the data collected directly address the behavioral factors central to the research. Finally, the use of thematic analysis, following Braun and Clarke's framework, with a hybrid deductive–inductive coding approach, is appropriate for systematically identifying the key barriers and enablers to behavioral compliance across participants' experiences.

    Are the conclusions supported by the data? Highly supported
      1. Yes, the conclusions are strongly supported by the data from the thematic analysis of semi-structured interviews with 10 healthcare cybersecurity professionals. The study's primary findings, which highlight persistent challenges and the need for human-centered strategies, align closely with the five major themes derived from participants' real-world experiences.
      2. Specifically, the finding that challenges undermine secure behaviors is evidenced by Theme 1 (Tension Between Policy and Workflow), where professionals noted that security requirements like multi-factor authentication conflict with high-stress clinical operations, sometimes leading to risky behavior such as shared credentials, which illustrates perceived vulnerability.
      3. Additionally, the conclusion regarding training fatigue is supported by Theme 2 (Limited Training Efficacy), as participants widely criticized generic annual training as a "checkbox" activity that lacks clinical relevance and fails to improve response efficacy or self-efficacy. The systemic barrier of inconsistent enforcement is supported by Theme 3 (Compliance Double Standards), in which exceptions granted to leadership or physicians weaken coping appraisal by signaling that security is optional.
      4. Lastly, the conclusions supporting practical, human-centered strategies are substantiated by Theme 4 (Mentorship and Engagement), emphasizing that visible IT liaisons and peer mentorship build trust and promote staff self-efficacy, and Theme 5 (Behavioral Integration in Policy), demonstrating that involving frontline clinicians in policy co-design and implementing nudges or gamified reminders improves response efficacy and practicality. These five themes collectively provide the empirical data validating the study's core conclusion that integrating behavioral insights into organizational strategies is essential for strengthening cyber resilience.

    Are the data presentations, including visualizations, well-suited to represent the data? Highly appropriate and clear
      The data presentations, including visualizations, are well-suited to represent the research data because the study utilized a generic qualitative inquiry approach and thematic analysis to gather nuanced, experience-based insights from cybersecurity professionals. The core findings, which consist of five major themes (such as Tension Between Policy and Workflow and Limited Training Efficacy), are effectively presented through systematic textual description. Crucially, the visualization in Figure 1 is highly appropriate, as it conceptually maps the five empirical interview themes directly to the constructs of the guiding theoretical framework, Protection Motivation Theory (PMT), illustrating the linkages between real-world perceptions and theoretical elements (e.g., connecting themes to Threat Appraisal, Coping Appraisal, and Self-Efficacy). In addition, the presentation is bolstered by the inclusion of direct participant quotes, which provide tangible evidence supporting the derived themes, and Table 1, which provides quantitative context by summarizing the frequency of mentions for key concepts across the ten interviews.

    How clearly do the authors discuss, explain, and interpret their findings and potential next steps for the research? Very clearly
      1. The authors clearly discuss and interpret their findings by utilizing Protection Motivation Theory (PMT) as the analytical lens, which systematically maps the five major themes derived from the interviews to specific PMT constructs, such as Threat Appraisal, Coping Appraisal, and Self-Efficacy.
      2. They explain that while cybersecurity professionals consistently demonstrate strong threat appraisal regarding the likelihood and consequences of cyber incidents, coping appraisal and self-efficacy are highly variable and influenced significantly by institutional factors, noting that policy-workflow misalignment (Theme 1) and compliance double standards (Theme 3) undermine secure behaviors by signaling that security is optional.

    Is the preprint likely to advance academic knowledge? Highly likely
      - The research uniquely advances Protection Motivation Theory (PMT) by shifting the analytical focus from end-user behavior to the security professionals responsible for designing and enforcing enterprise security protocols.
      - This methodological choice extends PMT's application to organizational governance and leadership, providing new insights into how institutional dynamics, cultural context, and managerial factors shape coping appraisal and self-efficacy within clinical environments.
      - By identifying five major themes, including systemic barriers like "Tension Between Policy and Workflow" and "Compliance Double Standards," the study generates novel, experience-based evidence that highlights specific challenges and effective human-centered strategies for bolstering cyber resilience.

    Would it benefit from language editing? No

    Would you recommend this preprint to others? Yes, it's of high quality
      The preprint is highly recommended, especially for healthcare cybersecurity professionals and researchers focused on organizational governance and risk, as it successfully addresses the "critical gap: the missing integration of behavioral science in healthcare cybersecurity programs".

    Is it ready for attention from an editor, publisher or broader audience? Yes, after minor changes

    Competing interests

    The author declares that they have no competing interests.

    Use of Artificial Intelligence (AI)

    The author declares that they did not use generative AI to come up with new ideas for their review.