"Your imaging may be stone-cold normal, but if they look sick, they're going to get admitted": An Investigation of Clinicians' Perceptions of Impact & Likelihood of Security Failures

Ronald E. Thompson III and Hamza Khalid, Tufts University; Hilary Fisher, Brigham & Women's Hospital; Rhea Votipka, Beth Israel Lahey Health; Daniel Votipka, Tufts University

Cyberattacks are a critical patient safety issue, yet security controls often fail to account for the uniqueness of the clinical environment. This paper addresses the gap in understanding clinicians' security perspectives through a mixed-methods study, with 12 interviews of US clinicians, followed by a 303-participant survey of clinicians across the US, UK, and Canada. Our findings reveal a significant misalignment between perceived threats and deployed controls. Clinicians perceive confidentiality failures (e.g., data breaches) as most likely. They view integrity failures (e.g., manipulated values) as catastrophic but trust their own expertise to ignore anomalous data. Finally, they manage likely and dangerous availability failures with analog workarounds like paper charting, introducing new risks. These results show the need to integrate clinicians into security, highlighting where existing approaches are lacking and providing recommendations for developing more effective, clinician-centered security.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone.