Nudging the NHS: improving digital resilience

Robin Smith explains how South Yorkshire NHS Trust is using the concept of “nudging” to help busy clinicians acquire new digital skills to enhance security protection, particularly against social engineering attacks and cybercrime.

How do you build cyber skills in the age of the mega-hack? This ­question vexed every organisation until new work exploring the world of ­behavioural economics and nudge theory was discovered. This work, promulgated by Dan Ariely’s popular book, Predictably Irrational, supported by Richard Thaler and Cass Sunstein’s publication Nudge outlines how behavioural economics may soon ­become an essential part of an ­information professional’s arsenal.

These two publications opened the eyes of many to the world of “nudging”. By ­leveraging behavioural economics and choice architecture, key concepts in nudging, one health service organisation in the UK is able to use subtle nudges to influence the decisions people make across its clinical services.

What is nudging and how does it work?

For those unfamiliar with the term nudge, it is a subtle push that aims to alter a person’s behaviour without really being noticed. Instead of forbidding choices, or using overt incentives, a nudge acts more like a “light breeze that our mind catches”, pushing us into a specific and preferable direction.

Thaler and Sunstein define a nudge as: “A nudge is any aspect of the choice ­architecture that alters people’s behaviour in a predictable way without forbidding any options or significantly changing their economic incentives. To count as a mere nudge, the intervention must be easy and cheap to avoid.”

Nudging is a method that responds to impulsive behaviour in people. Nudging is directed at influencing human behaviour positively, but does not and could not force a particular choice. All options remain available to ensure that behaviour is still free to an individual’s own choice.

Musical stairs

Think of stairs versus escalators. One policy guru designed musical stairs to encourage the general public to opt for the healthier choice. Everyone who chose the stairs got to enjoy their very own musical composition too.

Choice architecture

Nudging is part of “choice architecture”, which can be defined as the deliberate design of the work environment of people, where the designer is aware of the choices people make continuously in that environment. Within the concept of choice architecture, a nudge is a friendly push in the right direction. According to Thaler and Sunstein, most people ­automatically choose the default option. ­Nudging uses this fact and ensures that this option is supportive to the needs and goals of the organisation.

Health and wellness is one of the most popular applications of choice architecture and behavioural economics. In one study, a research team tried to nudge the staff at Massachusetts General Hospital in the US to avoid less healthy choices in the hospital cafeteria.

They used a three light system, red, yellow, and green, labelling unhealthy options such as pizza and soft drinks with the red light, and salads or vegetables with green lights. They put healthier options at eye level, and red light choices on lower shelves. The numbers show how successful this approach has been. Green item sales increased from 41 per cent to 46 per cent, red items were down from 24 per cent to 21 per cent. For beverages alone, sales for cold drinks associated with the green light increased from 52 per cent to 60 per cent, and red saw a drop from 27 per cent to 18 per cent. Two years after implementing these changes, red beverage purchases were down by an encouraging ­total of 39 per cent.

Introducing digital resilience

So how does South Yorkshire NHS Trust, a prominent exponent of behavioural ­economics to improve security training, use nudging in the health service to tackle the problem of limited digital literacy? How can the Trust help busy clinicians acquire new skills and enhance security protection, particularly against social engineering attacks and other forms of criminality that include cybercrime? With 6,500 employees and over 100 ­information systems, South Yorkshire NHS faces a myriad of cyber security risks. Whilst Wannacry was successfully managed during May 2017 there is an imperative for the organisation to build effective security standards and services.

The Trust seeks to build skills to ­enhance digital resilience. Digital resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. Cyber risk is actually business risk, and always has been. Digital resilience is part of someone’s personality that develops from spending time online and facing the challenges out there. It means you recognise when you’re at risk online, and that you know what to do.

A resilient employee is more likely to stay safe if anything bad happens, and benefit from the opportunities the online world provides.

Policy approach

The Trust wanted to recast its approach to training and development to build digital resilience. The organisation pursued two key areas where the Trust has tried to nudge people towards better behaviours to protect against cyber security risks.

1. Nano-learning – training is a huge problem in the NHS with staff often too busy with clinical care to attend class sessions or jump into online training. By partnering with a training provider, a pilot has been launched to test the concept of nano-learning.

This is an approach to cover the myriad of NHS security issues by breaking the material down into small chunks, consumed on ­demand over the course of the annual clinical training window.

Nano-learning is about dividing a course into its key parts, simplifying the language and delivering to a staff member’s inbox. The nano-learning will focus on one issue, use relevant examples and utilises professional quality video and audio production.

The videos are three to four minutes long, and employ graphics and a dose of humour to leaven the potentially driest material. Staff have a set duration for consuming the material before a report is issued to supervising managers.

2. Nudge marketing – it’s important to keep in mind two principals when applying nudging to marketing:

• Nudging involves seeking to create new habits, as many staff traits are a function of ingrained (bad) habits. Therefore, nudging is best suited to adopting a new product, not brand preference.
• Nudging works most effectively when it is used for positive ends in line with choice architecture, creating a win-win situation for both organisations and individuals.

Within the NHS, we have extended nudging across a number of policy areas, including Nudge Communications.

Changing challenging behaviour in the work place is tough. Organisations often use different methods to bring about ­positive behavioural changes to meet corporate objectives. A strict form is to impose rules, including the exclusion of perceived negative behaviours including smoking in the workplace. Sometimes imposing rules can work, but it is not suitable for more sophisticated and potentially complex changes.

Nudging the organisation and employee

With a few quick interventions, South Yorkshire NHS has persuaded employees to show the desired behaviour, particularly with regard to cyber security practices, including protecting against phishing or social engineering. Workplace nudging distinguishes itself from other interventions by a combination of the following features:

1. Quick, clear action

Workplace nudging is an intervention that can deliver quick results. A simple intervention in any organisation rewards positive behaviours, or triggers the ­curiosity of the employee and excites them about trying something new.

2. People-oriented

The South Yorkshire approach focuses on people and workplace nudging. Nudging does not focus on the abstract, but on people’s behaviour in the workplace. The key question is how can any organisation make it easier, or if possible, more fun for them to change the way they work?

South Yorkshire NHS found that taking a light-hearted approach to issues such as security and sharing some ­humorous stories helped staff understand its link to all services across the Trust.

 

3. Focus on objectives,

Workplace nudging allows quick and direct intervention. This is always done with a clear goal, and links to the objectives of the organisation. By specifically naming the desired organisational change and associated behaviour, South Yorkshire can then specifically choose an appropriate nudge.

So for cyber security, the Trust wanted to raise vigilance and encourage incident reporting. This led to a short training session on these issues that used espionage and James Bond references to encourage staff to be special agents for their own department.

Aligning objectives

It is important that a workplace nudge is always focused on the organisation’s overall plans and objectives. South Yorkshire has sought to improve communication and collaboration across practices as part of a wider campaign of improvement.

Major change often leads to active resistance by employees and the Trust found that anxiety among employees reduced the effectiveness of change initiatives. Workplace nudging at South Yorkshire area is always about small changes, which are not mandatory. The employees are tempted to try out new ways of working, supported when undertaking change, and given a chance to provide feedback.

The initial results are extremely positive and South Yorkshire will ­continue to nudge its employees ­towards better and better cyber ­security practices.