MedISA

Medical Centre Employee Centered Information Security Awareness


Nudge Ideas for Implementation in Medical Institutions

Nudges are targeted prompts that influence behavior in a predictable way by addressing cognitive routines and decision-making habits, without relying on prohibitions or coercion. They are based on insights from behavioral psychology and aim to make desired behavior in everyday settings easier and more likely to occur [1].

As part of the MedISA project, practice-oriented nudge ideas were developed that may be suitable for use in medical institutions to support Information Security Awareness (ISA). These ideas were designed based on participatory workshops with physicians and nursing staff and with particular consideration for practical applicability in a university hospital setting. A systematic quantitative evaluation of these measures is still pending.

The 56 nudge examples presented here are structured according to the MINDSPACE categories (Messenger, Incentives, Norms, Defaults, Salience & Priming, Affect, Commitment, Ego; cf. [2]) and address various psychological mechanisms. They were developed with a focus on critical workflows in medical contexts and are intended to provide impulses for practical implementation.

Each nudge is assigned to one of the MINDSPACE dimensions. For each dimension, relevant critical workflows are identified, potential types of intervention are outlined, and a specific nudge idea is proposed. These examples are intended as inspiration and must always be adapted to the specific organizational context and the professional realities of the target group in order to be effective and contextually appropriate.


Messenger
Behavior is influenced by who communicates the information.
Critical Workflows
Managers do not take an active role in communicating information security. Employees perceive low commitment because the topic is not consistently communicated or exemplified by authoritative figures.
Possible Interventions
Involve managers as visible role models; regular communication on the topic in team meetings; training sessions led by credible multipliers from everyday clinical practice.
Possible Nudges
M1: ISA Team Meeting
The unit manager opens each team meeting with a short ISA-related example from daily practice and expresses appreciation for secure behavior.
M2: ISA Fact Check
Once a week, a senior physician sends out a brief email titled “ISA Fact Check” containing a concrete case from practice (e.g. a forgotten logout or a data protection incident).
M3: QM Security Tip
The quality management officer regularly sends emails with brief security tips, accompanied by the message “One click protects patients.”
M4: ISA Morning Briefing
In the morning briefing, the team lead includes a short weekly information segment on data security, accompanied by praise or feedback.
M5: ISA Figures at Staff Assembly
At the staff assembly, the board or management presents real figures on open accounts and highlights concrete risks for patients.
M6: ISA Poster on Duty Schedule
A colored poster is attached to the printed duty schedule featuring a personal statement from the unit manager on the importance of information security.
M7: Thank You Letter from Clinic Management
A hand-signed letter from the hospital management is distributed to all units with the message “We see your contribution to security and thank you personally.”

Incentives
Reactions to incentives are shaped by predictable mental shortcuts, such as the strong tendency to avoid losses. Incentives can involve both rewards and penalties.
Critical Workflows
Employees do not perceive a personal or collective benefit from secure behavior. Obvious advantages or rewards are lacking, which reduces motivation.
Possible Interventions
Team competitions with small rewards; positive reinforcement for correct behavior (e.g. small gifts or public praise); gamification of security goals.
Possible Nudges
I1: ISA Challenge
The team with the most logouts wins a small prize each month.
I2: Holiday Dinner for Secure Unit
The unit with the best results receives a shared holiday dinner or a contribution toward a team outing.
I3: Thank-You Box for Zero Incidents
Small thank-you boxes with snacks and drinks are given to teams that had no information security incidents in the past month.
I4: Hospital Newsletter with Team Photo
The hospital newsletter features an article about units demonstrating exemplary security behavior, including a team photo.
I5: Data Protection Champion Sticker
Stickers or small plaques labeled “Data Protection Champion” are placed on computers or team carts.
I6: ISA Bonus Points for Reports
Individuals receive ISA bonus points for each correctly reported situation, redeemable for small rewards.
I7: Ranking in the Newsletter
A ranking is published in the newsletter showing which unit achieved the most consecutive days of secure work.

Norms
Behavior is strongly influenced by the (expected) behavior of others.
Critical Workflows
In everyday clinical work, information security rules are often neglected because norms and standards are unclear or not internalized. New employees tend to adopt existing problematic routines.
Possible Interventions
Identifying and promoting role models within teams; integrating ISA topics into onboarding processes; addressing the topic during shift handovers; regular feedback sessions on secure behavior.
Possible Nudges
N1: Team Pillar Quote
Photos of key team members are displayed on the unit board along with a personal quote about their approach to information security.
N2: Welcome Package
New staff members receive a welcome package that includes clear behavioral guidelines and messages such as “This is how we do things on this unit.”
N3: Mentoring System
A mentoring system pairs new employees with particularly security-conscious colleagues for the first few weeks.
N4: Praise in Meetings
Weekly team meetings include public recognition of those who demonstrated consistently secure behavior the previous week.
N5: Badge for Role Models
Key team members receive small pins or stickers on their name badges to visibly identify them as role models.
N6: Reflection on Incidents
Real-life violations are discussed in team meetings, accompanied by the question, “How can we prevent this together in the future?”
N7: Best Practice Posters
A series of posters presents best-practice cases from the hospital, including short interviews.

Defaults
People often “go with the flow” and choose preselected or offered options, meaning they are likely to choose the default setting when one is provided.
Critical Workflows
Technical systems allow insecure behaviors (e.g. no automatic logout, no screen lock). As a result, staff are not guided toward secure behavior.
Possible Interventions
Technical defaults such as automatic logout after 3 minutes; mandatory screen lock; reduced reliance on active security behavior.
Possible Nudges
D1: Automatic Logout on Inactivity
All workstations are configured to automatically log out after three minutes of inactivity.
D2: Preconfigured Secure Communication Software
Communication software with a secure transmission standard is preinstalled and set as the default.
D3: Contactless Login with Auto-Logout
Login is performed using a personal contactless access card that also triggers automatic logout when removed.
D4: Device Lock on Location Change
Mobile devices automatically lock when leaving the ward area.
D5: Uniform Logout Icons
Logout icons are designed uniformly and positioned identically across all devices to facilitate automatic behavior.
D6: Touch Logout with LED Color
Touch logout buttons on mobile devices are marked with an LED color code.
D7: Default Double-Sided Printing
Print jobs are preset to double-sided printing in order to reduce data protection risks.
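As an added example that is not part of the MedISA catalogue, the following PowerShell script audits whether a Windows workstation already enforces the D1 default of a three-minute inactivity limit. It reads the machine-wide policy value behind “Interactive logon: Machine inactivity limit” (InactivityTimeoutSecs), which locks the session rather than logging it off; the 180-second threshold and the remediation helper are assumptions made for illustration.

```powershell
# Added example: audit (and optionally enforce) a 3-minute inactivity lock on Windows.
# InactivityTimeoutSecs is the registry value behind the security option
# "Interactive logon: Machine inactivity limit" (seconds; 0 or missing = disabled).
# The 180-second limit below is the page's "three minutes" (assumed threshold).

$PolicyKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName   = 'InactivityTimeoutSecs'
$MaxIdleSecs = 180

function Test-IdleLockPolicy {
    # Pure decision helper: compliant only if a limit is set (non-zero)
    # and it is not longer than the allowed maximum. Returns $true or $false.
    param([Nullable[int]]$ConfiguredSecs, [int]$MaxSecs = $MaxIdleSecs)
    if ($null -eq $ConfiguredSecs) { return $false }   # value missing: no lock enforced
    if ($ConfiguredSecs -le 0)     { return $false }   # 0 disables the limit
    return ($ConfiguredSecs -le $MaxSecs)
}

function Get-IdleLockSeconds {
    # Reads the current policy value; returns $null when it is not set.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-IdleLockSeconds {
    # Remediation for a standalone machine (needs an elevated session).
    # In a domain, deploy the same setting via Group Policy instead, because a
    # GPO that manages this value overwrites a local change at the next refresh.
    param([int]$Seconds = $MaxIdleSecs)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

$current = Get-IdleLockSeconds
if (Test-IdleLockPolicy $current) {
    Write-Output "OK: session locks after $current s of inactivity (limit $MaxIdleSecs s)."
} else {
    Write-Output "NOT COMPLIANT: inactivity limit is '$current' (expected 1..$MaxIdleSecs s)."
    # Uncomment to remediate on a standalone workstation:
    # Set-IdleLockSeconds -Seconds $MaxIdleSecs
}
```

Run the audit across the fleet before announcing D1, so that the nudge refers to a default that the technical systems actually enforce.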

Salience & Priming
Behavior is influenced by being drawn to new or seemingly relevant stimuli, or by unconscious cues that prime certain actions.
Critical Workflows
In the hectic routine of clinical work, security risks are often not top of mind because information security cues are either placed inconspicuously or not designed for the situation. However, the work environment offers many opportunities to steer behavior unconsciously in a safer direction through targeted cues.
Possible Interventions
Purposeful design of the environment using noticeable temporary cues at high-traffic locations, such as rotating mini-posters, table displays, or color-coded symbols, can effectively bring information security into awareness. Visual cues are especially effective when placed directly at relevant points of action and when repeated, embedded in routines, or combined with sensory signals to unconsciously promote secure behavior.
Possible Nudges
S&P1: “Are You Logged Out?” Sticker on Screen
Red stickers labeled “Are you logged out?” are placed directly on the screen bezel to visually remind staff when leaving their workstation.
S&P2: One Minute Wonder on Mirror
Weekly rotating “One Minute Wonder” posters featuring real risk or error examples are placed on restroom mirrors and encourage conscious behavior.
S&P3: Stickers on Coffee Machines
In break rooms, humorous stickers on coffee machines say “No coffee without logout,” subtly reinforcing the security message.
S&P4: Pop-up with Security Tip
When logging in, a short pop-up appears with a security tip like “One click protects more than you think.”
S&P5: QR Code on ID Badge
The staff ID badge features a QR code linking to a 30-second mini-training on data protection basics.
S&P6: Visual Logout Timer on Desktop
A visual timer on the desktop shows how long a workstation has been active without logout.
S&P7: QR Code Stickers with Security Rules
QR code stickers providing quick access to security rule tips are placed at key information security locations.

Affect
Decisions are shaped by emotions, meaning that emotional reactions to a situation can influence actions.
Critical Workflows
Employees feel little personal responsibility for, and little emotional connection to, information security violations.
Possible Interventions
Present emotionally resonant case studies (e.g. unauthorized access to patient data); encourage reflection on personal responsibility during meetings; visualize potential consequences.
Possible Nudges
A1: Poster with Real Incident
A poster describes an anonymized case in which an employee was exposed due to a forgotten logout.
A2: Video with Patient on Data Security
In a video, a patient explains how she felt when her data was left unprotected and viewable.
A3: Sticker with Data Privacy Question
Stickers at workstations ask, “Would you want someone to see your data?”
A4: Reflection Cards During Breaks
During breaks, reflection cards are available with the question, “What if this affected your family?”
A5: Mirror Sticker on Personal Impact
Small mirrors in break rooms or staff restrooms display a subtle sticker asking, “If it were your health data, would you want someone to talk about it?”
A6: Comic Posters with Consequences
Comic-style posters illustrate everyday mistakes with consequences, such as “The Forgotten Logout.”
A7: Logout Sound Effect
A friendly sound effect plays upon successful logout, positively reinforcing the action.

Commitment
People strive to remain true to their public commitments and tend to follow through on actions accordingly.
Critical Workflows
Signatures or training participation are perceived as mere formalities, lacking genuine commitment or reflection.
Possible Interventions
Binding team goals; personal pledges or agreements within teams; integration into goal-setting discussions with supervisors.
Possible Nudges
C1: Signature During Onboarding
During onboarding, new employees sign a commitment to information security, which is regularly reaffirmed.
C2: Red Sticker Board in Staff Room
A board in the staff room anonymously tracks how often individuals forget to log out by marking incidents with a red sticker each day.
C3: Security Card with Checkboxes
Employees receive a small laminated card for their coat pocket labeled “My Daily Security Ritual,” with checkboxes on the back to track behavior goals.
C4: Team Code Word Reminder
The team agrees on a shared, subtle code word or gesture to gently remind colleagues about secure behavior, for example, “Window open?” as a cue for forgotten logout.
C5: Team Mini-Agreements Displayed
Units create their own mini-agreements on information security and display them visibly in the team area.
C6: Logout Field on Handover Forms
Handover documentation includes a field where the last logout is recorded.
C7: Online Quiz with Certificate
All employees complete an online quiz and receive a certificate as a visible symbol of their commitment to information security.

Ego
The ego motivates people to act in ways that help maintain or enhance a positive self-image.
Critical Workflows
Secure behavior is not associated with a positive self-image. Recognition for responsible action within the team is lacking.
Possible Interventions
Positive reinforcement of responsible behaviors; highlighting role models; competitions such as "ISA Hero of the Week"; team challenges with visibility on the intranet.
Possible Nudges
E1: Hero of the Month
Once a month, one team member is recognized for particularly thoughtful behavior, such as reporting a security risk.
E2: ISA Badge
Upon request, employees may add an ISA badge or symbol to team rosters, shift schedules, or email signatures if they participated in a voluntary information security training.
E3: Notice on Medical Reports
Monitors, printed reports, or report folders feature a discreet yet visible message: “You quickly recognize irregularities in patients. Information security begins with the same level of attention.”
E4: Smiley Terminal for Self-Assessment
At the end of their shift, employees assess their data security behavior using a smiley terminal asking, “How securely did you handle sensitive data today?” A short message like “Thank you for taking responsibility” appears after positive responses.
E5: Desk Sign with Message
A small desk sign reads: “Security doesn’t start with IT, it starts with your own actions.”
E6: Mirror with Reputation Message
In locker rooms, a mirror displays the message: “You're not just protecting sensitive data, you're protecting your reputation.”
E7: Sticker on ID Badge
A subtle sticker on the staff ID badge reads: “Information security is my standard.”

References:

[1] P. G. Hansen, “The Definition of Nudge and Libertarian Paternalism: Does the Hand Fit the Glove?”, 2016. DOI: 10.1017/S1867299X00005468
[2] D. Branley-Bell et al., “Your hospital needs you: Eliciting positive cybersecurity behaviours from healthcare staff”, 2020. DOI: 10.51381/adrs.v3i1.51