Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations

  • Systems-Level Quality Improvement
Journal of Medical Systems

Abstract

The recent rise in cybersecurity breaches in healthcare organizations has put patients’ privacy at a higher risk of being exposed. Despite this threat and the additional danger posed by such incidents to patients’ safety, as well as operational and financial threats to healthcare organizations, very few studies have systematically examined the cybersecurity threats in healthcare. To lay a firm foundation for healthcare organizations and policymakers in better understanding the complexity of the issue of cybersecurity, this study explores the major types of cybersecurity threats for healthcare organizations and explains the roles of the four major players (cyber attackers, cyber defenders, developers, and end-users) in cybersecurity. Finally, the paper discusses a set of recommendations for policymakers and healthcare organizations to strengthen cybersecurity in their organizations.

Author information

Corresponding author

Correspondence to Soumitra Sudip Bhuyan.

Ethics declarations

The FedEx Institute of Technology, University of Memphis, funded this study. For this type of study, formal consent is not required.

Human and Animal Studies

This article does not contain any studies with human participants or animals performed by any of the authors.

Conflict of Interest

The authors have no conflict of interest to declare.

Additional information

This article is part of the Topical Collection on Systems-Level Quality Improvement

Glossary

Cryptographic attack

An attack carried out with the intention of revealing information that has been concealed.

Cyber-attack

The act of intentionally disrupting data information.

Data breach

This is when information is lost, stolen, displaced, hacked, or communicated to unofficial recipients.

Denial-of-Service (DoS)

An attack that aims to flood a network with traffic in order to disrupt service and prevent users from accessing network resources.

Malicious Software or Malware

A group of programs that are designed to harm or compromise a computer system without the permission of the user.

Man in the Middle (MITM) or Eavesdropping

A reconnaissance attack in which an intruder intercepts communication between two parties. The attacker eavesdrops on the contents communicated by secretly acting as an intermediary in the information exchange.

Phishing

The use of social engineering to trick individuals or organizations into either divulging information or performing an activity harmful to their computer.

Privilege escalation

Attacks driven by the goal of achieving a higher level of access to a network or program; they are usually executed by exploiting vulnerabilities in a program or network.

Spyware

Software that is installed on a computer without the user’s knowledge and transmits information about the user’s computer activities over the Internet.

SQL Injections Exploit

An attack that exploits vulnerabilities in SQL to execute malicious “payloads” (harmful SQL statements) that make the data servers divulge information.

Trojans

A type of malware designed to appear as useful, legitimate software.

Virus

A common malware that self-propagates without the permission of the user and infects other computers.

Worms

A type of malware that does not rely on a host file to run, self-replicate, or propagate.

About this article

Cite this article

Bhuyan, S.S., Kabir, U., Escareno, J.M. et al. Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations. J Med Syst 44, 98 (2020). https://doi.org/10.1007/s10916-019-1507-y

  • DOI: https://doi.org/10.1007/s10916-019-1507-y
