Abstract
The recent rise in cybersecurity breaches in healthcare organizations has put patients’ privacy at a higher risk of being exposed. Despite this threat and the additional danger posed by such incidents to patients’ safety, as well as operational and financial threats to healthcare organizations, very few studies have systematically examined the cybersecurity threats in healthcare. To lay a firm foundation for healthcare organizations and policymakers in better understanding the complexity of the issue of cybersecurity, this study explores the major types of cybersecurity threats for healthcare organizations and explains the roles of the four major players (cyber attackers, cyber defenders, developers, and end-users) in cybersecurity. Finally, the paper discusses a set of recommendations for policymakers and healthcare organizations to strengthen cybersecurity in their organizations.
Ethics declarations
FedEx Institute of Technology University of Memphis funded this study. For this type of study, formal consent is not required.
Human and Animal Studies
This article does not contain any studies with human participants or animals performed by any of the authors.
Conflict of Interest
The authors have no conflict of interest to declare.
Additional information
This article is part of the Topical Collection on Systems-Level Quality Improvement
Glossary
- Cryptographic attack: An attack carried out with the intention of revealing information that has been concealed.
- Cyber-attack: The act of intentionally disrupting data information.
- Data breach: This is when information is lost, stolen, displaced, hacked, or communicated to unofficial recipients.
- Denial-of-Service (DoS): An attack that aims to flood a network with traffic in order to disrupt service and prevent users from accessing network resources.
- Malicious Software or Malware: A group of programs that are designed to harm or compromise a computer system without the permission of the user.
- Man in the Middle (MITM) or Eavesdropping: A reconnaissance attack in which an intruder intercepts communication between two parties. The attacker eavesdrops on the contents communicated by secretly acting as an intermediary in the information exchange.
- Phishing: The use of social engineering to trick individuals or organizations into either divulging information or performing an activity harmful to their computer.
- Privilege escalation: Attacks driven by the goal of achieving a higher level of access to a network or program; they are usually executed by exploiting vulnerabilities in a program or network.
- Spyware: Software that is installed on a computer without the user’s knowledge and transmits information about the user’s computer activities over the Internet.
- SQL Injections Exploit: An attack that exploits vulnerabilities in SQL to execute malicious “payloads” (harmful SQL statements) that make the data servers divulge information.
- Trojans: A type of malware designed to appear as useful, legitimate software.
- Virus: A common malware that self-propagates without the permission of the user and infects other computers.
- Worms: A type of malware that does not rely on a host file to run, self-replicate, or propagate.
Cite this article
Bhuyan, S.S., Kabir, U., Escareno, J.M. et al. Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations. J Med Syst 44, 98 (2020). https://doi.org/10.1007/s10916-019-1507-y
DOI: https://doi.org/10.1007/s10916-019-1507-y