Top

BMC Medical Informatics and Decision Making

Published in:

Open Access 01-12-2019 | Research article

The state of research on cyberattacks against hospitals and available best practice recommendations: a scoping review

Authors: Salem T. Argaw, Nefti-Eboni Bempong, Bruce Eshaya-Chauvin, Antoine Flahault

Published in: BMC Medical Informatics and Decision Making | Issue 1/2019

Abstract

Background

The health sector has quickly become a target for cyberattacks. Hospitals are especially sensitive to these sorts of attacks as any disruption in operations or even disclosure of patient personal information can have far-reaching consequences. The objective of this study was to map the available literature on cyberattacks on hospitals and to identify the different domains of research, while extracting the recommendations and guidelines put forth in the literature.

Methods

Four databases (PubMed, Web of Science, ProQuest, and Scopus) were searched using standardized and adapted search syntax in order to identify relevant manuscripts published between 1997 and 2017. These were screened by two reviewers and included or excluded based on inclusion and exclusion criteria. Data from articles were then extracted and analyzed.

Results

The search identified 818 records of which 97 were included. Of the 97, 32% were published in 2017 while around 40% of the articles were published prior to the last three years. Six domains of research emerged through the analysis, which are included here: context and trends in cybersecurity (27.8%), connected medical devices and equipment (29.9%), hospital information systems (14.4%), raising awareness and lessons learned (6.2%), information security methodology (15.4%), and specific types of attacks (6.2%).

Conclusion

There is a generally growing interest in the research field, but the available literature remains limited in number. There are important aspects of cybersecurity (e.g. cloud storage and access management) as well as specific medical fields that rely on various medical devices that have been neglected. Recommendations are available, but comprehensive guidelines and standardized best practice measures are still necessary.

Available only for authorised users

Health Care in Danger: Making the Case. Geneva: International Committee of the Red Cross; 2011. 4–22.

Long S. The cyber attack - from the POV of the CEO - Hancock regional hospital. Hancock Health 2018. https://www.hancockregionalhospital.org/2018/01/cyber-attack-pov-ceo/. Accessed 21 Feb 2018.

Bisson D. Hollywood hospital pays $17,000 to ransomware attackers. The State of Security 2016. https://www.tripwire.com/state-of-security/latest-security-news/hollywood-hospital-pays-17000-to-ransomware-attackers/. Accessed 20 Feb 2018.

Hughes O. Norway healthcare cyber-attack could be biggest of its kind. Digital Health. 2018; https://www.digitalhealth.net/2018/01/norway-healthcare-cyber-attack-could-be-biggest/. Accessed 21 Feb 2018.

Muchai C, Kimani K, Mwangi M, Shiyayo B, Ndegwa D, Kaimba B, et al. Kenya Cyber Security Report 2015. Nairobi, Kenya: Serianu; 2015. 8–45.

*Williams P, Woodward A. Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Med Devices Evid Res. 2015; doi:https://doi.org/10.2147/MDER.S50048.

Protecting Your Networks from Ransomware. Washington, D.C.: The United States Department of Justice; 2016. 2–8.

2017 Global Threat Intelligence Report. 77% of all ransomware detected in four industries - Business & Professional Services. Health Care and Retail. NTTSecurity: Government; 2017. https://www.nttsecurity.com/en-us/about/press-releases/detail/2017-global-threat-intelligence-report-77-of-all-ransomware-detected-in-four-industries---business-professional-services-government-health-care-and-retail. Accessed 15 May 2018

*Susło R, Trnka J, Drobnik J. Current threats to medical data security in family doctors’ practices. Fam Med Prim Care Rev. 2017;19:313–318.CrossRef

10.

*Martin G, Martin P, Hankin C, Darzi A, Kinross J. Cybersecurity and healthcare: how safe are we? BMJ. 2017; doi:https://doi.org/10.1136/BMJ.J3179.

11.

*Kruse CS, Frederick B, Jacobson T, Monticone DK. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol Heal Care. 2017;25:1–10.CrossRef

12.

Ponemon Institute Study. “The Cyber Resilient Organization: Learning to Thrive Against Threats”. Traverse City: Ponemon Institute; 2017. p. 1–33.

13.

Huang J-W, Hou T-W. A cost-effective add-on-value card-assisted firewall over Taiwan’s NHI VPN framework. Med Inform Internet Med. 2007;32:103–16.CrossRef

14.

*Kim L. Cybersecurity awareness: Protecting data and patients. Nursing 2018 2017;47:65–67.CrossRef

15.

*Dyer O. Hackers demand ransom to release encrypted US medical records. BMJ. 2016; doi:https://doi.org/10.1136/BMJ.I1876.

16.

*Millard WB. Where Bits and Bytes Meet Flesh and Blood. Ann Emerg Med. 2017; doi:https://doi.org/10.1016/j.annemergmed.2017.07.008.

17.

Waegemann CP. IT security: developing a response to increasing risks. Int J Biomed Comput. 1996;43:5–8.CrossRef

18.

*Khan SI, Hoque ASML. Digital Health Data: A Comprehensive Review of Privacy and Security Risks and Some Recommendations. Comput Sci J Mold. 2016;24:273–292.

19.

Silver JK, Binder DS, Zubcevik N, Zafonte RD. Healthcare hackathons provide educational and innovation opportunities: a case study and best practice recommendations. J Med Syst. 2016. https://doi.org/10.1007/s10916-016-0532-3.

20.

Alvarez M. Security trends in the healthcare industry. Somers: IBM; 2017. p. 2–18.

21.

*Luna R, Rhine E, Myhra M, Sullivan R, Kruse CS. Cyber threats to health information systems: A systematic review. Technol Health Care. 2016;24:1–9.CrossRef

22.

Arksey H, O’Malley L. Scoping studies: towards a methodological framework. Int J Soc Res Methodol. 2005;8:19–32.CrossRef

23.

Levac D, Colquhoun H, O’Brien KK. Scoping studies: advancing the methodology. Int J Nurs Stud. 2010. https://doi.org/10.1186/1748-5908-5-69.

24.

Moher D, Liberati A, Tetzlaff J, Altman DG, Group TP. Preferred reporting items for systematic reviews and meta-analyses: the PRISMA statement (reprinted from annals of internal medicine). Phys Ther. 2009;89:873–80.PubMed

25.

*Thiel S, Mitchell J, Williams J. Coordination or Collision? The Intersection of Diabetes Care, Cybersecurity, and Cloud-Based Computing. J Diabetes Sci Technol. 2017;11:195–197.CrossRef

26.

*Mansfield-Devine S. Leaks and ransoms – the key threats to healthcare organisations. Netw Secur. 2017;2017:14–19.

27.

*Rajamäki J, Pirinen R. Towards the cyber security paradigm of ehealth: Resilience and design aspects. AIP Conf Proc 1836. 2017; doi: https://doi.org/10.1063/1.4981969.

28.

*Chee WSA. It Security in Biomedical Imaging Informatics: the Hidden Vulnerability. J Mech Med Biol. 2007;07:101–106.CrossRef

29.

*Smith FL. Malware and Disease: Lessons from Cyber Intelligence for Public Health Surveillance. Heal Secur. 2016;14:305–314.CrossRef

30.

*Harries D, Yellowlees PM. Cyberterrorism: is the U.S. healthcare system safe? Telemed J E Health. 2013;19:61–66.CrossRef

31.

*Jones RW, Katzis K. Cybersecurity and the Medical Device Product Development Lifecycle. Stud Health Technol Inform. 2017;238:76–239.

32.

*Klonoff DC. Cybersecurity for Connected Diabetes Devices. J Diabetes Sci Technol. 2015;9:1143–1147.CrossRef

33.

*Sackner-Bernstein J. Design of Hack-Resistant Diabetes Devices and Disclosure of Their Cyber Safety. J Diabetes Sci Technol. 2017;11:198–202.CrossRef

34.

*Alvarenga A, Tanev G. Cybersecurity Risk Assessment Framework that Integrates Value-Sensitive Design. Technol Innov Manag Rev. 2017;7:32.

35.

*Ondiege B, Clarke M, Mapp G. Exploring a New Security Framework for Remote Patient Monitoring Devices. Computers. 2017;6:11.CrossRef

36.

*Tanev G, Apiafi R. A Value Blueprint Approach to Cybersecurity in Networked Medical Devices. Technol Innov Manag Rev. 2015;5:17–25.CrossRef

37.

*Katzis K, Jones RW, Despotou G. The challenges of balancing safety and security in implantable medical devices. Stud Health Technol Inform. 2016;226:25–28.PubMed

38.

*Altawy R, Youssef AM. Security Tradeoffs in Cyber Physical Systems: A Case Study Survey on Implantable Medical Devices. IEEE Access. 2016;4:959–979.CrossRef

39.

*FDA issues reminder on cybersecurity for networked medical devices. Biomedical instrumentation & technology/Association for the Advancement of Medical Instrumentation. 2010;Suppl:4.

40.

*Moses V, Korah I. Lack of security of networked medical equipment in radiology. Am J Roentgenol. 2015;204:343–353.CrossRef

41.

*Ransford B, Kramer DB, Foo Kune D, Auto de Medeiros J, Yan C, Xu W, et al. Cybersecurity and medical devices: A practical guide for cardiac electrophysiologists. Pacing Clin Electrophysiol. 2017;40:913–917.CrossRef

42.

*Dimitrova TD. Risk and Protection of Medical Information Systems. Elektron Ir Elektrotechnika. 2010;9:109–112.

43.

*Goldschmidt PG. HIT and MIS: implications of health information technology and medical information systems. Commun ACM. 2005;48:68.CrossRef

44.

*Hajrahimi N, Dehaghani SMH, Sheikhtaheri A. Health information security: a case study of three selected medical centers in iran. Acta Inform Med. 2013;21:42–45.CrossRef

45.

*Kruse CS, Smith B, Vanderlinden H, Nealand A. Security Techniques for the Electronic Health Records. J Med Syst. 2017;41:127.CrossRef

46.

*Hasan R, Winslett M, Sion R. Requirements of Secure Storage systems for healthcare records. In: Secure Data Management - 4th VLDB Workshop, SDM 2007, Proceedings. Springer-Verlag Berlin Heidlberg; 2007. p. 174–180.

47.

*Kierkegaard P. Medical data breaches: Notification delayed is notification denied. Comput Law Secur Rev. 2012;28:163–183.CrossRef

48.

*Page A, Kocabas O, Soyata T, Aktas M, Couderc JP. Cloud-Based Privacy-Preserving Remote ECG Monitoring and Surveillance. Ann Noninvasive Electrocardiol. 2015; doi: https://doi.org/10.1111/anec.12204

49.

*Bamiah MA, Brohi SN, Chuprat S, Ab Manan J Lail. Trusted cloud computing framework for healthcare sector. J Comput Sci. 2014;10:240–250.CrossRef

50.

*Pycroft L, Boccard SG, Owen SLF, Stein JF, Fitzgerald JJ, Green AL, et al. Brainjacking: Implant Security Issues in Invasive Neuromodulation. Elsevier. 2016; doi:https://doi.org/10.1016/j.wneu.2016.05.010.

51.

*Lenzer J. Hackers demand $10m for eight million medical records they are holding hostage. BMJ. 2012; doi:b1917\rhttps://doi.org/10.1136/bmj.b1917.

52.

*Ehrenfeld JM. WannaCry, Cybersecurity and Health Information Technology: A Time to Act. J Med Syst. 2017;41:104.CrossRef

53.

*Kramer DB, Baker M, Ransford B, Molina-Markham A, Stewart Q, Fu K, et al. Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance. PLoS One. 2012; doi:https://doi.org/10.1371/journal.pone.0040200.

54.

*Drevin L, Kruger H, Bell AM, Steyn T. A linguistic approach to information security awareness education in a healthcare environment. In: Bishop M, Futcher L, Miloslavskaya N, Theocharidou M, (eds) Information Security Education for a Global Digital Society. WISE 2017. IFIP Advances in Information and Communication Technology, vol 503. Springer, Cham; 2017.

55.

*Jarrett MP. Cybersecurity—A Serious Patient Care Concern. JAMA. 2017;318:1319.CrossRef

56.

*Masys DR, Baker DB. Patient-Centered Access to Secure Systems Online (PCASSO): a secure approach to clinical data access via the World Wide Web. AMIA Symp Proc. 1997;340–343.

57.

*Ries JE, Asaro P V, Guillen A, Ivanova J. The futility of common firewall policies: an experimental demonstration. AMIA Symp Proc. 2000;699–703.

58.

*Sankaranarayanan S, Udayasuriyan V. Biometric Secured Electronic Health Record. Int J E-Health Med Commun. 2016;7:1–27.

59.

*Swanson SE. Access management: Living with firewalls. J Hosp Librariansh. 2001;1:25–40.

60.

*Lechler T, Wetzel S. Conceptualizing the silent risk of inadvertent information leakages. Comput Electr Eng. 2017;58:67–75.CrossRef

61.

*Kalyango ST, Maiga G. A technique for strengthening weak passwords in electronic medical record systems. Lect Notes Comput Sci. 2012; doi:https://doi.org/10.1007/978-3-642-53956-5.

62.

*Faysel MA. Evaluation of a Cyber Security System for Hospital Network. Stud Health Technol Inform. 2015;216:915.PubMed

63.

*Pope J. Ransomware: Minimizing the Risks. Innov Clin Neurosci. 2016;13:37–40.PubMedPubMedCentral

64.

*Wright A, Aaron S, Bates DW. The Big Phish: Cyberattacks Against U.S. Healthcare Systems. J Gen Intern Med. 2016;31:1115–1118.CrossRef

65.

*Langer SG. Cyber-Security Issues in Healthcare Information Technology. J Digit Imaging. 2017;30:117–125.CrossRef

66.

*Armstrong DG, Kleidermacher DN, Klonoff DC, Slepian MJ. Cybersecurity Regulation of Wireless Devices for Performance and Assurance in the Age of “Medjacking”. J Diabetes Sci Technol. 2016;10:435–438.CrossRef

67.

*Webb T, Dayal S. Building the wall: Addressing cybersecurity risks in medical devices in the U.S.A. and Australia. Comput Law Secur Rev. 2017;33:559–563.CrossRef

68.

*Williams PAH. When trust defies common security sense. Health Informatics J. 2008;14:211–221.CrossRef

69.

*Sittig DF, Singh H. A Socio-Technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks. Appl Clin Inform. 2016;7:624–632.CrossRef

70.

*Caruso RD. Part 1. Firewalls, Antivirus Software, and Internet Security Suites. Radiographics. 2003;23:1329–1337.CrossRef

71.

*Parah SA, Sheikh JA, Ahad F, Loan NA, Bhat GM. Information hiding in medical images: a robust medical image watermarking system for E-healthcare. Multimed Tools Appl. 2017;76:10599–10633.CrossRef

72.

*Kumari PV, Thanushkodi K. A Secure Fast 2D-Discrete Fractional Fourier Transform Based Medical Image Compression Using Hybrid Encoding Technique. 2013 Int Conf Curr Trends Eng Technol. 2013;1–7.

73.

*Keese J, Motzo L. Pro-active approach to malware for healthcare information and imaging systems. Int Congr Ser. 2005;1281:943–947.CrossRef

74.

*Kramer DB, Fu K. Cybersecurity Concerns and Medical Devices Lessons from a Pacemaker Advisory. JAMA. 2017;318:2077–2078.CrossRef

75.

*O’Keeffe DT, Maraka S, Basu A, Keith-Hynes P, Kudva YC. Cybersecurity in Artificial Pancreas Experiments. Diabetes Technol Ther. 2015;17:664–666.CrossRef

76.

*Britton KE, Britton-Colonnese JD. Privacy and Security Issues Surrounding the Protection of Data Generated by Continuous Glucose Monitors. J Diabetes Sci Technol. 2017;11:216–219.CrossRef

77.

*Elhai JD, Frueh BC. Security of Electronic Mental Health Communication and Record-Keeping in the Digital Age. J Clin Psychiatry. 2015;77:22–27.

78.

*Kwon J, Johnson ME. Security practices and regulatory compliance in the healthcare industry. J Am Med Informatics Assoc. 2013;20:44–51.CrossRef

79.

*Liu C-H, Chung Y-F, Chen T-S, Wang S-D. The Enhancement of Security in Healthcare Information Systems. J Med Syst. 2012;36:1673–1688.CrossRef

80.

*Koppel R, Smith S, Blythe J, Kothari V. Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient? Stud Health Technol Inform. 2015;208:215–220.PubMed

81.

*Liebowitz J, Schaller R. Biological Warfare: Tampering with implantable medical devices. IT Prof. 2015; doi: https://doi.org/10.1109/MITP.2015.82

82.

*Loughlin S, Fu K, Gee T, Gieras I, Hoyme K, Rajagopalan SR, et al. A roundtable discussion: Safeguarding information and resources against emerging cybersecurity threats. Biomed Instrum Technol. 2014;48:8–17.

83.

*Billingsley L, McKee SA. Cybersecurity in the Clinical Setting: Nurses’ Role in the Expanding “Internet of Things”. J Contin Educ Nurs. 2016;47:347–349.CrossRef

84.

*Rios B. Cybersecurity expert: Medical devices have “a long way to go”. Biomed Instrum Technol. 2015;49:197–200.CrossRef

85.

*Cheong IR, Kidd MR. Safe practices in cyberspace: a medical perspective on computer viruses. Med J Aust. 1997;166:44–46.PubMed

86.

*Cohen IG, Hoffman S, Adashi EY. Your Money or Your Patient’s Life? Ransomware and Electronic Health Records. Ann Intern Med. 2017; doi:https://doi.org/10.7326/M17-1312.

87.

*Jensen RD, Copeland S, Domas S, Hampton R, Hoyme K, Jump M, et al. A Roundtable Discussion: Thawing Out Healthcare Technology’s ‘Special Snowflake’ Cybersecurity Challenges. Biomed Instrum Technol. 2017;51:10–16.

88.

*Kasurinen J. Usability Issues of Virtual Reality Learning Simulator in Healthcare and Cybersecurity. Procedia Comput Sci. 2017;119:341–349.CrossRef

89.

*Hyman WA. The integrating the healthcare environment-PCD-MEM medical device cyber security white paper: An overview. J Clin Eng. 2012;37:24–28.CrossRef

90.

*Seymour DM, McCall KR, DiPaola L. Security and interconnection of medical devices to healthcare networks. Int Congr Ser. 2004;1268 C:131–134.CrossRef

91.

*Burleson W, Clark SS, Ransford B, Fu K. Design challenges for secure implantable medical devices. Proc 49th Annu Des Autom Conf - DAC ‘12. 2012; doi:https://doi.org/10.1145/2228360.2228364.

92.

*Zhang M, Raghunathan A, Jha NK. Trustworthiness of Medical Devices and Body Area Networks. Proc IEEE. 2014;102:1174–1188.CrossRef

93.

*Busdicker M, Upendra P. The Role of Healthcare Technology Management in Facilitating Medical Device Cybersecurity. Biomed Instrum Technol. 2017;51:19–25.CrossRef

94.

*Sametinger J, Rozenblit J, Lysecky R, Ott P. Security challenges for medical devices. Commun ACM. 2015;58:74–82.CrossRef

95.

*Coronado AJ, Wong TL. Healthcare cybersecurity risk management: Keys to an effective plan. Biomed Instrum Technol. 2014;48:26–30.CrossRef

96.

*Burns AJ, Johnson ME, Honeyman P. A Brief Chronology of Medical Device Security. Commun ACM. 2016; doi:https://doi.org/10.1145/2890488

97.

*Leavitt N. Researchers Fight to Keep Implanted Medical Devices Safe from Hackers. Computer. 2010;43:11–14.CrossRef

98.

*Fu K. Inside risks Reducing risks of implantable medical devices. Commun ACM. 2009;52:25.CrossRef

99.

*Fu K, Blum J. Controlling for cybersecurity risks of medical device software. Commun ACM. 2013; doi: https://doi.org/10.2345/0899-8205-48.s1.38

100.

*Stine I, Rice M, Dunlap S, Pecarina J. A cyber risk scoring system for medical devices. Int J Crit Infrastruct Prot. 2017;19:32–46.CrossRef

101.

*Rauti S, Lahtiranta J, Parisod H, Hyrynsalmi S, Salanterä S, Aromaa ME, et al. A Proxy-Based Solution for Asynchronous Telemedical Systems. Int J E-Health Med Commun. 2017;8:70–83.CrossRef

102.

*He Y, Johnson, C. Improving the redistribution of the security lessons in healthcare: An evaluation of the Generic Security Template. Int J Med Inform. 2015;84:941–949.CrossRef

103.

*Kamoun F, Nicho M. Human and Organizational Factors of Healthcare Data Breaches. Int J Healthc Inf Syst Informatics. 2014;9:42–60.CrossRef

104.

*Szewczak EJ, Snodgrass CR. Business Associates in the National Health Information Network: Implications for Medical Information Privacy. Int J E-Business Res. 2009;5:48–62.CrossRef

105.

*Agaku IT, Adisa AO, Ayo-Yusuf OA, Connolly GN. Concern about security and privacy, and perceived control over collection and use of health information are related to withholding of health information from healthcare providers. J Am Med Informatics Assoc. 2014;21:374–378.CrossRef

106.

*Diamantopoulou V, Angelopoulos K, Flake J, Praitano A, Ruiz JF, Jurjens J, et al. Privacy Data management and awareness for public adminstrations: a case study from the healthcare domain. In: 5th Annual Privacy Forum, APF 2017. Springer International Publishing; 2017. p. 192–209.

107.

*Bhatti R, Grandison T. Towards improved privacy policy coverage in healthcare using policy refinement. In: Secure Data Management - 4th VLDB Workshop, SDM 2007, Proceedings. Springer-Verlag Berlin Heidlberg; 2007. p. 158–73.

108.

*Chien J-C, Wang J-P, Cho C-L, Chong F-C. Security Biosignal Transmission Based on Face Recognition for Telemedicine. Biomed Eng Appl Basis Commun. 2007;19:63–69.CrossRef

109.

*Leetz W. Patching off-the-shelf software used in medical information systems. Int Congr Ser. 2005;1281:954–958.CrossRef

110.

*Wu F, Eagles S. Cybersecurity for medical device manufacturers: Ensuring safety and functionality. Biomed Instrum Technol. 2016;50:23–34.CrossRef

111.

*Medlin BD, Cazier JA, Foulk DP. Analyzing the Vulnerability of U.S. Hospitals to Social Engineering Attacks: How Many of Your Employees Would Share Their Password? Int J Inf Secur Priv. 2008;2:71–83.CrossRef

112.

*Rose R V., Kass JS. Mitigating Cybersecurity Risks. Contin Lifelong Learn Neurol. 2017;23:553–556.CrossRef

Title: The state of research on cyberattacks against hospitals and available best practice recommendations: a scoping review
Authors: Salem T. Argaw
Nefti-Eboni Bempong
Bruce Eshaya-Chauvin
Antoine Flahault
Publication date: 01-12-2019
Publisher: BioMed Central
Published in: BMC Medical Informatics and Decision Making / Issue 1/2019
Electronic ISSN: 1472-6947
DOI: https://doi.org/10.1186/s12911-018-0724-5

At a glance: The ONWARDS insulin icodec trials

Springer Medicine

The state of research on cyberattacks against hospitals and available best practice recommendations: a scoping review

Abstract

Background

Methods

Results

Conclusion

At a glance: The ONWARDS insulin icodec trials

Springer Medicine

Abstract

Background

Methods

Results

Conclusion

Please log in to get access to this content

Other articles of this Issue 1/2019

Promoting healthy teenage behaviour across three European countries through the use of a novel smartphone technology platform, PEGASO fit for future: study protocol of a quasi-experimental, controlled, multi-Centre trial

Risk factor analysis of device-related infections: value of re-sampling method on the real-world imbalanced dataset

Treatment recommendations to cancer patients in the context of FDA guidance for next generation sequencing

Considering patient safety in autonomous e-mental health systems – detecting risk situations and referring patients back to human care

Evaluating the implementation of a personal health record for chronic primary and secondary care: a mixed methods approach

On the interpretability of machine learning-based model for predicting hypertension