Top

BMC Medical Informatics and Decision Making

Published in:

Open Access 01-12-2020 | Review

Cybersecurity of Hospitals: discussing the challenges and working towards mitigating the risks

Authors: Salem T. Argaw, Juan R. Troncoso-Pastoriza, Darren Lacey, Marie-Valentine Florin, Franck Calcavecchia, Denise Anderson, Wayne Burleson, Jan-Michael Vogel, Chana O’Leary, Bruce Eshaya-Chauvin, Antoine Flahault

Published in: BMC Medical Informatics and Decision Making | Issue 1/2020

Excerpt

The increasing incorporation of technology into the health field is leading to greater precision in healthcare; however, advancements in cybersecurity measures are still required. According to a 2016 report by IBM and the Ponemon Institute, the frequency of data breaches in the healthcare industry has been rising since 2010 [1], and it is now among the sectors most targeted by cyberattacks globally [2]. Due to its immutability, the information accessed through health data breaches is of particular interest to criminals [3]. Blood type, past surgeries and diagnoses, and other personal health information are contained in an individual’s medical file. As these records include private data such as name, date of birth, insurance and health provider information, as well as health and genetic information, it is not possible to restore privacy or to reverse psychosocial harm when private data are compromised. …

Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. Traverse City: Ponemon Institute LLC; 2016. p. 1–50. https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf.

Martin G, Martin P, Hankin C, Darzi A, Kinross J. Cybersecurity and healthcare: how safe are we? BMJ. 2017. https://doi.org/10.1136/BMJ.J3179.

Alvarez M. Security trends in the healthcare industry. Somers: IBM; 2017. p. 2–18.

Millard WB. Where bits and bytes meet flesh and blood. Ann Emerg Med. 2017. https://doi.org/10.1016/j.annemergmed.2017.07.008.

Argaw ST, Bempong N, Eshaya-Chauvin B, Flahault A. The state of research on cyberattacks against hospitals and available best practice recommendations: a scoping review. BMC Med Inform Decis Mak. 2019;5:1–11.

Ganten D, Silva JG, Regateiro F, et al. Science Has to Take Responsibility . 10 Years World Health Summit — The Road to Better Health for All; 2018. p. 6. https://doi.org/10.3389/fpubh.2018.00314.CrossRef

Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. Reuters. 2014. https://www.reuters.com/article/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. Accessed 27 Apr 2018.

Luna R, Rhine E, Myhra M, Sullivan R, Kruse CS. Cyber threats to health information systems: a systematic review. Technol Health Care. 2016;24:1–9.CrossRef

Health Insurance Portability and Accountability Act of 1996. Office of the Assistant Secretary for Planning and Evaluation. https://aspe.hhs.gov/report/health-insurance-portability-and-accountability-act-1996. Accessed 29 May 2018.

10.

The Impact of HIPAA and HITECH. Mountain View: Symantec corperation; 2010. p. 1–7.

11.

Regulation 2016/679 of the European parliament and the Council of the European Union. Brussels: Off J Eur Communities; 2016: 1–88.

12.

EPFL IRGC. Governance of trust in precision medicine. Lausanne: EPFL International Risk Governance Center; 2018. p. 1–24.

13.

Bradley N, Alvarez M, McMillen D, Craig S. Reviewing a year of serious data breaches, major attacks and new vulnerabilities: Analysis of cyber attack and incident data from IBM’s worldwide security services operations. Somers: IBM X-Force® Res 2016 Cyber Secur Intell Index. 2016: 1–19. 2017.

14.

Cost of Data Breach Study, Global Overview. Traverse City: Ponemon Institute LLC; 2017. p. 1–34. https://www.ponemon.org/library/2017-cost-of-data-breach-study-united-states.

15.

Steffen S. Hackers hold German hospital data hostage. DW. 2016. http://www.dw.com/en/hackers-hold-german-hospital-data-hostage/a-19076030. Accessed 20 Feb 2018.

16.

Zorz Z. Crypto ransomware hits German hospitals. Help Net Security 2016. https://www.helpnetsecurity.com/2016/02/26/crypto-ransomware-hits-german-hospitals/. .

17.

Khandelwal S. Nearly half of the Norway population exposed in HealthCare data breach. The Hacker News 2018. https://thehackernews.com/2018/01/healthcare-data-breach.html. Accessed 21 Feb 2018.

18.

Hughes O. Norway healthcare cyber-attack could be biggest of its kind. Digital Health. 2018. https://www.digitalhealth.net/2018/01/norway-healthcare-cyber-attack-could-be-biggest/. Accessed 21 Feb 2018.

19.

Irwin L. Breach at Norway’s largest healthcare authority was a disaster waiting to happen. IT Governance Blog 2018. https://www.itgovernance.eu/blog/en/breach-at-norways-largest-healthcare-authority-was-a-disaster-waiting-to-happen/. Accessed 21 Feb 2018.

20.

Warwick A. Norwegian healthcare breach alert failed GDPR requirements. Computer Weekly 2018. http://www.computerweekly.com/news/252433538/Norwegian-healthcare-breach-alert-failed-GDPR-requirements. Accessed 21 Feb 2018.

21.

Secureworks Counter Threat Unit Threat Intelligence. SamSam Ransomware campaigns. Secureworks. 2018. https://www.secureworks.com/research/samsam-ransomware-campaigns. Accessed 29 May 2018.

22.

Long S. The cyber attack - from the POV of the CEO - Hancock regional hospital. Hancock Health 2018. https://www.hancockregionalhospital.org/2018/01/cyber-attack-pov-ceo/. Accessed 21 Feb 2018.

23.

Hughes O. Hancock regional hospital back online after paying hackers $55,000. Digital Health 2018. https://www.digitalhealth.net/2018/01/hancock-regional-hospital-back-online/. Accessed 21 Feb 2018.

24.

Laudon KC, Jane P. Laudon. IT Infrastructure and Emerging Technologies. In: Management Information Systems: Managing The Digital Firm. 10th edition. Prentice Hall; 2008. https://paginas.fe.up.pt/~als/mis10e/ch5/chpt5-2bullettext.htm. Accessed 16 Apr 2018.

25.

A guide to service asset and configuration management. Oxford: UCSIA ITIL; 2014. p. 1–9. https://www.academia.edu/29873674/ITIL_guide_to_SA_and_CM_management_pdf.

26.

Voldal D. A practical methodology for implementing a patch management process. Swansea: SANS Inst Inf Secur Read Room; 2003. p. 1–14.

27.

A guide to change management. Oxford: UCSIA ITIL; 2017. p. 1–4. https://docuri.com/download/itila-guide-to-change-management-pdf_59c1e978f581710b286d4333_pdf.

28.

The CIS Critical security controls for effective cyber defense. 2016. https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.

29.

Centricity Down After Applying Windows Updates. Quatris health. 2016. http://www.quatris.com/messagecenter/centricity-services-update-centricity-applying-windows-updates/. Accessed 30 May 2018.

30.

Tanev G, Apiafi R. A Value Blueprint Approach to Cybersecurity in Networked Medical Devices. Technol Innov Manag Rev. 2015;5(6):17–25. https://doi.org/10.22215/timreview/903.

31.

Alvarenga A, Tanev G. Cybersecurity risk assessment framework that integrates value-sensitive design. Technol Innov Manag Rev. 2017;7:32–43. .

32.

Moses V, Korah I. Lack of security of networked medical equipment in radiology. Am J Roentgenol. 2015;204:343–53.CrossRef

33.

Software as a Medical Device ( SAMD ): Clinical Evaluation Guidance for Industry and Food and Drug Administration Staff. 2017. https://www.fda.gov/media/100714/download. Accessed 7 Oct 2019.

34.

Medical Device Safety Action Plan. Silver Spring: FDA; 2018. 1-18. 2017 HIMSS Cybersecurity survey. Chicago: HIMSS; 2017. p. 5–37.

35.

Khan SI, Hoque ASML. Digital health data: a comprehensive review of privacy and security risks and some recommendations. Comput Sci J Mold. 2016;24:273–92.

36.

Protecting Your Networks from Ransomware. Washington, DC: The United States Department of Justice; 2016. p. 2–8. https://www.justice.gov/criminal-ccips/file/872771/download.

37.

Liveri D, Sarri A, Skouloudi C. Security and resilience in eHealth: security challenges and risks. ENISA. 2015. https://doi.org/10.2824/217830.

38.

EPFL IRGC. Governing cybersecurity risks and benefits of the.

39.

Internet of Things. Connected medical & health devices and connected vehicles. Workshop report. Lausanne: EPFL International Risk Governance Center; 2017. p. 6–29.

40.

Framework for Improving Critical Infrastructure Cybersecurity Note to Readers on the Update. Gaithersburg: National Institute of Standards; 2018. p. 1–44. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.

41.

Ondiege B, Clarke M, Mapp G. Exploring a new security framework for remote patient monitoring devices. Computers. 2017;6:11.CrossRef

42.

Pycroft L, Boccard SG, Owen SLF, Stein JF, Fitzgerald JJ, Green AL, et al. Brainjacking: implant security issues in invasive Neuromodulation. Elsevier; 2016. https://doi.org/10.1016/j.wneu.2016.05.010.CrossRef

43.

Wagner S. Les données médicales d'une centaines de patients des HUG accessibles sur internet. https://www.ictjournal.ch/news/2019-10-04/les-donnees-medicales-dune-centaines-de-patients-des-hug-accessibles-sur-internet. Accessed 7 Oct 2019.

44.

Kruse CS, Frederick B, Jacobson T, Monticone DK. Cybersecurity in healthcare: a systematic review of modern threats and trends. Technol Heal Care. 2017;25:1–10.CrossRef

45.

Cybersecurity. The protection of data and systems in networks that connect to the Internet - 10 Best Practices for the Small Healthcare Environment. Washington: Department of Health and Human Service; 2010. p. 5–21.

46.

Ehrenfeld JM. WannaCry, Cybersecurity and Health Information Technology: A Time to Act. J Med Syst. 2017;41:104.CrossRef

47.

Sittig DF, Singh H. A socio-technical approach to preventing, mitigating, and recovering from Ransomware attacks. Appl Clin Inform. 2016;7:624–32.CrossRef

48.

Langer SG. Cyber-security issues in healthcare information technology. J Digit Imaging. 2017;30:117–25.CrossRef

49.

Kim L. Cybersecurity awareness: Protecting data and patients. Nursing 2018. 2017;47:65–7.

50.

Palmaers T. Implementing a vulnerability management process. Swansea: SANS Inst Inf Secur Read Room; 2013. p. 1–21.

51.

Rochford O, Young G, Lawson C. Predicts 2017: Threat and vulnerability management. Stamford: Gartner; 2016. 1–6.

52.

New Report Connects Privileged Account Exploitation to Advanced Cyber Attacks. CyberArk. 2013. https://www.cyberark.com/press/new-report-connects-privileged-account-exploitation-advanced-cyber-attacks/. Accessed 23 Apr 2018.

53.

Wright A, Aaron S, Bates DW. The big phish: Cyberattacks against U.S. healthcare systems. J Gen Intern Med. 2016;31:1115–8.CrossRef

54.

Harries D, Yellowlees PM. Cyberterrorism: is the U.S. healthcare system safe? Telemed J E Health. 2013;19:61–6.CrossRef

55.

Strategies to Mitigate Cyber Security Incidents – Mitigation Details. ASD Australian Signals Directorate. 2017. https://www.asd.gov.au/infosec/top-mitigations/mitigations-2017-details.htm. Accessed 30 Jan 2018.

56.

Health Care Industry Cybersecurity Task Force Report on Improving Cybersecurity in the Health Care Industry. Washington: Department of Health and Human Service; 2017. 1–87.

57.

Le Bris A, El Asri W. State of Cybersecurity & Cyber Threats in healthcare organizations: applied Cybersecurity strategy for managers. Cergy: ESSEC Bus Sch; 2017. p. 1–13.

58.

SMART Hospitals. ENISA; 2013. https://doi.org/10.2824/28801.CrossRef

59.

Cybersecurity and Hospitals. Four Questions Every Hospital Leader Should Ask in Order to Prepare for and Manage Cybersecurity Risks. Chicago: America Hopital Association; 2015. p. 1–15.

60.

Williams P, Woodward A. Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Med Devices Evid Res. 2015. https://doi.org/10.2147/MDER.S50048.

61.

Healthcare and Public Health Sector-Specific Plan. Washington: Department of Homeland Security; 2015. p. 1–53. https://www.cisa.gov/sites/default/files/publications/nipp-ssp-healthcare-public-health-2015-508.pdf.

62.

Piggin R. Cybersecurity of medical devices - addressing patient safety and the security of patient health information. London: BSI; 2017. p. 3–22.

63.

The Directive on security of network and information systems (NIS Directive). European Commission. 2016. https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive. Accessed 20 Jun 2018.

64.

DPPH18. https://dpph18.epfl.ch/. Accessed 30 May 2018.

65.

Bost R, Popa R, Tu S, Goldwasser S. Machine Learning Classification over Encrypted Data. NDSS; 2015. https://doi.org/10.14722/ndss.2015.23241.CrossRef

66.

Dowlin N, Gilad-Bachrach R, Laine K, Lauter K, Naehrig M, Wernsing J. CryptoNets: Applying neural networks to Encrypted data with high throughput and accuracy. Proc 33rd Int Conf Int Conf Mach Learn. 2016;48:201–10.

67.

Costan V, Devadas S. Intel SGX explained. IACR Cryptol ePrint Arch. 2016;2016:86.

68.

Corrigan-Gibbs H, Boneh D. Prio: private, robust, and scalable computation of aggregate statistics. Boston: NSDI; 2017. p. 259–82.

69.

Froelicher D, Egger P, Sousa JS, Raisaro JL, Huang Z, Mouchet C, et al. UnLynx: a decentralized system for privacy-conscious data sharing. Proc Priv Enhancing Technol. 2017. https://doi.org/10.1515/popets-2017-0047.

70.

Kokoris-Kogias E, Jovanovic P, Gasser L, Gailly N, Syta E. OmniLedger: a secure, scale-out, decentralized ledger via Sharding. IEEE Symp Secur Priv. 2018. https://doi.org/10.1109/SP.2018.000-5.

71.

Raisaro JL, Troncoso-Pastoriza JR, Misbach M, Sousa JS, Pradervand S, Missiaglia E, et al. MedCo: Enabling Privacy-Conscious Exploration of Distributed Clinical and Genomic Data. Orlando: 4th Int Work Genome Priv Secur; 2017. p. 1–21.

72.

Classify Your Medical Device - Is The Product A Medical Device? 2018. https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/Overview/ClassifyYourDevice/ucm051512.htm. Accessed 25 Apr 2018.

73.

Kotz D, Gunter CA, Kumar S, Weiner JP. Privacy and security in Mobile health: a research agenda. Computer. 2016;49:22–30.CrossRef

74.

US hospitals turn away patients as ransomware strike. 2019. https://www.bbc.com/news/technology-49905226. Accessed 5 Oct 2019.

Title: Cybersecurity of Hospitals: discussing the challenges and working towards mitigating the risks
Authors: Salem T. Argaw
Juan R. Troncoso-Pastoriza
Darren Lacey
Marie-Valentine Florin
Franck Calcavecchia
Denise Anderson
Wayne Burleson
Jan-Michael Vogel
Chana O’Leary
Bruce Eshaya-Chauvin
Antoine Flahault
Publication date: 01-12-2020
Publisher: BioMed Central
Published in: BMC Medical Informatics and Decision Making / Issue 1/2020
Electronic ISSN: 1472-6947
DOI: https://doi.org/10.1186/s12911-020-01161-7

At a glance: The ONWARDS insulin icodec trials

Springer Medicine

Cybersecurity of Hospitals: discussing the challenges and working towards mitigating the risks

Excerpt

At a glance: The ONWARDS insulin icodec trials

Springer Medicine

Excerpt

Please log in to get access to this content

Other articles of this Issue 1/2020

Can mobile health apps replace GPs? A scoping review of comparisons between mobile apps and GP tasks

A stratification method based on clustering for the minimization of data masking effect in signal detection

Multi-criteria analysis in the health area: selection of the most appropriate triage system for the emergency care units in natal

Home blood pressure data visualization for the management of hypertension: designing for patient and physician information needs

The role of text messaging intervention in Inner Mongolia among patients with type 2 diabetes mellitus: a randomized controlled trial

The costs outweigh the benefits: seeing side-effects online may decrease adherence to statins