1
Lippi G, Akhvlediani S, Cadamuro J, Danese E, García de Guadiana Romualdo L, Delacour H, Favaloro EJ, Favresse J, Henry BM, Jovicic S, Kütt M, Moreno Y Banuls L, Ozben T, Peretz A, Perovic A, Thachil J, Yucel D, Plebani M. EFLM Task Force Preparation of Labs for Emergencies (TF-PLE) recommendations for reinforcing cyber-security and managing cyber-attacks in medical laboratories. Clin Chem Lab Med 2024; 0:cclm-2024-0803. PMID: 39008654. DOI: 10.1515/cclm-2024-0803. Citations in RCA: 0; Impact Index Per Article: 0. Received: 07/10/2024; Accepted: 07/10/2024; Indexed: 07/17/2024.
Abstract
The healthcare systems are a prime target for cyber-attacks due to the sensitive nature of the information combined with the essential need for continuity of care. Medical laboratories are particularly vulnerable to cyber-attacks for a number of reasons, including the high level of information technology (IT), computerization and digitization. Based on reliable and widespread evidence that medical laboratories may be inadequately prepared for cyber-terrorism, a panel of experts of the Task Force Preparation of Labs for Emergencies (TF-PLE) of the European Federation of Clinical Chemistry and Laboratory Medicine (EFLM) has recognized the need to provide some general guidance that could help medical laboratories to be less vulnerable and better prepared for the dramatic circumstance of a disruptive cyber-attack, issuing a number of consensus recommendations, which are summarized and described in this opinion paper.
Affiliation(s)
- Giuseppe Lippi
- Section of Clinical Biochemistry, University of Verona, Verona, Italy
- Salome Akhvlediani
- Department of Clinical Laboratory and Microbiology, Acad. O. Gudushauri National Medical Center, Tbilisi, Georgia
- Janne Cadamuro
- Department of Laboratory Medicine, University Hospital Salzburg, Paracelsus Medical University, Salzburg, Austria
- Elisa Danese
- Section of Clinical Biochemistry, University of Verona, Verona, Italy
- Herve Delacour
- Department of Laboratory Medicine, Begin Military Teaching Hospital, Saint-Mandé, France
- Emmanuel J Favaloro
- Haematology, NSW Health Pathology, Sydney Centres for Thrombosis and Haemostasis, ICPMR, Westmead Hospital, Sydney, Australia
- Julien Favresse
- Services of Clinical Biology, Clinic Saint-Luc, Bouge, Belgium
- Brandon M Henry
- Clinical Laboratory, Division of Nephrology and Hypertension, Cincinnati Children's Hospital Medical Center, Cincinnati, OH, USA
- Snezana Jovicic
- Department for Medical Biochemistry, Faculty of Pharmacy, University of Belgrade, Belgrade, Serbia
- Marge Kütt
- Laboratory of Diagnostics Division, North Estonia Medical Centre Foundation, Tallinn, Estonia
- Tomris Ozben
- Department of Medical Biochemistry, Faculty of Medicine, Akdeniz University, Antalya, Türkiye
- Avi Peretz
- The Clinical Microbiology Laboratory, Tzafon Medical Center, Affiliated With Azrieli Faculty of Medicine, Bar Ilan University, Safed, Israel
- Antonija Perovic
- Medical Biochemistry Laboratory, Health Care Institution Glavić, Dubrovnik, Croatia
- Jecko Thachil
- Immune Thrombocytopenic Purpura (ITP) Clinic, Haematology Department, Manchester University NHS Foundation Trust - Manchester Royal Infirmary, Manchester, UK
- Dogan Yucel
- Department of Medical Biochemistry, Lokman Hekim University, Ankara, Türkiye
- Mario Plebani
- Department of Medicine, University of Padova, Padova, Italy
2
Gunawardene AN, Schmuter G. Teaching the Limitations of Large Language Models in Medical School. J Surg Educ 2024; 81:625. PMID: 38365565. DOI: 10.1016/j.jsurg.2024.01.008. Citations in RCA: 0; Impact Index Per Article: 0. Received: 01/15/2024; Accepted: 01/15/2024; Indexed: 02/18/2024.
Affiliation(s)
- Araliya N Gunawardene
- Dr. Kiran C. Patel College of Allopathic Medicine, Nova Southeastern University, Fort Lauderdale, Florida.
3
O'Brien N, Fernandez Crespo R, O'Driscoll F, Prendergast M, Chana D, Darzi A, Ghafur S. Usability and Feasibility Evaluation of a Web-Based and Offline Cybersecurity Resource for Health Care Organizations (The Essentials of Cybersecurity in Health Care Organizations Framework Resource): Mixed Methods Study. JMIR Form Res 2024; 8:e50968. PMID: 38603777; PMCID: PMC11046383. DOI: 10.2196/50968. Citations in RCA: 0; Impact Index Per Article: 0. Received: 08/04/2023; Revised: 02/07/2024; Accepted: 02/08/2024; Indexed: 04/13/2024. Open access.
Abstract
BACKGROUND Cybersecurity is a growing challenge for health systems worldwide as the rapid adoption of digital technologies has led to increased cyber vulnerabilities with implications for patients and health providers. It is critical to develop workforce awareness and training as part of a safety culture and continuous improvement within health care organizations. However, there are limited open-access, health care-specific resources to help organizations at different levels of maturity develop their cybersecurity practices. OBJECTIVE This study aims to assess the usability and feasibility of the Essentials of Cybersecurity in Health Care Organizations (ECHO) framework resource and evaluate the strengths, weaknesses, opportunities, and threats associated with implementing the resource at the organizational level. METHODS A mixed methods, cross-sectional study of the acceptability and usability of the ECHO framework resource was undertaken. The research model was developed based on the technology acceptance model. Members of the Imperial College Leading Health Systems Network and other health care organizations identified through the research teams' networks were invited to participate. Study data were collected through web-based surveys 1 month and 3 months from the date the ECHO framework resource was received by the participants. Quantitative data were analyzed using R software (version 4.2.1). Descriptive statistics were calculated using the mean and 95% CIs. To determine significant differences between the distribution of answers by comparing results from the 2 survey time points, 2-tailed t tests were used. Qualitative data were analyzed using Microsoft Excel. Thematic analysis used deductive and inductive approaches to capture themes and concepts. RESULTS A total of 16 health care organizations participated in the study. The ECHO framework resource was well accepted and useful for health care organizations, improving their understanding of cybersecurity as a priority area, reducing threats, and enabling organizational planning. Although not all participants were able to implement the resource as part of information computing technology (ICT) cybersecurity activities, those who did were positive about the process of change. Learnings from the implementation process included the usefulness of the resource for raising awareness and ease of use based on familiarity with other standards, guidelines, and tools. Participants noted that several sections of the framework were difficult to operationalize due to costs or budget constraints, human resource limitations, leadership support, stakeholder engagement, and limited time. CONCLUSIONS The research identified the acceptability and usability of the ECHO framework resource as a health-focused cybersecurity resource for health care organizations. As cybersecurity in health care organizations is everyone's responsibility, there is potential for the framework resource to be used by staff with varied job roles. Future research needs to explore how it can be updated for ICT staff and implemented in practice and how educational materials on different aspects of the framework could be developed.
Affiliation(s)
- Niki O'Brien
- Institute of Global Health Innovation, Imperial College London, London, United Kingdom
- Fiona O'Driscoll
- Institute of Global Health Innovation, Imperial College London, London, United Kingdom
- Mabel Prendergast
- Institute of Global Health Innovation, Imperial College London, London, United Kingdom
- Deeph Chana
- Institute for Security Science and Technology, Imperial College London, London, United Kingdom
- Ara Darzi
- Institute of Global Health Innovation, Imperial College London, London, United Kingdom
- Saira Ghafur
- Institute of Global Health Innovation, Imperial College London, London, United Kingdom
4
Chao KY, Liu SH, Chou CC, Chen CI, Cheng W. Legalization of marijuana or not? Opinions from over 38,000 residents in Taiwan. BMC Public Health 2023; 23:1954. PMID: 37814243; PMCID: PMC10563234. DOI: 10.1186/s12889-023-16834-x. Citations in RCA: 0; Impact Index Per Article: 0. Received: 07/27/2023; Accepted: 09/25/2023; Indexed: 10/11/2023. Open access.
Abstract
BACKGROUND Marijuana is legal in many Western countries and Thailand. In Taiwan, Marijuana remains a category-2 narcotic; however, some legislative candidates recently advocated legalization of medical marijuana. This study surveyed a large sample of Taiwanese to gain a better understanding of the public's knowledge and attitudes towards legalizing marijuana. METHODS This cross-sectional mixed-methods study included demographic data and responses to a survey questionnaire, "Knowledge and Attitudes of Legalizing Marijuana" (KALM). The survey included 15 statements about four categories: public health, social impact, medical applications of THC (Δ9-tetrahydrocannabinol), and legal and tax consequences; and two yes/no questions about medical use and legalization of marijuana. Knowledge was scored as disagree = 0, no knowledge = 2, or agree = 4; attitude was scored from 0 = very unimportant to 4 = very important. Responses to an open-ended question asking for additional comments/concerns were analysed with content analysis. The survey was conducted from February 15 to March 1, 2023. RESULTS Data were analysed from 38,502 respondents, aged 15 to > 56 years. Most were female (67.1%) and parents (76.4%). Scores were higher for respondents who were parents, religious, ≥ 36 years of age, had a high-income status, no history of substance abuse, knowledge of medical marijuana, and did not support legalization of marijuana. Medical personnel had greater knowledge of marijuana, but their attitude indicated they viewed legalization as less important. In the open-ended question, many respondents requested more information about marijuana be provided to the public before considering legalization. CONCLUSIONS Taiwanese respondents considered legalization of marijuana a significant concern, especially as it relates to impacts on public health.
Affiliation(s)
- Kuo-Yu Chao
- Department of Nursing, Chang Gung University of Science and Technology, Taoyuan, Taiwan
- Division of Colon and Rectal Surgery, Chang Gung Memorial Hospital, Taoyuan, Taiwan
- Shu-Hsiang Liu
- School of Nursing, National Taipei University of Nursing and Health Sciences, Taipei, Taiwan
- Chih-Chiang Chou
- Department of Psychiatry, Centro Hospitalar Conde de São Januário, Macau SAR, China
- Ching-I Chen
- Department of Psychiatry, Kee-Lung Hospital, Ministry of Health and Welfare, KeeLung, Taiwan
- Wei Cheng
- School of Nursing, National Taipei University of Nursing and Health Sciences, Taipei, Taiwan
- Department of Pathology, Kee-Lung Hospital, Ministry of Health and Welfare, 268, Xin 2nd Road, Xinyi District, KeeLung, 201203, Taiwan
- Department of Nursing, Deh Yu College of Nursing and Health, Kee-Lung, Taiwan
5
Dameff C, Tully J, Chan TC, Castillo EM, Savage S, Maysent P, Hemmen TM, Clay BJ, Longhurst CA. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA Netw Open 2023; 6:e2312270. PMID: 37155166; PMCID: PMC10167570. DOI: 10.1001/jamanetworkopen.2023.12270. Citations in RCA: 0; Impact Index Per Article: 0. Received: 10/28/2022; Accepted: 03/26/2023; Indexed: 05/10/2023. Open access.
Abstract
Importance Cyberattacks on health care delivery organizations are increasing in frequency and sophistication. Ransomware infections have been associated with significant operational disruption, but data describing regional associations of these cyberattacks with neighboring hospitals have not been previously reported, to our knowledge. Objective To examine an institution's emergency department (ED) patient volume and stroke care metrics during a month-long ransomware attack on a geographically proximal but separate health care delivery organization. Design, Setting, and Participants This before and after cohort study compares adult and pediatric patient volume and stroke care metrics of 2 US urban academic EDs in the 4 weeks prior to the ransomware attack on May 1, 2021 (April 3-30, 2021), as well as during the attack and recovery (May 1-28, 2021) and 4 weeks after the attack and recovery (May 29 to June 25, 2021). The 2 EDs had a combined mean annual census of more than 70 000 care encounters and 11% of San Diego County's total acute inpatient discharges. The health care delivery organization targeted by the ransomware constitutes approximately 25% of the regional inpatient discharges. Exposure A month-long ransomware cyberattack on 4 adjacent hospitals. Main Outcomes and Measures Emergency department encounter volumes (census), temporal throughput, regional diversion of emergency medical services (EMS), and stroke care metrics. Results This study evaluated 19 857 ED visits at the unaffected ED: 6114 (mean [SD] age, 49.6 [19.3] years; 2931 [47.9%] female patients; 1663 [27.2%] Hispanic, 677 [11.1%] non-Hispanic Black, and 2678 [43.8%] non-Hispanic White patients) in the preattack phase, 7039 (mean [SD] age, 49.8 [19.5] years; 3377 [48.0%] female patients; 1840 [26.1%] Hispanic, 778 [11.1%] non-Hispanic Black, and 3168 [45.0%] non-Hispanic White patients) in the attack and recovery phase, and 6704 (mean [SD] age, 48.8 [19.6] years; 3326 [49.5%] female patients; 1753 [26.1%] Hispanic, 725 [10.8%] non-Hispanic Black, and 3012 [44.9%] non-Hispanic White patients) in the postattack phase. Compared with the preattack phase, during the attack phase, there were significant associated increases in the daily mean (SD) ED census (218.4 [18.9] vs 251.4 [35.2]; P < .001), EMS arrivals (1741 [28.8] vs 2354 [33.7]; P < .001), admissions (1614 [26.4] vs 1722 [24.5]; P = .01), patients leaving without being seen (158 [2.6] vs 360 [5.1]; P < .001), and patients leaving against medical advice (107 [1.8] vs 161 [2.3]; P = .03). There were also significant associated increases during the attack phase compared with the preattack phase in median waiting room times (21 minutes [IQR, 7-62 minutes] vs 31 minutes [IQR, 9-89 minutes]; P < .001) and total ED length of stay for admitted patients (614 minutes [IQR, 424-1093 minutes] vs 822 minutes [IQR, 497-1524 minutes]; P < .001). There was also a significant increase in stroke code activations during the attack phase compared with the preattack phase (59 vs 102; P = .01) as well as confirmed strokes (22 vs 47; P = .02). Conclusions and Relevance This study found that hospitals adjacent to health care delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.
Affiliation(s)
- Christian Dameff
- Department of Emergency Medicine, University of California, San Diego
- Department of Biomedical Informatics, University of California, San Diego
- Department of Computer Science and Engineering, University of California, San Diego
- Jeffrey Tully
- Department of Anesthesiology, University of California, San Diego
- Theodore C. Chan
- Department of Emergency Medicine, University of California, San Diego
- Stefan Savage
- Department of Computer Science and Engineering, University of California, San Diego
- Patricia Maysent
- Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
- Thomas M. Hemmen
- Department of Neurosciences, University of California, San Diego
- Brian J. Clay
- Department of Biomedical Informatics, University of California, San Diego
- Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
- Christopher A. Longhurst
- Department of Biomedical Informatics, University of California, San Diego
- Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
6
Patel AU, Williams CL, Hart SN, Garcia CA, Durant TJS, Cornish TC, McClintock DS. Cybersecurity and Information Assurance for the Clinical Laboratory. J Appl Lab Med 2023; 8:145-161. PMID: 36610432. DOI: 10.1093/jalm/jfac119. Citations in RCA: 1; Impact Index Per Article: 1.0. Received: 06/18/2022; Accepted: 10/26/2022; Indexed: 01/09/2023.
Abstract
BACKGROUND Network-connected medical devices have rapidly proliferated in the wake of recent global catalysts, leaving clinical laboratories and healthcare organizations vulnerable to malicious actors seeking to ransom sensitive healthcare information. As organizations become increasingly dependent on integrated systems and data-driven patient care operations, a sudden cyberattack and the associated downtime can have a devastating impact on patient care and the institution as a whole. Cybersecurity, information security, and information assurance principles are, therefore, vital for clinical laboratories to fully prepare for what has now become inevitable, future cyberattacks. CONTENT This review aims to provide a basic understanding of cybersecurity, information security, and information assurance principles as they relate to healthcare and the clinical laboratories. Common cybersecurity risks and threats are defined in addition to current proactive and reactive cybersecurity controls. Information assurance strategies are reviewed, including traditional castle-and-moat and zero-trust security models. Finally, ways in which clinical laboratories can prepare for an eventual cyberattack with extended downtime are discussed. SUMMARY The future of healthcare is intimately tied to technology, interoperability, and data to deliver the highest quality of patient care. Understanding cybersecurity and information assurance is just the first preparative step for clinical laboratories as they ensure the protection of patient data and the continuity of their operations.
Affiliation(s)
- Ankush U Patel
- Department of Laboratory Medicine and Pathology, Mayo Clinic, Rochester, MN
- Christopher L Williams
- Department of Pathology, University of Oklahoma Health Sciences Center, Oklahoma City, OK
- Steven N Hart
- Department of Laboratory Medicine and Pathology, Mayo Clinic, Rochester, MN
- Thomas J S Durant
- Department of Laboratory Medicine, Yale School of Medicine, New Haven, CT
- Toby C Cornish
- Department of Pathology, University of Colorado School of Medicine, Aurora, CO
- David S McClintock
- Department of Laboratory Medicine and Pathology, Mayo Clinic, Rochester, MN
7
Neprash HT, McGlave CC, Cross DA, Virnig BA, Puskarich MA, Huling JD, Rozenshtein AZ, Nikpay SS. Trends in Ransomware Attacks on US Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021. JAMA Health Forum 2022; 3:e224873. PMID: 36580326; PMCID: PMC9856685. DOI: 10.1001/jamahealthforum.2022.4873. Citations in RCA: 12; Impact Index Per Article: 6.0. Indexed: 12/30/2022. Open access.
Abstract
Importance Anecdotal evidence suggests that health care delivery organizations face a growing threat from ransomware attacks that are designed to disrupt care delivery and may consequently threaten patient outcomes. Objective To quantify the frequency and characteristics of ransomware attacks on health care delivery organizations. Design, Setting, and Participants This cohort study used data from the Tracking Healthcare Ransomware Events and Traits database to examine the number and characteristics of ransomware attacks on health care delivery organizations from 2016 to 2021. Logistic and negative binomial regression quantified changes over time in the characteristics of ransomware attacks that affected health care delivery organizations. Main Outcomes and Measures Date of ransomware attack, public reporting of ransomware attacks, personal health information (PHI) exposure, status of encrypted/stolen data following the attack, type of health care delivery organization affected, and operational disruption during the ransomware attack. Results From January 2016 to December 2021, 374 ransomware attacks on US health care delivery organizations exposed the PHI of nearly 42 million patients. From 2016 to 2021, the annual number of ransomware attacks more than doubled from 43 to 91. Almost half (166 [44.4%]) of ransomware attacks disrupted the delivery of health care, with common disruptions including electronic system downtime (156 [41.7%]), cancellations of scheduled care (38 [10.2%]), and ambulance diversion (16 [4.3%]). From 2016 to 2021, ransomware attacks on health care delivery organizations increasingly affected large organizations with multiple facilities (annual marginal effect [ME], 0.08; 95% CI, 0.05-0.10; P < .001), exposed the PHI of more patients (ME, 66 385.8; 95% CI, 3400.5-129 371.2; P = .04), were less likely to be restored from data backups (ME, -0.04; 95% CI, -0.06 to -0.01; P = .002), were more likely to exceed mandatory reporting timelines (ME, 0.06; 95% CI, 0.03-0.08; P < .001), and increasingly were associated with delays or cancellations of scheduled care (ME, 0.02; 95% CI, 0-0.05; P = .02). Conclusions and Relevance This cohort study of ransomware attacks documented growth in their frequency and sophistication. Ransomware attacks disrupt care delivery and jeopardize information integrity. Current monitoring/reporting efforts provide limited information and could be expanded to potentially yield a more complete view of how this growing form of cybercrime affects the delivery of health care.
Affiliation(s)
- Hannah T. Neprash
- University of Minnesota, School of Public Health, Minneapolis, Minnesota
- Claire C. McGlave
- University of Minnesota, School of Public Health, Minneapolis, Minnesota
- Dori A. Cross
- University of Minnesota, School of Public Health, Minneapolis, Minnesota
- Beth A. Virnig
- University of Florida, College of Public Health and Health Professions, Gainesville, Florida
- Jared D. Huling
- University of Minnesota, School of Public Health, Minneapolis, Minnesota
- Sayeh S. Nikpay
- University of Minnesota, School of Public Health, Minneapolis, Minnesota
8
Investigation into Phishing Risk Behaviour among Healthcare Staff. Information 2022. DOI: 10.3390/info13080392. Citations in RCA: 0; Impact Index Per Article: 0. Indexed: 11/17/2022. Open access.
Abstract
A phishing attack is one of the less complicated ways to circumvent sophisticated technical security measures. It is often used to exploit psychological (as well as other) factors of human users to succeed in social engineering attacks including ransomware. Guided by the state of the art in phishing simulation studies in healthcare and after deeply assessing the ethical dilemmas, an SMS-based phishing simulation was conducted among healthcare workers in Ghana. The study adopted an in-the-wild study approach alongside quantitative and qualitative surveys. From the state-of-the-art studies, the in-the-wild study approach was the most commonly used method as compared to laboratory-based experiments and statistical surveys because its findings are generally reliable and effective. The attack results also showed that 61% of the targeted healthcare staff were susceptible, and some of the healthcare staff were not victims of the attack because they prioritized patient care and were not susceptible to the simulated phishing attack. Through structural equation modelling, the workload was estimated to have a significant effect on self-efficacy risk (r = 0.5, p-value = 0.05) and work emergency predicted a perceived barrier in the reverse direction at a substantial level of r = −0.46, p-value = 0.00. Additionally, Pearson’s correlation showed that the perceived barrier was a predictor of self-reported security behaviour in phishing attacks among healthcare staff. As a result, various suggestions including an extra workload balancing layer of security controls in emergency departments and better security training were suggested to enhance staff’s conscious care behaviour.
9
Wasserman L, Wasserman Y. Hospital cybersecurity risks and gaps: Review (for the non-cyber professional). Front Digit Health 2022; 4:862221. PMID: 36033634; PMCID: PMC9403058. DOI: 10.3389/fdgth.2022.862221. Citations in RCA: 12; Impact Index Per Article: 6.0. Received: 01/25/2022; Accepted: 07/07/2022; Indexed: 11/13/2022. Open access.
Abstract
Background Healthcare is facing a growing threat of cyberattacks. Myriad data sources illustrate the same trends that healthcare is one of the industries with the highest risk of cyber infiltration and is seeing a surge in security incidents within just a few years. The circumstances thus begged the question: are US hospitals prepared for the risks that accompany clinical medicine in cyberspace? Objective The study aimed to identify the major topics and concerns present in today's hospital cybersecurity field, intended for non-cyber professionals working in hospital settings. Methods Via structured literature searches of the National Institutes of Health's PubMed and Tel Aviv University's DaTa databases, 35 journal articles were identified to form the core of the study. Databases were chosen for accessibility and academic rigor. Eighty-seven additional sources were examined to supplement the findings. Results The review revealed a basic landscape of hospital cybersecurity, including primary reasons hospitals are frequent targets, top attack methods, and consequences hospitals face following attacks. Cyber technologies common in healthcare and their risks were examined, including medical devices, telemedicine software, and electronic data. By infiltrating any of these components of clinical care, attackers can access mounds of information and manipulate, steal, ransom, or otherwise compromise the records, or can use the access to catapult themselves to deeper parts of a hospital's network. Issues that can increase healthcare cyber risks, like interoperability and constant accessibility, were also identified. Finally, strategies that hospitals tend to employ to combat these risks, including technical, financial, and regulatory, were explored and found to be weak. There exist serious vulnerabilities within hospitals' technologies that many hospitals presently fail to address. The COVID-19 pandemic was used to further illustrate this issue. Conclusions Comparison of the risks, strategies, and gaps revealed that many US hospitals are unprepared for cyberattacks. Efforts are largely misdirected, with external, often governmental, efforts negligible. Policy changes, e.g., training employees in cyber protocols, adding advanced technical protections, and collaborating with several experts, are necessary. Overall, hospitals must recognize that, in cyber incidents, the real victims are the patients. They are at risk physically and digitally when medical devices or treatments are compromised.
10
Gioulekas F, Stamatiadis E, Tzikas A, Gounaris K, Georgiadou A, Michalitsi-Psarrou A, Doukas G, Kontoulis M, Nikoloudakis Y, Marin S, Cabecinha R, Ntanos C. A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures. Healthcare (Basel) 2022; 10:healthcare10020327. PMID: 35206941; PMCID: PMC8871847. DOI: 10.3390/healthcare10020327. Citations in RCA: 3; Impact Index Per Article: 1.5. Received: 01/07/2022; Revised: 01/31/2022; Accepted: 02/07/2022; Indexed: 01/27/2023. Open access.
Abstract
Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel’s cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlying the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.
Affiliation(s)
- Fotios Gioulekas: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 411 10 Larissa, Greece
- Evangelos Stamatiadis: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 411 10 Larissa, Greece
- Athanasios Tzikas: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 411 10 Larissa, Greece
- Konstantinos Gounaris: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 411 10 Larissa, Greece
- Anna Georgiadou (correspondence): Decision Support Systems Laboratory, National Technical University of Athens, 15 780 Zografou, Greece
- Ariadni Michalitsi-Psarrou: Decision Support Systems Laboratory, National Technical University of Athens, 15 780 Zografou, Greece
- Georgios Doukas: Decision Support Systems Laboratory, National Technical University of Athens, 15 780 Zografou, Greece
- Michael Kontoulis: Decision Support Systems Laboratory, National Technical University of Athens, 15 780 Zografou, Greece
- Yannis Nikoloudakis: Department of Electrical & Computer Engineering, Hellenic Mediterranean University, 710 04 Heraklion, Greece
- Sergiu Marin: Polaris Medical Clinica de Tratament si Recuperare, Str. Principală, 407062 Suceagu, Romania
- Ricardo Cabecinha: Hospital do Espírito Santo de Évora, EPE, Largo Senhor da Pobreza, 7000-811 Évora, Portugal
- Christos Ntanos: Decision Support Systems Laboratory, National Technical University of Athens, 15 780 Zografou, Greece
11
Cybersecurity Enterprises Policies: A Comparative Study. SENSORS 2022; 22:s22020538. [PMID: 35062504 PMCID: PMC8778887 DOI: 10.3390/s22020538] [Citation(s) in RCA: 5] [Impact Index Per Article: 2.5] [Received: 11/15/2021] [Revised: 12/26/2021] [Accepted: 01/06/2022] [Indexed: 02/04/2023]
Abstract
Cybersecurity is a critical issue that must be prioritized not just by enterprises of all kinds, but also by national security. To safeguard an organization's cyberenvironments, information, and communication technologies, many enterprises are investing substantially in cybersecurity these days. One part of the cyberdefense mechanism is building an enterprise's security policies library, for consistent implementation of security controls. Significant and common cybersecurity policies of various enterprises are compared and explored in this study to provide robust and comprehensive cybersecurity knowledge that can be used in various enterprises. Several significant common security policies were identified and discussed in this comprehensive study. This study identified 10 common cybersecurity policy aspects in five enterprises: healthcare, finance, education, aviation, and e-commerce. We aimed to build a strong infrastructure in each business, and investigate the security laws and policies that apply to all businesses in each sector. Furthermore, the findings of this study reveal that the importance of cybersecurity requirements differs across multiple organizations. The choice and applicability of cybersecurity policies are determined by the type of information under control and the security requirements of organizations in relation to these policies.
12
Rizzoni F, Magalini S, Casaroli A, Mari P, Dixon M, Coventry L. Phishing simulation exercise in a large hospital: A case study. Digit Health 2022; 8:20552076221081716. [PMID: 35321019 PMCID: PMC8935590 DOI: 10.1177/20552076221081716] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Received: 10/01/2021] [Accepted: 01/30/2022] [Indexed: 11/21/2022]
Abstract
Background: Phishing is a major threat to the data and infrastructure of healthcare organizations and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email including fatigue and the nature of the deceptive message.
Method: A major Italian Hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals, to compare staff reaction to a general phishing email and a customized one.
Results: The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization.
Conclusions: Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the Hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message is dependent on the personalization of the message to current, local events. The lessons learned can be useful for other hospitals.
Affiliation(s)
- Fabio Rizzoni: Data Protection Office, Fondazione Policlinico Gemelli, Italy
- Sabina Magalini: Department of Surgery, Catholic University of the Sacred Heart, Italy
- Alessandra Casaroli: Information Communication Technology Service, Fondazione Policlinico Gemelli, Italy
- Pasquale Mari: Department of Surgery, Catholic University of the Sacred Heart, Italy
- Matt Dixon: Department of Psychology, Northumbria University, UK
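The comparison reported in the Rizzoni et al. abstract above, a generic lure against a customized one with different open and click rates, is the kind of result a team running its own phishing simulation has to judge: is the gap between two campaigns larger than sampling noise, or are the campaigns simply too small? The script below is an added example, not code from the cited study. It scores each campaign on open, click and report rates and applies a pooled two-proportion z-test to each rate. The per-campaign counts are constructed for illustration (500 recipients each); only the open-rate percentages, 36% for the generic and 62% for the customized email, echo the abstract.

```python
"""Compare two phishing-simulation campaigns (generic vs customized lure).

Added example, not code from the cited study. The per-campaign counts
below are constructed for illustration; only the open-rate percentages
(36% generic vs 62% customized) are taken from the abstract.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str
    sent: int      # simulated emails delivered
    opened: int    # recipients who opened the message
    clicked: int   # recipients who followed the embedded link
    reported: int  # recipients who reported the email to security

    def rate(self, field: str) -> float:
        """Fraction of recipients who performed the given action."""
        return getattr(self, field) / self.sent


def two_proportion_z(successes_a: int, n_a: int,
                     successes_b: int, n_b: int) -> tuple[float, float]:
    """Pooled two-proportion z-test.

    Returns (z, two_sided_p); z is positive when campaign B has the
    higher rate. Used to decide whether the gap between two campaign
    rates is larger than sampling noise would explain.
    """
    p_a, p_b = successes_a / n_a, successes_b / n_b
    pooled = (successes_a + successes_b) / (n_a + n_b)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_a + 1 / n_b))
    if se == 0:  # identical all-or-nothing outcomes: nothing to test
        return 0.0, 1.0
    z = (p_b - p_a) / se
    # two-sided p-value from the standard normal tail, via erfc
    p = math.erfc(abs(z) / math.sqrt(2))
    return z, p


def compare(a: Campaign, b: Campaign, field: str, alpha: float = 0.05) -> dict:
    """Compare one action rate (opened/clicked/reported) between campaigns."""
    z, p = two_proportion_z(getattr(a, field), a.sent, getattr(b, field), b.sent)
    return {
        "field": field,
        a.name: round(a.rate(field), 3),
        b.name: round(b.rate(field), 3),
        "z": round(z, 2),
        "p": p,
        "significant": p < alpha,
    }


# Constructed counts (not from the paper): 500 recipients per campaign.
GENERIC = Campaign("generic", sent=500, opened=180, clicked=40, reported=35)
CUSTOM = Campaign("custom", sent=500, opened=310, clicked=120, reported=20)


def main() -> None:
    for field in ("opened", "clicked", "reported"):
        print(compare(GENERIC, CUSTOM, field))


if __name__ == "__main__":
    main()
```

The report rate is worth tracking alongside the click rate: a customized lure that raises clicks while lowering reports tells you the security team would have learned about the real attack later, which is the operational cost the abstract's "more likely to be acted on" finding implies.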
13
Georgiadou A, Michalitsi-Psarrou A, Gioulekas F, Stamatiadis E, Tzikas A, Gounaris K, Doukas G, Ntanos C, Landeiro Ribeiro L, Askounis D. Hospitals' Cybersecurity Culture during the COVID-19 Crisis. Healthcare (Basel) 2021; 9:1335. [PMID: 34683015 PMCID: PMC8544388 DOI: 10.3390/healthcare9101335] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.3] [Received: 08/25/2021] [Revised: 09/30/2021] [Accepted: 10/01/2021] [Indexed: 11/23/2022]
Abstract
The coronavirus pandemic led to an unprecedented crisis affecting all aspects of the concurrent reality. Its consequences vary from political and societal to technical and economic. These side effects provided fertile ground for a noticeable cyber-crime increase targeting critical infrastructures and, more specifically, the health sector; the domain suffering the most during the pandemic. This paper aims to assess the cybersecurity culture readiness of hospitals' workforce during the COVID-19 crisis. Towards that end, a cybersecurity awareness webinar was held in December 2020 targeting Greek Healthcare Institutions. Concepts of cybersecurity policies, standards, best practices, and solutions were addressed. Its effectiveness was evaluated via a two-step procedure. Firstly, an anonymous questionnaire was distributed at the end of the webinar and voluntarily answered by attendees to assess the comprehension level of the presented cybersecurity aspects. Secondly, a post-evaluation phishing campaign was conducted approximately four months after the webinar, addressing non-medical employees. The main goal was to identify security awareness weaknesses and assist in drafting targeted assessment campaigns specifically tailored to the health domain needs. This paper analyses in detail the results of the aforementioned approaches while also outlining the lessons learned along with the future scientific routes deriving from this research.
Affiliation(s)
- Anna Georgiadou: Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Athens, Greece
- Ariadni Michalitsi-Psarrou: Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Athens, Greece
- Fotios Gioulekas: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 41110 Larissa, Greece
- Evangelos Stamatiadis: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 41110 Larissa, Greece
- Athanasios Tzikas: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 41110 Larissa, Greece
- Konstantinos Gounaris: 5th Regional Health Authority of Thessaly & Sterea, Mezourlo, 41110 Larissa, Greece
- Georgios Doukas: Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Athens, Greece
- Christos Ntanos: Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Athens, Greece
- Luís Landeiro Ribeiro: Projeto Desenvolvimento Manutenção Formação e Consultadoria-PDMFC, Rua Fradesso da Silveira n. 4, Piso 1 B, 1300-609 Lisbon, Portugal
- Dimitris Askounis: Decision Support Systems Laboratory, National Technical University of Athens, Iroon Polytechniou 9, 15780 Athens, Greece
14
Abstract
Librarians adopted and utilized web-based Google suite applications as a method of collaborating with each other on projects, research, and professional association membership duties. However, as cybercriminals have begun to exploit these tools to infect healthcare networks with ransomware, many hospital IT departments have blocked access to Google applications. This paper provides a background on security risks to healthcare institutions and possible alternatives to Google applications hospital librarians can use to continue collaborating.
15
Nifakos S, Chandramouli K, Nikolaou CK, Papachristou P, Koch S, Panaousis E, Bonacina S. Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review. SENSORS 2021; 21:s21155119. [PMID: 34372354 PMCID: PMC8348467 DOI: 10.3390/s21155119] [Citation(s) in RCA: 21] [Impact Index Per Article: 7.0] [Received: 06/29/2021] [Revised: 07/15/2021] [Accepted: 07/16/2021] [Indexed: 01/05/2023]
Abstract
Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations.
Objective: The objective of this systematic review is to identify commonly encountered factors that affect the cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threats to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity.
Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed®/MEDLINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years.
Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which form an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks.
Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.
Affiliation(s)
- Sokratis Nifakos (correspondence; Tel.: +46-73-7121-475): Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
- Krishna Chandramouli: School of Electronic Engineering and Computer Science, Queen Mary University of London, London E1 4NS, UK
- Panagiotis Papachristou: Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
- Sabine Koch: Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
- Emmanouil Panaousis: School of Computing and Mathematical Sciences, University of Greenwich, London SE10 9LS, UK
- Stefano Bonacina: Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, 171 77 Solna, Sweden
16
Yeng PK, Szekeres A, Yang B, Snekkenes EA. Mapping the Psychosocialcultural Aspects of Healthcare Professionals' Information Security Practices: Systematic Mapping Study. JMIR Hum Factors 2021; 8:e17604. [PMID: 34106077 PMCID: PMC8235336 DOI: 10.2196/17604] [Citation(s) in RCA: 7] [Impact Index Per Article: 2.3] [Received: 12/24/2019] [Revised: 07/25/2020] [Accepted: 04/04/2021] [Indexed: 11/19/2022]
Abstract
Background: Data breaches in health care are on the rise, emphasizing the need for a holistic approach to mitigation efforts.
Objective: The purpose of this study was to develop a comprehensive framework for modeling and analyzing health care professionals' information security practices related to their individual characteristics, such as their psychological, social, and cultural traits.
Methods: The study area was a hospital setting under an ongoing project called the Healthcare Security Practice Analysis, Modeling, and Incentivization (HSPAMI) project. A literature review was conducted for relevant theories and information security practices. The theories and security practices were used to develop an ontology and a comprehensive framework consisting of psychological, social, cultural, and demographic variables.
Results: In the review, a number of psychological, social, and cultural theories were identified, including the health belief model, protection motivation theory, theory of planned behavior, and social control theory, in addition to some social demographic variables, to form a comprehensive set of health care professionals' characteristics. Furthermore, an ontology was developed from these theories to systematically organize the concepts. The framework, called the psychosociocultural (PSC) framework, was then developed from the various combined psychological and sociocultural attributes of the ontology. The Human Aspect of Information Security Questionnaire was adopted as a comprehensive tool for gathering staff security practices as mediating variables in the framework.
Conclusions: Data breaches occur often in health care today. This frequency has been attributed to the lack of experience of health care professionals in information security, the lack of development of conscious care security practices, and the lack of motivation to incentivize health care professionals. The frequent data breaches in health care threaten the mutual trust between health care professionals and patients, which implicitly impacts the quality of the health care service. The modeling and analysis of health care professionals' security practices can be conducted with the PSC framework by combining methods of statistical survey, observations, and interviews in relation to PSC variables, such as perceptions (perceived benefits, perceived threats, and perceived barriers) or psychological traits, social factors, cultural factors, and social demographics.
Affiliation(s)
- Prosper Kandabongee Yeng: Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
- Adam Szekeres: Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
- Bian Yang: Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
- Einar Arthur Snekkenes: Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik, Norway
17

18
Abstract
Objective: To give an overview of recent research and to propose a selection of best papers published in 2019 in the field of Clinical Information Systems (CIS).
Method: Each year, we apply a systematic process to retrieve articles for the CIS section of the IMIA Yearbook of Medical Informatics. For six years now, we have used the same query to find relevant publications in the CIS field. Each year we retrieve more than 2,000 papers. As CIS section editors, we categorize the retrieved articles in a multi-pass review to distill a pre-selection of 15 candidate best papers. Then, Yearbook editors and external reviewers assess the selected candidate best papers. Based on the review results, the IMIA Yearbook Editorial Committee chooses the best papers during the selection meeting. We used text mining and term co-occurrence mapping techniques to get an overview of the content of the retrieved articles.
Results: We carried out the query in mid-January 2020 and retrieved a de-duplicated result set of 2,407 articles from 1,023 different journals. This year, we nominated 14 papers as candidate best papers, and three of them were finally selected as best papers in the CIS section. As in previous years, the content analysis of the articles revealed the broad spectrum of topics covered by CIS research.
Conclusions: We could observe ongoing trends, as seen in the last years. Patient benefit research is in the focus of many research activities, and trans-institutional aggregation of data remains a relevant field of work. Powerful machine-learning-based approaches that use readily available data now often outperform human-based procedures. However, the ethical perspective of this development often comes too short in the considerations. We thus assume that ethical aspects will and should deliver much food for thought for future CIS research.
Affiliation(s)
- W O Hackl: Institute of Medical Informatics, UMIT - Private University of Health Sciences, Medical Informatics and Technology, Hall in Tirol, Austria
- A Hoerbst: Medical Technologies Department, MCI - The Entrepreneurial School, Innsbruck, Austria
19
Jampen D, Gür G, Sutter T, Tellenbach B. Don't click: towards an effective anti-phishing training. A comparative literature review. HUMAN-CENTRIC COMPUTING AND INFORMATION SCIENCES 2020. [DOI: 10.1186/s13673-020-00237-7] [Citation(s) in RCA: 17] [Impact Index Per Article: 4.3] [Indexed: 01/26/2023]
Abstract
Email is of critical importance as a communication channel for both business and personal matters. Unfortunately, it is also often exploited for phishing attacks. To defend against such threats, many organizations have begun to provide anti-phishing training programs to their employees. A central question in the development of such programs is how they can be designed sustainably and effectively to minimize the vulnerability of employees to phishing attacks. In this paper, we survey and categorize works that consider different elements of such programs via a clearly laid-out methodology, and identify key findings in the technical literature. Overall, we find that researchers agree on the answers to many relevant questions regarding the utility and effectiveness of anti-phishing training. However, we identified influencing factors, such as the impact of age on the success of anti-phishing training programs, for which mixed findings are available. Finally, based on our comprehensive analysis, we describe how a well-founded anti-phishing training program should be designed and parameterized with a set of proposed research directions.
20
Priestman W, Anstis T, Sebire IG, Sridharan S, Sebire NJ. Phishing in healthcare organisations: threats, mitigation and approaches. BMJ Health Care Inform 2020; 26:bmjhci-2019-100031. [PMID: 31488498 PMCID: PMC7062337 DOI: 10.1136/bmjhci-2019-100031] [Citation(s) in RCA: 15] [Impact Index Per Article: 3.8] [Received: 04/28/2019] [Revised: 08/15/2019] [Accepted: 08/22/2019] [Indexed: 11/24/2022]
Abstract
Introduction: Healthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed literature regarding phishing and healthcare.
Methods: An assessment was performed as part of cybersecurity activity during a designated test period using multiple credential harvesting approaches through staff email. We also searched the medical-related literature to identify relevant phishing-related publications.
Results: During the 1-month testing period, the organisation received 858 200 emails: 139 400 (16%) marketing, 18 871 (2%) identified as potential threats. Of 143 million internet transactions, around 5 million (3%) were suspected threats. 468 employee email addresses were identified from public data and targeted through phishing using a range of payloads including attachments and malicious links; however, no credentials were recovered or malicious files downloaded. Several hospital employees were, however, identified on social media profiles, including some tricked into accepting false friend requests.
Discussion: Healthcare organisations are increasingly moving to digital systems, but healthcare professionals have limited awareness of threats. Increasing emphasis on 'cyberhygiene' and information governance through mandatory training increases understanding of these risks. While no credentials were harvested in this study, since up to 5% of emails/internet traffic are suspicious, the need for robust firewalls, cybersecurity infrastructure, IT policies and, most importantly of all, staff training, is emphasised.
Conclusion: Hospitals receive a significant volume of potentially malicious emails. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required across the spectrum of cybersecurity, with specific emphasis around 'leakage' of information on social media.
Affiliation(s)
- Ward Priestman: DRIVE (Digital Research, Informatics and Virtual Environments), Great Ormond Street Hospital for Children / NIHR GOSH BRC, London, UK
- Tony Anstis: DRIVE (Digital Research, Informatics and Virtual Environments), Great Ormond Street Hospital for Children / NIHR GOSH BRC, London, UK
- Isabel G Sebire: DRIVE (Digital Research, Informatics and Virtual Environments), Great Ormond Street Hospital for Children / NIHR GOSH BRC, London, UK
- Shankar Sridharan: DRIVE (Digital Research, Informatics and Virtual Environments), Great Ormond Street Hospital for Children / NIHR GOSH BRC, London, UK
21
Jalali MS, Bruckes M, Westmattelmann D, Schewe G. Why Employees (Still) Click on Phishing Links: Investigation in Hospitals. J Med Internet Res 2020; 22:e16775. [PMID: 32012071 PMCID: PMC7005690 DOI: 10.2196/16775] [Citation(s) in RCA: 31] [Impact Index Per Article: 7.8] [Received: 10/23/2019] [Revised: 12/11/2019] [Accepted: 12/16/2019] [Indexed: 12/25/2022]
Abstract
Background: Hospitals have been one of the major targets for phishing attacks. Despite efforts to improve information security compliance, hospitals still significantly suffer from such attacks, impacting the quality of care and the safety of patients.
Objective: This study aimed to investigate why hospital employees decide to click on phishing emails by analyzing actual clicking data.
Methods: We first gauged the factors that influence clicking behavior using the theory of planned behavior (TPB) and integrating trust theories. We then conducted a survey in hospitals and used structural equation modeling to investigate the components of compliance intention. We matched employees' survey results with their actual clicking data from phishing campaigns.
Results: Our analysis (N=397) reveals that TPB factors (attitude, subjective norms, and perceived behavioral control), as well as collective felt trust and trust in information security technology, are positively related to compliance intention. However, compliance intention is not significantly related to compliance behavior. Only the level of employees' workload is positively associated with the likelihood of employees clicking on a phishing link.
Conclusions: This is one of the few studies in information security and decision making that observed compliance behavior by analyzing clicking data rather than using self-reported data. We show that, in the context of phishing emails, intention and compliance might not be as strongly linked as previously assumed; hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Importantly, given the significant association between workload and noncompliance behavior (ie, clicking on phishing links), hospitals should better manage employees' workload to increase information security. Our findings can help health care organizations augment employees' compliance with their cybersecurity policies and reduce the likelihood of clicking on phishing links.
Affiliation(s)
- Mohammad S Jalali: Massachusetts General Hospital Institute for Technology Assessment, Harvard Medical School, Boston, MA, United States; Massachusetts Institute of Technology Sloan School of Management, Cambridge, MA, United States
- Maike Bruckes: Center for Management, University of Muenster, Muenster, Germany
- Gerhard Schewe: Center for Management, University of Muenster, Muenster, Germany
22