HEALTHCARE CYBERSECURITY THREAT CONTEXT AND MITIGATION OPPORTUNITIES
With the rapid increase in cybersecurity incidents around the globe, no business or industry is out of cybercriminals' crosshairs. Cyber-attacks are evolving and becoming more complex each day, causing significant financial and reputational damage across sectors.
The health sector (including healthcare technology) is increasingly digitized and continues to offer life-critical services. It continues to improve diagnosis, treatment, and patient care with state-of-the-art technologies. However, cybercriminals continue to exploit vulnerabilities and exfiltrate confidential patient data and other confidential information. The healthcare sector offers cybercriminals a rich source of confidential data and is comparatively easy to exploit because its defenses and security controls are often weak. Because of the growing number of threats associated with the health sector, it is essential to understand how healthcare practitioners, along with the relevant Information Technology (IT) teams, can take steps to improve the cybersecurity posture of this industry and help reduce its attack surface.
Hence, this paper presents a critical approach to analyzing the current cybersecurity challenges faced by the healthcare sector and the relevant mitigation opportunities, drawing on scholarly articles and research papers.
© 2020 Security Science Journal. All rights reserved