Abstract
Cybersecurity attacks have been steadily increasing in the healthcare sector over the past decade. Health data is a valuable source of reliable and permanent personal information making it an attractive target. Institutions that have faced limited cybersecurity funding must now augment their approach to combat this threat. The Internet of Things (IoT) refers to the connection of physical operational devices to digital networks allowing for communication between devices. In the healthcare setting, this includes patient monitoring, diagnostics, and even robotic surgery devices. This increased connectivity increases the importance of agile and robust cybersecurity measures. A progressive approach must involve collaboration between information technology, clinical, and administrative leaders to be successful. Adequate protection of patient data and the integrity of digital infrastructure must be a priority mandate at the enterprise level.
Balancing cybersecurity risk in healthcare settings: Addressing end user concerns and fostering shared ownership
The healthcare industry is increasingly reliant on digital technologies to enhance patient care and improve operational efficiency. However, this digital transformation comes with inherent cybersecurity risks. Healthcare data is reliable and accurate. It also tends to contain multiple permanent patient identifiers that cannot be reset. [1] These features make it attractive to cybercriminals in comparison to other sectors. Additionally, the criticality of healthcare systems has led to state-sponsored cyberattacks that attempt to leverage the disruptive chaos that ensues. [1] Healthcare systems are also seen as inherently less secure and a softer target for attack. As a result, cybersecurity attacks have increased significantly over the past decade, and healthcare now represents one of the most targeted sectors. [2] As healthcare Information Technology (IT) systems become increasingly complex and integrated, proactive solutions must be implemented to protect both patient privacy and system functioning. Unfortunately, many clinical end users of IT have historically found security measures disruptive to their workflows. Balancing risks with end user concerns regarding functionality is a critical challenge. To address this challenge effectively, healthcare organizations must educate and establish a shared ownership system for security between IT professionals and clinicians. This article examines the importance of striking a balance between cybersecurity risk and functionality in healthcare settings and explores strategies for creating a culture of shared responsibility.
Understanding the cybersecurity landscape in healthcare
Healthcare organizations are prime targets for cyberattacks due to the high value of the sensitive patient data they hold. Healthcare data is by far the most valuable type of data on the black market. [3] Successful cyberattacks in healthcare can have severe consequences, such as compromised patient privacy, disrupted healthcare services, and even patient harm. “Meaningful use” legislation in the United States has led to a rapid increase in the use of information technology, but unfortunately, the resources devoted to cybersecurity have not been commensurate. Combined with the increasing connectedness of medical devices into the Internet of Things, cyberattacks have led healthcare systems to cancel procedures and divert patients, among other disruptions. [4] Many clinicians in Canada still view cyberattacks as a low-risk threat, yet almost a third of all organizations in Canada have been victims of a data breach. [5]
Cyberattackers have also been able to exploit the rapidly changing landscape of healthcare work since the start of the COVID-19 pandemic. Remote work, virtual care, and electronic consultation have all created new targets for cybercriminals. [5] Physicians are largely independent contractors, privileged to work in their respective healthcare settings. They commonly use their own devices, which increases the complexity of endpoint device management, the factor that most contributes to an organization's overall cybersecurity. Healthcare workers have also experienced tremendous workload pressures, which increases their vulnerability to breaches such as phishing attacks. Many outdated monitoring devices are being connected to networks with limited support to patch security vulnerabilities. [6] All of this is contributing to an environment replete with challenges but also opportunity.
There is an obvious need for improvement. In this quest, it is crucial to ensure that robust cybersecurity measures do not hinder the functionality and usability of healthcare systems. Healthcare professionals need efficient and accessible technology to deliver quality care. Ensuring both security and functionality can coexist in an environment of limited resources requires shared efforts between technical, administrative, and clinical leaders.
Internet of Things
The IoT is the connection of everyday devices to digital networks. It has allowed for almost any device, including medical devices, to be improved simply by connecting it to a network. [7] In the healthcare setting, this has allowed hospital and clinic-based devices such as Intensive Care Unit monitors and anaesthesia equipment to directly interface with existing network systems. [8] Additionally, devices are now available to patients to monitor things like blood pressure and blood glucose levels. While there is great potential for these systems to improve care and communication, they also provide an additional avenue for criminals to exploit. Using these devices as entry points could allow significant private information to be obtained. The IoT also represents a latent security threat, with the potential for compromised data to be documented or exchanged. Such a threat could compromise critical care-provision infrastructure by changing medical device settings or erroneously documenting patient status unbeknownst to the care team. [8] Adding in devices that patients use on external networks further complicates the challenges around cybersecurity.
Educating end users on cybersecurity risks
Humans remain the weakest link in cybersecurity. [2] Clinician satisfaction with their Electronic Health Record (EHR) is most strongly tied to three factors: shared governance, customizability, and expertise. [9] This closely mirrors Pink’s theory of engagement with central themes of autonomy, mastery, and purpose. [10] In this example, shared governance and autonomy have clear parallels, as do mastery and education. While this study addresses EHRs in general, it stands to reason that how we manage cybersecurity should reflect this evidence. Any efforts to improve security must begin with users, and any such efforts must have shared ownership as a core tenet. To establish a shared ownership system for security, it is essential to educate end users, including both IT professionals and clinicians, about cybersecurity risks and their roles in mitigating those risks.
Training programs: Healthcare organizations should implement regular training programs to educate employees on cybersecurity best practices. These programs should cover topics such as strong password management, recognizing phishing attempts, secure data handling, and device security. [2] Tailor the training programs to meet the diverse needs and technical proficiency levels of different user groups, including clinicians and staff.
These training programs should be developed under governance that includes IT professionals, administrators, and clinicians. They must be appropriately resourced and relevant to the intended targets. While reasonable to make them mandatory, in the current healthcare climate of limited health human resources, innovative options including asynchronous learning should be considered. Simulation has also been used, as it resonates with clinicians who use it elsewhere in their training and can identify latent safety threats. [4] Training must also ensure that all connected devices in the IoT are considered as potential access points, rather than focusing solely on traditional computers and networks.
Communication channels: Open and transparent communication between IT professionals and end users is crucial for fostering a culture of security awareness and collaboration. Establish dedicated channels including regular newsletters, e-mail updates, or intranet portals. While these channels can be effective, it is important to tailor the communication approach to the local context to ensure the broadest reach. This engagement can be used to share information about emerging cyberthreats, provide guidance on secure practices, and address end user concerns. Encourage feedback and create an environment where employees feel comfortable reporting potential security risks. It is also important to foster engagement by communicating the rationale of how various security measures reduce organizational risks, particularly when these measures have direct impacts on workflows.
Communication between IT and privacy is also important. While they are separate disciplines, this partnership can help guide strategies around data access, disclosures, and acceptable use of data. [11] This can help foster cybersecurity as part of the broader organizational strategy around informatics and data management.
Collaboration between information technology, management, and clinicians
Effective collaboration between IT professionals and clinicians is essential to strike a balance between cybersecurity risk and functionality. The following strategies promote collaboration and shared ownership:
Involvement of clinicians in security decision-making: Including clinicians in security-related discussions and decisions helps them understand the importance of cybersecurity and allows them to provide valuable input on implementing security measures without disrupting patient care. Engaging clinicians in risk assessments, policy development, and technology selection ensures that security measures align with clinical workflows and address their concerns effectively. This shared ownership allows for security practices to become part of a shared “digital hygiene.” [11]
User-centric security solutions: The scale and techniques used in cyberattacks are constantly evolving. With criminals becoming increasingly sophisticated in their approaches, our response must be equally sophisticated and proactive. In addition to addressing human factors, automated security products are required that integrate at the enterprise level. [4] In designing these systems, IT professionals should prioritize user-centric security solutions that integrate seamlessly into existing clinical workflows. Consider usability, efficiency, and practicality when implementing security measures. Engage end users in the selection and testing of security tools and technologies to ensure they are comfortable with the changes and understand how these solutions enhance both security and functionality. This is another area where simulation testing can be leveraged to ensure seamless integration. It is essential that those procuring security solutions have access to, and an understanding of, the staff whose work is affected by those solutions, so that feedback can be gathered before broad implementation.
Training for clinicians: IT professionals should provide specialized training for clinicians to increase their awareness of security risks specific to their roles. This training should focus on secure data sharing, mobile device security, secure communication platforms, and incident response protocols. Offering training sessions with real-life scenarios and case studies can help clinicians understand the potential consequences of security breaches and their role in preventing them.
Engage IT teams in the cybersecurity plan: As new devices are procured that add connectivity to the IoT, IT teams must be engaged to ensure integration not only with current systems, but also with the overall enterprise cybersecurity plan. Such standards should also be published and easily accessible so that those responsible for procurement can readily determine whether prospective vendors will meet these requirements.
Building a culture of shared ownership
Creating a culture of shared ownership for security involves engaging and empowering all stakeholders within the healthcare organization. The following strategies promote a culture of shared responsibility:
Leadership support: Strong support from organizational leaders is critical in fostering a culture of security. [9] Leaders should actively promote the importance of cybersecurity, allocate sufficient resources for security initiatives, and demonstrate their commitment by adhering to secure practices. Beyond being an inconvenience, security must be viewed by all leadership levels as integral to organizational operations and systems integrity. By leading by example, leaders encourage all employees, including IT professionals and clinicians, to prioritize cybersecurity.
Rewards and recognition: Incentivizing and recognizing good cybersecurity practices can motivate IT professionals and clinicians to actively participate in security efforts. Consider implementing a reward system that acknowledges individuals or teams who demonstrate exceptional commitment to security. This can range from public recognition to career advancement opportunities. Celebrating success stories and sharing them internally can inspire others to embrace their role in security. This is also an opportunity to reinforce to clinicians the direct impacts that attacks can have on patients and their privacy, and therefore how cybersecurity plays a fundamental role in upholding our responsibility to patient privacy.
Continuous evaluation and improvement: Regular assessment and evaluation of security measures and processes are crucial to identify gaps and make necessary improvements. Conduct periodic security audits, vulnerability assessments, and penetration testing to identify vulnerabilities and address them promptly. Encourage employees to report security incidents or near-misses, and establish a continuous improvement cycle to learn from such incidents and implement corrective measures.
There must also be opportunities for clinicians and other employees to provide feedback around systems that impede workflows. Technical departments should have regular and ad hoc mechanisms for this, with special attention to new technical deployments. These concerns must flow through an effective governance structure that has broad representation. Where necessary, alternate solutions may need to be sought or change management improved. In particular, as demands increase to integrate devices that connect to the IoT, departments must be agile in engaging with clinical teams to determine how to deploy safely into clinical spaces, balancing the benefits of increased connectivity against the risk it poses to the enterprise cybersecurity plan.
Conclusion
Balancing cybersecurity risk in healthcare settings with end user concerns around functionality requires a proactive and collaborative approach. As more devices are added to healthcare networks, increased diligence is required by all parties to ensure a cohesive strategy around security can be maintained. By educating end users about cybersecurity risks, involving clinicians in decision-making processes, and fostering a culture of shared ownership, healthcare organizations can create a secure environment while maintaining the functionality required for delivering high quality patient care. Ultimately, it is the combined effort of IT professionals, clinicians, and organizational leaders that will ensure the successful mitigation of cyberthreats and the protection of patient data in healthcare settings.
Footnotes
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding: The author(s) received no financial support for the research, authorship, and/or publication of this article.
Ethical approval: Institutional Review Board approval was not required.
ORCID iD
Matthew Clarke https://orcid.org/0009-0002-7387-3286
References
- 1. Martin G, Martin P, Hankin C, Darzi A, Kinross J. Cybersecurity and healthcare: how safe are we? BMJ. Published online 2017. doi: 10.1136/bmj.j3179
- 2. Argaw ST, Troncoso-Pastoriza JR, Lacey D, et al. Cybersecurity of hospitals: discussing the challenges and working towards mitigating the risks. BMC Med Inf Decis Making. 2020;20(1). doi: 10.1186/s12911-020-01161-7
- 3. Protecting your networks from ransomware. https://www.justice.gov/criminal-ccips/file/872771/download. Accessed May 31, 2023.
- 4. Millard WB. Where bits and bytes meet flesh and blood. Ann Emerg Med. 2017;70(3). doi: 10.1016/j.annemergmed.2017.07.008
- 5. He Y, Aliyu A, Evans M, Luo C. Health care cybersecurity challenges and solutions under the climate of COVID-19: scoping review. J Med Internet Res. 2021;23(4):e21747.
- 6. Solomon H. Management, lack of money blamed for poor cybersecurity at Canadian hospitals. IT World Canada. https://www.itworldcanada.com/article/management-lack-of-money-blamed-for-poor-cybersecurity-at-canadian-hospitals/527412. February 21, 2023. Accessed May 31, 2023.
- 7. Abouzakhar N, Jones A, Angelopoulou O. Internet of things security: a review of risks and threats to healthcare sector. 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData) (pp. 373-378). IEEE.
- 8. Cartwright AJ. The elephant in the room: cybersecurity in healthcare. J Clin Monit Comput. 2023:1-10. https://link.springer.com/article/10.1007/s10877-023-01013-5
- 9. KLAS Research, Arch Collaborative. Arch Collaborative: EHR Optimization. 2021. https://klasresearch.com/arch-collaborative. Accessed May 30, 2023.
- 10. Pink DH. Drive: The Surprising Truth about What Motivates Us. Canongate Books; 2018.
- 11. What’s new in the HICP 2023 edition. HHS 405(d). 2023. https://405d.hhs.gov/Documents/405d-hicp-highlight.pdf. Accessed May 31, 2023.