Shaden S. Al Aqeeli,Mznah A. Al-Rodhaan,Yuan Tian,Abdullah M. Al-Dhelaan

DOI: https://doi.org/10.4236/etsn.2018.71001

2018-01-01

E-Health Telecommunication Systems and Networks

Abstract:In the healthcare domain, protecting the electronic health record (EHR) is crucial for preserving the privacy of the patient. To help protect the sensitive data, access control mechanisms can be utilized to restrict access to only legitimate users. However, an issue arises when the authorized users abuse their access privileges and violate privacy preferences of the patients. While traditional access control schemes fall short of defending against the misbehavior of authorized users, risk-aware access control models can provide adaptable access to the system resources based on assessing the risk of an access request. When an access request is deemed risky, but within acceptable thresholds, risk mitigation strategies can be exploited to minimize the risk calculated. This paper proposes a risk-aware, privacy-preserving risk mitigation approach that can be utilized in the healthcare domain. The risk mitigation approach controls the patient’s medical data that can be exposed to healthcare professionals, according to their trust level as well as the risk incurred of such data exposure, by developing a novel Risk Measure formula. The developed Risk Measure is proven to manage the risk effectively. Furthermore, Risk Mitigation Data Disclosure algorithms, RIMIDI0 and RIMIDI1, which utilize the developed risk measures, are proposed. Experimental results show the feasibility and effectiveness of the proposed method in preserving the privacy preferences of the patient. Since the proposed approach exposes the patient’s data that are relevant to the undergoing medical procedure while preserving the privacy preferences, positive outcomes can be realized, which will ultimately bring forth quality healthcare services.

Swati Jain,Arunabha Mukhopadhyay,Saloni Jain

DOI: https://doi.org/10.1080/10919392.2023.2244386

IF: 2.2368

2023-08-12

Journal of Organizational Computing and Electronic Commerce

Abstract:The healthcare sector is prone to Distributed Denial-of-Service and Ransomware attacks owing to unsecured networks and software. This results in stalling of outpatient and inpatient operations of a hospital. In this study, we propose an H-CRAM model that computes the risk of a cyber-attack based on the threat appraisal component of the Protection Motivation Theory (PMT) using multinomial logistic regression. We also hypothesize that training the healthcare staff, implementing IT governance, and intervening technology will decrease the probability of the occurrence of a cyber threat. The severity of the risk is computed using Collective Risk Modelling. Next, based on the coping appraisal component of PMT, Rational Choice Theory, and NIST guidelines, we propose that the CIO of a healthcare firm should first reduce the cyber-risk by investing in encrypting Electronic Health Records, Security Incident and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools. Then pass the residual cyber risk to a cyber insurer.

computer science, information systems, interdisciplinary applications

Rajesh Keshavrao Deshmukh,Mohit Shrivastav

DOI: https://doi.org/10.70135/seejph.vi.769

2024-09-02

Abstract:India and other Asian nations are seeing an unparalleled pace of advancement in the modernisation of their healthcare systems. In this endeavour, information technology is crucial. Though the healthcare industry has made great progress, information security is still lagging behind the protection requirements attained in technologically developed nations such as the United States and the United Kingdom. This study is an honest attempt to pinpoint vulnerabilities and dangers in the field of cybersecurity and offers a few targeted remedies in three main domains: risks, vulnerabilities, and IoMT. Using a qualitative research methodology, this research culminates in the creation of a security maturity model for Indian healthcare. Furthermore, in light of these attacks, the well-known National Institute of Standards and Technology (NIST) risk assessment system and its guiding principles are examined. Evaluating the risks intrinsic to these hacks analytically becomes crucial given the comparatively low information risk management maturity levels in Asian healthcare organisations. While several nations in Asia and throughout the world are battling the COVID-19 outbreak, cybercriminals have been attempting to spread misinformation about vaccines. Additionally, some people and organisations are attempting to undermine specific vaccines in order to promote their COVID-19 treatments. Hacking research data, virus testing, and clinical studies that reveal side effects or possible issues are of particular interest to profit-seeking businesses. The secure methodology for identifying network attacks is suggested by this study.

Tom Mahler,Erez Shalom,Arnon Makori,Yuval Elovici,Yuval Shahar

DOI: https://doi.org/10.1007/s10278-021-00562-y

IF: 4.903

2022-02-17

Journal of Digital Imaging

Abstract:Medical imaging devices (MIDs) are exposed to cyber-security threats. Currently, a comprehensive, efficient methodology dedicated to MID cyber-security risk assessment is lacking. We propose the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk assessment (TLDR) methodology and demonstrate its feasibility and consistency with existing methodologies, while being more efficient, providing details regarding the severity components, and supporting organizational prioritization and customization. Using our methodology, the impact of 23 MIDs attacks (that were previously identified) was decomposed into six severity aspects. Four Radiology Medical Experts (RMEs) were asked to assess these six aspects for each attack. The TLDR methodology’s external consistency was demonstrated by calculating paired T-tests between TLDR severity assessments and those of existing methodologies (and between the respective overall risk assessments, using attack likelihood estimates by four healthcare cyber-security experts); the differences were insignificant, implying externally consistent risk assessment. The TLDR methodology’s internal consistency was evaluated by calculating the pairwise Spearman rank correlations between the severity assessments of different groups of two to four RMEs and each of their individual group members, showing that the correlations between the severity rankings, using the TLDR methodology, were significant (P < 0.05), demonstrating that the severity rankings were internally consistent for all groups of RMEs. Using existing methodologies, however, the internal correlations were insignificant for groups of less than four RMEs. Furthermore, compared to standard risk assessment techniques, the TLDR methodology is also sensitive to local radiologists’ preferences, supports a greater level of flexibility regarding risk prioritization, and produces more transparent risk assessments.

radiology, nuclear medicine & medical imaging

Patrizia Heinl,Andrius Patapovas,Michael Pilgermann

2024-09-19

Abstract:Cyber attacks on the healthcare industry can have tremendous consequences and the attack surface expands continuously. In order to handle the steadily rising workload, an expanding amount of analog processes in healthcare institutions is digitized. Despite regulations becoming stricter, not all existing infrastructure is sufficiently protected against cyber attacks. With an increasing number of devices and digital processes, the system and network landscape becomes more complex and harder to manage and therefore also more difficult to protect. The aim of this project is to introduce an AI-enabled platform that collects security relevant information from the outside of a health organization, analyzes it, delivers a risk score and supports decision makers in healthcare institutions to optimize investment choices for security measures. Therefore, an architecture of such a platform is designed, relevant information sources are identified, and AI methods for relevant data collection, selection, and risk scoring are explored.

Cryptography and Security

Martin Dart,Mohiuddin Ahmed

DOI: https://doi.org/10.1177/20552076231191095

2023-01-01

Digital Health

Abstract:Purpose This paper proposes a novel cyber security risk governance framework and ontology for large Australian healthcare providers, using the structure and simplicity of the Unified Modelling Language (UML). This framework is intended to mitigate impacts from the risk areas of: (1) cyber-attacks, (2) incidents, (3) data breaches, and (4) data disclosures. Methods Using a mixed-methods approach comprised of empirical evidence discovery and phenomenological review, existing literature is sourced to confirm baseline ontological definitions. These are supplemented with Australian government reports, professional standards publications and legislation covering cyber security, data breach reporting and healthcare governance. Historical examples of healthcare cyber security incidents are reviewed, and a cyber risk governance UML presented to manage the defined problem areas via a single, simplified ontological diagram. Results A clear definition of ‘cyber security’ is generated, along with the ‘CYBER-AIDD’ risk model. Specific examples of cyber security incidents impacting Australian healthcare are confirmed as N = 929 over 5 years, with human factors the largest contributor. The CYBER-AIDD UML model presents a workflow across four defined classes, providing a clear approach to implementing the controls required to mitigate risks against verified threats. Conclusions The governance of cyber security in healthcare is complex, in part due to a lack of clarity around key terms and risks, and this is contributing to consistently poor operational outcomes. A focus on the most essential avenues of risk, using a simple UML model, is beneficial in describing these risks and designing governance controls around them.

public, environmental & occupational health,health care sciences & services,medical informatics,health policy & services

Gustavo Gonzalez-Granadillo,Sofia Anna Menesidou,Dimitrios Papamartzivanos,Ramon Romeu,Diana Navarro-Llobet,Caxton Okoh,Sokratis Nifakos,Christos Xenakis,Emmanouil Panaousis

DOI: https://doi.org/10.3390/s21165493

IF: 3.9

2021-08-15

Sensors

Abstract:Addressing cyber and privacy risks has never been more critical for organisations. While a number of risk assessment methodologies and software tools are available, it is most often the case that one must, at least, integrate them into a holistic approach that combines several appropriate risk sources as input to risk mitigation tools. In addition, cyber risk assessment primarily investigates cyber risks as the consequence of vulnerabilities and threats that threaten assets of the investigated infrastructure. In fact, cyber risk assessment is decoupled from privacy impact assessment, which aims to detect privacy-specific threats and assess the degree of compliance with data protection legislation. Furthermore, a Privacy Impact Assessment (PIA) is conducted in a proactive manner during the design phase of a system, combining processing activities and their inter-dependencies with assets, vulnerabilities, real-time threats and Personally Identifiable Information (PII) that may occur during the dynamic life-cycle of systems. In this paper, we propose a cyber and privacy risk management toolkit, called AMBIENT (Automated Cyber and Privacy Risk Management Toolkit) that addresses the above challenges by implementing and integrating three distinct software tools. AMBIENT not only assesses cyber and privacy risks in a thorough and automated manner but it also offers decision-support capabilities, to recommend optimal safeguards using the well-known repository of the Center for Internet Security (CIS) Controls. To the best of our knowledge, AMBIENT is the first toolkit in the academic literature that brings together the aforementioned capabilities. To demonstrate its use, we have created a case scenario based on information about cyber attacks we have received from a healthcare organisation, as a reference sector that faces critical cyber and privacy threats.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Shamsul Huda,Md Rezaul Islam,Jemal Abawajy,Vinay Naga Vamsi Kottala,Shafiq Ahmad

DOI: https://doi.org/10.3390/s24165282

2024-08-15

Abstract:This paper presents a comprehensive and evidence-based cyber-risk assessment approach specifically designed for Medical Cyber Physical Systems (MCPS)- and Internet-of-Medical Devices (IoMT)-based collaborative digital healthcare systems, which leverage Federated Identity Management (FIM) solutions to manage user identities within this complex environment. While these systems offer advantages like easy data collection and improved collaboration, they also introduce new security challenges due to the interconnected nature of devices and data, as well as vulnerabilities within the FIM and the lack of robust security in IoMT devices. To proactively safeguard the digital healthcare system from cyber attacks with potentially life-threatening consequences, a comprehensive and evidence-based cyber-risk assessment is crucial for mitigating these risks. To this end, this paper proposes a novel cyber-risk assessment approach that leverages a three-dimensional attack landscape analysis, encompassing existing IT infrastructure, medical devices, and Federated Identity Management protocols. By considering their interconnected vulnerabilities, the approach recommends tailored security controls to prioritize and mitigate critical risks, ultimately enhancing system resilience. The proposed approach combines established industry standards like Cyber Resilience Review (CRR) asset management and NIST SP 800-30 for a comprehensive assessment. We have validated our approach using threat modeling with attack trees and detailed attack sequence diagrams on a diverse range of IoMT and MCPS devices from various vendors. The resulting evidence-based cyber-risk assessments and corresponding security control recommendations will significantly support healthcare professionals and providers in improving both patient and medical device safety management within the FIM-enabled healthcare ecosystem.

Mishall Al-Zubaidie,Zhongwei Zhang,Ji Zhang

DOI: https://doi.org/10.48550/arXiv.1902.08686

2019-02-23

Abstract:Providing a mechanism to authenticate users in healthcare applications is an essential security requirement to prevent both external and internal attackers from penetrating patients' identities and revealing their health data. Many schemes have been developed to provide authentication mechanisms to ensure that only legitimate users are authorized to connect, but these schemes still suffer from vulnerable security. Various attacks expose patients' data for malicious tampering or destruction. Transferring health-related data and information between users and the health centre makes them exposed to penetration by adversaries as they may move through an insecure channel. In addition, previous mechanisms have suffered from the poor protection of users' authentication information. To ensure the protection of patients' information and data, we propose a scheme that authenticates users based on the information of both the device and the legitimate user. In this paper, we propose a Robust Authentication Model for Healthcare Users (RAMHU) that provides mutual authentication between server and clients. This model utilizes an Elliptic Curve Integrated Encryption Scheme (ECIES) and PHOTON to achieve strong security and a good overall performance. RAMHU relies on multi pseudonyms, physical address, and one-time password mechanisms to authenticate legitimate users. Moreover, extensive informal and formal security analysis with the automated validation of Internet security protocols and applications (AVISPA) tool demonstrates that our model offers a high level of security in repelling a wide variety of possible attacks.

Cryptography and Security

Konstantinos Lampropoulos,Apostolis Zarras,Eftychia Lakka,Polyanthi Barmpaki,Kostas Drakonakis,Manos Athanatos,Herve Debar,Andreas Alexopoulos,Aristeidis Sotiropoulos,George Tsakirakis,Nikos Dimakopoulos,Dimitris Tsolovos,Matthias Pocs,Michalis Smyrlis,Ioannis Basdekis,Georgios Spanoudakis,Ovidiu Mihaila,Bogdan Prelipcean,Eliot Salant,Sotiris Athanassopoulos,Petros Papachristou,Ioannis Ladakis,John Chang,Evangelos Floros,Konstantinos Smyrlis,Rouven Besters,Pietro Randine,Karianna Fjeld Lovaas,John Cooper,Iulia Ilie,Gabriel Danciu,Marwan Darwish Khabbaz

2023-10-16

Abstract:The healthcare sector is increasingly vulnerable to cyberattacks due to its growing digitalization. Patient data, including medical records and financial information, are at risk, potentially leading to identity theft and patient safety concerns. The European Union and other organizations identify key areas for healthcare system improvement, yet the industry still grapples with inadequate security practices. In response, the HEIR project offers a comprehensive cybersecurity approach, promoting security features from various regulatory frameworks and introducing tools such as the Secure Healthcare Framework and Risk Assessment for Medical Applications (RAMA). These measures aim to enhance digital health security and protect sensitive patient data while facilitating secure data access and privacy-aware techniques. In a rapidly evolving threat landscape, HEIR presents a promising framework for healthcare cybersecurity.

Cryptography and Security

Sreejith Gopinath,Aspen Olmsted

DOI: https://doi.org/10.48550/arXiv.2202.06108

2022-02-12

Cryptography and Security

Abstract:Healthcare information systems deal with a large amount of Personally Identifiable Information related to patients like dates of birth and social security numbers, patients health information and history, and financial information like credit card details and bank accounts. Most healthcare institutions purchase information systems from commercial vendors and have minimal inhouse expertise required to maintain these systems. Most institutions lack the expertise required to research evolving threats and maintain a tough security posture. We propose a risk transference based system architecture that moves sensitive data outside the system boundary, into data stores that are managed with stringent and efficient security protocols.

Ana Paula Beck da Silva Etges,Veronique Grenon,Ming Lu,Ricardo Bertoglio Cardoso,Joana Siqueira de Souza,Francisco José Kliemann Neto,Elaine Aparecida Felix

DOI: https://doi.org/10.1186/s12913-018-3400-7

2018-07-24

Abstract:Background: The first phase of an enterprise risk management (ERM) program is the identification of risks. Accurate identification is essential to a proactive and effective ERM function. The authors identified a lack of such risk identification in the literature and in practical cases when interviewing the chief risk officers from healthcare organizations. A risk inventory specific to healthcare organizations that includes detailed risk scenarios and risk impacts currently does not exist. Thus, the objective of this research is to develop an enterprise risk inventory for healthcare organizations to create a common understanding of how each type of risk impacts a healthcare organization. Method: ERM guidelines and data from 15 interviews with chief risk officers were analyzed to create the risk inventory. The identified risks were confirmed through a survey of risk managers from a range of global healthcare organizations during the ASHRM conference in 2017. Descriptive statistics were developed and cluster analysis was performed using the survey results. Results: The risk inventory includes 28 risks and their specific risk scenarios. Cyberattack was ranked as the principal risk by the participants, followed by sentinel events and risks associated with human capital management (organizational culture, use of electronic medical records and physician wellness). The data analysis showed that the specific characteristics of the survey participants, such as the length of time working in risk management, the size of the organization, and the presence of a school of medicine, do not impact an individual's opinion of the importance of the risks identified. A personal background in risk management (clinical or enterprise) was a characteristic that showed a small difference in the perceived importance of the risks from the proposed risk inventory. Conclusions: In addition to defining specific risk scenarios, the enterprise risk inventory presented in this research can contribute to guiding the risk identification phase of an ERM program and thereby support the development of a risk culture. Patient data security in hospitals that operate with high levels of technology is fundamental to delivering high quality and safe care to patients. At the top of the risk ranking, the identification of cyberattacks reflects the importance that healthcare risk managers place on this risk by allocating time and other resources. Exploring opportunities to improve cyber risk management and evaluating the benefits of using the risk inventory at the beginning of the risk identification phase in an ERM program are suggestions for future studies.

Cartwright, Anthony James

DOI: https://doi.org/10.1007/s10877-023-01013-5

IF: 1.977

2023-04-24

Journal of Clinical Monitoring and Computing

Abstract:Cybersecurity has seen an increasing frequency and impact of cyberattacks and exposure of Protected Health Information (PHI). The uptake of an Electronic Medical Record (EMR), the exponential adoption of Internet of Things (IoT) devices, and the impact of the COVID-19 pandemic has increased the threat surface presented for cyberattack by the healthcare sector. Within healthcare generally and, more specifically, within anaesthesia and Intensive Care, there has been an explosion in wired and wireless devices used daily in the care of almost every patient—the Internet of Medical Things (IoMT); ventilators, anaesthetic machines, infusion pumps, pacing devices, organ support and a plethora of monitoring modalities. All of these devices, once connected to a hospital network, present another opportunity for a malevolent party to access the hospital systems, either to gain PHI for financial, political or other gain or to attack the systems directly to cause erroneous monitoring, altered settings of any device and even to access the EMR via this IoMT window. This exponential increase in the IoMT and the increasing wireless connectivity of anaesthesia and ICU devices as well as implantable devices presents a real and present danger to patient safety. There has, at the same time, been a chronic underfunding of cybersecurity in healthcare. This lack of cybersecurity investment has left the sector exposed, and with the monetisation of PHI, the introduction of technically unsecure IoT devices for monitoring and direct patient care, the healthcare sector is presenting itself for further devastating cyberattacks or breaches of PHI. Coupled with the immense strain that the COVID-19 pandemic has placed on healthcare and the changes in working patterns of many caregivers, this has further amplified the exposure of the sector to cyberattacks.

anesthesiology

Federico Stirano,Francesco Lubrano,Giacomo Vitali,Fabrizio Bertone,Giuseppe Varavallo,Paolo Petrucci

DOI: https://doi.org/10.1007/978-3-030-69781-5_10

2021-01-01

Abstract:Abstract Healthcare is one of the most peculiar between all Critical Infrastructures due to its context and role in the society. The characteristics of openness and pervasive usage of IT systems and connected devices make it particularly exposed to both physical threats, such as theft and unauthorized access to restricted areas, and cyber attacks, like the notorious wannacry ransomware that abruptly disrupted the British National Health System in May 2017. Even the recent COVID-19 pandemic period has been negatively characterized by an increase of both physical and cyber incidents that specifically targeted hospitals and undermined an essential public service like healthcare. Effective security solutions are necessary in order to protect and enhance the resiliency of the Critical Infrastructures. This paper presents the work being developed in the context of the SAFECARE H2020 project, that specifically considers the requirements for security of hospitals. A particular focus is given to the asset management that consider cross-domain aspects of security, like the physical location and virtual connections that link different components of a hospital. This allows advanced knowledge that enables to infer and forewarn of possible elaborated cyber-physical kill chains . This is particularly important and useful during crisis, as allows to have a holistic overview of the status of the hospital and the potential impacts of one or more incidents to the critical assets. The description and simulation of an attack scenario is also given, together with the description of the messages exchanged by the security systems and the information made available to security operators.

Tom Mahler,Yuval Elovici,Yuval Shahar

DOI: https://doi.org/10.48550/arXiv.2002.06938

2020-02-17

Abstract:As technology advances towards more connected and digital environments, medical devices are becoming increasingly connected to hospital networks and to the Internet, which exposes them, and thus the patients using them, to new cybersecurity threats. Currently, there is a lack of a methodology dedicated to information security risk assessment for medical devices. In this study, we present the Threat identification, ontology-based Likelihood, severity Decomposition, and Risk integration (TLDR) methodology for information security risk assessment for medical devices. The TLDR methodology uses the following steps: (1) identifying the potentially vulnerable components of medical devices, in this case, four different medical imaging devices (MIDs); (2) identifying the potential attacks, in this case, 23 potential attacks on MIDs; (3) mapping the discovered attacks into a known attack ontology - in this case, the Common Attack Pattern Enumeration and Classifications (CAPECs); (4) estimating the likelihood of the mapped CAPECs in the medical domain with the assistance of a panel of senior healthcare Information Security Experts (ISEs); (5) computing the CAPEC-based likelihood estimates of each attack; (6) decomposing each attack into several severity aspects and assigning them weights; (7) assessing the magnitude of the impact of each of the severity aspects for each attack with the assistance of a panel of senior Medical Experts (MEs); (8) computing the composite severity assessments for each attack; and finally, (9) integrating the likelihood and severity of each attack into its risk, and thus prioritizing it. The details of steps six to eight are beyond the scope of the current study; in the current study, we had replaced them by a single step that included asking the panel of MEs [in this case, radiologists], to assess the overall severity for each attack and use it as its severity...

Cryptography and Security,Computers and Society

Ricardo M. Czekster,Paul Grace,César Marcon,Fabiano Hessel,Silvio C. Cazella

DOI: https://doi.org/10.3390/app13137406

2023-06-22

Applied Sciences

Abstract:Modern medical devices connected to public and private networks require additional layers of communication and management to effectively and securely treat remote patients. Wearable medical devices, for example, can detect position, movement, and vital signs; such data help improve the quality of care for patients, even when they are not close to a medical doctor or caregiver. In healthcare environments, these devices are called Medical Internet-of-Things (MIoT), which have security as a critical requirement. To protect users, traditional risk assessment (RA) methods can be periodically carried out to identify potential security risks. However, such methods are not suitable to manage sophisticated cyber-attacks happening in near real-time. That is the reason why dynamic RA (DRA) approaches are emerging to tackle the inherent risks to patients employing MIoT as wearable devices. This paper presents a systematic literature review of RA in MIoT that analyses the current trends and existing approaches in this field. From our review, we first observe the significant ways to mitigate the impact of unauthorised intrusions and protect end-users from the leakage of personal data and ensure uninterrupted device usage. Second, we identify the important research directions for DRA that must address the challenges posed by dynamic infrastructures and uncertain attack surfaces in order to better protect users and thwart cyber-attacks before they harm personal (e.g., patients’ home) and institutional (e.g., hospital or health clinic) networks.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Fotios Gioulekas,Evangelos Stamatiadis,Athanasios Tzikas,Konstantinos Gounaris,Anna Georgiadou,Ariadni Michalitsi-Psarrou,Georgios Doukas,Michael Kontoulis,Yannis Nikoloudakis,Sergiu Marin,Ricardo Cabecinha,Christos Ntanos

DOI: https://doi.org/10.3390/healthcare10020327

2022-02-09

Abstract:Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel's cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlying the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.

Raul Luna,Emily Rhine,Matthew Myhra,Ross Sullivan,Clemens Scott Kruse

DOI: https://doi.org/10.3233/THC-151102

Abstract:Background: Recent legislation empowering providers to embrace the electronic exchange of health information leaves the healthcare industry increasingly vulnerable to cybercrime. The objective of this systematic review is to identify the biggest threats to healthcare via cybercrime. Objective: The rationale behind this systematic review is to provide a framework for future research by identifying themes and trends of cybercrime in the healthcare industry. Methods: The authors conducted a systematic search through the CINAHL, Academic Search Complete, PubMed, and ScienceDirect databases to gather literature relative to cyber threats in healthcare. All authors reviewed the articles collected and excluded literature that did not focus on the objective. Results: Researchers selected and examined 19 articles for common themes. The most prevalent cyber-criminal activity in healthcare is identity theft through data breach. Other concepts identified are internal threats, external threats, cyber-squatting, and cyberterrorism. Conclusions: The industry has now come to rely heavily on digital technologies, which increase risks such as denial of service and data breaches. Current healthcare cyber-security systems do not rival the capabilities of cyber criminals. Security of information is a costly resource and therefore many HCOs may hesitate to invest what is required to protect sensitive information.

Sarvesh Kumar,Mohammed Abdul Wajeed,Rajashekhar Kunabeva,Nripendra Dwivedi,Prateek Singhal,Sajjad Shaukat Jamal,Reynah Akwafo

DOI: https://doi.org/10.1155/2022/3564436

2022-03-19

Abstract:It is a new online service paradigm that allows consumers to exchange their health data. Health information management software allows individuals to control and share their health data with other users and healthcare experts. Patient health records (PHR) may be intelligently examined to predict patient criticality in healthcare systems. Unauthorized access, privacy, security, key management, and increased keyword query search time all occur when personal health records (PHR) are moved to a third-party semitrusted server. This paper presents security measures for cloud-based personal health records (PHR). The cost of keeping health records on a hospital server grows. This is particularly true in healthcare. As a consequence, keeping PHRs in the cloud helps healthcare institutions save money on infrastructure. The proposed security solutions include an optimized rule-based fuzzy inference system (ORFIS) to determine the patient's criticality. Patients are classified into three groups (sometimes known as protective rings) based on their severity: very critical, less critical, and normal. In trials using the UCI machine learning archive, the new ORFIS outperformed existing fuzzy inference approaches in detecting the criticality of PHR. Using a graph-based access policy and anonymous authentication with a NoSQL database in a private cloud environment improves data storage and retrieval efficiency, granularity of data access, and response time.

Ying He,Efpraxia Zamani,Iryna Yevseyeva,Cunjin Luo

DOI: https://doi.org/10.2196/41748

2023-04-25

Abstract:Background: Health information systems (HISs) are continuously targeted by hackers, who aim to bring down critical health infrastructure. This study was motivated by recent attacks on health care organizations that have resulted in the compromise of sensitive data held in HISs. Existing research on cybersecurity in the health care domain places an imbalanced focus on protecting medical devices and data. There is a lack of a systematic way to investigate how attackers may breach an HIS and access health care records. Objective: This study aimed to provide new insights into HIS cybersecurity protection. We propose a systematic, novel, and optimized (artificial intelligence-based) ethical hacking method tailored specifically for HISs, and we compared it with the traditional unoptimized ethical hacking method. This allows researchers and practitioners to identify the points and attack pathways of possible penetration attacks on the HIS more efficiently. Methods: In this study, we propose a novel methodological approach to ethical hacking in HISs. We implemented ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the open-source electronic medical record (OpenEMR) system and followed the National Institute of Standards and Technology's ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized ethical hacking methods. Results: Ethical hacking was successfully conducted using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized method in terms of average time used, the average success rate of exploit, the number of exploits launched, and the number of successful exploits. We were able to identify the successful attack paths and exploits that are related to remote code execution, cross-site request forgery, improper authentication, vulnerability in the Oracle Business Intelligence Publisher, an elevation of privilege vulnerability (in MediaTek), and remote access backdoor (in the web graphical user interface for the Linux Virtual Server). Conclusions: This research demonstrates systematic ethical hacking against an HIS using optimized and unoptimized methods, together with a set of penetration testing tools to identify exploits and combining them to perform ethical hacking. The findings contribute to the HIS literature, ethical hacking methodology, and mainstream artificial intelligence-based ethical hacking methods because they address some key weaknesses of these research fields. These findings also have great significance for the health care sector, as OpenEMR is widely adopted by health care organizations. Our findings offer novel insights for the protection of HISs and allow researchers to conduct further research in the HIS cybersecurity domain.