2018 May 28;20(5):e10059.
doi: 10.2196/10059.

Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Mohammad S Jalali et al. J Med Internet Res.

Abstract

Background: Cybersecurity incidents are a growing threat to the health care industry in general and hospitals in particular. The health care industry has lagged behind other industries in protecting its main stakeholder (ie, patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures.

Objective: The purpose of this study was to develop a systematic and organizational perspective for studying (1) the dynamics of cybersecurity capability development at hospitals and (2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the United States.

Methods: We conducted interviews with hospital chief information officers, chief information security officers, and health care cybersecurity experts; analyzed the interview data; and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then used simulation analysis to examine how changes to variables within the model affect the likelihood of cyberattacks across both individual hospitals and a system of hospitals.

Results: We discuss several key mechanisms that hospitals use to reduce the likelihood of cybercriminal activity. The variable that most influences the risk of cyberattack in a hospital is end point complexity, followed by internal stakeholder alignment. Although resource availability is important in fueling efforts to close cybersecurity capability gaps, low levels of resources could be compensated for by setting a high target level of cybersecurity.

Conclusions: To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment. These strategies can solve cybersecurity problems more effectively than blindly pursuing more resources. On a macro level, the cyber vulnerability of a country's hospital infrastructure is affected by the vulnerabilities of all individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable: a few hospitals with low resources for cybersecurity threaten the entire infrastructure of health care. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals. Moreover, although compliance is essential, it does not equal security. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies. As of today, policies mostly address data privacy, not data security. Thus, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce the variability in resource availability across the entire health care system.

Keywords: computer simulation; cybersecurity; hospitals; organizational models.

Conflict of interest statement

Conflicts of Interest: None declared.

Figures

Figure 1. Stock and flow diagram of hospital cybersecurity capabilities.

Figure 2. Cybersecurity capability development with a balancing feedback loop.

Figure 3. Balancing feedback loop of need for stronger capabilities.

Figure 4. Addition of end point complexity to capability development model.

Figure 5. Introduction of internal stakeholder alignment variable.

Figure 6. Impact of intravulnerabilities on intervulnerabilities and attractiveness of hospitals system to cybercriminals.

Figure 7. Effects of stakeholder alignment on pressures to improve capabilities over time (a); trends of successful cybercriminals’ activity given the variability in internal stakeholder alignment (b); the variability in end point complexity (c); and the variability in resource availability (d). All y-axes are fractions, changing between zero and one representing lowest and highest possible level, respectively.

Figure 8. Rate of successful cyber incidents based on target level of cybersecurity capabilities and stakeholder alignment and resource availability.
