The state of research on cyberattacks against hospitals and available best practice recommendations: a scoping review
- 437 Downloads
The health sector has quickly become a target for cyberattacks. Hospitals are especially sensitive to these sorts of attacks as any disruption in operations or even disclosure of patient personal information can have far-reaching consequences. The objective of this study was to map the available literature on cyberattacks on hospitals and to identify the different domains of research, while extracting the recommendations and guidelines put forth in the literature.
Four databases (PubMed, Web of Science, ProQuest, and Scopus) were searched using standardized and adapted search syntax in order to identify relevant manuscripts published between 1997 and 2017. These were screened by two reviewers and included or excluded based on inclusion and exclusion criteria. Data from articles were then extracted and analyzed.
The search identified 818 records of which 97 were included. Of the 97, 32% were published in 2017 while around 40% of the articles were published prior to the last three years. Six domains of research emerged through the analysis, which are included here: context and trends in cybersecurity (27.8%), connected medical devices and equipment (29.9%), hospital information systems (14.4%), raising awareness and lessons learned (6.2%), information security methodology (15.4%), and specific types of attacks (6.2%).
There is a generally growing interest in the research field, but the available literature remains limited in number. There are important aspects of cybersecurity (e.g. cloud storage and access management) as well as specific medical fields that rely on various medical devices that have been neglected. Recommendations are available, but comprehensive guidelines and standardized best practice measures are still necessary.
KeywordsCyberattacks Hospital cybersecurity Medical device security Cybersecurity recommendations
Electronic Health Records
Electronic Medical Records
Food and Drug Administration
Hospital Information System
International Electrotechnical Commission
Institute of Electrical and Electronics Engineers
National Health Services
Preferred Reporting Items for Systematic Reviews and Meta-Analysis
Violence against hospitals—manifested in physical attacks against patients, workers, and facilities  as well as in cyberattacks on hospitals—has been on the rise worldwide. Cyber violence has especially become rampant in recent years, affecting numerous hospitals in high-income countries such as the United States (US) [2, 3] as well as Norway  and even becoming a concern for lower-middle income countries such as Kenya . Cyberattacks include a variety of threats from brute force and Denial-of-Service attacks to the use of phishing and malware or social engineering methods to compromise security .
Whilst a ransomware is only one type of malware threatening health facilities, a report by the US Department of Justice revealed that an average of 4000 ransomware attacks occurred daily across different sectors in 2016—a 300% increase since 2015 . Another report revealed that the health field was among the top three sectors most affected by ransomware worldwide . Besides ransomware, there has also been a four-fold increase in the number of malicious computer software attacks in the last two years  and the health sector has become one of the most targeted sectors globally .
This is a growing concern as hospitals worldwide are becoming increasingly dependent on their hospital information systems for administrative, financial, and medical operations—with the use of connected medical devices, cloud storage services, and network systems simultaneous rising. There is a widespread understanding of the need to balance utility and efficacy with privacy and security in innovation; however, technology is bolstering more quickly than the creation, application, and update of security measures . The reality is that healthcare is lagging behind other sectors in securing data as well as in developing comprehensive employee training programs—even if findings show the latter as the most stressed strategy against breaches in the literature [11, 12, 13, 14].
Additionally, the healthcare sector is especially vulnerable to attacks because the nature of the work makes it extremely sensitive to any disruption in its services. A delay in hospital operations—much less a halt—can have devastating consequences on patient safety. A ransomware attack on Hollywood Presbyterian Medical Center in Los Angeles caused cancellations of procedures and redirection of in-coming ambulances over the span of 10 days [15, 16]. A different attack, on the British National Health Service (NHS), had similar effects on hospitals as well as additional debilitating effects on radiology and blood-product refrigeration of hospitals .
These sort of attacks heighten risks to patient safety as providers lose access to virtual records of comorbidities, allergies, and existing prescriptions [6, 7]. In addition to these effects on health delivery, breach and disclosure of sensitive health information can have detrimental effects on an individual’s social and professional life  as well as expose the patient to the risks of blackmailing . Moreover, cybercriminals can commit a range of crimes from identity theft to medical fraud with patients’ personally identifiable information . At the other end, the financial consequences to hospitals are substantial with direct costs from patient compensation and regulation fines as well as the long-term financial consequences that follow damage to their facilities’ reputation . On a larger scale, the consequences of interrupted care delivery can affect the larger hospital network (i.e. spreading into ambulance, pharmacy, and health insurance company operations).
When considering the motives behind such attacks, financial gain is a reoccurring topic. The information accessed through health data breaches is of particular interest as it is highly valued on the dark web ; medical records are even worth more than social security numbers . Additionally, since these records include dates of birth, residential addresses, and health information, the stolen data is durable and widely applicable to criminal activities . Other motives include nation state (state sponsored), terrorist, retribution, and hacktivist interests  and sources of attacks can be external with local or remote actors and internal through deliberate or inadvertent acts .
What are the domains of research previously emphasized in the literature on cybersecurity of hospitals?
What recommendations are put forth by the available literature?
This review was conducted using the methodological framework for scoping reviews proposed by Arksey and O’Malley  in conjunction with the advancements recommended by Levac et al. . While this scoping review is not registered, it adheres to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) Guidelines  where applicable.
Within this review, discussion of cybersecurity did not include non-malicious cybersecurity breaches. The focus was to concentrate specifically on cyber threats and cyberattacks targeted against hospitals. Additionally, the cybersecurity of hospitals included the cybersecurity of connected medical devices, hospital information systems (HIS), and health records. However, publications related to mHealth cybersecurity were considered out of the scope of this review, as mobile devices do not directly constitute the hospital infrastructure.
In order to broadly capture existing work, relevant literature was gathered using the following four search engines (pertinent databases have been listed in conjunction): PubMed (MEDLINE), Web of Science, ProQuest (CINAHL), and Scopus (EMBASE, Compendex). These were selected after brief analysis of previous work and preliminary search results. Searches were initially conducted in October 2017 and later updated in March 2018.
The methodology began with the identification of pertinent key terms and pre-existing keywords through preliminary searches. Terms related to hospitals, medical devices, HIS, electronic health records (EHR), and electronic medical records (EMR) were gathered along with terms pertaining to cyberattacks and cyber threats. Pertinent terms were selected after two separate internal discussions and then strung together with Boolean operators ([AND], [OR]). After several rounds of trial and error as well as discussion, a search syntax was established and then adapted to each database (see Additional file 1 for an example). Other records were later identified and included through methods such as hand searching and snowballing.
Selection of studies
After the identification phase of the PRISMA four-phase flow diagram , two reviewers separately screened all records for relevance using bibliographic data (i.e. title, type of publications, abstracts). Duplicated records were excluded and full-texts were then retrieved for review. If full-text versions were not initially available, articles were acquired through the interlibrary loan system.
The inclusion and exclusion criteria, which had been discussed and established following the preliminary search, were then applied to assess eligibility. Records in English published between January 01, 1997 and December 31, 2017 in peer-reviewed journals were selected for inclusion. Study location or country of publication did not affect inclusion—apart from country biases that may already exist in the databases. Primary literature, literature reviews, and editorial material as well as conference proceedings published in peer-reviewed journals were all included. Studies reporting qualitative and quantitative findings were equally selected.
Data collection, extraction, and analysis
The full-texts of the selected articles were read and relevant data was then extracted into a standardized data extraction chart. Extracted data items included the source of the article, study design, title, author(s), year of publication, journal, author(s)‘s affiliation(s), funding source(s), area of focus, important findings, and pertinent recommendations. The aim of each study as well as a summary of the article was also integrated into the data extraction chart. Citations were organized using the Mendeley Reference Management Software.
The selected articles were categorized based on their study design after operational definitions were established (see Additional file 2). Additionally, the theme of the 97 articles were identified through analysis of the full-texts. These themes were then classified in order to identify common research domains. These domains were based upon exiting research topics in the field but were developed to capture the entirety of the scope of the field’s literature into concise categories.
The literature identification phase resulted in 818 records: 795 (163 from PubMed, 173 from Web of Science, 134 from ProQuest, and 325 from Scopus) were identified through the selected databases before the deduplication step and 23 records were later identified through methods such as hand searching and snowballing. These records were screened, unduplicated, and assessed for eligibility. Subsequently, 97 articles were selected for inclusion into the review (see Fig. 1). Publications included in this scoping review have been marked with an asterisk (*) in the references section.
Investigation into funding sources revealed that 21 of the publications (21.6%) received at least part of their funding from governmental agencies such as the National Science Foundation or National Institutes of Health, while three publications used funding from companies, personal resources, or university consortiums. 74 of the 97 (76.3%) claimed no funding sources or did not report any. (See Additional file 3.) This was followed up with an analysis of the researchers behind the publications. It was found that universities and other teaching institutions were at least partly involved in the publication of 71 articles, while organizations and companies were at least partly behind 14 articles. The remaining articles came at least partly from researchers at insurance companies, government agencies, law firms, and research institutions among other sources (see Additional file 4).
Study designs and identified research domains
The literature is composed of various study designs. Ten of the articles (10.3%) are descriptive studies, 31 (31.9%) are summative reports, 28 (28.9%) are editorials, 20 (20.6%) are technical papers, 5 (5.2%) are literary reviews, and 3 (3.1%) are experimental studies. (See Additional file 2 for details and operational definitions).
Identified domains of research and types of studies
Brief description of research domain
Number of articles
Study design with reference
Context and trends in cybersecurity
Explores context of the field, formulates definitions of pertinent terms, offers generalized recommendations, and describes trends in cybersecurity.
- Technical paper 
Connected medical devices and equipment
Discusses the development, research, and security of connected medical devices and equipment (includes implantable and wearable devices found in neurology, cardiology, endocrinology, mental health, and radiology)
Hospital information systems (HIS)
Offers methods for evaluating HIS, discusses security concerns of electronic health records, and proposes specific recommendations. Also includes discussions on data security and cloud-based storage.
- Editorial 
- Experimental study 
Raising awareness and lessons learned
Discusses previous attacks and lessons learned, as well as training programs for various players. Also proposes and evaluates methods for the dissemination of information.
Information security methodology
Discusses network security, multifactor authentication, encryption, password protection, updates and others.
Specific types of attacks (i.e. ransomware, phishing, and social engineering attacks)
Offers definitions, background information, and recommendations specific to these attack types in the context of hospitals.
- Summative report 
Domains of research
Context and trends in cybersecurity
A subset (27.8%) of the literature offers generalized discussion and description of cyber threats and attacks—the terms associated with the field, infrastructure of cyber defense (in terms of agencies and regulations)—and offers strategies for security. These articles track the evolution of cybercrime in the health field [21, 25] while exploring some motives for attacks, such as monetary drivers , and discussing probable consequences and challenges associated with the cybersecurity of hospitals . Among the challenges raised is the limited budget of hospitals and the eminent priority to provide care to patients [10, 28]. One article in particular discusses patient’s continued trust in the healthcare system and the increasing frequency of cyberattacks . There is also discussion on the effect of compartmentalization of nation’s healthcare systems into public and private entities, and how this affects security and differs from other public health surveillance systems [10, 26, 29, 30]. Several general recommendations are also made for hospitals [10, 16, 28, 30]. The articles in this domain include literature reviews, descriptive studies, summative reports, editorials, and a technical paper.
Connected medical devices and equipment
The security of connected medical devices and equipment was a major focus in the literature (29.9%). Study designs vary from experimental studies, technical papers, summative reports, and editorials. The articles discuss the FDA pre-market and post-market guidelines for medical devices, the British Standards Institution recommendations, and relevant IEC documents among several other sources of recommendations and guidelines [31, 32]. In addition, some of the articles propose frameworks for cybersecurity and blueprints for value-based presentation of security measures in the lifecycle and development of medical devices [33, 34, 35, 36]. Others discuss the tradeoffs of safety and security with availability and utility when weighting the advantages to patients’ quality of life with associated risks of connected medical devices [37, 38]. There is also discussions on the shared—as well as individual—responsibilities of manufacturers and user facilities for the security of these device [31, 34, 36, 39, 40]. In addition, some articles discuss the various sources of vulnerabilities in devices and equipment and analyze different cybersecurity research methods [6, 41].
Hospital information systems
Publications within this research domain encompasses 14.4% of the literature body. It includes articles from all of the study design categories identified in the review. The security concerns of HIS are discussed as well as the challenges of using widespread health information technology [42, 43]. One article presents a model for evaluating and comparing HIS at different hospitals and applies it to local healthcare facilities in Iran . Other articles propose security techniques for EHR systems such as various types of firewalls, cryptography and cloud computing methodologies among others [45, 46]. Data security, storage, and specifically cloud-based storage are also prevalent topics of discussion in this domain [45, 46, 47, 48, 49]. The literature presents data storage requirement and recommendations including but not limited to confidentiality and access control, integrity of data, availability and performance, and support for long retention and secure migration .
Raising awareness and lessons learned
With research revealing that humans are among the weakest link in cybersecurity [35, 50], the importance of raising awareness among end users is stressed throughout domains. Six (6.2%) of the selected articles—descriptive studies and editorials—focus specifically on this topic. A significant portion of the discussion in this domain is on previous attacks [51, 52] and lessons learned—emphasizing the importance of information sharing methodology . Practical recommendations were also proposed for end users such as always changing the password on new devices, using strong passwords, refraining from leaving devices unattended, and avoiding connecting to public WiFi services . More generally, hospitals are advised to enact mock exercises for providers and other hospital staff annually—integrating lessons learned from recent attacks . In one article, researchers used a vocabulary and scenario-based test to evaluate hospital staff’s current understanding of cybersecurity in order to offer relevant and appropriate training . While these sorts of engaging practices are recommended in order to keep staff vigilant, it is crucial for hospitals to have the leadership, governance, and information technology (IT) staff for cybersecurity .
Information security methodology
The third most prevalent research domain—making up 15.4% of the literature body—is information security methodology. These publications are technical papers and summative reports. Definitions, methods, and general information are discussed on a wide array of specific topics such as network security, multifactor authentication, security of medical imaging, password protection, and patching systems [56, 57, 58, 59]. Recommendations and techniques are also proposed in these articles for reducing data leakage , strengthening end users’ passwords , as well as utilizing intrusion prevention systems .
Specific types of attacks (i.e. ransomware, phishing, and social engineering attacks)
A small portion (6.2%) of the selected articles focus specifically on phishing, social engineering, and ransomware attacks. These articles are summative reports, descriptive studies, and several editorials that focus on describing and defining the attack type, recounting previous episodes of attacks, and proposing recommendations for mitigating risks. Cybersecurity events such as the February 2016 Hollywood Presbyterian Medical Center ransomware attack in Los Angeles, California and the March 2016 Medstar Health ransomware attack in Maryland, Baltimore as well as several phishing attacks are explored [63, 64].
Among the recommendations found in the 97 selected articles, researchers state that organizations should allocate more resources and funding to IT security [18, 57] and should define the cybersecurity duties of employees . In addition, key guidelines are put forth that recommend risk assessment methods, intrusion prevention services and penetration testing, loss of data as well as log monitoring systems, firewall implementation, network auditing, and privilege restrictions as well as methods for regularly checking critical server files [30, 65].
On the topic of connected medical devices, recommendations were put forth for companies to implement reasonable measures such as access control on devices and security testing beyond the developmental phase . They are also asked to enforce antivirus scans and the use of firewalls , and to have reporting mechanisms that users can apply to communicate cybersecurity issues . Regulators are asked to propose best practices, but balance encouraging security with burdensome regulations . Other researchers propose an independent nonprofit organization composed of medical, industry, and academic experts be charged with developing standards for device cybersecurity . Furthermore, providers are advised to collaborate with security experts and to hold high standards of security research methods . Additional recommendations emphasize information sharing systems as well as hospital risk management and contingency planning that takes medical devices into account .
Hospitals are additionally advised to develop training programs that are at least annually re-evaluated and amended based on recent events. Training is recommended in privacy policies, data leakage prevention, and workplace social media use, but is especially stressed in digital hygiene—good practices of digital security such as choosing strict privacy settings and strong password protection. End users should not use the same password for multiple accounts, trust suspicious emails, or leave computers unattended. Healthcare organizations are also advised to set and enforce proper policy for password protection and sharing of information. These training programs are to be developed with consideration of the perspectives and level of digital experience of a multidisciplinary team (i.e. providers, IT specialists, hospital managers) in order to truly be effective . It is also recommended that hospitals should run IT security drills and mock system recovery exercises in order to keep all members vigilant [65, 69].
Specific recommendations are made for phishing attempts and social engineering attacks such as the need for specialized training programs for these attack types and others, filtering of both emails and websites, enforcement of frequent password changes—at the cost of convenience—and reasonable limitations on access to data . Similar recommendations were put forth for ransomware attacks along with regular and (ideally, real-time offline) backups, encryption of sensitive data, and technical safeguards such as up-to-date antivirus software, automated patches, pop-up blockers, and prevention of USB usage [63, 69]. Along these lines, de-identification and data encryption, minimization of requested data, and deletion of unnecessary data are emphasized all throughout. In addition, the literature recommends timely update of third-party software and strict limits on downloads from untrusted sources. The possibility of national level health data warehouses was also discussed, but with a focus on the security and privacy measures that would be required beforehand .
There is an increase in the pace of publication following 2012 with an exponential rise after 2016. This escalation in research pace may be related to the 2016 Hollywood Presbyterian ransomware attack, which was the first highly publicized cyberattack incident against a hospital. There were several other incidents following this, but the importance of cybersecurity in hospitals took the headlines once again in May 2017 when the WannaCry ransomware attack affected the NHS hospitals. There is reason to believe that the rate of publications will continue to grow as hospitals turn their attention to fortifying their cybersecurity systems [9, 26].
The review also revealed some breadth in the research field with publications focusing on various research domains (six identified) and medical specialties, but an overall lack of quantity of available literature. For instance, while topics such as health data encryption are explored, methodological and more real-world operational studies on the topic would have been expected. Other areas of research that were neglected in relation to the cybersecurity of connected medical devices, for example, are security of cloud storage, the use of USB ports, and the topic of identity and access management as well as ethics. Similarly, while medical specialties such as neurology , radiology [40, 70, 71, 72, 73], cardiology [41, 48, 74], endocrinology [25, 32, 33, 75, 76], and mental health  are represented, they are in the minority of the selected articles.
Analysis of study designs also demonstrates a large proportion of editorials (nearly 29%) and summative reports (nearly 32%). These documents focused on raising awareness and the general knowledge base of readers. This reveals that the target audience of these publications was a broad group of actors non-specialized in information security (i.e. clinicians, hospital administration staff, management teams, and policymakers). This finding illustrates that cybersecurity of hospitals is the concern of a larger and multidisciplinary group and that security measures cannot be successful without the active participation of the various professionals in a hospital. The finding also indicates that there may be further need for methodological studies specifically in information security.
Investigation into funding sources was made to explore conflicts of interests or the presence and possible influence of companies and industry representatives in the research field. However, companies directly funded only 1% of the publications and only around 14% of the research was at least partly conducted by companies or organizations. Nevertheless, there may be a stronger presence of cybersecurity companies, for example, in the research field than is depicted in academic, peer-reviewed journals, which was the scope of this paper.
Of the six research domains that emerged in this scoping review, the cybersecurity of connected medical devices and equipment presented as the most prevalent research area in the literature (29.9% of the selected articles). This may be as the security of connected devices is particularly challenging. These devices are discrete systems that necessitate integration into the hospital IT infrastructure and become ubiquitous in the network, but that often lack inherent protection in the form of firewall or antivirus due to power supply limitations [6, 11]. Connected devices and equipment are a large part of hospital operations and thus, their security is a vital topic.
This review provides an up-to-date analysis on current research domains and available recommendations on the cybersecurity of hospitals. While there are two systematic reviews [11, 21] previously published in the field of cybersecurity in healthcare, they were focused on identifying trends in the number of cyberattacks on healthcare and themes in cybercrime, respectively. There has not been a review that investigates the body of literature on cyberattacks against hospitals or that assembles the recommendations put forth. This scoping review yielded an overview of the relatively new and quickly growing literature body and was able to cope with the pace of publications. A systematic follow-up could expand on these research domains and refine subject headings further.
There are a few limitations to this study. Selection of publications was limited to articles available in the English language, which could have excluded several important publications from countries with advanced cybersecurity methodology. Along the same lines, articles in peer-reviewed journals not listed in the four databases selected could have also been unintentionally excluded. This is also a field in which industry representatives outside of academia are highly engaged and limiting the review’s scope to peer-reviewed academic journals could have excluded additional relevant publications.
The objective of this study was to identify and map the scientific literature on cyberattacks on hospitals and to describe the different areas of research in this literature. Six domains of research (context and trends in cybersecurity, connected medical devices and equipment, hospital information systems, raising awareness and lessons learned, information security methodology, and specific types of attacks) were developed to map the literature. These domains of research can be refined and developed by the field in the future. While 97 articles were identified from the past two decades and studied, it was apparent that there was an overall lack of quantity in publications. However, the review indicated a generally growing interest in the production of studies and recommendations on the topic. As the frequency of cyber threats continues to grow, the value of comprehensive guidelines and standardized best practice measures will become unequivocal.
The authors would like to thank Kristen Namigai, Institute of Global Health at the University of Geneva, for her contribution in the initial phase of this review. They would also like to thank the initial members of the seventh edition of the Geneva Health Forum M8 Alliance Expert Meeting Group on Cybersecurity in Healthcare for their valuable feedback on a primitive version.
The authors received no financial support for the research, authorship, and/or publication of this article.
Availability of data and materials
All data generated or analyzed during this study are included in this published article and its additional files.
A.F. conceived the presented idea and directed the project. A.F., B.E., and S.A. designed the study and developed the search syntax. S.A. and N.B. screened, selected, and analyzed records to be included in the review. S.A. drafted the manuscript and all authors critically revised all subsequent versions for intellectual content. All authors have approved the final version and agree to be accountable for the work.
Ethics approval and consent to participate
Consent for publication
The authors declare that they have no competing interests.
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
- 1.Health Care in Danger: Making the Case. Geneva: International Committee of the Red Cross; 2011. 4–22.Google Scholar
- 2.Long S. The cyber attack - from the POV of the CEO - Hancock regional hospital. Hancock Health 2018. https://www.hancockregionalhospital.org/2018/01/cyber-attack-pov-ceo/. Accessed 21 Feb 2018.
- 3.Bisson D. Hollywood hospital pays $17,000 to ransomware attackers. The State of Security 2016. https://www.tripwire.com/state-of-security/latest-security-news/hollywood-hospital-pays-17000-to-ransomware-attackers/. Accessed 20 Feb 2018.
- 4.Hughes O. Norway healthcare cyber-attack could be biggest of its kind. Digital Health. 2018; https://www.digitalhealth.net/2018/01/norway-healthcare-cyber-attack-could-be-biggest/. Accessed 21 Feb 2018.
- 5.Muchai C, Kimani K, Mwangi M, Shiyayo B, Ndegwa D, Kaimba B, et al. Kenya Cyber Security Report 2015. Nairobi, Kenya: Serianu; 2015. 8–45.Google Scholar
- 6.*Williams P, Woodward A. Cybersecurity vulnerabilities in medical devices: a complex environment and multifaceted problem. Med Devices Evid Res. 2015; doi: https://doi.org/10.2147/MDER.S50048.
- 7.Protecting Your Networks from Ransomware. Washington, D.C.: The United States Department of Justice; 2016. 2–8.Google Scholar
- 8.2017 Global Threat Intelligence Report. 77% of all ransomware detected in four industries - Business & Professional Services. Health Care and Retail. NTTSecurity: Government; 2017. https://www.nttsecurity.com/en-us/about/press-releases/detail/2017-global-threat-intelligence-report-77-of-all-ransomware-detected-in-four-industries---business-professional-services-government-health-care-and-retail. Accessed 15 May 2018
- 10.*Martin G, Martin P, Hankin C, Darzi A, Kinross J. Cybersecurity and healthcare: how safe are we? BMJ. 2017; doi: https://doi.org/10.1136/BMJ.J3179.
- 12.Ponemon Institute Study. “The Cyber Resilient Organization: Learning to Thrive Against Threats”. Traverse City: Ponemon Institute; 2017. p. 1–33.Google Scholar
- 15.*Dyer O. Hackers demand ransom to release encrypted US medical records. BMJ. 2016; doi: https://doi.org/10.1136/BMJ.I1876.
- 16.*Millard WB. Where Bits and Bytes Meet Flesh and Blood. Ann Emerg Med. 2017; doi: https://doi.org/10.1016/j.annemergmed.2017.07.008.
- 18.*Khan SI, Hoque ASML. Digital Health Data: A Comprehensive Review of Privacy and Security Risks and Some Recommendations. Comput Sci J Mold. 2016;24:273–292.Google Scholar
- 19.Silver JK, Binder DS, Zubcevik N, Zafonte RD. Healthcare hackathons provide educational and innovation opportunities: a case study and best practice recommendations. J Med Syst. 2016. https://doi.org/10.1007/s10916-016-0532-3.
- 20.Alvarez M. Security trends in the healthcare industry. Somers: IBM; 2017. p. 2–18.Google Scholar
- 23.Levac D, Colquhoun H, O’Brien KK. Scoping studies: advancing the methodology. Int J Nurs Stud. 2010. https://doi.org/10.1186/1748-5908-5-69.
- 26.*Mansfield-Devine S. Leaks and ransoms – the key threats to healthcare organisations. Netw Secur. 2017;2017:14–19.Google Scholar
- 27.*Rajamäki J, Pirinen R. Towards the cyber security paradigm of ehealth: Resilience and design aspects. AIP Conf Proc 1836. 2017; doi: https://doi.org/10.1063/1.4981969.
- 31.*Jones RW, Katzis K. Cybersecurity and the Medical Device Product Development Lifecycle. Stud Health Technol Inform. 2017;238:76–239.Google Scholar
- 34.*Alvarenga A, Tanev G. Cybersecurity Risk Assessment Framework that Integrates Value-Sensitive Design. Technol Innov Manag Rev. 2017;7:32.Google Scholar
- 39.*FDA issues reminder on cybersecurity for networked medical devices. Biomedical instrumentation & technology/Association for the Advancement of Medical Instrumentation. 2010;Suppl:4.Google Scholar
- 42.*Dimitrova TD. Risk and Protection of Medical Information Systems. Elektron Ir Elektrotechnika. 2010;9:109–112.Google Scholar
- 46.*Hasan R, Winslett M, Sion R. Requirements of Secure Storage systems for healthcare records. In: Secure Data Management - 4th VLDB Workshop, SDM 2007, Proceedings. Springer-Verlag Berlin Heidlberg; 2007. p. 174–180.Google Scholar
- 48.*Page A, Kocabas O, Soyata T, Aktas M, Couderc JP. Cloud-Based Privacy-Preserving Remote ECG Monitoring and Surveillance. Ann Noninvasive Electrocardiol. 2015; doi: https://doi.org/10.1111/anec.12204
- 50.*Pycroft L, Boccard SG, Owen SLF, Stein JF, Fitzgerald JJ, Green AL, et al. Brainjacking: Implant Security Issues in Invasive Neuromodulation. Elsevier. 2016; doi: https://doi.org/10.1016/j.wneu.2016.05.010.
- 51.*Lenzer J. Hackers demand $10m for eight million medical records they are holding hostage. BMJ. 2012; doi:b1917\r https://doi.org/10.1136/bmj.b1917.
- 53.*Kramer DB, Baker M, Ransford B, Molina-Markham A, Stewart Q, Fu K, et al. Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance. PLoS One. 2012; doi: https://doi.org/10.1371/journal.pone.0040200.
- 54.*Drevin L, Kruger H, Bell AM, Steyn T. A linguistic approach to information security awareness education in a healthcare environment. In: Bishop M, Futcher L, Miloslavskaya N, Theocharidou M, (eds) Information Security Education for a Global Digital Society. WISE 2017. IFIP Advances in Information and Communication Technology, vol 503. Springer, Cham; 2017.Google Scholar
- 56.*Masys DR, Baker DB. Patient-Centered Access to Secure Systems Online (PCASSO): a secure approach to clinical data access via the World Wide Web. AMIA Symp Proc. 1997;340–343.Google Scholar
- 57.*Ries JE, Asaro P V, Guillen A, Ivanova J. The futility of common firewall policies: an experimental demonstration. AMIA Symp Proc. 2000;699–703.Google Scholar
- 58.*Sankaranarayanan S, Udayasuriyan V. Biometric Secured Electronic Health Record. Int J E-Health Med Commun. 2016;7:1–27.Google Scholar
- 59.*Swanson SE. Access management: Living with firewalls. J Hosp Librariansh. 2001;1:25–40.Google Scholar
- 61.*Kalyango ST, Maiga G. A technique for strengthening weak passwords in electronic medical record systems. Lect Notes Comput Sci. 2012; doi: https://doi.org/10.1007/978-3-642-53956-5.
- 72.*Kumari PV, Thanushkodi K. A Secure Fast 2D-Discrete Fractional Fourier Transform Based Medical Image Compression Using Hybrid Encoding Technique. 2013 Int Conf Curr Trends Eng Technol. 2013;1–7.Google Scholar
- 77.*Elhai JD, Frueh BC. Security of Electronic Mental Health Communication and Record-Keeping in the Digital Age. J Clin Psychiatry. 2015;77:22–27.Google Scholar
- 81.*Liebowitz J, Schaller R. Biological Warfare: Tampering with implantable medical devices. IT Prof. 2015; doi: https://doi.org/10.1109/MITP.2015.82
- 82.*Loughlin S, Fu K, Gee T, Gieras I, Hoyme K, Rajagopalan SR, et al. A roundtable discussion: Safeguarding information and resources against emerging cybersecurity threats. Biomed Instrum Technol. 2014;48:8–17.Google Scholar
- 86.*Cohen IG, Hoffman S, Adashi EY. Your Money or Your Patient’s Life? Ransomware and Electronic Health Records. Ann Intern Med. 2017; doi: https://doi.org/10.7326/M17-1312.
- 87.*Jensen RD, Copeland S, Domas S, Hampton R, Hoyme K, Jump M, et al. A Roundtable Discussion: Thawing Out Healthcare Technology’s ‘Special Snowflake’ Cybersecurity Challenges. Biomed Instrum Technol. 2017;51:10–16.Google Scholar
- 91.*Burleson W, Clark SS, Ransford B, Fu K. Design challenges for secure implantable medical devices. Proc 49th Annu Des Autom Conf - DAC ‘12. 2012; doi: https://doi.org/10.1145/2228360.2228364.
- 96.*Burns AJ, Johnson ME, Honeyman P. A Brief Chronology of Medical Device Security. Commun ACM. 2016; doi: https://doi.org/10.1145/2890488
- 99.*Fu K, Blum J. Controlling for cybersecurity risks of medical device software. Commun ACM. 2013; doi: https://doi.org/10.2345/0899-8205-48.s1.38
- 106.*Diamantopoulou V, Angelopoulos K, Flake J, Praitano A, Ruiz JF, Jurjens J, et al. Privacy Data management and awareness for public adminstrations: a case study from the healthcare domain. In: 5th Annual Privacy Forum, APF 2017. Springer International Publishing; 2017. p. 192–209.Google Scholar
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The Creative Commons Public Domain Dedication waiver (http://creativecommons.org/publicdomain/zero/1.0/) applies to the data made available in this article, unless otherwise stated.