Abstract
Understanding healthcare cybersecurity is crucial for anyone who interacts with computer systems or medical devices, because patient safety is directly tied to cybersecurity. Patient data must be protected so that its confidentiality, integrity, and availability are preserved. The key to understanding healthcare cybersecurity is awareness. Because the field is always changing, it is essential to keep up with new developments; yet, in spite of the dynamic landscape, certain constants remain. To this end, it is vital to understand the historical context, as the past is the best indicator of future trends. This chapter aims to provide a solid historical foundation as well as current and timely information on the cybersecurity threat landscape within the healthcare vertical.
Notes
1. NIST. Computer security resource center: glossary. Available from: https://csrc.nist.gov/glossary/term/cybersecurity
2. Bitsight. Cybersecurity Vs. Information Security: Is There A Difference? Available from: https://www.bitsight.com/blog/cybersecurity-vs-information-security
3. Cybersecurity & Infrastructure Security Agency (CISA). Security Tip (ST04-001). Available from: https://www.us-cert.gov/ncas/tips/ST04-001
4. HealthIT.gov. 2011 Edition. Available from: https://www.healthit.gov/topic/certification-ehrs/2011-edition
5. HIMSS. 2021 Healthcare Cybersecurity Survey. Available from: www.himss.org/cybersurvey
6. FBI. FBI, This Week: Reveton Ransomware. Available from: https://www.fbi.gov/audio-repository/news-podcasts-thisweek-reveton-ransomware/view
7. NJCCIC. NJCCIC Ransomware Variants. Available from: https://www.cyber.nj.gov/threat-center/threatprofiles/ransomware-variants/
8. FBI. Ransomware. Available from: https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware
9. Roger A. Grimes. CSO. 9 types of malware and how to recognize them. Available from: https://www.csoonline.com/article/2615925/security-your-quick-guide-to-malware-types.html
10. SANS. Physical Security and Why It is Important. Available from: https://www.sans.org/reading-room/whitepapers/physical/physical-security-important-37120
11. Sucuri Blog. Password Attacks 101. Available from: https://blog.sucuri.net/2020/01/password-attacks-101.html
12. United States Department of Homeland Security. A Lifeline: Patient Safety and Cybersecurity. Available from: https://www.dhs.gov/sites/default/files/publications/ia/ia_vulnerabilities-healthcare-it-systems.pdf
13. National Initiative for Cybersecurity Careers and Studies. Creating a Password. Available from: https://niccs.us-cert.gov/sites/default/files/documents/pdf/ncsam_creatingapassword_508.pdf
14. Help Net Security. The password reuse problem is a ticking time bomb. Available from: https://www.helpnetsecurity.com/2019/11/12/password-reuse-problem/
15. Kaspersky. Brute Force Attack: What you need to know to keep your passwords safe. Available from: https://www.kaspersky.com/resource-center/definitions/brute-force-attack
16. United States Department of Homeland Security. National Infrastructure Protection Plan: Healthcare and Public Health Sector. Available from: https://www.dhs.gov/xlibrary/assets/nipp_snapshot_health.pdf
17. United States Department of Homeland Security, Cybersecurity & Infrastructure Security Agency. Critical Infrastructure Sectors. Available from: https://www.cisa.gov/critical-infrastructure-sectors
18. United States Department of Health and Human Services. Healthcare and Public Health Sector-Specific Plan. Available from: https://www.phe.gov/Preparedness/planning/cip/Documents/2016-hph-ssp.pdf (Figure 8, page 12).
19. MITRE. Cybersecurity standards. Available from: https://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-resources/standards
20. Steve Alder. HIPAA Journal. Community Health Systems Cyber Attack Puts 4.5 M Patients at Risk. Available from: https://www.hipaajournal.com/community-health-systems-cyber-attack-puts-4-5m-patients-risk/
21. NCCIC. National Cybersecurity and Communications Integration Center. What is WannaCry/WannaCrypt0r? Available from: https://www.us-cert.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf
22. Robert Lemos. Three Years After WannaCry, Ransomware Accelerating While Patching Still Problematic. DARKReading. Available from: https://www.darkreading.com/attacks-breaches/three-years-after-wannacry-ransomware-accelerating-while-patching-still-problematic/d/d-id/1337794
23. Microsoft. Microsoft Security Bulletin MS17-017 Important. Security Update for Windows Kernel (4013081). Available from: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-017
24. Washington Post. Russian military was behind “NotPetya” cyberattack in Ukraine, CIA concludes. Available from: https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html
25. Wired. The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Available from: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
26. Carnegie Mellon Software Engineering Institute. Insider Threat. Available from: https://www.sei.cmu.edu/research-capabilities/all-work/display.cfm?customel_datapageid_4050=21232
27. Imprivata. 5 Types of Insider Threats in Healthcare—and How to Mitigate Them. Available from: https://www.imprivata.com/blog/5-types-of-insider-threats-in-healthcare-and-how-to-mitigate-them
28. Phishing.org. History of Phishing. Available from: https://www.phishing.org/history-of-phishing
29. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (pp. 2–3).
30. HIMSS. 2018 HIMSS Cybersecurity Survey. Available from: https://www.himss.org/sites/hde/files/d7/u132196/2018_HIMSS_Cybersecurity_Survey_Final_Report.pdf. HIMSS. 2019 HIMSS Cybersecurity Survey. Available from: https://www.himss.org/sites/hde/files/d7/u132196/2019_HIMSS_Cybersecurity_Survey_Final_Report.pdf
31. NIST. Building an Information Technology Security Awareness and Training Program (Special Publication 800-50). Available from: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf (pp. 8–9).
32. Code of Federal Regulations. Administrative Safeguards. 45 CFR 164.308.
33. The employer’s or organization’s policies and procedures should be adhered to and any questions should be directed to the information technology helpdesk, cybersecurity team, or the appropriate point of contact. Use caution when clicking on any links, opening any attachments, or responding to e-mails, social media messages, etc.
34. Georgia Professional Tech Education. Staying Cyber-Safe While Teleworking. Available from: https://pe.gatech.edu/blog/industry-trends/staying-cyber-safe-while-teleworking
35. Omnibus HIPAA Rulemaking. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/combined-regulation-text/omnibus-hipaa-rulemaking/index.html
36. Business Associate Contracts. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
37. The Security Rule. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/security/index.html
38. Breach Notification Rule. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
39. Breach Notification Rule. United States Department of Health and Human Services. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
40. SAMHSA. United States Department of Health and Human Services. Available from: https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs
41. State Health IT Privacy and Consent Laws and Policies. United States Department of Health and Human Services. Available from: https://www.healthit.gov/data/apps/state-health-it-privacy-and-consent-laws-and-policies
42. Jill Arent. Comparison of Pennsylvania Confidentiality of HIV-Related Information Act (Act 148) and Federal Health Insurance Portability and Accountability Act. AIDS Law Project of Pennsylvania. Available from: http://www.aidslawpa.org/wp-content/uploads/2011/04/comparativechart.pdf
43. Patrick Howell O’Neill. A patient has died after ransomware hackers hit a German hospital: This is the first ever case of a fatality being linked to a cyberattack. MIT Technology Review. Available from: https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/
44. NIST. Computer security resource center: glossary. Available from: https://csrc.nist.gov/glossary. Definitions are generally from this source, unless otherwise noted.
45. United States Department of Health and Human Services. Breach Notification Rule. Available from: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
46. National Institutes of Health. HIPAA Privacy Rule: Information for Researchers. Available from: https://privacyruleandresearch.nih.gov/pr_06.asp
47. United States Department of Health and Human Services. Business Associate Contracts. Available from: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
48. National Institutes of Health. HIPAA Privacy Rule: Information for Researchers. Available from: https://privacyruleandresearch.nih.gov/pr_06.asp
49. Cybersecurity & Infrastructure Security Agency. Security Tip (ST04-015): Understanding Denial-of-Service Attacks. Available from: https://www.us-cert.gov/ncas/tips/ST04-015
50. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).
51. NIST. Computer Security Incident Handling Guide (Special Publication 800-61 Rev. 2). Available from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
52. Health Care Industry Cybersecurity Task Force. Report on Improving Cybersecurity in the Health Care Industry (2017). Available from: https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
53. Daniel Costa. Carnegie Mellon University Software Engineering Institute. CERT Definition of “Insider Threat”—Updated. Available from: https://insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat---updated.html
54. Economic Report of the President (2018). Chapter 7: Fighting Cyber Threats to the Growing Economy. Available from: https://www.govinfo.gov/content/pkg/ERP-2018/pdf/ERP-2018-chapter7.pdf (p. 329).
55. Daniel Costa. Carnegie Mellon University Software Engineering Institute. CERT Definition of “Insider Threat”—Updated. Available from: https://insights.sei.cmu.edu/insider-threat/2017/03/cert-definition-of-insider-threat---updated.html
56. Double Octopus. The Secret Security Wiki. Password Spraying (Low and Spray). Available from: https://doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/
57. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).
58. Peter Tsai. Spiceworks. What is a ransomworm? History, concerns, and implications: Word of the Week. Available from: https://community.spiceworks.com/topic/1995594-what-is-a-ransomworm-history-concerns-and-implications-word-of-the-week
59. Forcepoint. Shadow IT defined. Available from: https://www.forcepoint.com/cyber-edu/shadow-it
60. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).
61. United States Department of Homeland Security. 2018 Public-Private Analytic Exchange Program. Phishing: Don’t be Phooled! Available from: https://www.dhs.gov/sites/default/files/publications/2018_AEP_Vulnerabilities_of_Healthcare_IT_Systems.pdf (p. 2).
Appendices
Appendix 1: Answers to Review Questions
1. What is cybersecurity?
The National Institute of Standards and Technology (NIST) defines cybersecurity as the “ability to protect or defend the use of cyberspace from cyberattacks.” Cybersecurity is a subset of information security: information security concerns the protection of information in whatever medium it exists (paper, film, spoken, or electronic), whereas cybersecurity deals with information and assets in electronic form (e.g., mobile devices, computer networks, servers, laptops). Cybersecurity thus involves protecting electronic information and assets from unauthorized access, use, and disclosure.
2. What does patient safety have to do with cybersecurity?
In a cyberattack scenario, an attack on integrity can lead to tampered or otherwise incorrect patient information. This, in turn, can pose a significant risk to patient safety, especially where the clinician relies on the altered information, where the altered information relates to the delivery of critical medication (such as insulin in an infusion pump), or where the operation or configuration of a life-saving or life-sustaining medical device has been altered. Thus, cybersecurity (and especially integrity) and patient safety are intertwined.
Further, an attack on availability may leave an asset, such as a computer system, device, network, or set of information, unavailable at a particular moment in time. Depending upon the timing and the criticality of what needs to be accessed, this may pose a significant patient safety problem, especially if the patient is in a critical situation (such as in the intensive care unit, in the operating room, or otherwise in need of emergency treatment).
For more information, see DHS AEP, A Lifeline: Patient Safety & Cybersecurity: https://www.dhs.gov/sites/default/files/publications/ia/ia_vulnerabilities-healthcare-it-systems.pdf.
3. What is the CIA triad and why is it important?
The CIA triad names the three objectives of cybersecurity: confidentiality (information is not disclosed to unauthorized parties), integrity (information is not altered without authorization), and availability (information and systems are accessible when needed). All three are required for robust cybersecurity; the failure of any one of them may place business operations, clinical operations, and/or patient safety in jeopardy.
4. What is ransomware?
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.
5. What is phishing?
Phishing means a social engineering tactic that is used to persuade individuals to provide sensitive information and/or take action through seemingly trustworthy communications. Phishing may take various forms, such as e-mail (e-mail phishing), social media (social phishing), phishing websites, voice calls (voice phishing), text messages (SMiShing), and the like.
6. What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. Its implementing regulations (the HIPAA Rules) were most recently updated in a major way by the 2013 HIPAA Omnibus Final Rule. Three of these rules are central to healthcare cybersecurity: the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule.
The HIPAA Privacy Rule sets forth permitted and required uses and disclosures of protected health information. Protected health information is a form of individually identifiable health information and may exist in any form, including on paper, on film, and in electronic form.
The HIPAA Security Rule sets forth administrative, physical, and technical safeguards for electronic protected health information (ePHI). In other words, the confidentiality, integrity, and availability of ePHI must be maintained by covered entities and their business associates.
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.
7. Why is security awareness important?
Every organization can benefit from security awareness presentations and training. Through such efforts, individuals learn basic cyber hygiene (i.e., good security practices). Example topics include phishing, anti-virus software, and maintaining good security practices while working from home or traveling for work. (The difference between a security awareness presentation and training is depth: training provides a more in-depth treatment of the topic than a presentation does.) HIPAA also mandates security awareness and training for covered entities and business associates, under the Administrative Safeguards of the Security Rule (45 CFR 164.308).
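The link between integrity and patient safety drawn in review question 2 can be made concrete with a small worked example. This is an added illustration, not code from the chapter: a medication order is tagged with an HMAC-SHA256 integrity tag (Python standard library only), so that an order whose dose was altered in transit fails verification and is rejected rather than acted upon. The record fields, the key handling, and the function names are assumptions made for the illustration.

```python
"""Integrity protection of a medication order with HMAC-SHA256.

Added example, not from the chapter.  The record layout, key handling and
function names are assumptions for illustration only.
"""
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record: dict) -> bytes:
    """Serialize a record so that the same logical content always yields the
    same bytes (sorted keys, no insignificant whitespace).  Without this, a
    harmless field reordering would look like tampering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_record(record: dict, key: bytes) -> dict:
    """Attach an integrity tag computed over the canonical record bytes."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(envelope: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time.  A plain `==` on the
    hex strings would leak how many leading characters matched."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def demo() -> dict:
    """Exercise the happy path, a dose tampered in transit, a reordered but
    unchanged record, and verification under the wrong key."""
    key = secrets.token_bytes(32)          # held by the issuing system only
    order = {                              # constructed sample order
        "patient_id": "MRN-000123",
        "drug": "insulin",
        "dose_units": 4,
        "route": "IV",
    }
    envelope = sign_record(order, key)
    results = {"intact": verify_record(envelope, key)}

    # An attacker (or a faulty interface engine) changes 4 units to 40.
    tampered = {"record": dict(envelope["record"], dose_units=40), "tag": envelope["tag"]}
    results["tampered_dose"] = verify_record(tampered, key)

    # The same fields in a different order must still verify.
    reordered = {"record": dict(reversed(list(order.items()))), "tag": envelope["tag"]}
    results["reordered_fields"] = verify_record(reordered, key)

    # A receiver holding a different key cannot validate the order.
    results["wrong_key"] = verify_record(envelope, secrets.token_bytes(32))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17s} verified={ok}")
```

An HMAC provides integrity and origin authentication but not confidentiality; ePHI that must also be kept secret should use authenticated encryption (for example AES-GCM), which provides both in one operation. The tag is only as strong as the secrecy of the key: anyone holding it can re-sign a tampered order, so the key belongs in a secrets store or hardware module, never in the record itself or in a device configuration file.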
Appendix 2: Definition of Key TermsFootnote 44
Administrative safeguard means a safeguard that is intended to protect the administrative aspects of securing an asset. For example, policies and procedures may be implemented to prevent, detect, contain, and correct security violations.
Anti-virus means a program specifically designed to detect many forms of malware and prevent them from infecting computers, as well as cleaning computers that have already been infected.
Asset means a resource that is valuable to an organization that must be protected.
Authentication means verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Availability means that information and the systems that hold it are accessible to authorized users when needed. When availability is compromised, information or a system is not available at the time it is needed.
Breach generally means an impermissible use or disclosure that compromises the security or privacy of the information.Footnote 45 While not all security incidents are breaches, some security incidents may rise to the level of a breach. Breach notification laws exist at the federal and state levels.
Business associate means a person or entity that is not a member of the covered entity’s workforce and that performs or assists in performing, for or on behalf of a covered entity, a function or activity regulated by HIPAA, including the Privacy Rule, involving the use or disclosure of individually identifiable health information, or that provides certain services to a covered entity that involve the use or disclosure of individually identifiable health information.Footnote 46
Business associate agreement means the contract that a covered entity is required to enter into with each of its business associates to ensure that the business associate will appropriately safeguard protected health information.Footnote 47 (Please note: a contract has the same meaning as an agreement.)
Compensating controls means the security and privacy controls implemented that provide equivalent or comparable protection for a system or organization.
Confidentiality means that information is protected by preventing the unauthorized disclosure of information. When confidentiality is compromised, this means that there has been an unauthorized disclosure of information.
Countermeasures means the protective measures prescribed to meet the security requirements (i.e., confidentiality, integrity, and availability) specified for an information system. Safeguards may include security features, management constraints, personnel security, and security of physical structures, areas, and devices. Countermeasures are synonymous with security controls.
Covered entity means (1) health plans, (2) healthcare clearinghouses, and (3) healthcare providers who electronically transmit any health information in connection with transactions for which the United States Department of Health and Human Services has adopted standards.Footnote 48
Critical infrastructure means essential services and related assets that underpin American society and serve as the backbone of the nation’s economy, security, and health.
Cyberattack means an attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
Decryption means the process of changing ciphertext into plaintext using a cryptographic algorithm and key.
Defense-in-depth means that multiple safeguards are layered to protect an asset.
Denial of service (DoS) means an attack that occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor. DoS attacks can cost an organization both time and money while their resources and services are inaccessible.Footnote 49
Encryption means the process of changing plaintext into ciphertext using a cryptographic algorithm and key.
Firewall means a device or software component at the boundary of a computer system or network that permits or blocks traffic according to a configured rule set, so that unauthorized inbound access is blocked while authorized communication is allowed through.
General phishing means a phishing attack that does not target specific individuals.Footnote 50
HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, means the national standards established to protect individuals’ medical records and other protected health information (PHI); it applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. It is a HIPAA regulation.
HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, means the national security standards for protecting certain health information that is held or transferred in electronic form (electronic protected health information, or ePHI); it requires covered entities and business associates to implement administrative, physical, and technical safeguards for ePHI.
Incident response (also called incident handling) means the organized process of dealing with a security incident. Following NIST Special Publication 800-61, it generally includes preparation; detection and analysis (determining whether an incident occurred and prioritizing its handling); containment, eradication, and recovery; and post-incident activity (such as gathering lessons learned).Footnote 51
Integrity means that information is protected by keeping it intact. When the integrity of information is compromised, this means that the information has been modified without authorization from its original form.
Internet of Things (IoT) means devices, sensors, and the like (but other than computers, smartphones, or tablets) that connect, communicate, or otherwise transmit information with or between each other via the Internet.
Legacy systems means systems that no longer receive ongoing support (including security patches) from the hardware and software vendor(s) that provided them.Footnote 52
Malicious insider means an individual, such as an employee, former employee, contractor, business associate, or business partner, who has or had authorized access to an organization’s network, system, or information and who has intentionally exceeded or misused that access so as to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems.Footnote 53
Malware means a computer program that is covertly placed onto a computer or electronic device with the intent to compromise the confidentiality, integrity, or availability of data, applications, or operating systems. Common types of malware include viruses, worms, malicious mobile code, Trojan horses, rootkits, spyware, and some forms of adware.
Multi-factor authentication means authentication using two or more distinct factors. Factors include: (i) something you know (e.g., password or personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Two instances of the same factor, such as a password plus a PIN, do not constitute multi-factor authentication.
Nation-state actors are cyber threat actors who are typically motivated by political, economic, technical, or military agendas and who may engage in industrial espionage. Nation-state actors are typically highly sophisticated cyber threat actors.Footnote 54
Negligent insider (also called an unintentional insider) means an individual, such as an employee, former employee, contractor, business associate, or business partner, who has or had authorized access to an organization’s network, system, or information and who, through action or inaction and without malicious intent, causes harm or substantially increases the likelihood of future serious harm to the confidentiality, integrity, or availability of the organization’s network, system, or information.Footnote 55
Password spraying means an attack that tries a few commonly used passwords against a large number of accounts. Because each account sees only one or two failed attempts, the attack stays below the per-account lockout threshold that a brute-force attack on a single account would trigger.Footnote 56
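Password spraying is distinguishable from brute force in authentication logs by its shape: many accounts, few attempts each, from one source, inside a short time window. The following is an added example, not code from the chapter, that applies that distinction to constructed log lines using only the Python standard library; the log format, the addresses, the account names, and the thresholds are assumptions made for the illustration.

```python
"""Telling password spraying from brute force in authentication logs.

Added example, not from the chapter.  The log format, addresses, account
names and thresholds below are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: <ISO time> <outcome> user=<name> src=<ip>).
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAILED user=jsmith src=203.0.113.7
2024-03-01T08:00:02 FAILED user=mlee src=203.0.113.7
2024-03-01T08:00:03 FAILED user=rnurse src=203.0.113.7
2024-03-01T08:00:04 FAILED user=kpatel src=203.0.113.7
2024-03-01T08:00:05 FAILED user=doncall src=203.0.113.7
2024-03-01T08:00:06 FAILED user=bjones src=203.0.113.7
2024-03-01T08:00:07 SUCCESS user=bjones src=203.0.113.7
2024-03-01T08:10:00 FAILED user=admin src=198.51.100.23
2024-03-01T08:10:30 FAILED user=admin src=198.51.100.23
2024-03-01T08:11:00 FAILED user=admin src=198.51.100.23
2024-03-01T08:11:30 FAILED user=admin src=198.51.100.23
2024-03-01T08:12:00 FAILED user=admin src=198.51.100.23
2024-03-01T08:12:30 FAILED user=admin src=198.51.100.23
2024-03-01T08:13:00 FAILED user=admin src=198.51.100.23
2024-03-01T08:13:30 FAILED user=admin src=198.51.100.23
2024-03-01T08:14:00 FAILED user=admin src=198.51.100.23
2024-03-01T08:14:30 FAILED user=admin src=198.51.100.23
2024-03-01T09:00:00 FAILED user=jsmith src=192.0.2.50
2024-03-01T09:00:30 SUCCESS user=jsmith src=192.0.2.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Return (timestamp, outcome, user, src) tuples in time order; lines that
    do not match the assumed format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def classify_sources(text: str, window: timedelta = timedelta(minutes=10),
                     spray_min_accounts: int = 5, spray_max_per_account: int = 3,
                     brute_min_attempts: int = 8) -> dict:
    """Label each source address by the shape of its failures inside a sliding
    time window: many distinct accounts with few tries each is spraying; many
    tries against one account is brute force; anything else is 'benign'."""
    failures = defaultdict(list)
    for ts, outcome, user, src in parse_log(text):
        if outcome == "FAILED":
            failures[src].append((ts, user))

    verdicts = {}
    for src, events in failures.items():
        verdict = "benign"
        recent = deque()
        for ts, user in events:
            recent.append((ts, user))
            while ts - recent[0][0] > window:   # drop failures outside the window
                recent.popleft()
            per_account = Counter(u for _, u in recent)
            if (len(per_account) >= spray_min_accounts
                    and max(per_account.values()) <= spray_max_per_account):
                verdict = "password_spraying"
                break
            if max(per_account.values()) >= brute_min_attempts:
                verdict = "brute_force"
                break
        verdicts[src] = verdict
    return verdicts


def successes_from_flagged_sources(text: str, verdicts: dict) -> list:
    """Accounts that a flagged source eventually logged into: the ones to reset
    first, because a spray that ends in SUCCESS has found a weak password."""
    return [(src, user) for _, outcome, user, src in parse_log(text)
            if outcome == "SUCCESS" and verdicts.get(src) in ("password_spraying", "brute_force")]


if __name__ == "__main__":
    v = classify_sources(SAMPLE_LOG)
    for src, label in v.items():
        print(f"{src:16s} {label}")
    print("compromised:", successes_from_flagged_sources(SAMPLE_LOG, v))
```

The per-account lockout counter that stops brute force never trips under a spray (each account sees only one or two failures), which is why detection has to aggregate by source and by time window rather than by account. In practice the source field would also be joined with VPN or proxy logs, since sprays are often spread across many addresses to stay under per-source thresholds as well.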
Patch means a software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.
Phishing means a social engineering tactic that is used to persuade individuals to provide sensitive information and/or take action through seemingly trustworthy communications.Footnote 57 Phishing may take various forms, such as e-mail (e-mail phishing), social media (social phishing), phishing websites, voice calls (voice phishing), text messages (SMiShing), and the like.
Physical safeguard means a safeguard that is intended to protect physical security of an asset.
Protected health information (PHI) generally means information that is created, transmitted, received, or maintained by a covered entity or a business associate, including demographic information, related to the past, present, or future physical or mental health or condition of an individual, provision of healthcare to an individual, or past, present, or future payment for the provision of healthcare to an individual, together with certain identifiers (which may serve to identify the individual patient).
Ransomware is a type of malicious software or malware that denies access to a computer system and data and demands the payment of ransom.
Ransomworm means a type of computer worm that, upon infecting a new system, encrypts a victim’s data and holds it for ransom until payment is received.Footnote 58
Risk means a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
Safeguards (also referred to as countermeasures and controls) means actions, devices, procedures, techniques, or other measures that reduce the vulnerability of a system. Safeguards may be physical, technical, or administrative in nature.
Security awareness means initiatives that are designed to change behavior or otherwise reinforce good security practices of individual users.
Security incident means an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Shadow IT means the use of systems, devices, applications, software, and services that are not authorized for use by the organization’s information technology department.Footnote 59
Spear-phishing means a phishing attack targeted at a specific individual or organization, typically using details about the target to make the communication appear legitimate.Footnote 60
Supply chain means the physical and informational resources required to deliver a good or service to the final consumer.
Technical controls (also referred to as security controls or technical security controls) means the security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.
Technical safeguard means a safeguard implemented in technology (hardware, software, or firmware) to protect an asset; examples include access controls, encryption, authentication, and audit logging.
Threat means any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Trojan horse means a computer program that appears to have a useful function, but that also has a hidden and potentially malicious function that evades security mechanisms, sometimes by piggybacking on a legitimate process.
Vulnerability means a weakness in information systems, system security procedures, internal controls, or implementation/configuration of the same that may be exploited by a threat actor.
Whaling means a targeted phishing attack that is aimed at wealthy, powerful, or prominent individuals (e.g., C-suite executives such as chief financial officers (CFO) and chief executive officers (CEO), politicians, and celebrities).Footnote 61
Copyright information
© 2022 Springer Nature Switzerland AG
Cite this chapter
Kim, L. (2022). Cybersecurity: Ensuring Confidentiality, Integrity, and Availability of Information. In: Hübner, U.H., Mustata Wilson, G., Morawski, T.S., Ball, M.J. (eds) Nursing Informatics. Health Informatics. Springer, Cham. https://doi.org/10.1007/978-3-030-91237-6_26
DOI: https://doi.org/10.1007/978-3-030-91237-6_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-91236-9
Online ISBN: 978-3-030-91237-6