Cybersecurity in Healthcare

Clinical Informatics Study Guide

Abstract

Healthcare has always generated vast amounts of data, but the advent and implementation of electronic health records (EHRs) have now digitized this data and made it available to all clinicians. Moving data digitally is superior to moving paper, but it also carries a greater risk of interception. Healthcare data privacy is taken seriously, and a robust legal framework is dedicated to protecting patient privacy. Over the past decade, the number of cyber-attacks on healthcare organizations has risen dramatically, violating patient privacy and interrupting clinical care. Swift payouts and lowered technical barriers have attracted nation-states and other nefarious actors to pursue cyber-attacks for monetary gain. Healthcare's historically sluggish response is now shifting toward a more proactive posture on information security and cybersecurity. It is incumbent on informaticians to understand why and how cybercriminals attack and what must be done to bolster an organization's defenses.



Corresponding author

Correspondence to Bryan C. McConomy.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this chapter

Cite this chapter

McConomy, B.C., Leber, D.E. (2022). Cybersecurity in Healthcare. In: Finnell, J.T., Dixon, B.E. (eds) Clinical Informatics Study Guide. Springer, Cham. https://doi.org/10.1007/978-3-030-93765-2_17

  • DOI: https://doi.org/10.1007/978-3-030-93765-2_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93764-5

  • Online ISBN: 978-3-030-93765-2
