Cybersecurity in Hospitals: An Evaluation Model
Abstract
1. Introduction
2. Background
2.1. Cybersecurity in Hospitals
2.2. Cyber-Attack Types in Hospitals
2.2.1. Email Phishing Attack
2.2.2. Ransomware Attack
2.2.3. Loss or Theft of Equipment or Data
2.2.4. Insider, Accidental, or Intentional Data Loss
2.2.5. Attacks against Connected Medical Devices
2.3. Protecting Hospitals from Cyber-Attacks
3. Objective
4. Methodology
- Choosing the indicators that make up the evaluation model;
- Creating the model;
- Writing the model as a code in MATLAB;
- Testing the model using a set of data from three different hospitals;
- Analyzing the results and adjusting the model if needed;
- Validating the model and adjusting it as needed.
5. Evaluation Model
6. Dataset
7. Results
8. Discussion
8.1. Model Validation
8.2. Model Limitations
9. Conclusions and Future Works
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Abbreviations
Symbol | Definition |
---|---|
UT | User Training |
AM | Access Management |
BU | Backup System |
PP | Endpoint Protection |
EP | Email Protection |
UD | Updating Equipment |
MU | Medical Device Update |
CP | Cybersecurity Policy |
NS | Hospital Network (HIS) Access |
MD | Medical Device Access |
W1–14 | Weights between 0 and 1 assigned according to measured importance in the required hospital |
References
1. Goutam, R.K. Importance of Cyber Security. Int. J. Comput. Appl. 2015, 111, 4.
2. Dummanaboyina, K.S.C. Cyber Security and Its Importance. Available online: https://www.researchgate.net/publication/347439655_CYBER_SECURITY_AND_ITS_IMPORTANCE (accessed on 23 March 2022).
3. Jalali, M.S.; Kaiser, J.P. Cybersecurity in hospitals: A systematic, organizational perspective. J. Med. Internet Res. 2018, 20, e10059.
4. Argaw, S.T.; Troncoso-Pastoriza, J.R.; Lacey, D.; Florin, M.-V.; Calcavecchia, F.; Anderson, D.; Burleson, W.; Vogel, J.-M.; O'Leary, C.; Eshaya-Chauvin, B.; et al. Cybersecurity of Hospitals: Discussing the challenges and working towards mitigating the risks. BMC Med. Inform. Decis. Mak. 2020, 20, 1–11.
5. Saudi Food and Drug Authority (SFDA). Guidance to Medical Devices Cybersecurity for Healthcare Providers; SFDA: Riyadh, Saudi Arabia, 2019; pp. 1–9.
6. Coventry, L.; Branley, D. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas 2018, 113, 48–52.
7. US Department of Health and Human Services. Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients; US Department of Health and Human Services: Washington, DC, USA, 2020.
8. Syiemlieh, P.; Khongsit, G.M.; Sharma, U.M.; Sharma, B. Phishing—An Analysis on the Types, Causes, Preventive Measures and Case Studies in the Current Situation. IOSR J. Comput. Eng. 2015, 9, 2278–8727.
9. Imaji, A.O. Ransomware Attacks: Critical Analysis, Threats, and Prevention Methods. Available online: https://www.researchgate.net/publication/332551447_Ransomware_Attacks_Critical_Analysis_Threats_and_Prevention_methods (accessed on 23 March 2022).
10. Cheung, A.; Clayden, N.; Ocampo, W.; Kiplagat, L.; Kaufman, J.; Baylis, B.; Conly, J.M.; Ghali, W.A.; Ho, C.H.; Stelfox, H.T.; et al. Documentation and investigation of missing health care equipment: The need to safeguard high priced devices in health care institutions. J. Hosp. Adm. 2017, 6, 10.
11. Seh, A.H.; Zarour, M.; Alenezi, M.; Sarkar, A.K.; Agrawal, A.; Kumar, R.; Ahmad Khan, R. Healthcare Data Breaches: Insights and Implications. Healthcare 2020, 8, 133.
12. Skierka, I.M. The governance of safety and security risks in connected healthcare. In Proceedings of the Living in the Internet of Things: Cybersecurity of the IoT—2018, London, UK, 28–29 March 2018; pp. 1–12.
13. Tabasum, A.; Safi, Z.; AlKhater, W.; Shikfa, A. Cybersecurity Issues in Implanted Medical Devices. In Proceedings of the 2018 International Conference on Computer and Applications (ICCA), Beirut, Lebanon, 25–26 August 2018; pp. 1–9.
14. Almunawar, M.N.; Anshari, M. Health Information Systems (HIS): Concept and Technology. arXiv 2012, arXiv:1203.3923.
15. Kim, J.; Lee, C.; Chang, H. The Development of a Security Evaluation Model Focused on Information Leakage Protection for Sustainable Growth. Sustainability 2020, 12, 10639.
16. Callejas-Cuervo, M.; Alarcon-Aldana, A.C.; Lopez, A.B. Security evaluation model for virtual learning environments. In Proceedings of the 2016 XI Latin American Conference on Learning Objects and Technology (LACLO), San Carlos, Costa Rica, 3–7 October 2016; pp. 1–6.
Seq | Cybersecurity Measure | Description | Threat |
---|---|---|---|
1 | Regular Staff Training | This indicator makes sure that every employee has cybersecurity and threat training once yearly | Email phishing; intentional, accidental, and unintentional data loss |
2 | Email Protection System | This indicator calculates how many spam filters are applied to each received email | Email phishing; ransomware |
3 | Endpoint Protection Systems | This indicator accounts for the size of unauthorized data transfers | Loss or theft of data |
4 | Access Management Policy | This indicator accounts for unauthorized access to the network | Ransomware; intentional, accidental, and unintentional data loss |
5 | Backup System | This indicator makes sure data are continuously backed up and that the size is increasing in every backup | Ransomware |
6 | Updated Equipment | This indicator accounts for every computer in the organization and their update status | Loss or theft of equipment |
7 | HIS access control | The health information system should not be accessed by unauthorized personnel [14]. This indicator accounts for unauthorized access. | Loss or theft of data |
8 | Implementing Cybersecurity Policy | This indicator accounts for the availability of a policy that discusses cybersecurity | All threats |
9 | Medical Devices Security | This indicator accounts for every medical device that is connected to the network and makes sure it is updated | Attacks against connected medical devices |
10 | Limiting Access to Medical Devices | This indicator accounts for unauthorized access to medical equipment | Attacks against connected medical devices |
Measure | Hospital A | Hospital B | Hospital C |
---|---|---|---|
Number of Employees | 1500 | 700 | 4000 |
Cyber Training Sessions yearly | 6 | 2 | 0 |
Capacity of Sessions | 200 | 150 | 0 |
Number of Data backups yearly | 12 | 2 | 6 |
Size of Data in first backup of the year (GB) | 480 | 150 | 1000 |
Increment of data every month (%) | 10% | 5% | 15% |
Number of Spam filters applied (Up to 3) | 1 | 0 | 2 |
Number of approved data transfers yearly | 100 | 50 | 650 |
Average size of data in each transfer (MB) | 250 | 200 | 300 |
Total size of transferred data yearly (MB) | 40,000 | 8000 | 785,000 |
Number of approved network access instances | 1500 | 600 | 3850 |
Total network access | 2300 | 1200 | 6500 |
Number of non-medical electronic devices | 1700 | 900 | 6000 |
Number of inventories of non-medical devices | 12 | 6 | 12 |
Average number of Up-to-date non-medical devices in every inventory | 150 | 80 | 600 |
Number of electronic medical devices | 3200 | 1600 | 10,000 |
Number of inventories of medical devices | 12 | 4 | 12 |
Average number of Up-to-date medical devices in every inventory | 300 | 250 | 550 |
Number of employees who can access HIS | 1000 | 450 | 3000 |
Actual access to HIS | 1300 | 500 | 2800 |
Number of employees that access medical devices | 700 | 350 | 3600 |
Actual access to medical devices | 500 | 400 | 3800 |
Availability of Cybersecurity policy | Yes | No | Yes |
Hospital | Minimum Indicator | Maximum Indicator | Final Score |
---|---|---|---|
A | Email Protection System | Medical device access, Updating Medical and non-medical devices, and Cybersecurity Policy | 80.9% |
B | Cybersecurity Policy and Email Protection System | Endpoint Protection System | 50.2% |
C | Cybersecurity Training | Non-medical device Update and Access Management | 65.5% |
Model | Model 1 | Model 2 | Our Model |
---|---|---|---|
Number of factors | 26 indicators | 6 indicators | 10 indicators |
Number of trials | 3 Validation methods | 2 Systems | 3 Hospitals |
Type of results | The results are the factors that they use | Percentage | Percentage (score) |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Ahmed, M.A.; Sindi, H.F.; Nour, M. Cybersecurity in Hospitals: An Evaluation Model. J. Cybersecur. Priv. 2022, 2, 853-861. https://doi.org/10.3390/jcp2040043