Case Study Analysis: Cybersecurity Breach at Metropolitan Health Systems

DOI: 10.4018/979-8-3693-3226-9.ch007

Abstract

Cyber-attacks from internal and external bad actors have become increasingly pervasive in healthcare. It is estimated that the healthcare field made up about 24% of all the cyber-attacks in 2019. The total financial loss is estimated to be 6 billion dollars, about 7.13 million per attack, compared to $3.86 million in all other fields. Moreover, cyber-terrorist groups, such as SamSam, Conti, and WannaCry, do not just target one organization at a time. When they unleash their ransomware, it is on multiple organizations simultaneously and crosses state lines and country borders. Metropolitan Health Systems (MHS), a hospital system in Ohio, is one such hospital that has been a target for both external and internal cyber-attacks five times within the last eight years (2015 – 2023). The hospital and its third-party vendors have experienced data theft, leaving the hospital system vulnerable to future cyber-attacks. This case analysis defines the current problem, develops a risk management plan, and creates solutions for how MHS can plan for and mitigate any cyber-attacks in the future.

Problem Statement

Healthcare companies are at an increased risk of both cyber-attacks and internal security risks and there are multiple vulnerabilities within a hospital system where a cyber-attack can occur (see Figure 1):

  1. Network: The network integrates all the hospital systems together and is what makes it possible for two different doctors in two different locations to access the same record. Once infiltrated, a hacker gains control over all the hospital’s systems and individual computer stations (U.S. Department of Health and Human Services, 2021).

  2. Internet of Things (IoT): The IoT is “… a network of physical devices, vehicles, appliances and other physical objects that are embedded with sensors, software and network connectivity that allows them to collect and share data” (IBM, n.d.). In a hospital system, these are the medical devices such as x-ray machines, surgery robots, MRI machines, etc. These devices become vulnerable because they lack their own security (U.S. Department of Health and Human Services, 2021-a).

  3. Records Disposal: The Health Insurance Portability and Accountability Act (HIPAA), created by the Department of Health and Human Services, provides national guidance on protecting individual medical records and any other personally identifiable information (U.S. Department of Health and Human Services, n.d.-b). While electronic health records (EHR) eliminate the need for printing and disposing of records via shredding, any method of record disposal is considered a vulnerability (U.S. Department of Health and Human Services, 2021-a).

  4. Data Storage: Like records disposal, records storage is protected under the HIPAA privacy guidelines. Record storage can be done onsite or with a third-party vendor, and the privacy laws apply equally to both, which makes it extremely attractive to hackers (U.S. Department of Health and Human Services, 2021-a).

  5. Remote Work: Remote work, whether in the form of administrative duties performed at home or work at a remote lab site, opens chances for cyber-attacks when security protocols are not followed or when security patches do not reach all remote work sites (U.S. Department of Health and Human Services, 2021-a).

  6. Personal Devices: Personal devices such as smartphones, iPads, or any other personal electronic devices that are connected to the network automatically weaken security protocols. If a connected device has a virus, it can infect the entire network (U.S. Department of Health and Human Services, 2021-a).

Figure 1. Hospital vulnerability points

From “2020: A Retrospective Look at Healthcare Cybersecurity” by U.S. Department of Health and Human Services, 2021. https://www.hhs.gov/sites/default/files/2020-hph-cybersecurty-retrospective-tlpwhite.pdf. Copyright by Wall Street Journal.

Key Terms in this Chapter

Cyber-Attacks: An electronic infiltration designed to steal organizational data.

Human Factors Theory: This theory helps the organization prepare their employees for the unexpected by providing them processes and systems that are designed to support them and will be altered when needed.

PESTLE Analysis: An Enterprise Risk Analysis tool that helps an organization view any potential issues when looking to grow. It can also be useful when trying to solve a risk management problem. PESTLE stands for Political, Economic, Sociological, Technological, Legal and Environmental.

Cultural Iceberg Model: An organizational cultural model designed to understand how the culture in an organization works.

Resilience Theory: This theory speaks to how well an organization will bounce back after a cyber-attack.

Ransomware: Electronic form of ransom. Cyber criminals install malware on a network server and steal electronic data. They require money paid to them to release the electronic data.

Maurer 3 Levels Resistance and Change Model: Change management model that helps define why employees fail to implement changes when requested/required by leadership.

Technology Adoption Model: An organizational tool that provides guidelines for when employees will follow the requirements and when they will not.

Theory of Planned Behavior: This theory looks at the motivation behind a deliberate behavior by looking at intentions and perceived control.

Security Risks: Any form of risk that results in loss of data.

Stages of Cyber-attack: These are the stages that an organization goes through after a cyber-attack occurs. The stages are Incidence, Recovery and Full Recovery.

Reputation: The organization’s brand that is familiar to customers. It can either be positive or negative. Negative reputation can lead to layoffs and closures.

Analytical Problem-Solving Approach – FEMA: An organizational problem-solving approach originally created by FEMA for emergency situations. This approach has five steps: Identify the problem, explore the alternatives, select an alternative, implement a solution, evaluate the situation.

Cultural Theory of Risk: This theory is predicated on the idea that employees will evaluate the risk of following a security protocol based upon their work culture.

Protection Motivation Theory: Based on fear appeals, by utilizing persuasive messages that tell someone what could happen if they do not follow a protocol, the employee is more likely to be afraid of the consequences and follow the requirements.

Electronic Health Records (EHR): An electronic form of record keeping that is utilized by hospitals, clinics, providers, healthcare companies and third-party vendors.
