HEALTHCARE CYBERSECURITY LANDSCAPE: CHALLENGES, SOLUTIONS, AND FUTURE DIRECTIONS
Keywords:
Healthcare Cybersecurity, Electronic Health Records (EHR), Telehealth Privacy, Employee Cybersecurity Training
Abstract
The healthcare industry's reliance on digital technologies has increased in recent years. With electronic health records, telemedicine, and connected medical devices, the industry depends on technology more than ever to provide better health outcomes to patients, improve operational efficiency, and bolster medical research. However, cyberattackers are exploiting this reliance, as is evident from the rapidly changing threat landscape. Ransomware, phishing, and data breaches have become commonplace. This article explores the cybersecurity challenges specific to the healthcare sector and discusses practical solutions and best practices for preserving patient trust in the digital age.
By examining various aspects of healthcare cybersecurity, including EHR security, medical device security, telehealth privacy, and compliance with regulations, this article aims to provide insights and recommendations for healthcare organizations to strengthen their cybersecurity posture and safeguard patient data effectively.