Abstract
This article emphasizes the importance of comprehensive cybersecurity education programs in the healthcare industry. The rapid development of technology in healthcare has brought numerous advantages, including electronic health records and telehealth services. However, these advancements also expose the healthcare industry to significant cybersecurity risks. The healthcare industry is an attractive target for cybercriminals due to the presence of sensitive personal and financial information. Current regulations, such as HIPAA and PIPEDA, are in place to protect patient information, but 95% of healthcare industry breaches result from human error. Healthcare organizations must prioritize robust cybersecurity measures and implement comprehensive education programs for all healthcare professionals. This article recommends tailoring educational content to different healthcare roles and incorporating ongoing learning and awareness as essential elements of cybersecurity education. Overall, it calls for a holistic approach to cybersecurity education in healthcare to protect patient information and mitigate cyberthreats.
Introduction
The rapid development of global technology has been advantageous for the healthcare industry. One of these advantages is the use of electronic health records for better data management, increased operational effectiveness, and all-around improved patient care. An additional advantage is the expansion of telehealth services, particularly during the pandemic, which has improved the effectiveness and accessibility of healthcare. With these amazing benefits comes significant cybersecurity risk, making healthcare susceptible to cyberattacks. The healthcare industry presents an attractive target for cybercriminals due to the presence of sensitive personal and financial information in health documents. The value of Personal Health Information (PHI) surpasses that of credit card information due to the inclusion of unique and unchanging personal identifiers, such as health numbers or date of birth. Exploiting this data can lead to identity theft and other fraudulent activities.[1-3] According to a report in 2018 by the Canadian Internet Registration Authority, it was estimated that PHI could be sold for around $1,000 on the dark web compared to credit card information, which is sold for as little as $5.[4] The primary regulations currently in place to protect PHI are the Health Insurance Portability and Accountability Act (HIPAA) enacted in 1996 in the United States and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, which govern the collection, use, and disclosure of personal information, including PHI.[5] An important aspect to consider is that a staggering 95% of healthcare industry breaches result from human error.[6,7] This statistic highlights the critical role that staff members play in ensuring the security and protection of sensitive patient information, as compromising such data poses a significant threat to patient privacy and safety.
Considering this growing concern, healthcare organizations must recognize the inherent risks and prioritize robust cybersecurity measures to protect patient information and well-being.[8] One effective cybersecurity measure is for health leaders to prioritize the implementation of comprehensive cybersecurity education programs that would equip staff with the necessary knowledge and skills to prevent and mitigate potential breaches, which are usually overlooked.[9] These cybersecurity education programs should not be limited to Information Technology (IT) staff who are responsible for ensuring cybernetwork best practices but should encompass all healthcare professionals such as nurses, doctors, and allied health professionals. Health leaders are responsible for ensuring other professionals understand the broader mission of strengthening cybersecurity, recognizing that it extends beyond technology alone. These professionals, being the end-users, play a critical role as the weakest link in maintaining a secure environment. Therefore, imparting this awareness is essential, emphasizing their significance in safeguarding sensitive information and mitigating cyberthreats.[10-12]
The main aim of this article is to emphasize the significance of developing and implementing comprehensive education programs covering the latest threats, risks, policies, and best practices to safeguard PHI. It underscores the critical role of ongoing education and reinforcement to keep healthcare staff updated with the dynamic cybersecurity landscape. The intended audience includes health leaders, IT professionals, and educators responsible for developing and delivering cybersecurity training programs in the healthcare industry.
Cybersecurity in the healthcare industry and why it should be strengthened
The National Cyber Threat Assessment conducted by the Canadian Communications Security Establishment (CSE) in November 2020 highlighted the significant challenges faced by the healthcare industry due to cyberattacks. These attacks have had a detrimental impact on the industry’s ability to provide essential services and protect sensitive data.[13] Hospital data security breaches can cost a single hospital up to $7 million (USD) in fines, legal battles, and reputational damage.[14] These breaches result in monetary losses and pose serious risks to patient privacy and institutional reputation, with potential harm to patients themselves.[15] The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication was developed as a valuable resource for raising awareness and promoting effective cybersecurity practices within the healthcare industry. It aims to establish consistency in mitigating cybersecurity threats and enhancing overall security measures.[11,16]
The 2021 study,[17] conducted on a random sample of 1,000 U.S. employees across different sectors, revealed a concerning lack of awareness among healthcare staff regarding phishing and social engineering attacks. Only 16% of healthcare staff demonstrated a comprehensive understanding of phishing, and a mere 22% felt confident explaining cybersecurity risks to senior management. In comparison, the technology and finance sectors showed higher confidence levels, with 47% and 50%, respectively, expressing a strong grasp of cybersecurity risks. This lack of confidence hampers effective communication among healthcare professionals and stakeholders during suspected cyberattacks. Urgent cybersecurity education is needed in healthcare to combat phishing and social engineering. Additionally, transparent leadership and open communication will empower all stakeholders (medical staff, clinicians, patients, and healthcare authorities) to report cyberthreats and strengthen the digital defence.
Phishing attacks continue to be the most popular and effective tactic for cybercriminals. Phishing is using targeted e-mails to trick recipients into clicking malicious links or downloading malware to obtain sensitive information like usernames, passwords, or medical information.[18,19] Healthcare workers must be able to identify the tactics used in phishing attacks and other social engineering techniques, such as vishing (phone-based phishing), smishing (text-based phishing), and impersonation. The World Health Organization (WHO), being at the apex of the healthcare industry, has reported numerous unsuccessful phishing attempts aimed at obtaining passwords.[20] In Canada, there have been instances of phishing attacks related to COVID-19, such as sending individuals links to fake web sites pretending to be associated with the Canadian Emergency Response Benefit program.[21] In response to these incidents, the Canadian federal government, specifically the Canadian Centre for Cyber Security, has issued alerts to raise awareness about the connection between the latest pandemic and cyberthreats, particularly targeting public health and healthcare organizations.[13] These examples underscore the significance of phishing attacks in the healthcare sector and highlight the importance of implementing comprehensive educational programs to enhance cybersecurity for all healthcare staff, particularly those who handle sensitive information and are at higher risk for cyberattacks.
A comprehensive study[18] was conducted over the course of one month to assess the ability of healthcare staff at a National Health Service Trust in identifying e-mail phishing attempts. The study involved the simulation of phishing attacks by sending deceptive e-mails to the staff. Surprisingly, only 2-3% of the e-mails were recognized as threats, indicating a significant lack of awareness among healthcare professionals. Extrapolating this data reveals the substantial potential risk of phishing in an organization with over 50 million Internet transactions and more than 100,000 e-mails annually. Additionally, the study found that employee e-mail addresses were easily obtained from publicly available sources, such as social media profiles, and some staff members fell victim to false friend requests. Although no credentials were obtained or malicious files downloaded, the phishing e-mails utilized various techniques, including attachments and malicious links. These findings highlight the urgent need for robust education programs that emphasize the risks associated with sharing or leaking information on social media and overall awareness among healthcare staff concerning phishing threats.
In May 2021, the Irish health system experienced a devastating Conti ransomware (a type of malware) attack that had far-reaching consequences.[19] This attack affected over 80% of the organization's IT infrastructure, resulting in data theft and the complete shutdown of crucial systems essential for healthcare delivery and non-clinical systems like finance and procurement.[22] Investigations revealed that the attack originated from a staff member unknowingly opening a malware-infected spreadsheet received via e-mail.[23] The impact of this attack was severe, as it took four months to fully recover and restore operations to normalcy. This incident highlights the urgent need for robust cybersecurity measures and employee education to prevent such devastating attacks in the future.
In a survey of over 600 healthcare professionals by Merlin International and the Ponemon Institute,[24] it was found that around half of the participants believed that “lack of employee awareness and training affects their ability to achieve a strong security posture.” Additionally, nearly three-fourths of the participants “cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture.”[24,25] These findings address the need for increased healthcare staff awareness and training via education programs to strengthen cybersecurity.
Developing and implementing comprehensive ongoing education programs to strengthen cybersecurity in healthcare
Cybersecurity in healthcare has been described as an act of responsibility for all,[19] including decision-makers who often view patient care and cybersecurity as separate and abstract domains, leading to fragmented decision-making. In Canada, patient care takes precedence over cybersecurity, leading decision-makers to view it as an abstract and separate concern, often seen as an IT problem rather than an integral part of healthcare.[21] This disconnect and lack of attention to cybersecurity education of healthcare staff to address the clear link between human error and cybersecurity incidents has far-reaching implications, affecting patients, healthcare organizations, and professionals alike.[8,26] All healthcare staff must be HIPAA compliant and understand their role in safeguarding PHI against cyberthreats. HIPAA allows health leaders to customize compliance measures according to their staff’s needs, and this should be an ongoing process to keep up with evolving cybersecurity challenges. The Office for Civil Rights (OCR) risk analyses recommend conducting bi-annual training and monthly security updates to enhance employee education and awareness. Effective training programs should utilize various delivery methods, such as computer-based modules, classroom sessions, and team discussions, to foster a comprehensive understanding of cybersecurity practices. St. Luke’s University Health Network serves as an example of an organization that prioritizes ongoing education and compliance with HIPAA by regularly sharing scenario-based presentations with its staff. These presentations include real-world examples like the WannaCry and NotPetya attacks of 2017,[27,28] focusing the teaching points on phishing, malware defence, and URL security.[29] This approach has proven successful in strengthening employee knowledge and response to cybersecurity threats.[29]
A study conducted in 2019 on simulated phishing exercises revealed that over time, employee phishing click rates decreased with repeated simulation, demonstrating the effectiveness of awareness as an educational tool to strengthen cybersecurity.[30] Another study[31] showed that infographics were useful in promoting awareness of cybersecurity and reducing the risk of falling for a phishing attack. Therefore, it is crucial for health leaders to establish awareness as the basis of cybersecurity education programs among healthcare professionals regarding the various types of cybersecurity threats, as this enhances their alertness and promotes proactive measures to mitigate risks.[32,33] To optimize the impact of cybersecurity education programs, health leaders should prioritize tailored initiatives that address the unique roles and responsibilities of healthcare professionals. Recognizing that different professionals may encounter varying levels of cybersecurity threats, customizing the educational content to their specific needs and challenges can significantly enhance the program's effectiveness. By customizing the program to different healthcare roles, organizations can provide targeted training and resources that directly address the unique cybersecurity risks faced by each professional group and stakeholder within the healthcare sector. This tailored approach ensures that the educational content is relevant, practical, and aligned with the specific threats encountered in their respective roles, resulting in maximum impact and a stronger overall cybersecurity readiness for the healthcare organization.
There is also a recommended shift towards prioritizing awareness over the current focus on training medical professionals in complex digital health technologies like artificial intelligence.[19] This shift is necessary because artificial intelligence fails to address the crucial aspect of safeguarding PHI, the primary target during cyberattacks. While technical development is essential for strengthening cybersecurity, it is crucial to recognize that relying solely on technology is insufficient. An important aspect highlighted by one study[34] is the behaviour of healthcare professionals, particularly when it comes to repetitive tasks such as handling PHI. Repetition can lead to the formation of habits, which may result in unconscious behaviour and increase the risk of mistakes and, ultimately, data breaches. Additional factors like staff burnout and fatigue[35] can further contribute to unconscious behaviour and potential cybersecurity threats. To effectively tackle these challenges, health leaders must embrace a holistic approach to designing educational programs. This approach should encompass technical solutions and a strong emphasis on fostering technical and mental awareness among staff members. By combining technical measures with a focus on cultivating awareness and mindfulness, healthcare organizations can effectively mitigate security risks and create a safer environment for handling PHI.
The central objective of any educational program for healthcare staff should be to promote continued learning, technical skill enhancement and behavioural orientation that prioritize cybersecurity for the safeguarding of PHI. Health leaders and policy-makers must acknowledge the significance of incorporating ongoing education and formal training focused on cybersecurity within health education initiatives.[36-38] However, it is noteworthy that only a limited amount of literature reports cybersecurity education as part of health policy.[39,40] In this context, the government has a crucial role to play in supporting and promoting the inclusion of cybersecurity education within the broader healthcare policy framework.[41] They must enforce existing laws and rules to stop cybercriminals. The government and health leaders should work together to ensure these laws are followed, even across borders. By emphasizing continuous learning and incorporating cybersecurity education into health policy, healthcare organizations can significantly enhance the overall security readiness of their staff members. This proactive approach not only equips healthcare professionals with the essential knowledge and skills to effectively mitigate cyberattacks but also fosters a culture of cybersecurity awareness and accountability among all individuals working in the healthcare field, including allied health professionals. Additionally, health leaders should lead by example and participate in ongoing educational programs focused on cybersecurity. This top-down approach will have a ripple effect, influencing all staff members and reinforcing the importance of cybersecurity as a collective responsibility.
A practical approach to strengthening a cybersecurity educational program is to use documented cyberattacks as case studies to educate healthcare staff about potential threats and their solutions. By analyzing past incidents, we can learn from them, prevent their reoccurrence, and take preventive measures to avoid similar attacks. Sharing information about cyberattacks within the healthcare industry is essential for strengthening cybersecurity practices, especially in large academic medical centres where the risk of PHI breaches is higher compared to other hospitals.[42] A recent study[43] examined the effectiveness of e-mail warnings in reducing unauthorized access to PHI by hospital employees. The study found that only four employees repeated the offence after receiving an e-mail warning about accessing medical records without a valid work-related purpose, violating HIPAA regulations. Therefore, comprehensive ongoing education programs utilizing case studies of cyberattacks can strengthen healthcare cybersecurity awareness among staff and promote adherence to best practices.
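The monitoring behind that kind of warning programme can be sketched in code. The example below is added here and is not from the article or the study it cites; it assumes a constructed EHR audit log and a constructed care-team roster, flags record accesses that have neither a documented treatment relationship nor a recorded break-the-glass justification, and counts which users re-offend after a first warning.

```python
"""Added example (not from the article): flag EHR record accesses that lack a
documented work-related purpose and count repeat offences after a warning.
All identifiers and log entries below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    ts: str       # timestamp of the record access (constructed)
    user: str     # employee id (constructed)
    patient: str  # patient identifier (constructed)
    reason: str   # "break_glass" when emergency access was justified, else ""


# Constructed care-team roster: employees with a documented treatment
# relationship to each patient. In practice this comes from the EHR.
CARE_TEAM = {
    "p100": {"nurse01", "doc07"},
    "p200": {"doc07"},
    "p300": {"nurse02"},
}

# Constructed audit log, in chronological order.
AUDIT_LOG = [
    AccessEvent("2024-03-01T09:00", "nurse01", "p100", ""),             # own patient
    AccessEvent("2024-03-01T09:05", "nurse01", "p200", ""),             # no relationship
    AccessEvent("2024-03-02T10:00", "doc07",   "p300", "break_glass"),  # justified
    AccessEvent("2024-03-03T11:00", "nurse01", "p300", ""),             # repeat after warning
    AccessEvent("2024-03-03T12:00", "nurse02", "p100", ""),             # first offence
    AccessEvent("2024-03-04T08:00", "nurse02", "p300", ""),             # own patient
]


def is_authorized(ev: AccessEvent) -> bool:
    """Authorized if the user is on the patient's care team, or if a
    break-the-glass justification was recorded for emergency access.
    Break-the-glass events still deserve after-the-fact review elsewhere."""
    if ev.user in CARE_TEAM.get(ev.patient, set()):
        return True
    return ev.reason == "break_glass"


def review(log):
    """Walk the log in order. A user's first unauthorized access triggers an
    e-mail warning; any later unauthorized access by that user is a repeat
    offence. Returns ({user: [patients warned on]}, {user: [repeat patients]})."""
    warnings = defaultdict(list)
    repeats = defaultdict(list)
    for ev in log:
        if is_authorized(ev):
            continue
        if ev.user in warnings:
            repeats[ev.user].append(ev.patient)
        else:
            warnings[ev.user].append(ev.patient)
    return dict(warnings), dict(repeats)


if __name__ == "__main__":
    warned, repeated = review(AUDIT_LOG)
    print("warned:", warned)              # {'nurse01': ['p200'], 'nurse02': ['p100']}
    print("repeat offenders:", repeated)  # {'nurse01': ['p300']}
```

The repeat-offender list is the figure the cited study reports (four employees); feeding it back into role-specific training is the link to the education programme the article argues for.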
Conclusion and recommendations
Countries worldwide have established specialized Computer Emergency Response Teams (CERTs) to aid healthcare organizations in addressing cybersecurity challenges effectively. Notable examples include CareCERT in the UK, OpenCERT Canada in Canada, U.S.-CERT in the United States, HelseCERT in Norway, and ZorgCERT in the Netherlands. These CERTs play a vital role in bolstering healthcare organizations' preparedness against cybersecurity threats. To further strengthen cybersecurity measures, healthcare organizations must prioritize regular and targeted training programs for their staff, making them an integral part of employees' Key Performance Indicators (KPIs). These programs should encompass routine knowledge assessments and simulated phishing exercises to keep employees up-to-date with the latest threats and foster a culture of vigilance. Additionally, cybersecurity modules should be incorporated into the curricula of health-related disciplines, empowering professionals to actively contribute to healthcare cybersecurity.
Equally important, health leaders need to provide resources and support to actively engage staff in cybersecurity education. Collaborating with security organizations and tailoring educational programs to different learning styles and educational levels ensures content is concise, easily understandable, and more effectively retained. By investing in robust educational initiatives, health leaders demonstrate their commitment to prioritizing cybersecurity, encouraging a proactive mindset throughout the organization.
A comprehensive and ongoing approach to cybersecurity education is recommended for all healthcare staff, tailored to their specific roles, and encompassing technical knowledge, risk awareness, and protection of protected health information. To bolster industry-wide cybersecurity practices, health leaders and policy-makers should integrate cybersecurity education into health policies and enforce existing laws to deter cybercriminals. Promoting information-sharing among organizations further enhances the overall cybersecurity posture. Cultivating a cybersecurity awareness and accountability culture is paramount to safeguarding patient information and maintaining trust in the healthcare system. By equipping healthcare staff with thorough cybersecurity knowledge, organizations can leverage them as valuable assets and the first line of defence against cyberthreats, ensuring safe patient care in the digital age.
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Ethical approval
Institutional Review Board approval was not required.
