BACKGROUND
Healthcare is facing a growing threat of cyberattacks. Myriad data sources illustrate the same trends: healthcare is one of the industries with the highest risk of cyber infiltration, and it is seeing the rate of security incidents surge within just a few years. The circumstances thus prompted the question: are US hospitals prepared for the risks that accompany clinical medicine in cyberspace?
OBJECTIVE
This study aimed to identify the major topics and concerns present in today’s hospital cybersecurity field, and is intended for an audience of non-cyber professionals in hospital settings.
METHODS
Via a structured literature search of the National Institutes of Health’s PubMed database (including the MEDLINE database) and Tel Aviv University’s DaTa database, 35 journal articles were identified to form the core of the study. 86 additional sources were examined to inform the study findings.
RESULTS
The literature review revealed a basic landscape of hospital cybersecurity, including the top ten methods of attack, the primary reasons hospitals are frequent targets, and the consequences hospitals face following attacks. The cyber technologies common in clinical medicine, as well as their risks, were also examined, with the major categories highlighted being medical devices, telemedicine software, and electronic data. By infiltrating any of these three components of clinical care, cyber attackers can access a trove of valuable information and manipulate, steal, ransom, or otherwise compromise the records, or can use that access as a foothold to reach other parts of a hospital’s network. Multiple secondary issues that can increase the cyber risks associated with devices, telemedicine, and electronic data were also identified. Finally, strategies that hospitals tend to employ to combat the cyber risks were explored and found to be subpar. Hospitals’ cybersecurity measures contain serious vulnerabilities and gaps that many of today’s hospitals fail to address. The COVID-19 pandemic was used to further illustrate this issue.
CONCLUSIONS
Comparison of the risks, strategies, and gaps revealed that many hospitals in the US are unprepared for cybersecurity risks. The focus of their efforts is misdirected, and external (often governmental) efforts are negligible. Policy changes, such as training employees in cyber protocols, adding advanced technical protections, and collaborating with a variety of experts, are necessary. Overall, hospitals must recognize that, in cyber incidents, the real victims are the patients. They are the ones at risk, both physically and in the confidentiality of their information, when medical devices, hospital equipment, or treatments are compromised.