Cyber Hygiene Methodology for Raising Cybersecurity and Data Privacy Awareness in Healthcare Organisations (Preprint)

Authors:

Argyridou Elina, Nifakos Sokratis, Laoudias Christos, Panda Sakshyam, Panaousis Emmanouil, Chandramouli Krishna, Navarro-Llobet Diana, Mora Zamorano Juan, Papachristou Panagiotis, Bonacina Stefano

Abstract

BACKGROUND

Cyber threats are increasing across all business sectors and the cost of cybersecurity and data privacy incidents is rising globally, with healthcare being a prominent domain. In response to the ever-increasing threats, healthcare organisations are enhancing their technical measures with cybersecurity controls (e.g., firewalls, secure configuration, patch management) that not only address the essential requirements for certification (e.g., ISO 27001, HCISPP) but also implement advanced solutions (e.g., incident management, supply chain security) for further protection. Ultimately, the goal of these controls is to protect and preserve the business continuity of patient services. Despite the need for technical controls, humans are evidently the weakest link in the cybersecurity posture of a healthcare organisation. This, in combination with the view that cybersecurity is only as good as its weakest link, suggests that addressing the human aspects of cybersecurity is a key step towards managing cyber-physical risks. In practice, healthcare organisations are requested to apply general cybersecurity and data privacy guidelines that focus on the human factor. However, there is limited literature on the methodologies and procedures that can assist healthcare organisations in successfully mapping these guidelines to specific controls (interventions), including awareness activities and training programs, with a measurable impact on personnel. To this end, tools and structured methodologies for assisting higher management in selecting the minimum number of required controls that will be most effective on the healthcare workforce are highly desirable, but not yet available to healthcare personnel.

OBJECTIVE

This paper introduces an exploratory Cyber Hygiene (CH) methodology that employs a unique survey-based risk assessment approach for raising the cybersecurity and data privacy awareness of different employee groups in healthcare organisations. The proposed CH methodology considers the human aspects in the chain of cyber defence by focusing on the gaps and needs of individual employee groups. The main objective of the methodology is to identify the most effective strategy for managing cybersecurity and data privacy risks and to recommend targeted human-centric controls (e.g., awareness activities, training programs, rewards, etc.), tailored to the organisation-specific needs (e.g., culture, personnel background, employee role and responsibilities, etc.), that implement the strategy. The recommended controls, which are selected from a larger set of candidate controls, ensure that cybersecurity and data privacy awareness are improved while keeping the cost low, because the recommendation is the most effective combination of controls, which in most cases is a subset of all the controls.

METHODS

The development of the CH methodology relied on two key methods, namely a cross-sectional exploratory survey study followed by a proposed risk-based survey analysis approach. First, the survey facilitated the collection of responses to extract knowledge and assess the needs and gaps of 4 different employee groups, i.e., i) Administrative; ii) Medical/Clinical; iii) IT/Technical; and iv) Executive/Security, across 3 European healthcare organisations (hospitals and research institutes). The online survey, comprising 28 questions, was released to describe the situation for all 4 employee groups at each organisation with respect to 7 types of cybersecurity and data privacy risks (i.e., risk categories). Each risk category is represented by an exclusive subset of questions. Next, we transcribed the responses into the proposed risk-based analysis approach to obtain insights about the risk levels per organisation, employee group, and risk category. In particular, 5 strategies were defined for managing the risks, while risks were discretized into a range of 1 to 5, with 1 representing the lowest risk and 5 the highest, both from the employees' perspective. We defined the procedures for quantifying the risk by means of a risk marking computed from the survey responses. This quantification of risk based on information gathered from survey responses enabled us to identify the most effective strategy among Mitigation, Reduction, Monitoring, Checking, and Acceptance.
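As an added illustration that is not the paper's own code or scoring rules, the following Python sketch shows the shape of the pipeline described above: the responses to each risk category's exclusive question subset are collapsed into a 1 to 5 risk marking, the marking selects one of the five strategies, and the strategy pulls a control subset from a catalogue. The rounded-mean scoring, the marking-to-strategy thresholds, the question groupings, the control catalogue and the sample responses are all assumptions constructed for this example.

```python
from statistics import mean

# ASSUMED mapping of discretized risk marking (1..5) to the paper's five strategies.
STRATEGIES = {5: "Mitigation", 4: "Reduction", 3: "Monitoring",
              2: "Checking", 1: "Acceptance"}

# ASSUMED: each risk category owns an exclusive subset of survey question ids.
CATEGORY_QUESTIONS = {
    "Password hygiene": ["Q1", "Q2"],
    "Phishing": ["Q3", "Q4", "Q5"],
    "Data handling": ["Q6", "Q7"],
}

# ASSUMED catalogue: strategy -> list of (control type, implementation level).
CONTROLS = {
    "Mitigation": [("Training", "quarterly training, beginners' level material"),
                   ("Awareness", "monthly awareness briefing")],
    "Reduction":  [("Training", "semi-annual training"), ("Motivation", "team goals")],
    "Monitoring": [("Awareness", "periodic reminders")],
    "Checking":   [("Rewarding", "recognise compliant behaviour")],
    "Acceptance": [],
}

def check_exclusive(category_questions):
    """True if no question id is shared between two risk categories."""
    seen = set()
    for qs in category_questions.values():
        if seen.intersection(qs):
            return False
        seen.update(qs)
    return True

def risk_marking(responses, questions):
    """responses: {question_id: [answers of one employee group]}, answers on a
    1..5 scale with 5 = riskiest (ASSUMED). Marking = mean rounded half-up."""
    answers = [a for q in questions for a in responses[q]]
    return max(1, min(5, int(mean(answers) + 0.5)))

def assess(responses):
    """Per risk category: (marking, strategy, recommended controls)."""
    out = {}
    for cat, qs in CATEGORY_QUESTIONS.items():
        m = risk_marking(responses, qs)
        out[cat] = (m, STRATEGIES[m], CONTROLS[STRATEGIES[m]])
    return out

# Constructed sample: three Administrative respondents at a hypothetical organisation.
SAMPLE_RESPONSES = {"Q1": [5, 4, 5], "Q2": [5, 5, 4],
                    "Q3": [3, 3, 2], "Q4": [3, 2, 3], "Q5": [3, 3, 3],
                    "Q6": [1, 2, 1], "Q7": [1, 1, 2]}
```

Running `assess(SAMPLE_RESPONSES)` yields Mitigation for password hygiene, Monitoring for phishing and Acceptance (no controls) for data handling, so only a subset of the catalogue is recommended.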

RESULTS

As a first result, a list of human-centric controls and implementation levels (e.g., quarterly personnel training with beginners' level material) was created, including a variety of controls categorised as Training, Awareness, Motivation, and Rewarding controls. These controls were associated with risk categories and were mapped to risk strategies for managing the risks related to all employee groups. Our mapping enables the computation and subsequent recommendation of subsets of human-centric controls to implement the identified strategy for managing the overall risk of the healthcare organisation. An indicative example demonstrates the application of the exploratory CH methodology in a simple scenario. Finally, by applying the CH methodology in the healthcare sector we obtained results (i.e., risk markings, identified strategies to manage the risks, and recommended controls) for each of the 3 healthcare organisations, each employee group, and each risk category. For anonymization purposes, the organisations were assigned a random name identifier (HO1, HO2, and HO3). Indicative high-level findings include: i) Administrative and Medical/Clinical employees at HO3 have fewer high risks compared to HO1 and HO2, which implies that these employee groups at HO3 seem to better understand the general concepts of cyber hygiene; and ii) Administrative and Medical/Clinical employees at HO1 and HO2 have medium-high risk evaluations in most risk categories. Thus, they are encouraged to adopt the controls recommended by our CH methodology to manage these risks and improve the situation with respect to the personnel's cybersecurity and data privacy perception and behaviour.

CONCLUSIONS

In this paper we present an exploratory methodology for improving the CH perception and behaviour of personnel in the healthcare sector. The applicability and added value of the proposed CH methodology are demonstrated using real-life survey data collected from 3 European healthcare organisations. Our findings suggest that adopting a risk-based approach to quantify the risk associated with various human-related cybersecurity and data privacy threats facilitates the effective management of individual cybersecurity risks across different organisations and across diverse employee groups within the same organisation, i.e., different organisations and/or employee groups face different risks. By applying the CH methodology, we provide the risk strategies together with the list of recommended human-centric controls for managing a wide range of cybersecurity and data privacy risks related to healthcare employees.

Publisher

JMIR Publications Inc.
