In recent decades, the wide diffusion of health information technology and electronic health records has increased the productivity of the healthcare sector, with a positive impact on the quality of care. However, this process has exposed new vulnerabilities: wider extension and integration of heterogeneous networks, more network-connected medical devices, more clinical data collected and handled, and more information technology (IT) users, often with a low level of IT literacy. As a consequence, the healthcare sector is even more attractive to threat agents than other sectors, because medical records fetch a high price on the black market and security incidents take longer to discover, which usually leaves enough time to exploit the stolen patient data.

In fact, in the last year, several compromises of healthcare records have been reported. In 2018, healthcare recorded the highest number of breaches of any sector. Healthcare falls short on many security measures, such as non-compliance with the regulatory framework, growth of unmanaged IoT (Internet of Things) devices, vulnerable medical management apps, and difficulties with physical access controls.

In the healthcare sector, the main asset that cyber-attacks can directly hit is personal health information (PHI). Cyberattacks can render PHI inaccessible, with reduced quality of service or interruption of service and (temporary) unavailability of data. Theft of clinical data may infringe integrity (e.g. malicious encryption or counterfeiting) or confidentiality and privacy (e.g. data sold on the black market). In the supply chain, while the healthcare provider is the data controller, the hardware/software provider often plays the role of data processor for all data collected with its solutions. Thus, the consequences of a cyber incident can extend to the hardware/software provider.

Cyberattacks can indirectly hit other intangible assets, such as “reputation”, “brand” and “key competencies and human capital”. In addition, further expenses may arise from interruption of service, restoration of the pre-attack state, legal assistance, notification to the supervisory authority, breach notification to customers, actions to win back lost customers and recovery from the loss of revenues. A procedure for quantifying the value of the intangible assets has to be part of the adopted risk assessment methodology. A quantitative evaluation of the impact is extremely important in a sector like healthcare, where the average resources dedicated to cybersecurity are lower than in other business sectors: it gives the organisation's management a solid basis on which to decide whether the investment is worth making.

The analysis of the human factor's impact on cybersecurity has highlighted a frequent mismatch between the rules imposed on employees by managers and the employees' actual behaviour. Attitudes towards cybersecurity in different organisations appeared to differ from the expected correct behaviour. Operators' routines and habits prove highly resistant to change, especially when those habits shorten their work. Companies should minimise human vulnerabilities by designing security policies that consider the specific needs and constraints of the work activity and reduce the opportunities for conflict between security and work efficiency objectives.

Key findings

  • The high diffusion of health information technology and electronic health records has exposed new vulnerabilities due to heterogeneous networks, network-connected medical devices, and the growing volume of clinical data collected and handled and of information technology users.
  • Cybercrime has a high interest in the healthcare sector due to the high value of medical records, the longer time to discover a security incident compared to the financial sector, and the fewer resources dedicated to cybersecurity by healthcare providers compared to other sectors.
  • Personal health information (PHI) is the main asset that cyber-attacks can directly hit.
  • Confidentiality, privacy, integrity and availability of PHI must be protected to avoid two scenarios: PHI that is not accessible (unavailability of data), with reduced quality of service; and PHI compromised by a data breach, with infringement of integrity or confidentiality/privacy.
  • In the risk assessment, it is fundamental to analyse the supply chain in order to evaluate how the impact of a cyber incident can propagate to other nodes of the supply chain.
  • In a sector where many IT users are not highly computer literate, assessing the impact of the human factor on cybersecurity is essential.
  • Greater awareness among healthcare personnel is needed to close the gap between their attitude and the expected correct behaviour.
  • Companies should design security policies that consider the specific needs and constraints of the work activity, thus reducing the opportunities for conflict between security and work efficiency objectives.
  • Evaluating the cascade effects that follow a cyber-attack can reveal very high costs.
  • A reliable quantitative risk assessment is needed to convince healthcare managers to invest in cybersecurity, in a sector where the average resources dedicated to cybersecurity are lower than in other business sectors.
  • Organisations need to share cyber threat scenarios and related data, to invest more resources in cybersecurity, to consider the entire supply chain in the risk assessment, to consider the impact of human factors, and finally to adopt a common approach to European cybersecurity risk assessments.
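The quantitative impact evaluation called for above (the paragraph on intangible assets and the findings on cascade effects and on convincing managers to invest) is illustrated here with an added example that is not part of the original report and does not reproduce any method the report itself specifies. It assumes a simple annualised-loss-expectancy model (loss per incident multiplied by the expected yearly rate), treats cascade effects as a share of the provider's direct cost borne by a supply-chain node such as the data processor, and uses constructed euro figures for a hypothetical ransomware scenario. The point it makes is the one the text makes: leaving intangible assets out of the model can flip the investment decision.

```python
"""Annualised-loss model for a healthcare cyber incident, with supply-chain cascade.

Added illustration, not the report's own method. The cost categories follow the
text (interruption of service, restoration, legal assistance, notifications,
customer recovery, lost revenue, plus the intangible assets reputation, brand and
human capital); the model and all figures are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    """One cyber-incident scenario for a healthcare provider (data controller)."""
    name: str
    annual_rate: float                  # expected incidents per year (annualised rate of occurrence)
    direct_costs: dict[str, float]      # expenses per incident, by category
    intangible_costs: dict[str, float]  # quantified value lost on intangible assets, per incident
    # supply-chain node -> share of the provider's direct cost that propagates to it
    cascade: dict[str, float] = field(default_factory=dict)


def single_loss_expectancy(s: Scenario, include_intangibles: bool = True) -> float:
    """Loss per incident: direct expenses plus, optionally, the quantified intangible value."""
    loss = sum(s.direct_costs.values())
    if include_intangibles:
        loss += sum(s.intangible_costs.values())
    return loss


def annualised_loss_expectancy(s: Scenario, include_intangibles: bool = True) -> float:
    """Expected yearly loss for the provider alone."""
    return s.annual_rate * single_loss_expectancy(s, include_intangibles)


def cascade_losses(s: Scenario) -> dict[str, float]:
    """Per-incident loss propagated to each supply-chain node (e.g. the data processor)."""
    direct = sum(s.direct_costs.values())
    return {node: share * direct for node, share in s.cascade.items()}


def total_supply_chain_exposure(s: Scenario) -> float:
    """Expected yearly loss across the provider and every cascade node together."""
    return s.annual_rate * (single_loss_expectancy(s) + sum(cascade_losses(s).values()))


def evaluate_control(s: Scenario, annual_control_cost: float, rate_reduction: float,
                     impact_reduction: float, include_intangibles: bool = True) -> dict:
    """Compare yearly loss before and after a control that cuts incident rate and/or impact.

    rate_reduction and impact_reduction are fractions in [0, 1]; the decision rule is
    simply whether the avoided yearly loss exceeds the control's yearly cost.
    """
    ale_before = annualised_loss_expectancy(s, include_intangibles)
    ale_after = (s.annual_rate * (1 - rate_reduction)
                 * single_loss_expectancy(s, include_intangibles) * (1 - impact_reduction))
    benefit = ale_before - ale_after
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_benefit": benefit,
        "net_benefit": benefit - annual_control_cost,
        "worth_it": benefit > annual_control_cost,
    }


# Constructed sample scenario: ransomware making the EHR unavailable at a hospital.
RANSOMWARE = Scenario(
    name="ransomware on EHR (PHI unavailable)",
    annual_rate=0.3,  # assumed: roughly one incident every three years
    direct_costs={
        "interruption_of_service": 120_000,
        "restoration_of_pre_attack_state": 80_000,
        "legal_assistance": 30_000,
        "supervisory_authority_notification": 5_000,
        "customer_breach_notification": 25_000,
        "recovery_of_lost_customers": 40_000,
        "lost_revenue": 60_000,
    },
    intangible_costs={"reputation": 150_000, "brand": 50_000, "human_capital": 20_000},
    cascade={"ehr_vendor_data_processor": 0.25},  # assumed share borne by the data processor
)

if __name__ == "__main__":
    print(f"loss per incident:  {single_loss_expectancy(RANSOMWARE):,.0f}")
    print(f"yearly loss:        {annualised_loss_expectancy(RANSOMWARE):,.0f}")
    print(f"cascade per event:  {cascade_losses(RANSOMWARE)}")
    print(f"supply-chain yearly:{total_supply_chain_exposure(RANSOMWARE):,.0f}")
    # A hypothetical control (offline backups plus staff training) costing 100k/year
    for with_intangibles in (True, False):
        r = evaluate_control(RANSOMWARE, 100_000, rate_reduction=0.5,
                             impact_reduction=0.4, include_intangibles=with_intangibles)
        print(f"intangibles={with_intangibles}: net {r['net_benefit']:,.0f}, worth it: {r['worth_it']}")
```

With the constructed figures the control is worth funding when intangible assets are quantified (net benefit 21,800/year) and rejected when they are ignored (net loss 24,400/year), which is exactly why the text insists that intangible-asset quantification belongs in the methodology. Replacing the assumed rate and cost values with an organisation's own estimates, and adding further cascade nodes, is all that is needed to reuse the structure.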