Healthcare organizations depend on reliable digital information and communication infrastructures to collect, process, and store health data. These data can easily be provided to doctors for diagnosis, treatment, consultation or for monitoring their patients’ condition. On the other hand, patients can also have access to their own health data and use them anywhere, anytime. Although health data exchange is essential for providing better patient care, healthcare organizations are becoming vulnerable to cyber-attacks, causing data leakage or breach incidents. These attacks may affect patients’ privacy and health, as well as cause severe operational disruptions and economic losses for healthcare organizations.
The KIOS Research and Innovation Center of Excellence at the University of Cyprus participated in the CUREX H2020 EU-funded project, which addressed comprehensively the protection of the confidentiality and integrity of health data. Within the framework of this project, the KIOS research team used their expertise in cybersecurity-related issues and developed a Cyber Hygiene methodology for raising cybersecurity and data privacy awareness of different employee groups in healthcare organizations.
Human-Centric Cyber Hygiene Methodology
According to the CyberSecurity Forum, Cyber Hygiene refers to the activities that computer system administrators and users can undertake to improve their cybersecurity while online (https://cybersecurityforum.com/cybersecurity-faq/what-is-cyber-hygiene.htm). The KIOS CoE developed a survey-based risk assessment methodology for Cyber Hygiene, focusing on the gaps and needs of individual employee groups to identify the most effective strategy for managing cybersecurity and data privacy risks and recommend human-centric controls to implement the strategy.
The KIOS Cyber Hygiene methodology was applied to three major European healthcare organizations in the context of the CUREX project, two in Spain and one in Sweden, targeting four different employee groups (administrative personnel, medical professionals, IT, and executive staff).
It included the following five steps:
- Preparation of a survey questionnaire to focus on the needs and gaps of different employee groups at healthcare organizations. The questionnaire included single and multiple response questions related to awareness, agreement, adoption of Cyber Hygiene practices, knowledge, and satisfaction.
- Processing and analyzing the participants’ responses. The responses were analyzed per healthcare organization, employee group, risk category, as well as for specific survey questions.
- Identification of the most effective strategy to address each cybersecurity and data privacy risk.
- Recommendation of targeted human-centric controls, such as training sessions, awareness activities, and rewards, to implement the identified strategy.
- Application of the controls to the workforce to improve the level of cybersecurity and data privacy awareness.
According to the KIOS CoE Research Lecturer, Dr. Christos Laoudias, the findings suggest that administrative personnel and medical professionals at one of these organizations seem to have a better understanding of cyber hygiene. In contrast, the same group of employees at the other two organizations need to adopt the recommended controls (e.g., training sessions, awareness activities, rewards) selected from a pool of 19 candidate controls to manage various human-related cybersecurity and data privacy risks.
An interesting point, he continues, is the fact that, even though the employees in all groups across the three organizations are aware of several threats including “insider, accidental or intentional data loss”, “loss or theft of hardware” and “attacks against smart medical devices”, they are not aware of “social engineering attacks” (e.g., phishing emails), while only employees at one of the organizations are aware of “ransomware attacks”. These two attacks are the top two threats in healthcare according to the U.S. Department of Health and Human Services.
From the findings, it was clear that all three healthcare institutions need to take action and adopt the recommended controls at the appropriate implementation level to increase awareness, understanding, and use of cyber hygiene best practices among their employees.
The human-centric Cyber Hygiene methodology developed by the KIOS CoE is an outcome of the CUREX project that increases employee confidence in identifying and handling cybersecurity and data privacy incidents, supports the management team in cyber defence decision-making, applies human-centric controls to mitigate risks, and reduces the cost of service outages and data breaches.
This project received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 826404.