1
Dameff C, Tully J, Chan TC, Castillo EM, Savage S, Maysent P, Hemmen TM, Clay BJ, Longhurst CA. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA Netw Open 2023; 6:e2312270. [PMID: 37155166 PMCID: PMC10167570 DOI: 10.1001/jamanetworkopen.2023.12270] [Received: 10/28/2022] [Accepted: 03/26/2023] [Indexed: 05/10/2023]
Abstract
Importance: Cyberattacks on health care delivery organizations are increasing in frequency and sophistication. Ransomware infections have been associated with significant operational disruption, but data describing regional associations of these cyberattacks with neighboring hospitals have not been previously reported, to our knowledge.
Objective: To examine an institution's emergency department (ED) patient volume and stroke care metrics during a month-long ransomware attack on a geographically proximal but separate health care delivery organization.
Design, Setting, and Participants: This before and after cohort study compares adult and pediatric patient volume and stroke care metrics of 2 US urban academic EDs in the 4 weeks prior to the ransomware attack on May 1, 2021 (April 3-30, 2021), as well as during the attack and recovery (May 1-28, 2021) and 4 weeks after the attack and recovery (May 29 to June 25, 2021). The 2 EDs had a combined mean annual census of more than 70 000 care encounters and 11% of San Diego County's total acute inpatient discharges. The health care delivery organization targeted by the ransomware constitutes approximately 25% of the regional inpatient discharges.
Exposure: A month-long ransomware cyberattack on 4 adjacent hospitals.
Main Outcomes and Measures: Emergency department encounter volumes (census), temporal throughput, regional diversion of emergency medical services (EMS), and stroke care metrics.
Results: This study evaluated 19 857 ED visits at the unaffected ED: 6114 (mean [SD] age, 49.6 [19.3] years; 2931 [47.9%] female patients; 1663 [27.2%] Hispanic, 677 [11.1%] non-Hispanic Black, and 2678 [43.8%] non-Hispanic White patients) in the preattack phase, 7039 (mean [SD] age, 49.8 [19.5] years; 3377 [48.0%] female patients; 1840 [26.1%] Hispanic, 778 [11.1%] non-Hispanic Black, and 3168 [45.0%] non-Hispanic White patients) in the attack and recovery phase, and 6704 (mean [SD] age, 48.8 [19.6] years; 3326 [49.5%] female patients; 1753 [26.1%] Hispanic, 725 [10.8%] non-Hispanic Black, and 3012 [44.9%] non-Hispanic White patients) in the postattack phase. Compared with the preattack phase, during the attack phase, there were significant associated increases in the daily mean (SD) ED census (218.4 [18.9] vs 251.4 [35.2]; P < .001), EMS arrivals (1741 [28.8] vs 2354 [33.7]; P < .001), admissions (1614 [26.4] vs 1722 [24.5]; P = .01), patients leaving without being seen (158 [2.6] vs 360 [5.1]; P < .001), and patients leaving against medical advice (107 [1.8] vs 161 [2.3]; P = .03). There were also significant associated increases during the attack phase compared with the preattack phase in median waiting room times (21 minutes [IQR, 7-62 minutes] vs 31 minutes [IQR, 9-89 minutes]; P < .001) and total ED length of stay for admitted patients (614 minutes [IQR, 424-1093 minutes] vs 822 minutes [IQR, 497-1524 minutes]; P < .001). There was also a significant increase in stroke code activations during the attack phase compared with the preattack phase (59 vs 102; P = .01) as well as confirmed strokes (22 vs 47; P = .02).
Conclusions and Relevance: This study found that hospitals adjacent to health care delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.
Affiliation(s)
- Christian Dameff
  - Department of Emergency Medicine, University of California, San Diego
  - Department of Biomedical Informatics, University of California, San Diego
  - Department of Computer Science and Engineering, University of California, San Diego
- Jeffrey Tully
  - Department of Anesthesiology, University of California, San Diego
- Theodore C. Chan
  - Department of Emergency Medicine, University of California, San Diego
- Stefan Savage
  - Department of Computer Science and Engineering, University of California, San Diego
- Patricia Maysent
  - Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
- Thomas M. Hemmen
  - Department of Neurosciences, University of California, San Diego
- Brian J. Clay
  - Department of Biomedical Informatics, University of California, San Diego
  - Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
- Christopher A. Longhurst
  - Department of Biomedical Informatics, University of California, San Diego
  - Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
2
Patel AU, Williams CL, Hart SN, Garcia CA, Durant TJS, Cornish TC, McClintock DS. Cybersecurity and Information Assurance for the Clinical Laboratory. J Appl Lab Med 2023; 8:145-161. [PMID: 36610432 DOI: 10.1093/jalm/jfac119] [Received: 06/18/2022] [Accepted: 10/26/2022] [Indexed: 01/09/2023]
Abstract
BACKGROUND: Network-connected medical devices have rapidly proliferated in the wake of recent global catalysts, leaving clinical laboratories and healthcare organizations vulnerable to malicious actors seeking to ransom sensitive healthcare information. As organizations become increasingly dependent on integrated systems and data-driven patient care operations, a sudden cyberattack and the associated downtime can have a devastating impact on patient care and the institution as a whole. Cybersecurity, information security, and information assurance principles are, therefore, vital for clinical laboratories to fully prepare for what has now become inevitable: future cyberattacks.
CONTENT: This review aims to provide a basic understanding of cybersecurity, information security, and information assurance principles as they relate to healthcare and the clinical laboratories. Common cybersecurity risks and threats are defined in addition to current proactive and reactive cybersecurity controls. Information assurance strategies are reviewed, including traditional castle-and-moat and zero-trust security models. Finally, ways in which clinical laboratories can prepare for an eventual cyberattack with extended downtime are discussed.
SUMMARY: The future of healthcare is intimately tied to technology, interoperability, and data to deliver the highest quality of patient care. Understanding cybersecurity and information assurance is just the first preparative step for clinical laboratories as they ensure the protection of patient data and the continuity of their operations.
Affiliation(s)
- Ankush U Patel
  - Department of Laboratory Medicine and Pathology, Mayo Clinic, Rochester, MN
- Christopher L Williams
  - Department of Pathology, University of Oklahoma Health Sciences Center, Oklahoma City, OK
- Steven N Hart
  - Department of Laboratory Medicine and Pathology, Mayo Clinic, Rochester, MN
- Thomas J S Durant
  - Department of Laboratory Medicine, Yale School of Medicine, New Haven, CT
- Toby C Cornish
  - Department of Pathology, University of Colorado School of Medicine, Aurora, CO
- David S McClintock
  - Department of Laboratory Medicine and Pathology, Mayo Clinic, Rochester, MN
3
Kim Y. Awareness of, attitudes towards, and practices of health information management professionals in South Korea relating to privacy of personal health information. HEALTH INF MANAG J 2023; 52:50-56. [PMID: 34476996 DOI: 10.1177/18333583211039384] [Indexed: 01/19/2023]
Abstract
Background: While information and communication technology has continued to advance, privacy of personal health information (PHI) has remained a challenge for health information management (HIM) professionals.
Objective: This study aims to examine the awareness, attitude and practice relating to PHI privacy among HIM professionals in South Korea.
Method: A survey questionnaire was developed for the study based on critical appraisal of relevant literature and expert consensus. It was completed by a sample of 312 respondents who were members of the Korean Health Information Management Association, over the age of 21, and worked in a healthcare organisation. Demographic data and questionnaire items (assessed on a 5-point Likert-type scale) were analysed using descriptive statistics, t-tests and ANOVA.
Results: Mean scores and SDs for awareness, attitude and practice related to PHI privacy were calculated: 4.21 (0.60) for awareness, 4.17 (0.60) for attitude and 4.31 (0.63) for practice. Significant positive correlations were found between awareness and attitude scores (r = 0.765, p < 0.01); awareness and practice scores (r = 0.585; p < 0.01); and attitude and action scores (r = 0.672; p < 0.01). HIM professionals' awareness, attitude, and practice towards PHI privacy differed significantly according to age, level of education, years of HIM experience, type of employment, main task, number of completed privacy education activities within the previous 3 years and whether or not they had signed a pledge of confidentiality on PHI. More highly-educated, full-time employed respondents, those who had completed a greater number of privacy education activities and had more experience as HIM professionals, achieved higher scores on awareness, attitude and practice than did other respondents. These differences were all statistically significant (p < 0.01).
Conclusion: Although causality cannot be inferred from results of this study, findings suggest that there is a relationship between PHI being a core responsibility of HIM professionals and their subsequent awareness, attitude and practice to ensure its privacy and confidentiality. To improve privacy practice, educational efforts should be prioritised and supported at all levels, including national, organisational, individual, and by professional HIM associations.
Affiliation(s)
- Yeaeun Kim
  - Catholic University of Pusan, South Korea
4
Protecting procedural care-cybersecurity considerations for robotic surgery. NPJ Digit Med 2022; 5:148. [PMID: 36127420 PMCID: PMC9489690 DOI: 10.1038/s41746-022-00693-8] [Received: 06/30/2022] [Accepted: 09/01/2022] [Indexed: 11/25/2022]
5
Jiang JX, Culbertson N, Bai G. Effectiveness of Email Warning on Reducing Hospital Employees' Unauthorized Access to Protected Health Information: A Nonrandomized Controlled Trial. JAMA Netw Open 2022; 5:e227247. [PMID: 35416994 PMCID: PMC9008494 DOI: 10.1001/jamanetworkopen.2022.7247] [Indexed: 11/14/2022]
Abstract
This nonrandomized controlled trial evaluates whether email warnings for employees who access protected health information are associated with a reduction in subsequent unauthorized access.
Affiliation(s)
- Ge Bai
  - Johns Hopkins Carey Business School, Baltimore, Maryland
  - Johns Hopkins Bloomberg School of Public Health, Baltimore, Maryland
6
Klokman VW, Barten DG, Peters NALR, Versteegen MGJ, Wijnands JJJ, van Osch FHM, Gaakeer MI, Tan ECTH, Boin A. A scoping review of internal hospital crises and disasters in the Netherlands, 2000-2020. PLoS One 2021; 16:e0250551. [PMID: 33901248 PMCID: PMC8075216 DOI: 10.1371/journal.pone.0250551] [Received: 10/22/2020] [Accepted: 04/11/2021] [Indexed: 11/19/2022]
Abstract
BACKGROUND: Internal hospital crises and disasters (IHCDs) are events that disrupt the routine functioning of a hospital while threatening the well-being of patients and staff. IHCDs may cause hospital closure, evacuations of patients and loss of healthcare capacity. The consequences may be ruinous for local communities. Although IHCDs occur with regularity, information on the frequency and types of these events is scarcely published in the medical literature. However, gray literature and popular media reports are widely available. We therefore conducted a scoping review of these literature sources to identify and characterize the IHCDs that occurred in Dutch hospitals from 2000 to 2020. The aim is to develop a systematic understanding of the frequency of the various types of IHCDs occurring in a prosperous nation such as the Netherlands.
METHODS: A systematic scoping review of news articles retrieved from the LexisNexis database, Google, Google News, PubMed and EMBASE between 2000 and 2020. All articles mentioning the closure of a hospital department in the Netherlands were analyzed.
RESULTS: A total of 134 IHCDs were identified in a 20-year time period. Of these IHCDs, there were 96 (71.6%) emergency department closures, 76 (56.7%) operation room closures, 56 (41.8%) evacuations, 26 (17.9%) reports of injured persons, and 2 (1.5%) reported casualties. Cascading events of multiple failures transpired in 39 (29.1%) IHCDs. The primary causes of IHCDs (as reported) were information and communication technology (ICT) failures, technical failures, fires, power failures, and hazardous material warnings. An average of 6.7 IHCDs occurred per year. From 2000-2009 there were 32 IHCDs, of which one concerned a primary ICT failure. Of the 102 IHCDs between 2010-2019, 32 were primary ICT failures.
CONCLUSIONS: IHCDs occur with some regularity in the Netherlands and have marked effects on hospital critical care departments, particularly emergency departments. Cascading events of multiple failures transpire nearly a third of the time, limiting the ability of a hospital to stave off closure due to failure. Emergency managers should therefore prioritize the risk of ICT failures and cascading events and train hospital staff accordingly.
Affiliation(s)
- Vincent W. Klokman
  - Department of Emergency Medicine, VieCuri Medical Center, Venlo, The Netherlands
- Dennis G. Barten
  - Department of Emergency Medicine, VieCuri Medical Center, Venlo, The Netherlands
- Frits H. M. van Osch
  - Department of Clinical Epidemiology, VieCuri Medical Center, Venlo, The Netherlands
- Menno I. Gaakeer
  - Department of Emergency Medicine, Admiraal de Ruyter Hospital, Goes, The Netherlands
- Edward C. T. H. Tan
  - Department of Trauma Surgery and Emergency Medicine, Radboud University Medical Center, Nijmegen, The Netherlands
- Arjen Boin
  - Department of Political Science, Leiden University, Leiden, The Netherlands
7
He Y, Aliyu A, Evans M, Luo C. Health Care Cybersecurity Challenges and Solutions Under the Climate of COVID-19: Scoping Review. J Med Internet Res 2021; 23:e21747. [PMID: 33764885 PMCID: PMC8059789 DOI: 10.2196/21747] [Received: 06/23/2020] [Revised: 12/08/2020] [Accepted: 02/21/2021] [Indexed: 01/14/2023]
Abstract
BACKGROUND: COVID-19 has challenged the resilience of the health care information system, which has affected our ability to achieve the global goal of health and well-being. The pandemic has resulted in a number of recent cyberattacks on hospitals, pharmaceutical companies, the US Department of Health and Human Services, the World Health Organization and its partners, and others.
OBJECTIVE: The aim of this review was to identify key cybersecurity challenges, solutions adapted by the health sector, and areas of improvement needed to counteract the recent increases in cyberattacks (eg, phishing campaigns and ransomware attacks), which have been used by attackers to exploit vulnerabilities in technology and people introduced through changes to working practices in response to the COVID-19 pandemic.
METHODS: A scoping review was conducted by searching two major scientific databases (PubMed and Scopus) using the search formula "(covid OR healthcare) AND cybersecurity." Reports, news articles, and industry white papers were also included if they were related directly to previously published works, or if they were the only available sources at the time of writing. Only articles in English published in the last decade were included (ie, 2011-2020) in order to focus on current issues, challenges, and solutions.
RESULTS: We identified 9 main challenges in cybersecurity, 11 key solutions that health care organizations adapted to address these challenges, and 4 key areas that need to be strengthened in terms of cybersecurity capacity in the health sector. We also found that the most prominent and significant methods of cyberattacks that occurred during the pandemic were related to phishing, ransomware, distributed denial-of-service attacks, and malware.
CONCLUSIONS: This scoping review identified the most impactful methods of cyberattacks that targeted the health sector during the COVID-19 pandemic, as well as the challenges in cybersecurity, solutions, and areas in need of improvement. We provided useful insights to the health sector on cybersecurity issues during the COVID-19 pandemic as well as other epidemics or pandemics that may materialize in the future.
Affiliation(s)
- Ying He
  - School of Computer Science, University of Nottingham, Nottingham, United Kingdom
- Aliyu Aliyu
  - School of Computer Science and Informatics, De Montfort University, Leicester, United Kingdom
- Mark Evans
  - School of Computer Science and Informatics, De Montfort University, Leicester, United Kingdom
- Cunjin Luo
  - School of Computer Science and Electronic Engineering, University of Essex, Colchester, United Kingdom
  - Key Lab of Medical Electrophysiology, Ministry of Education, Institute of Cardiovascular Research, Southwest Medical University, Luzhou, China
8
Gordon WJ, Wright A, Glynn RJ, Kadakia J, Mazzone C, Leinbach E, Landman A. Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system. J Am Med Inform Assoc 2020; 26:547-552. [PMID: 30861069 DOI: 10.1093/jamia/ocz005] [Received: 11/08/2018] [Revised: 12/21/2018] [Accepted: 01/21/2019] [Indexed: 11/12/2022]
Abstract
OBJECTIVE: The study sought to understand the impact of a phishing training program on phishing click rates for employees at a single, anonymous US healthcare institution.
MATERIALS AND METHODS: We stratified our population into 2 groups: offenders and nonoffenders. Offenders were defined as those that had clicked on at least 5 simulated phishing emails and nonoffenders were those that had not. We calculated click rates for offenders and nonoffenders, before and after a mandatory training program for offenders was implemented.
RESULTS: A total of 5416 unique employees received all 20 campaigns during the intervention period; 772 clicked on at least 5 emails and were labeled offenders. Only 975 (17.9%) of our set clicked on 0 phishing emails over the course of the 20 campaigns; 3565 (65.3%) clicked on at least 2 emails. There was a decrease in click rates for each group over the 20 campaigns. The mandatory training program, initiated after campaign 15, did not have a substantial impact on click rates, and the offenders remained more likely to click on a phishing simulation.
DISCUSSION: Phishing is a common threat vector against hospital employees and an important cybersecurity risk to healthcare systems. Our work suggests that, under simulation, employee click rates decrease with repeated simulation, but a mandatory training program targeted at high-risk employees did not meaningfully decrease the click rates of this population.
CONCLUSIONS: Employee phishing click rates decrease over time, but a mandatory training program for the highest-risk employees did not decrease click rates when compared with lower-risk employees.
Affiliation(s)
- William J Gordon
  - Division of General Internal Medicine and Primary Care, Brigham and Women's Hospital, Boston, Massachusetts, USA
  - Harvard Medical School, Boston, Massachusetts, USA
  - Partners HealthCare, Boston, Massachusetts, USA
- Adam Wright
  - Division of General Internal Medicine and Primary Care, Brigham and Women's Hospital, Boston, Massachusetts, USA
  - Harvard Medical School, Boston, Massachusetts, USA
  - Partners HealthCare, Boston, Massachusetts, USA
- Robert J Glynn
  - Harvard Medical School, Boston, Massachusetts, USA
  - Division of Preventive Medicine, Brigham and Women's Hospital, Boston, Massachusetts, USA
  - Harvard T.H. Chan School of Public Health, Boston, Massachusetts, USA
- Adam Landman
  - Harvard Medical School, Boston, Massachusetts, USA
  - Partners HealthCare, Boston, Massachusetts, USA
  - Department of Emergency Medicine, Brigham and Women's Hospital, Boston, Massachusetts, USA
9
10
Dameff C, Pfeffer MA, Longhurst CA. Cybersecurity implications for hospital quality. Health Serv Res 2019; 54:969-970. [PMID: 31506957 PMCID: PMC6736916 DOI: 10.1111/1475-6773.13202] [Indexed: 10/14/2023]
Affiliation(s)
- Christian Dameff
  - Department of Emergency Medicine, University of California San Diego, San Diego, California
- Michael A. Pfeffer
  - Department of Medicine, David Geffen School of Medicine at UCLA, Los Angeles, California
- Christopher A. Longhurst
  - Department of Medicine, University of California San Diego, San Diego, California
  - Department of Pediatrics, University of California San Diego, San Diego, California
11
Abstract
OBJECTIVES: To more clearly define the landscape of digital medical devices subject to US Food and Drug Administration (FDA) oversight, this analysis leverages publicly available regulatory documents to characterise the prevalence and trends of software and cybersecurity features in regulated medical devices.
DESIGN: We analysed data from publicly available FDA product summaries to understand the frequency and recent time trends of inclusion of software and cybersecurity content in publicly available product information.
SETTING: The full set of regulated medical devices, approved over the years 2002-2016, included in the FDA's 510(k) and premarket approval databases.
PRIMARY AND SECONDARY OUTCOME MEASURES: The primary outcome was the share of devices containing software that included cybersecurity content in their product summaries. Secondary outcomes were differences in these shares (a) over time and (b) across regulatory areas.
RESULTS: Among regulated devices, 13.79% were identified as including software. Among these products, only 2.13% had product summaries that included cybersecurity content over the period studied. The overall share of devices including cybersecurity content was higher in recent years, growing from an average of 1.4% in the first decade of our sample to 5.5% in 2015 and 2016, the most recent years included. The share of devices including cybersecurity content also varied across regulatory areas from a low of 0% to a high of 22.2%.
CONCLUSIONS: To ensure the safest possible healthcare delivery environment for patients and hospitals, regulators and manufacturers should work together to make the software and cybersecurity content of new medical devices more easily accessible.
Affiliation(s)
- Ariel Dora Stern
  - Harvard Business School Technology and Operations Management, Boston, Massachusetts, USA
  - Harvard-MIT Center for Regulatory Science, Boston, Massachusetts, USA
- William J Gordon
  - Brigham and Women's Hospital Department of Medicine, Boston, Massachusetts, USA
  - Harvard Medical School, Boston, Massachusetts, USA
- Adam B Landman
  - Brigham and Women's Hospital Department of Medicine, Boston, Massachusetts, USA
- Daniel B Kramer
  - Harvard Medical School, Boston, Massachusetts, USA
  - Richard A. and Susan F. Smith Center for Outcomes Research in Cardiology, Beth Israel Deaconess Medical Center, Boston, Massachusetts, USA
12
Gordon WJ, Wright A, Aiyagari R, Corbo L, Glynn RJ, Kadakia J, Kufahl J, Mazzone C, Noga J, Parkulo M, Sanford B, Scheib P, Landman AB. Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions. JAMA Netw Open 2019; 2:e190393. [PMID: 30848810 PMCID: PMC6484661 DOI: 10.1001/jamanetworkopen.2019.0393] [Indexed: 12/02/2022]
Abstract
IMPORTANCE: Cybersecurity is an increasingly important threat to health care delivery, and email phishing is a major attack vector against hospital employees.
OBJECTIVE: To describe the practice of phishing simulation and the extent to which health care employees are vulnerable to phishing simulations.
DESIGN, SETTING, AND PARTICIPANTS: Retrospective, multicenter quality improvement study of a convenience sample of 6 geographically dispersed US health care institutions that ran phishing simulations from August 1, 2011, through April 10, 2018. The specific institutions are anonymized herein for security and privacy concerns.
EXPOSURES: Simulated phishing emails received by employees at US health care institutions.
MAIN OUTCOMES AND MEASURES: Date of phishing campaign, campaign number, number of emails sent, number of emails clicked, and email content. Emails were classified into 3 categories (office related, personal, or information technology related).
RESULTS: The final study sample included 6 anonymized US health care institutions, 95 simulated phishing campaigns, and 2 971 945 emails, 422 062 of which were clicked (14.2%). The median institutional click rates for campaigns ranged from 7.4% (interquartile range [IQR], 5.8%-9.6%) to 30.7% (IQR, 25.2%-34.4%), with an overall median click rate of 16.7% (IQR, 8.3%-24.2%) across all campaigns and institutions. In the regression model, repeated phishing campaigns were associated with decreased odds of clicking on a subsequent phishing email (adjusted OR, 0.511; 95% CI, 0.382-0.685 for 6-10 campaigns; adjusted OR, 0.335; 95% CI, 0.282-0.398 for >10 campaigns).
CONCLUSIONS AND RELEVANCE: Among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails sent were clicked on by employees. Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness. With cyberattacks increasing against US health care systems, these click rates represent a major cybersecurity risk for hospitals.
Affiliation(s)
- William J. Gordon
  - Department of Medicine, Massachusetts General Hospital, Boston
  - Division of General Internal Medicine and Primary Care, Brigham and Women’s Hospital, Boston, Massachusetts
  - Partners HealthCare, Boston, Massachusetts
  - Harvard Medical School, Boston, Massachusetts
- Adam Wright
  - Division of General Internal Medicine and Primary Care, Brigham and Women’s Hospital, Boston, Massachusetts
  - Partners HealthCare, Boston, Massachusetts
  - Harvard Medical School, Boston, Massachusetts
- Ranjit Aiyagari
  - Division of Pediatric Cardiology, Department of Pediatrics & Communicable Diseases, University of Michigan Medical School, Ann Arbor
- Leslie Corbo
  - Department of Cybersecurity, Utica College, Utica, New York
- Robert J. Glynn
  - Division of Preventive Medicine, Brigham and Women’s Hospital, Boston, Massachusetts
- Jack Kufahl
  - Division of Information Assurance, University of Michigan Medical School, Ann Arbor
- James Noga
  - Partners HealthCare, Boston, Massachusetts
- Mark Parkulo
  - Center for Translational Informatics and Knowledge Management, Mayo Clinic, Jacksonville, Florida
- Brad Sanford
  - Libraries and Information Technology Services: Enterprise Security, Emory University, Atlanta, Georgia
- Paul Scheib
  - Information Services Division, Boston Children’s Hospital, Boston, Massachusetts
- Adam B. Landman
  - Partners HealthCare, Boston, Massachusetts
  - Harvard Medical School, Boston, Massachusetts
  - Department of Emergency Medicine, Brigham and Women’s Hospital, Boston, Massachusetts
13
Jalali MS, Razak S, Gordon W, Perakslis E, Madnick S. Health Care and Cybersecurity: Bibliometric Analysis of the Literature. J Med Internet Res 2019; 21:e12644. [PMID: 30767908 PMCID: PMC6396074 DOI: 10.2196/12644] [Received: 10/31/2018] [Revised: 11/27/2018] [Accepted: 11/29/2018] [Indexed: 12/04/2022]
Abstract
Background: Over the past decade, clinical care has become globally dependent on information technology. The cybersecurity of health care information systems is now an essential component of safe, reliable, and effective health care delivery.
Objective: The objective of this study was to provide an overview of the literature at the intersection of cybersecurity and health care delivery.
Methods: A comprehensive search was conducted using PubMed and Web of Science for English-language peer-reviewed articles. We carried out chronological analysis, domain clustering analysis, and text analysis of the included articles to generate a high-level concept map composed of specific words and the connections between them.
Results: Our final sample included 472 English-language journal articles. Our review results revealed that the majority of the articles were focused on technology: technology-focused articles made up more than half of all the clusters, whereas managerial articles accounted for only 32% of all clusters. This finding suggests that nontechnological variables (human-based and organizational aspects, strategy, and management) may be understudied. In addition, Software Development Security, Business Continuity, and Disaster Recovery Planning each accounted for 3% of the studied articles. Our results also showed that publications on Physical Security account for only 1% of the literature, and research in this area is lacking. Cyber vulnerabilities are not all digital; many physical threats contribute to breaches and potentially affect the physical safety of patients.
Conclusions: Our results revealed an overall increase in research on cybersecurity and identified major gaps and opportunities for future work.
Affiliation(s)
- Mohammad S Jalali
  - MGH Institute for Technology Assessment, Harvard Medical School, Boston, MA, United States
  - Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA, United States
- Sabina Razak
  - Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA, United States
- William Gordon
  - Division of General Internal Medicine, Department of Medicine, Brigham & Women's Hospital, Boston, MA, United States
  - Partners Healthcare, Boston, MA, United States
  - Department of Dermatology, Harvard Medical School, Boston, MA, United States
- Eric Perakslis
  - Department of Biomedical Informatics, Harvard Medical School, Boston, MA, United States
- Stuart Madnick
  - Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA, United States

14
Abstract
This study evaluates the internal and external sources of and preventive steps for data breaches in health care organizations from 2009 to 2017.
Affiliation(s)
- Ge Bai
  - The Johns Hopkins Carey Business School, Washington, DC

15
Hamilton JG, Genoff Garzon M, Westerman JS, Shuk E, Hay JL, Walters C, Elkin E, Bertelsen C, Cho J, Daly B, Gucalp A, Seidman AD, Zauderer MG, Epstein AS, Kris MG. "A Tool, Not a Crutch": Patient Perspectives About IBM Watson for Oncology Trained by Memorial Sloan Kettering. J Oncol Pract 2019; 15:e277-e288. [PMID: 30689492 DOI: 10.1200/jop.18.00417] [Citation(s) in RCA: 20] [Impact Index Per Article: 4.0] [Indexed: 11/20/2022] Open
Abstract
Purpose:
IBM Watson for Oncology trained by Memorial Sloan Kettering (WFO) is a clinical decision support tool designed to assist physicians in choosing therapies for patients with cancer. Although substantial technical and clinical expertise has guided the development of WFO, patients' perspectives on this technology have not been examined. To facilitate the optimal delivery and implementation of this tool, we solicited patients' perceptions of and preferences about WFO.
Methods:
We conducted nine focus groups with 46 patients with breast, lung, or colorectal cancer who had a range of treatment experiences: neoadjuvant/adjuvant chemotherapy, chemotherapy for metastatic disease, or systemic therapy through a clinical trial. In-depth qualitative and quantitative data were collected and analyzed to describe patients' attitudes and perspectives concerning WFO and how it may be used in clinical care.
Results:
Analysis of the qualitative data identified three main themes: patient acceptance of WFO, physician competence and the physician-patient relationship, and practical and logistic aspects of WFO. Overall, participant feedback suggested high levels of patient interest, perceived value, and acceptance of WFO, as long as it was used as a supplementary tool to inform their physicians' decision making. Participants also described important concerns, including the need for strict processes to guarantee the integrity and completeness of the data presented and the possibility of physician overreliance on WFO.
Conclusion:
Participants generally reacted favorably to the prospect of WFO being integrated into the cancer treatment decision-making process, but with caveats regarding the comprehensiveness and accuracy of the data powering the system and the potential for giving WFO excessive weight in the decision-making process. Addressing patients' perspectives will be critical to ensuring the smooth integration of WFO into cancer care.
Affiliation(s)
- Jada G Hamilton
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Margaux Genoff Garzon
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Joy S Westerman
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Elyse Shuk
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Jennifer L Hay
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Chasity Walters
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Elena Elkin
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Corinna Bertelsen
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Jessica Cho
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Bobby Daly
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Ayca Gucalp
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Andrew D Seidman
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Marjorie G Zauderer
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Andrew S Epstein
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY
- Mark G Kris
  - Memorial Sloan Kettering Cancer Center; and Weill Cornell Medical College, New York, NY

16
Jalali MS, Russell B, Razak S, Gordon WJ. EARS to cyber incidents in health care. J Am Med Inform Assoc 2019; 26:81-90. [PMID: 30517701 PMCID: PMC7647158 DOI: 10.1093/jamia/ocy148] [Citation(s) in RCA: 22] [Impact Index Per Article: 4.4] [Received: 07/23/2018] [Revised: 10/15/2018] [Accepted: 10/18/2018] [Indexed: 11/12/2022] Open
Abstract
Background:
Connected medical devices and electronic health records have added important functionality to patient care, but have also introduced a range of cybersecurity concerns. When a healthcare organization suffers a cybersecurity incident, its incident response strategies are critical to the success of its recovery.
Objective:
In this article, we identify gaps in research concerning cybersecurity response plans in healthcare. Through a systematic literature review, we develop aggregated strategies that professionals can use to construct better response strategies in their organizations.
Methods:
We reviewed journal articles on cyber incident response plans in healthcare published in PubMed and Web of Science. We sought to collect articles at the intersection of cybersecurity and healthcare that focused on incident response strategies.
Results:
We identified and reviewed 13 articles for cybersecurity response recommendations. We then extracted information such as research methods, findings, and implications. Finally, we synthesized the recommendations into a framework of eight aggregated response strategies (EARS) that fall under managerial and technological categories.
Conclusions:
We conducted a systematic review of the literature on cybersecurity response plans in healthcare and developed a novel framework for response strategies that could be deployed by healthcare organizations. More work is needed to evaluate incident response strategies in healthcare.
Affiliation(s)
- Mohammad S Jalali
  - MIT Sloan School of Management, Massachusetts Institute of Technology, Cambridge, Massachusetts, USA
- Bethany Russell
  - MIT Sloan School of Management, Massachusetts Institute of Technology, Cambridge, Massachusetts, USA
- Sabina Razak
  - MIT Sloan School of Management, Massachusetts Institute of Technology, Cambridge, Massachusetts, USA
- William J Gordon
  - Division of General Internal Medicine, Department of Medicine, Brigham & Women's Hospital, Boston, Massachusetts, USA
  - Partners Healthcare, Boston, Massachusetts, USA
  - Harvard Medical School, Harvard University, Boston, Massachusetts, USA

17
Georgiou A, Magrabi F, Hyppönen H, Wong ZSY, Nykänen P, Scott PJ, Ammenwerth E, Rigby M. The Safe and Effective Use of Shared Data Underpinned by Stakeholder Engagement and Evaluation Practice. Yearb Med Inform 2018; 27:25-28. [PMID: 29681039 PMCID: PMC6115216 DOI: 10.1055/s-0038-1641194] [Citation(s) in RCA: 3] [Impact Index Per Article: 0.5] [Indexed: 11/30/2022] Open
Abstract
Objectives:
The paper draws attention to: i) key considerations involving the confidentiality, privacy, and security of shared data; and ii) the requirements needed to build collaborative arrangements encompassing all stakeholders with the goal of ensuring safe, secure, and quality use of shared data.
Method:
A narrative review of existing research and policy approaches along with expert perspectives drawn from the International Medical Informatics Association (IMIA) Working Group on Technology Assessment and Quality Development in Health Care and the European Federation for Medical Informatics (EFMI) Working Group for Assessment of Health Information Systems.
Results:
The technological ability to merge, link, re-use, and exchange data has outpaced the establishment of policies, procedures, and processes to monitor the ethics and legality of shared use of data. Questions remain about how to guarantee the security of shared data, and how to establish and maintain public trust across large-scale shared data enterprises. This paper identifies the importance of data governance frameworks (incorporating engagement with all stakeholders) to underpin the management of the ethics and legality of shared data use. The paper also provides some key considerations for the establishment of national approaches and measures to monitor compliance with best practice.
Conclusion:
Data sharing endeavours can help to underpin new collaborative models of health care which provide shared information, engagement, and accountability amongst all stakeholders. We believe that commitment to rigorous evaluation and stakeholder engagement will be critical to delivering health data benefits and the establishment of collaborative models of health care into the future.
Affiliation(s)
- Andrew Georgiou
  - Macquarie University, Australian Institute of Health Innovation, Sydney, Australia
- Farah Magrabi
  - Macquarie University, Australian Institute of Health Innovation, Sydney, Australia
- Hannele Hyppönen
  - National Institute for Health and Welfare, Information Department, Helsinki, Finland
- Pirkko Nykänen
  - University of Tampere, Faculty of Natural Sciences, Tampere, Finland
- Philip J Scott
  - University of Portsmouth, Centre for Healthcare Modelling and Informatics, Portsmouth, United Kingdom
- Elske Ammenwerth
  - UMIT, University for Health Sciences, Medical Informatics and Technology, Institute of Medical Informatics, Hall in Tyrol, Austria
- Michael Rigby
  - Keele University, School of Social Science and Public Policy, Keele, United Kingdom