Why Employees (Still) Click on Phishing Links: Investigation in Hospitals

Prompt injection attacks on vision language models in oncology

Vision-language artificial intelligence models (VLMs) possess medical knowledge and can be employed in healthcare in numerous ways, including as image interpreters, virtual scribes, and general decision support systems. However, here, we demonstrate that current VLMs applied to medical tasks exhibit a fundamental security flaw: they can be compromised by prompt injection attacks. These can be used to output harmful information just by interacting with the VLM, without any access to its parameters. We perform a quantitative study to evaluate the vulnerabilities to these attacks in four state of the art VLMs: Claude-3 Opus, Claude-3.5 Sonnet, Reka Core, and GPT-4o. Using a set of N = 594 attacks, we show that all of these models are susceptible. Specifically, we show that embedding sub-visual prompts in manifold medical imaging data can cause the model to provide harmful output, and that these prompts are non-obvious to human observers. Thus, our study demonstrates a key vulnerability in medical VLMs which should be mitigated before widespread clinical adoption.

Factors Influencing Telemedicine Adoption Among Health Care Professionals: Qualitative Interview Study

BACKGROUND

Telemedicine is transforming health care by enabling remote diagnosis, consultation, and treatment. Despite rapid adoption during the COVID-19 pandemic, telemedicine uptake among health care professionals (HCPs) remains inconsistent due to perceived risks and lack of tailored policies. Existing studies focus on patient perspectives or general adoption factors, neglecting the complex interplay of contextual variables and trust constructs influencing HCPs' telemedicine adoption. This gap highlights the need for a framework integrating risks, benefits, and trust in telemedicine adoption, while addressing health care's unique dynamics.

OBJECTIVE

This study aimed to adapt and extend the extended valence framework (EVF) to telemedicine, deconstructing factors driving adoption from an HCP perspective. Specifically, it investigated the nuanced roles of perceived risks, benefits, and trust referents (eg, technology, treatment, technology provider, and patient) in shaping behavioral intentions, while integrating contextual factors.

METHODS

We used a qualitative research design involving semistructured interviews with 14 HCPs experienced in offering video consultations. The interview data were analyzed with deductive and inductive coding based on the EVF. Two coders conducted the coding process independently, achieving an intercoder reliability of 86.14%. The qualitative content analysis aimed to uncover the nuanced perspectives of HCPs, identifying key risk and benefit dimensions and trust referents relevant to telemedicine adoption.

RESULTS

The study reveals the complex considerations HCPs have when adopting telemedicine. Perceived risks were multidimensional, including performance risks such as treatment limitations (mentioned by 7/14, 50% of the participants) and reliance on technical proficiency of patients (5/14, 36%), privacy risks related to data security (10/14, 71%), and time and financial risks associated with training (7/14, 50%) and equipment costs (4/14, 29%). Perceived benefits encompassed convenience through reduced travel time (5/14, 36%), improved care quality due to higher accessibility (8/14, 57%), and operational efficiency (7/14, 50%). Trust referents played a pivotal role; trust in technology was linked to functionality (6/14, 43%) and reliability (5/14, 36%), while trust in treatment depended on effective collaboration (9/14, 64%). Transparency emerged as a critical antecedent of trust across different referents, comprising disclosure, clarity, and accuracy. In addition, the study highlighted the importance of context-specific variables such as symptom characteristics (10/14, 71%) and prior professional experience with telemedicine (11/14, 79%).

CONCLUSIONS

This study expands the EVF for telemedicine, providing a framework integrating multidimensional risks, benefits, trust, and contextual factors. It advances theory by decomposing trust referents and transparency into actionable subdimensions and emphasizing context-specific variables. Practically, the findings guide stakeholders: policy makers should prioritize transparent regulations and data security, health care organizations should provide training and support for HCPs, and technology developers must design telemedicine solutions aligning with trust and usability needs. This understanding equips health care to address barriers, optimize adoption, and leverage telemedicine's potential for sustainable clinical integration.

Legal implications for clinicians in cybersecurity incidents: A review

Cybersecurity incidents in healthcare present significant legal implications for clinicians, necessitating careful consideration of technological advancements and regulatory frameworks. This literature examines the healthcare cybersecurity landscape, emphasizing clinicians' challenges, and legal responsibilities. It explores the impact of advanced technologies such as artificial intelligence and quantum computing, highlighting the potential benefits and risks, including biases and ethical dilemmas. The review addresses international regulatory differences, offering a comparative analysis of how various countries handle cybersecurity incidents. This analysis provides insights into best practices and identifies areas for improvement. Practical recommendations are provided, tailored to different healthcare settings, including large hospitals and small clinics, to enhance cybersecurity preparedness. Case studies illustrate real-world scenarios, offering practical guidance for clinicians in managing cybersecurity challenges. The review also identifies critical gaps in the literature, particularly concerning artificial intelligence ethics and international regulatory frameworks, suggesting specific areas for future research. These findings underscore the need for robust cybersecurity policies, comprehensive training for healthcare professionals, and a nuanced understanding of the legal landscape. This review informs policymakers, clinicians, and researchers about the evolving nature of cybersecurity challenges in healthcare, addressing key concerns raised by reviewers and contributing to a comprehensive understanding of the field.

Cyber Hygiene Methodology for Raising Cybersecurity and Data Privacy Awareness in Health Care Organizations: Concept Study

BACKGROUND

Cyber threats are increasing across all business sectors, with health care being a prominent domain. In response to the ever-increasing threats, health care organizations (HOs) are enhancing the technical measures with the use of cybersecurity controls and other advanced solutions for further protection. Despite the need for technical controls, humans are evidently the weakest link in the cybersecurity posture of HOs. This suggests that addressing the human aspects of cybersecurity is a key step toward managing cyber-physical risks. In practice, HOs are required to apply general cybersecurity and data privacy guidelines that focus on human factors. However, there is limited literature on the methodologies and procedures that can assist in successfully mapping these guidelines to specific controls (interventions), including awareness activities and training programs, with a measurable impact on personnel. To this end, tools and structured methodologies for assisting higher management in selecting the minimum number of required controls that will be most effective on the health care workforce are highly desirable.

OBJECTIVE

This study aimed to introduce a cyber hygiene (CH) methodology that uses a unique survey-based risk assessment approach for raising the cybersecurity and data privacy awareness of different employee groups in HOs. The main objective was to identify the most effective strategy for managing cybersecurity and data privacy risks and recommend targeted human-centric controls that are tailored to organization-specific needs.

METHODS

The CH methodology relied on a cross-sectional, exploratory survey study followed by a proposed risk-based survey data analysis approach. First, survey data were collected from 4 different employee groups across 3 European HOs, covering 7 categories of cybersecurity and data privacy risks. Next, survey data were transcribed and fitted into a proposed risk-based approach matrix that translated risk levels to strategies for managing the risks.

RESULTS

A list of human-centric controls and implementation levels was created. These controls were associated with risk categories, mapped to risk strategies for managing the risks related to all employee groups. Our mapping empowered the computation and subsequent recommendation of subsets of human-centric controls to implement the identified strategy for managing the overall risk of the HOs. An indicative example demonstrated the application of the CH methodology in a simple scenario. Finally, by applying the CH methodology in the health care sector, we obtained results in the form of risk markings; identified strategies to manage the risks; and recommended controls for each of the 3 HOs, each employee group, and each risk category.

CONCLUSIONS

The proposed CH methodology improves the CH perception and behavior of personnel in the health care sector and provides risk strategies together with a list of recommended human-centric controls for managing a wide range of cybersecurity and data privacy risks related to health care employees.

The impact of lecture playback speeds on concentration and memory

BACKGROUND

The information required to be learned and retained by medical students has continued to increase over the years. The stress that medical students face has already been highlighted in several studies, however, this in combination with a post-pandemic educational system subsequently generated a shift in medical education towards asynchronous streaming of daily lectures as part of the curriculum with variable playback speed options.

METHODS

This paper aims to study the effectiveness of playback speeds, principally that of 1.5x and 2x playback speeds. One objective of this study is to analyze the existing literature regarding how playback speeds may impact learning, and to highlight the need for additional research. It has become apparent that there is not enough literature to support the role that playback speeds have in concentration and/or long-term memory retention in medical students. Due to this lack of information on the topic, this paper additionally highlights a study conducted on second year medical students at one university to assess the associations that may exist between lecture playback speeds of 1.5x and 2x and concentration and long-term retention of memory.

RESULTS

Based on the data collected, it was found that there was no significant difference in student concentration or long-term memory retention with regards to lecture playback speeds.

CONCLUSIONS

Although more studies are needed to better understand the topic, it is the current recommendation of the authorial team that students are free to watch medical school lectures at their preferred speed without worry of changes in learning ability.

State-of-the-art session key generation on priority-based adaptive neural machine (PANM) in telemedicine

Telemedicine is one of the safest methods to provide healthcare facilities to the remote patients with the help of digitization. In this paper, state-of-the-art session key has been proposed based on the priority oriented neural machines followed by its validation. State-of-the-art technique can be mentioned as newer scientific method. Soft computing has been extensively used and modified here under the ANN domain. Telemedicine facilitates secure data communication between the patients and the doctors regarding their treatments. The best fitted hidden neuron can contribute only in the formation of the neural output. Minimum correlation was taken into consideration under this study. Hebbian learning rule was applied on both the patient’s neural machine and the doctor’s neural machine. Lesser iterations were needed in the patient’s machine and the doctor’s machine for the synchronization. Thus, the key generation time has been shortened here which were 4.011 ms, 4.324 ms, 5.338 ms, 5.691 ms, and 6.105 ms for 56 bits, 128 bits, 256 bits, 512 bits, and 1024 bits of state-of-the-art session keys, respectively. Statistically, different key sizes of the state-of-the-art session keys were tested and accepted. Derived value-based function had yielded successful outcomes too. Partial validations with different mathematical hardness had been imposed here too. Thus, the proposed technique is suitable for the session key generation and authentication in the telemedicine in order to preserve the patients’ data privacy. This proposed method has been highly protective against numerous data attacks inside the public networks. Partial transmission of the state-of-the-art session key disables the intruders to decode the same bit patterns of the proposed set of keys.

The role of cue utilization in the detection of phishing emails

This study was designed to examine the roles of cue utilization, phishing features and time pressure in the detection of phishing emails. During two experiments, participants completed an email sorting task containing both phishing and genuine emails. Participants were allocated to either a high or low time pressure condition. Performance was assessed via detection sensitivity and response bias. Participants were classified with either higher or lower cue utilization and completed a measure of phishing knowledge. When participants were blind to the nature of the study (N = 191), participants with higher cue utilization were better able to discriminate phishing from genuine emails. However, they also recorded a stronger bias towards classifying emails as phishing, compared to participants with lower cue utilization. When notified of phishing base rates prior to the email sorting task (N = 191), participants with higher cue utilization were better able to discriminate phishing from genuine emails without recording an increase in rate of false alarms, compared to participants with lower cue utilization. Sensitivity increased with a reduction in time pressure, while response bias was influenced by the number of phishing-related features in each email. The outcomes support the proposition that cue-based processing of critical features is associated with an increase in the capacity of individuals to discriminate phishing from genuine emails, above and beyond phishing-related knowledge. From an applied perspective, these outcomes suggest that cue-based training may be beneficial for improving detection of phishing emails.

Information Security Behavior in Health Information Systems: A Review of Research Trends and Antecedent Factors

This study aims to review the literature on antecedent factors of information security related to the protection of health information systems (HISs) in the healthcare organization. We classify those factors into organizational and individual aspects. We followed the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) framework. Academic articles were sourced from five online databases (Scopus, PubMed, IEEE, ScienceDirect, and SAGE) using keywords related to information security, behavior, and healthcare facilities. The search yielded 35 studies, in which the three most frequent individual factors were self-efficacy, perceived severity, and attitudes, while the three most frequent organizational factors were management support, cues to action, and organizational culture. Individual factors for patients and medical students are still understudied, as are the organizational factors of academic healthcare facilities. More individual factors have been found to significantly influence security behavior. Previous studies have been dominated by the security compliance behavior of clinical and non-clinical hospital staff. These research gaps highlight the theoretical implications of this study. This study provides insight for managers of healthcare facilities and governments to consider individual factors in establishing information security policies and programs for improving security behavior.

SoK: Human-Centered Phishing Susceptibility

Phishing is recognized as a serious threat to organizations and individuals. While there have been significant technical advances in blocking phishing attacks, end users remain the last line of defence after phishing emails reach their email inboxes. Most of the existing literature on this subject has focused on the technical aspects related to phishing. The factors that cause humans to be susceptible to phishing attacks are still not well-understood. To fill this gap, we reviewed the available literature and systematically categorised the phishing susceptibility variables studied. We classify variables based on their temporal scope which led us to propose a three-stage Phishing Susceptibility Model (PSM) for explaining how humans are vulnerable to phishing attacks. This model reveals several research gaps that need to be addressed to understand and improve protection against phishing susceptibility. Our review also systematizes existing studies by their sample size and generalizability, and further suggests a practical impact assessment of the value of studying variables: some more easily lead to improvements than others. We believe that this paper can provide guidelines for future phishing susceptibility research to improve experiment design and the quality of findings.

The COVID-19 scamdemic: A survey of phishing attacks and their countermeasures during COVID-19

The COVID-19 pandemic coincided with an equally-threatening scamdemic: a global epidemic of scams and frauds. The unprecedented cybersecurity concerns emerged during the pandemic sparked a torrent of research to investigate cyber-attacks and to propose solutions and countermeasures. Within the scamdemic, phishing was by far the most frequent type of attack. This survey paper reviews, summarises, compares and critically discusses 54 scientific studies and many reports by governmental bodies, security firms and the grey literature that investigated phishing attacks during COVID-19, or that proposed countermeasures against them. Our analysis identifies the main characteristics of the attacks and the main scientific trends for defending against them, thus highlighting current scientific challenges and promising avenues for future research and experimentation.

Investigation into Phishing Risk Behaviour among Healthcare Staff

A phishing attack is one of the less complicated ways to circumvent sophisticated technical security measures. It is often used to exploit psychological (as as well as other) factors of human users to succeed in social engineering attacks including ransomware. Guided by the state-of-the-arts in a phishing simulation study in healthcare and after deeply assessing the ethical dilemmas, an SMSbased phishing simulation was conducted among healthcare workers in Ghana. The study adopted an in-the-wild study approach alongside quantitative and qualitative surveys. From the state-of-the art studies, the in-the-wild study approach was the most commonly used method as compared to laboratory-based experiments and statistical surveys because its findings are generally reliable and effective. The attack results also showed that 61% of the targeted healthcare staff were susceptible, and some of the healthcare staff were not victims of the attack because they prioritized patient care and were not susceptible to the simulated phishing attack. Through structural equation modelling, the workload was estimated to have a significant effect on self-efficacy risk (r = 0.5, p-value = 0.05) and work emergency predicted a perceived barrier in the reverse direction at a substantial level of r = −0.46, p-value = 0.00. Additionally, Pearson’s correlation showed that the perceived barrier was a predictor of self-reported security behaviour in phishing attacks among healthcare staff. As a result, various suggestions including an extra workload balancing layer of security controls in emergency departments and better security training were suggested to enhance staff’s conscious care behaviour.

Hospital cybersecurity risks and gaps: Review (for the non-cyber professional)

Background

Healthcare is facing a growing threat of cyberattacks. Myriad data sources illustrate the same trends that healthcare is one of the industries with the highest risk of cyber infiltration and is seeing a surge in security incidents within just a few years. The circumstances thus begged the question: are US hospitals prepared for the risks that accompany clinical medicine in cyberspace?

Objective

The study aimed to identify the major topics and concerns present in today's hospital cybersecurity field, intended for non-cyber professionals working in hospital settings.

Methods

Via structured literature searches of the National Institutes of Health's PubMed and Tel Aviv University's DaTa databases, 35 journal articles were identified to form the core of the study. Databases were chosen for accessibility and academic rigor. Eighty-seven additional sources were examined to supplement the findings.

Results

The review revealed a basic landscape of hospital cybersecurity, including primary reasons hospitals are frequent targets, top attack methods, and consequences hospitals face following attacks. Cyber technologies common in healthcare and their risks were examined, including medical devices, telemedicine software, and electronic data. By infiltrating any of these components of clinical care, attackers can access mounds of information and manipulate, steal, ransom, or otherwise compromise the records, or can use the access to catapult themselves to deeper parts of a hospital's network. Issues that can increase healthcare cyber risks, like interoperability and constant accessibility, were also identified. Finally, strategies that hospitals tend to employ to combat these risks, including technical, financial, and regulatory, were explored and found to be weak. There exist serious vulnerabilities within hospitals' technologies that many hospitals presently fail to address. The COVID-19 pandemic was used to further illustrate this issue.

Conclusions

Comparison of the risks, strategies, and gaps revealed that many US hospitals are unprepared for cyberattacks. Efforts are largely misdirected, with external-often governmental-efforts negligible. Policy changes, e.g., training employees in cyber protocols, adding advanced technical protections, and collaborating with several experts, are necessary. Overall, hospitals must recognize that, in cyber incidents, the real victims are the patients. They are at risk physically and digitally when medical devices or treatments are compromised.

A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures

Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel’s cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlying the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.

Phishing simulation exercise in a large hospital: A case study

Background

Phishing is a major threat to the data and infrastructure of healthcare organizations and many cyberattacks utilize this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. There are many factors influencing the difficulty of detecting a phishing email including fatigue and the nature of the deceptive message.

Method

A major Italian Hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approx. 4-month intervals, to compare staff reaction to a general phishing email and a customized one.

Results

The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization.

Conclusions

Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the Hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and lack of staff awareness. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message is dependent on the personalization of the message to current, local events. The lessons learned can be useful for other hospitals.

Sensors for Context-Aware Smart Healthcare: A Security Perspective

The advances in the miniaturisation of electronic devices and the deployment of cheaper and faster data networks have propelled environments augmented with contextual and real-time information, such as smart homes and smart cities. These context-aware environments have opened the door to numerous opportunities for providing added-value, accurate and personalised services to citizens. In particular, smart healthcare, regarded as the natural evolution of electronic health and mobile health, contributes to enhance medical services and people's welfare, while shortening waiting times and decreasing healthcare expenditure. However, the large number, variety and complexity of devices and systems involved in smart health systems involve a number of challenging considerations to be considered, particularly from security and privacy perspectives. To this aim, this article provides a thorough technical review on the deployment of secure smart health services, ranging from the very collection of sensors data (either related to the medical conditions of individuals or to their immediate context), the transmission of these data through wireless communication networks, to the final storage and analysis of such information in the appropriate health information systems. As a result, we provide practitioners with a comprehensive overview of the existing vulnerabilities and solutions in the technical side of smart healthcare.

Hospitals' Cybersecurity Culture during the COVID-19 Crisis

The coronavirus pandemic led to an unprecedented crisis affecting all aspects of the concurrent reality. Its consequences vary from political and societal to technical and economic. These side effects provided fertile ground for a noticeable cyber-crime increase targeting critical infrastructures and, more specifically, the health sector; the domain suffering the most during the pandemic. This paper aims to assess the cybersecurity culture readiness of hospitals' workforce during the COVID-19 crisis. Towards that end, a cybersecurity awareness webinar was held in December 2020 targeting Greek Healthcare Institutions. Concepts of cybersecurity policies, standards, best practices, and solutions were addressed. Its effectiveness was evaluated via a two-step procedure. Firstly, an anonymous questionnaire was distributed at the end of the webinar and voluntarily answered by attendees to assess the comprehension level of the presented cybersecurity aspects. Secondly, a post-evaluation phishing campaign was conducted approximately four months after the webinar, addressing non-medical employees. The main goal was to identify security awareness weaknesses and assist in drafting targeted assessment campaigns specifically tailored to the health domain needs. This paper analyses in detail the results of the aforementioned approaches while also outlining the lessons learned along with the future scientific routes deriving from this research.

Information Security Awareness and Behaviors of Health Care Professionals at Public Health Care Facilities

OBJECTIVES

This study investigated information security behaviors of professionals working in the public health sector to guide policymakers toward focusing their investments in infrastructure and training on the most vulnerable segments. We sought to answer the following questions: (1) Are certain professional demographics more vulnerable to cybersecurity threats? (2) Do professionals in different institution types (i.e., hospitals vs. primary care clinics) exhibit different cybersecurity behaviors? (3) Can Internet usage behaviors by professionals be indicative of their cybersecurity awareness and the risk they introduce?

METHODS

A cross-sectional, anonymous, paper-based survey was distributed among professionals working in public health care organizations in Kuwait. Data were collected about each professional's role, experience, work environment, cybersecurity practices, and understanding to calculate a cybersecurity score which indicates their level of compliance to good cybersecurity practices. We also asked about respondents' internet usage and used K-means cluster analysis to segment respondents into three groups based on their internet activities at work. Ordinary least squares regression assessed the association between the collected independent variables in question on the overall cybersecurity behavior.

RESULTS

A total of 453/700 (64%) were responded to the survey. The results indicated that professionals with more work experience demonstrated higher compliance with good cybersecurity practices. Interestingly, nurses demonstrate higher cybersecurity aptitude relative to physicians. Professionals that were less inclined to use the internet for personal use during their work demonstrated higher cybersecurity aptitude.

CONCLUSION

Our findings provide some guidance regarding how to target health care professional training to mitigate cybersecurity risks. There is a need for ensuring that physicians receive adequate cybersecurity training, despite the opportunity costs and other issues competing for their attention. Additionally, classifying professionals based on their internet browsing patterns may identify individuals vulnerable to cybersecurity incidents better than more discrete indicators such as age or gender.

Alternatives to Google Suite Applications

Librarians adopted and utilized web-based Google suite applications as a method of collaborating with each other on projects, research, and professional association membership duties. However, as cybercriminals have begun to exploit these tools to infect healthcare networks with ransomware, many hospital IT departments have blocked access to Google applications. This paper provides a background on security risks to healthcare institutions and possible alternatives to Google applications hospital librarians can use to continue collaborating.

Influence of Human Factors on Cyber Security within Healthcare Organisations: A Systematic Review

Background: Cybersecurity is increasingly becoming a prominent concern among healthcare providers in adopting digital technologies for improving the quality of care delivered to patients. The recent reports on cyber attacks, such as ransomware and WannaCry, have brought to life the destructive nature of such attacks upon healthcare. In complement to cyberattacks, which have been targeted against the vulnerabilities of information technology (IT) infrastructures, a new form of cyber attack aims to exploit human vulnerabilities; such attacks are categorised as social engineering attacks. Following an increase in the frequency and ingenuity of attacks launched against hospitals and clinical environments with the intention of causing service disruption, there is a strong need to study the level of awareness programmes and training activities offered to the staff by healthcare organisations. Objective: The objective of this systematic review is to identify commonly encountered factors that cybersecurity postures of a healthcare organisation, resulting from the ignorance of cyber threat to healthcare. The systematic review aims to consolidate the current literature being reported upon human behaviour resulting in security gaps that mitigate the cyber defence strategy adopted by healthcare organisations. Additionally, the paper also reviews the organisational risk assessment methodology implemented and the policies being adopted to strengthen cybersecurity. Methods: The topic of cybersecurity within healthcare and the clinical environment has attracted the interest of several researchers, resulting in a broad range of literature. The inclusion criteria for the articles in the review stem from the scope of the five research questions identified. To this end, we conducted seven search queries across three repositories, namely (i) PubMed^®/MED-LINE; (ii) Cumulative Index to Nursing and Allied Health Literature (CINAHL); and (iii) Web of Science (WoS), using key words related to cybersecurity awareness, training, organisation risk assessment methodologies, policies and recommendations adopted as counter measures within health care. These were restricted to around the last 12 years. Results: A total of 70 articles were selected to be included in the review, which addresses the complexity of cybersecurity measures adopted within the healthcare and clinical environments. The articles included in the review highlight the evolving nature of cybersecurity threats stemming from exploiting IT infrastructures to more advanced attacks launched with the intent of exploiting human vulnerability. A steady increase in the literature on the threat of phishing attacks evidences the growing threat of social engineering attacks. As a countermeasure, through the review, we identified articles that provide methodologies resulting from case studies to promote cybersecurity awareness among stakeholders. The articles included highlight the need to adopt cyber hygiene practices among healthcare professionals while accessing social media platforms, which forms an ideal test bed for the attackers to gain insight into the life of healthcare professionals. Additionally, the review also includes articles that present strategies adopted by healthcare organisations in countering the impact of social engineering attacks. The evaluation of the cybersecurity risk assessment of an organisation is another key area of study reported in the literature that recommends the organisation of European and international standards in countering social engineering attacks. Lastly, the review includes articles reporting on national case studies with an overview of the economic and societal impact of service disruptions encountered due to cyberattacks. Discussion: One of the limitations of the review is the subjective ranking of the authors associated to the relevance of literature to each of the research questions identified. We also acknowledge the limited amount of literature that focuses on human factors of cybersecurity in health care in general; therefore, the search queries were formulated using well-established cybersecurity related topics categorised according to the threats, risk assessment and organisational strategies reported in the literature.

Health Care Cybersecurity Challenges and Solutions Under the Climate of COVID-19: Scoping Review

BACKGROUND

COVID-19 has challenged the resilience of the health care information system, which has affected our ability to achieve the global goal of health and well-being. The pandemic has resulted in a number of recent cyberattacks on hospitals, pharmaceutical companies, the US Department of Health and Human Services, the World Health Organization and its partners, and others.

OBJECTIVE

The aim of this review was to identify key cybersecurity challenges, solutions adapted by the health sector, and areas of improvement needed to counteract the recent increases in cyberattacks (eg, phishing campaigns and ransomware attacks), which have been used by attackers to exploit vulnerabilities in technology and people introduced through changes to working practices in response to the COVID-19 pandemic.

METHODS

A scoping review was conducted by searching two major scientific databases (PubMed and Scopus) using the search formula "(covid OR healthcare) AND cybersecurity." Reports, news articles, and industry white papers were also included if they were related directly to previously published works, or if they were the only available sources at the time of writing. Only articles in English published in the last decade were included (ie, 2011-2020) in order to focus on current issues, challenges, and solutions.

RESULTS

We identified 9 main challenges in cybersecurity, 11 key solutions that health care organizations adapted to address these challenges, and 4 key areas that need to be strengthened in terms of cybersecurity capacity in the health sector. We also found that the most prominent and significant methods of cyberattacks that occurred during the pandemic were related to phishing, ransomware, distributed denial-of-service attacks, and malware.

CONCLUSIONS

This scoping review identified the most impactful methods of cyberattacks that targeted the health sector during the COVID-19 pandemic, as well as the challenges in cybersecurity, solutions, and areas in need of improvement. We provided useful insights to the health sector on cybersecurity issues during the COVID-19 pandemic as well as other epidemics or pandemics that may materialize in the future.

Human Cognition Through the Lens of Social Engineering Cyberattacks

Social engineering cyberattacks are a major threat because they often prelude sophisticated and devastating cyberattacks. Social engineering cyberattacks are a kind of psychological attack that exploits weaknesses in human cognitive functions. Adequate defense against social engineering cyberattacks requires a deeper understanding of what aspects of human cognition are exploited by these cyberattacks, why humans are susceptible to these cyberattacks, and how we can minimize or at least mitigate their damage. These questions have received some amount of attention, but the state-of-the-art understanding is superficial and scattered in the literature. In this paper, we review human cognition through the lens of social engineering cyberattacks. Then, we propose an extended framework of human cognitive functions to accommodate social engineering cyberattacks. We cast existing studies on various aspects of social engineering cyberattacks into the extended framework, while drawing a number of insights that represent the current understanding and shed light on future research directions. The extended framework might inspire future research endeavor toward a new sub-field that can be called Cybersecurity Cognitive Psychology, which tailors or adapts principles of Cognitive Psychology to the cybersecurity domain while embracing new notions and concepts that are unique to the cybersecurity domain.

Cybersecurity Risks in a Pandemic

Cybersecurity threats are estimated to cost the world US $6 trillion a year by 2021, and the number of attacks has increased five-fold after COVID-19. Although there is substantial literature on the threats technological vulnerabilities have on the health care industry, less research exists on how pandemics like COVID-19 are opportunistic for cybercriminals. This paper outlines why cyberattacks have been particularly problematic during COVID-19 and ways that health care industries can better protect patient data. The Office for Civil Rights has loosened enforcement of the Health Insurance Portability and Accountability Act, which, although useful in using new platforms like Zoom, has also loosened physical and technical safeguards to cyberattacks. This is especially problematic given that 90% of health care providers had already encountered data breaches. Companies must implement well-defined software upgrade procedures, should use secure networks like virtual local area networks, and conduct regular penetration tests of their systems. By understanding factors that make individuals, health care organizations, and employers more susceptible to cyberattacks, we can better prepare for the next pandemic.

The Role of Health Concerns in Phishing Susceptibility: Survey Design Study

Background

Phishing is a cybercrime in which the attackers usually impersonate a trusted source. The attackers usually send an email that contains a link that allows them to steal the receiver’s personal information. In the United States, phishing is the number one cybercrime by victim count according to the Federal Bureau of Investigation’s 2019 internet crime report. Several studies investigated ways to increase awareness and improve employees’ resistance to phishing attacks. However, in 2019, successful phishing attacks continued to rise at a high rate

Objective

The objective of this study was to investigate the influence of personality-based antecedents on phishing susceptibility in a health care context.

Methods

Survey data were collected from participants through Amazon Mechanical Turk to test a proposed conceptual model using structural equation modeling.

Results

A total of 200 participants took part. Health concerns, disposition to trust, and risk-taking propensity yielded higher phishing susceptibility. This highlights the important of personality-based factors in phishing attacks. In addition, females had a higher phishing susceptibility than male participants

Conclusions

While previous studies used health concerns as a motivator for contexts such as sharing personal health records with providers, this study shed light on the danger of higher health concerns in enabling the number one cybercrime.