Jalali Mohammad S, Kaiser Jessica P
MIT Sloan School of Management, Massachusetts Institute of Technology, Cambridge, MA, United States.
J Med Internet Res. 2018 May 28;20(5):e10059. doi: 10.2196/10059.
Cybersecurity incidents are a growing threat to the health care industry in general and hospitals in particular. The health care industry has lagged behind other industries in protecting its main stakeholder (ie, patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures.
The purpose of this study was to develop a systematic and organizational perspective for studying (1) the dynamics of cybersecurity capability development at hospitals and (2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the United States.
We conducted interviews with hospital chief information officers, chief information security officers, and health care cybersecurity experts; analyzed the interview data; and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then used simulation analysis to examine how changes to variables within the model affect the likelihood of cyberattacks across both individual hospitals and a system of hospitals.
We discuss several key mechanisms that hospitals use to reduce the likelihood of cybercriminal activity. The variable that most influences the risk of cyberattack in a hospital is end point complexity, followed by internal stakeholder alignment. Although resource availability is important in fueling efforts to close cybersecurity capability gaps, low levels of resources could be compensated for by setting a high target level of cybersecurity.
To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment. These strategies can solve cybersecurity problems more effectively than blindly pursuing more resources. On a macro level, the cyber vulnerability of a country's hospital infrastructure is affected by the vulnerabilities of all individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable: a few hospitals with low resources for cybersecurity threaten the entire infrastructure of health care. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals. Moreover, although compliance is essential, it does not equal security. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies. As of today, policies mostly address data privacy, not data security. Thus, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce the variability in resource availability across the entire health care system.
Cybersecurity incidents are an increasingly serious threat to the health care industry as a whole and to hospitals in particular. In protecting its main stakeholders (ie, patients), the health care industry has lagged behind other industries, and hospitals must now invest considerable capital and effort in protecting their systems. However, this is easier said than done, because hospitals are technology-saturated, extraordinarily complex organizations with high end point complexity, internal political factors, and regulatory pressures.
The purpose of this study was to examine, from a systems and organizational perspective, (1) the dynamic process of cybersecurity capability development at hospitals and (2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the United States.
We interviewed hospital chief information officers, chief information security officers, and health care cybersecurity experts; analyzed the interview data; and developed a system dynamics model to reveal the mechanisms by which hospitals build cybersecurity capabilities. We then used simulation analysis to study how changes to variables in the model affect the likelihood of cyberattacks on individual hospitals and on a system of hospitals.
We discuss several key mechanisms that hospitals use to reduce the likelihood of cybercriminal activity. The variable with the greatest influence on a hospital's risk of cyberattack is end point complexity, followed by internal stakeholder alignment. Although resource availability is important to efforts to close cybersecurity capability gaps, low levels of resources can be compensated for by setting a high target level of cybersecurity.
To enhance hospitals' cybersecurity capabilities, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment. Compared with blindly pursuing more resources, these strategies solve cybersecurity problems more effectively. At the macro level, the cyber vulnerability of a country's hospital infrastructure is affected by the vulnerabilities of all individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable: a few hospitals with scarce cybersecurity resources threaten the entire health care infrastructure. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals. Moreover, although compliance is essential, compliance is not the same as security. The target level of cybersecurity that hospitals set should be higher than what current regulations and policies require. To date, policies have mostly focused on data privacy rather than data security. Therefore, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce variation in resource availability across the entire health care system.