KIOS Research and Innovation Center of Excellence, University of Cyprus, Nicosia, Cyprus.
Health Informatics Centre, Department of Learning, Informatics, Management and Ethics, Karolinska Institutet, Stockholm, Sweden.
J Med Internet Res. 2023 Jul 27;25:e41294. doi: 10.2196/41294.
Cyber threats are increasing across all business sectors, with health care being a prominent domain. In response to the ever-increasing threats, health care organizations (HOs) are enhancing the technical measures with the use of cybersecurity controls and other advanced solutions for further protection. Despite the need for technical controls, humans are evidently the weakest link in the cybersecurity posture of HOs. This suggests that addressing the human aspects of cybersecurity is a key step toward managing cyber-physical risks. In practice, HOs are required to apply general cybersecurity and data privacy guidelines that focus on human factors. However, there is limited literature on the methodologies and procedures that can assist in successfully mapping these guidelines to specific controls (interventions), including awareness activities and training programs, with a measurable impact on personnel. To this end, tools and structured methodologies for assisting higher management in selecting the minimum number of required controls that will be most effective on the health care workforce are highly desirable.
This study aimed to introduce a cyber hygiene (CH) methodology that uses a unique survey-based risk assessment approach for raising the cybersecurity and data privacy awareness of different employee groups in HOs. The main objective was to identify the most effective strategy for managing cybersecurity and data privacy risks and recommend targeted human-centric controls that are tailored to organization-specific needs.
The CH methodology relied on a cross-sectional, exploratory survey study followed by a proposed risk-based survey data analysis approach. First, survey data were collected from 4 different employee groups across 3 European HOs, covering 7 categories of cybersecurity and data privacy risks. Next, survey data were transcribed and fitted into a proposed risk-based approach matrix that translated risk levels to strategies for managing the risks.
A list of human-centric controls and implementation levels was created. These controls were associated with risk categories and mapped to the risk strategies for managing the risks related to all employee groups. This mapping enabled the computation, and subsequent recommendation, of subsets of human-centric controls that implement the identified strategy for managing the overall risk of the HOs. An indicative example demonstrated the application of the CH methodology in a simple scenario. Finally, by applying the CH methodology in the health care sector, we obtained results in the form of risk markings; identified strategies to manage the risks; and recommended controls for each of the 3 HOs, each employee group, and each risk category.
The proposed CH methodology improves the CH perception and behavior of personnel in the health care sector and provides risk strategies together with a list of recommended human-centric controls for managing a wide range of cybersecurity and data privacy risks related to health care employees.