Cybersecurity in Hospitals: A Systematic, Organizational Perspective

Background Cybersecurity incidents are a growing threat to the health care industry in general and to hospitals in particular. The health care industry has lagged behind other industries in protecting its main stakeholder (ie, patients), and hospitals must now invest considerable capital and effort in protecting their systems. This is easier said than done, because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures.

Objective The purpose of this study was to develop a systematic and organizational perspective for studying (1) the dynamics of cybersecurity capability development at hospitals and (2) how these internal organizational dynamics interact to form a system of hospital cybersecurity in the United States.

Methods We conducted interviews with hospital chief information officers, chief information security officers, and health care cybersecurity experts; analyzed the interview data; and developed a system dynamics model that unravels the mechanisms by which hospitals build cybersecurity capabilities. We then used simulation analysis to examine how changes to variables within the model affect the likelihood of cyberattacks, both at individual hospitals and across a system of hospitals.

Results We discuss several key mechanisms that hospitals use to reduce the likelihood of cyber-criminal activity. The variable that most influences the risk of cyberattack at a hospital is end point complexity, followed by internal stakeholder alignment. Although resource availability is important in fueling efforts to close cybersecurity capability gaps, low levels of resources can be compensated for by setting a high target level of cybersecurity.
Conclusions To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment. These strategies can solve cybersecurity problems more effectively than blindly pursuing more resources. On a macro level, the cyber vulnerability of a country’s hospital infrastructure is affected by the vulnerabilities of all individual hospitals. In this large system, reducing variation in resource availability makes the whole system less vulnerable—a few hospitals with low resources for cybersecurity threaten the entire infrastructure of health care. In other words, hospitals need to move forward together to make the industry less attractive to cybercriminals. Moreover, although compliance is essential, it does not equal security. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies. As of today, policies mostly address data privacy, not data security. Thus, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce the variability in resource availability across the entire health care system.


Interview Data Summary
Effects of Heterogeneity in Resource Availability on Cyber-criminal Activities
As discussed in the article, the cyber vulnerability of a country's hospital infrastructure is the result of many hospitals, each of which may have dramatically different cyber capabilities. The U.S. hospital system is market-based and thus very decentralized and heterogeneous with regard to its cyber capabilities. By layering our model for a single hospital into a larger model with 1,000 hospitals, we can better understand the cyber resiliency of the entire ecosystem. In Figure S1, we drew the resource availability for these hospitals from a random uniform distribution U(0,1). This represents a very heterogeneous health care system like that of the U.S. In Figure S2, however, we drew the resource availability for 1,000 hospitals from a random normal distribution N(0.5, 0.05), which has low variability and represents a homogeneous hospital system more like the UK's NHS. It could also be considered to represent a smaller hospital system that has outsourced its cybersecurity to a larger entity. Both distributions have the same mean resource availability (0.5).

Figure S1. Sensitivity of successful cyber-criminals' activity to resource availability in a heterogeneous setting.
Figure S2. Sensitivity of successful cyber-criminals' activity to resource availability in a homogeneous setting.

Unsurprisingly, cyber-criminal activities in the heterogeneous setting have a wider variance. Note, however, the scale of successful cyber-criminal activities: in the homogeneous setting, not only is there less variance, but even the hospitals with the highest likelihood of cyber-criminal activities have lower chances than many of the hospitals in the heterogeneous setting.
This analysis lends support to smaller hospitals' decisions to outsource cybersecurity. By making their resource availability more uniform through outsourcing, they reduce the variability across hospitals in the U.S., thus decreasing the likelihood of successful cyber-criminal activities across the system.

Effects of Heterogeneity in End point Complexity on Cyber-criminal Activities
Heterogeneity in end point complexity does not influence successful cyber-criminal activities in the same way as heterogeneity in resource availability (discussed above). In a heterogeneous setting (where end point complexity is drawn from a random uniform distribution U(0,1)), there is wider variability in successful cyber-criminal activities, just as there is with heterogeneity in resource availability. However, only a moderate percentage of hospitals have a likelihood of successful cyber-criminal activities below 0.1. See Figure S3.

Figure S3. Sensitivity of successful cyber-criminals' activity to end point complexity in a heterogeneous setting.

In a homogeneous setting with high end point complexity (drawn from a random normal distribution N(0.75, 0.05)), variability decreases, but the mean likelihood of successful cyber-criminal activities increases. See Figure S4. A bigger effect on the likelihood of successful cyber-criminal activities comes from decreasing the mean of end point complexity from "high" (0.75) to "moderate" (0.5). See Figure S5. This suggests that efforts by individual hospitals to reduce end point complexity help reduce cyber vulnerabilities.

Figure S4. Sensitivity of successful cyber-criminals' activity to end point complexity in a homogeneous "high" setting.
Figure S5. Sensitivity of successful cyber-criminals' activity to end point complexity in a homogeneous "moderate" setting.

While we argue that wide variation in end point complexity across hospitals can increase the likelihood of attack, we do not intend to recommend reducing that variation, as a homogeneous system might be easier for cybercriminals to target: one exploitable weakness would apply to many hospitals at once. Future research should study the tradeoffs in the heterogeneity of end point complexity in more depth.
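The following Monte Carlo sketch is an added example, not code from the paper, which does not publish its system dynamics model. It reproduces only the sampling setup behind Figures S1 to S5 (1,000 hospitals, one input variable drawn from U(0,1) or from N(mean, 0.05)) and summarizes the tails of each draw, because the argument in both sections above is about tails: two distributions with the same mean can put very different numbers of hospitals at the under-resourced or highly complex extremes. The thresholds LOW and HIGH, the random seeds, and the choice of summary statistics are assumptions made for illustration.

```python
"""Monte Carlo sketch of the heterogeneity comparison in Figures S1-S5.

Added example, not the paper's system dynamics model. Only the per-hospital
input variable is sampled; the mapping from that variable to successful
cyber-criminal activity is deliberately not modelled here.
"""
import random
import statistics

N_HOSPITALS = 1000
LOW = 0.1    # assumed: "badly under-resourced" if resource availability < LOW
HIGH = 0.7   # assumed: "highly complex" if end point complexity > HIGH


def sample_hospitals(kind, mean=0.5, sd=0.05, n=N_HOSPITALS, seed=7):
    """Draw one input variable for n hospitals.

    kind="uniform": heterogeneous system, U(0,1), as in Figures S1 and S3.
    kind="normal":  homogeneous system, N(mean, sd) clipped to [0,1], as in
                    Figures S2 (mean 0.5), S4 (mean 0.75) and S5 (mean 0.5).
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    if kind == "uniform":
        return [rng.uniform(0.0, 1.0) for _ in range(n)]
    if kind == "normal":
        return [min(1.0, max(0.0, rng.gauss(mean, sd))) for _ in range(n)]
    raise ValueError(f"unknown distribution kind: {kind}")


def summarize(draws, low=LOW, high=HIGH):
    """Tail-oriented summary of one simulated hospital population."""
    s = sorted(draws)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "min": s[0],
        "max": s[-1],
        "p05": s[int(0.05 * n)],
        "p95": s[int(0.95 * n)],
        # share of hospitals in the weak tail (resources) or the complex tail
        "frac_below_low": sum(1 for x in s if x < low) / n,
        "frac_above_high": sum(1 for x in s if x > high) / n,
    }


def scenario_table():
    """The five settings the supplement plots, keyed by figure."""
    return {
        "S1 resources, heterogeneous U(0,1)": summarize(sample_hospitals("uniform")),
        "S2 resources, homogeneous N(0.5,0.05)": summarize(sample_hospitals("normal", 0.5)),
        "S3 complexity, heterogeneous U(0,1)": summarize(sample_hospitals("uniform", seed=11)),
        "S4 complexity, homogeneous high N(0.75,0.05)": summarize(sample_hospitals("normal", 0.75)),
        "S5 complexity, homogeneous moderate N(0.5,0.05)": summarize(sample_hospitals("normal", 0.5)),
    }


if __name__ == "__main__":
    for name, st in scenario_table().items():
        print(f"{name:48s} mean={st['mean']:.3f} min={st['min']:.3f} "
              f"max={st['max']:.3f} below{LOW}={st['frac_below_low']:.3f} "
              f"above{HIGH}={st['frac_above_high']:.3f}")
```

Running it shows the distributional fact the two sections rely on: under U(0,1) roughly one hospital in ten falls below a resource availability of 0.1, while under N(0.5, 0.05) none do, even though both populations have a mean of about 0.5; likewise, under N(0.75, 0.05) about 84 percent of hospitals exceed an end point complexity of 0.7, compared with almost none under N(0.5, 0.05). Whether those tail hospitals translate into successful attacks is what the paper's model adds and this sketch does not.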

Limitations and Suggestions for Future Research
We should note that the purpose of this research is to build theory, not to predict. In the absence of detailed quantitative data on cybersecurity in hospitals, one should be cautious about seeking specific operational advice from our model. A further limitation of this study is that it does not take into account the cost of closing cybersecurity gaps. Implicitly, if CISOs had unlimited resources, the cost of market solutions would not be a factor. In our interviews, rather than focusing on the cost of solutions, interviewees merely reflected on whether they felt they had the budget to buy them. In the practice of cybersecurity capability development, cost is a more important factor. Our intention in developing this model, however, was to analyze the dynamics and "what if" scenarios rather than "how to" scenarios. Future research might incorporate cost into this model so that information security managers could explore "how" scenarios, eg, how to effectively control end point complexity without hurting innovation. Future studies could also add more external stakeholders to the model, especially those providing IT services. Additionally, the model could be improved by quantifying all variables more rigorously.