Cybersecurity incidents have become an increasingly persistent threat to hospitals. Healthcare organizations have failed to prevent some of these incidents due to internal politics and regulations. In this study, researchers from the Massachusetts Institute of Technology, in Cambridge, Massachusetts, outlined a systematic and organizational perspective on evaluating the cybersecurity capabilities of hospitals. 

“This study helps healthcare leaders reduce hospital vulnerabilities by detailing the outcomes resulting from strategic decisions of cybersecurity development,” wrote first author Mohammad Jalali, MSc, PhD, and colleagues. “It also aids cybersecurity professionals in understanding the complexities of cybersecurity capability development in hospitals.”

Researchers conducted 19 interviews with chief information officers, chief information security officers and healthcare cybersecurity experts to develop a model to identify how hospitals could use improve their cybersecurity capabilities. A simulation analysis was then done to identify variables that affected the likelihood of cyberattacks.

Results showed variables such as end-point complexity and internal stakeholder alignment were significant risks. Additionally, researchers noted that low resource availability could be compensated by setting a high target level of cybersecurity when hospitals are attempting to close cybersecurity capability gaps.

To reduce end-point complexity, researchers suggested:

• Moving to cloud-hosted services when resource availability was a constraint
• Using technology to detect unauthorized devices on networks
• Maintaining firewalled networks for patients, staff, and medical devices
• Stricter policies on technology procurement

To improve internal stakeholder alignment, researchers suggested:

• Low internal stakeholder alignment decreases the effectiveness of capability development and increases the erosion of capabilities.
• Soft variables such as stakeholder alignments are often forgotten in cybersecurity management.

“To enhance cybersecurity capabilities at hospitals, the main focus of chief information officers and chief information security officers should be on reducing end point complexity and improving internal stakeholder alignment,” concluded Jalali and colleagues. “These strategies can solve cybersecurity problems more effectively than blindly pursuing more resources. Moreover, although compliance is essential, it does not equal security. Hospitals should set their target level of cybersecurity beyond the requirements of current regulations and policies.

“As of today, policies mostly address data privacy, not data security. Thus, policy makers need to introduce policies that not only raise the target level of cybersecurity capabilities but also reduce the variability in resource availability across the entire healthcare system.”