A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures
Abstract
:1. Introduction
- The Brno University Hospital in the Czech Republic which, on 12 March 2020, was forced to shut down its entire IT network, impacting two of the hospital’s other branches, the Children’s Hospital and the Maternity Hospital [12].
- A fatality in a German hospital linked to a cyberattack [13].
2. Methods and Materials
- Employees occupied in the ICT departments (ICT questionnaire);
- Non-ICT healthcare employees (non-ICT questionnaire) i.e., doctors, nurses, auxiliary, laboratory, and administrative personnel.
3. Results
3.1. Employed ICT Cybersecurity Procedures and Methods
3.2. Training on Cybersecurity and Data Protection
3.3. Cybersecurity Awareness Level
4. Discussion
5. Considerations and Limitations
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Acknowledgments
Conflicts of Interest
Appendix A
ICT Personnel Questionnaire
- General Characteristics
- Demographics
- Age:
- 20–39 ☐
- 40–60 ☐
- 60+ ☐
- Gender:
- Male ☐
- Female ☐
- Education:
- Secondary Education ☐
- Vocational training Institution ☐
- Bachelor’s Degree ☐
- MSc ☐
- PhD ☐
- Position:
- ICT director ☐
- ICT manager ☐
- ICT staff ☐
- Years of experience
- 0–5 ☐
- 6–10 ☐
- more than 10 ☐
- Healthcare Organization:
- Hospital ☐
- Clinic ☐
- Health Authority ☐
- National ☐
- Regional ☐
- Local ☐
- Employees <100 ☐
- Employees 100–300 ☐
- Employees 301–600 ☐
- Employees 601–1000 ☐
- Employees >1000 ☐
- Population <100 k ☐
- Population 100 k–300 k ☐
- Population >300 k ☐
- Specific ICT
- Proportion of ICT employees in total employment (%)
- 0–1% ☐
- 1.1–2% ☐
- 2.1–3% ☐
- 3.1–4% ☐
- 4.1–5% ☐
- 5.1–6% ☐
- 6.1–7% ☐
- Existence of a Cybersecurity Department
- Yes ☐
- No ☐
- Official Trainings had in ICT cybersecurity during the last 3 years (number)
- 0 ☐
- 1 ☐
- 2 ☐
- 3 ☐
- 4 ☐
- Do you perform internal cybersecurity awareness trainings (e.g., phishing) in order to teach employees what to check in the received emails?
- Yes ☐
- No ☐
- Average yearly organization’s budget allocated to ICT during the last 3 years (in Euros)
- 0–100 K ☐
- 101–200 K ☐
- 201–300 K ☐
- 301–400 K ☐
- 401–500 K ☐
- Do not know ☐
- Percentage of current ICT budget allocated to cybersecurity (e.g., antivirus purchasing or license renewal, firewall purchase or firewall license renewals, etc.) during the last 3 years (%)
- 0–5% ☐
- 6–10% ☐
- 11–15% ☐
- 16–20% ☐
- 21–25% ☐
- 26–30% ☐
- Do not know ☐
- Network Communication with External Partners and Collaborators
- Usage of secure method or other methods for third party accesses
- VPN ☐
- TeamViewer ☐
- AnyDesk ☐
- Remote Desktop ☐
- Other secure method ☐
- Other unsecure method ☐
- Communication ports opened and monitored during daily operations (constantly or on demand)
- Port TCP 22 (SSH) ☐
- Port TCP 23 (Telnet) ☐
- Port TCP 3389 (RDP) ☐
- Port TCP 20 (FTP data) ☐
- Port TCP 21 (FTP control) ☐
- other ☐
- Do existing SLAs include terms that ensure cybersecurity policies are applied by the external partner for preventing data breaches when connected remotely to hospital’s information systems?
- Yes ☐
- No ☐
- Do not know ☐
- Cybersecurity Methods & Practices
- Does your organization have an official cybersecurity plan?
- Yes ☐
- No ☐
- Do not know ☐
- If the previous answer is yes, which of the following plans?
- Risk Assessment ☐
- Incident Respond Plan ☐
- Mitigation plan ☐
- Report plan ☐
- Have any cybersecurity tests been performed in your organization during the last 2 years?
- Yes ☐
- No ☐
- If the previous answer is yes, which of the following tests?
- Scanning ☐
- Penetration ☐
- Weak password identification ☐
- Phishing ☐
- Virus/malware checking ☐
- Verification of latest updates/outdates ☐
- Other ☐
- Are you familiar with the Directive (EU) 2016/1148 NIS Directive and GDPR regulation?
- Yes ☐
- No ☐
- Partially ☐
- Is a DDoS attack considered a criminal action according to your national legislation?
- Yes ☐
- No ☐
- Do not know ☐
- Does your working practice have policies and procedures for the assignment of a unique identifier for each authorized user according to its role?
- Yes ☐
- No ☐
- Do not know ☐
- Does your working practice have back up information systems so that it can access HIS in the event of an emergency or when your practice’s primary systems become unavailable i.e., in the event of a disaster?
- Yes ☐
- No ☐
- Do SSL certificates exist for web-based hospital information systems?
- Yes ☐
- No ☐
- Partially ☐
- Which of the following tools do you use daily for information security?
- Antivirus/malware ☐
- Firewall(s) ☐
- Data encryption (data in transit) ☐
- Data encryption (data at rest) ☐
- Patch & vulnerability management ☐
- Intrusion detection systems (IDS) ☐
- Network monitoring tools ☐
- Mobile device management ☐
- User access controls ☐
- Intrusion prevention system ☐
- Access control lists ☐
- Single sign on ☐
- Web security gateway ☐
- Multi-factor authentication ☐
- Data loss prevention (DLP application) ☐
- Messaging security gateway ☐
- Audit logs of each access to pt. health and financial records ☐
- My duties do not include cyber-security activities ☐
- Cybersecurity Performance Indicators
- Percentage of legacy (unsupported) or known vulnerable systems in place (e.g., end of life operating systems in medical devices) in total equipment (%)
- 0–10% ☐
- 11–20% ☐
- 21–30% ☐
- 31–40% ☐
- 41–50% ☐
- 51–60% ☐
- More than 60% ☐
- Do not know ☐
- Number of cyber security incidents during the last 3 years (e.g., phishing attacks, virus infections, etc.)?
- 0–5 ☐
- 6–10 ☐
- 11–15 ☐
- 16–20 ☐
- 21–25 ☐
- 26–30 ☐
- No records kept ☐
- Number of unauthorized login attempts in HIS, Active Directory, RIS/PACS per month?
- 0–5 ☐
- 6–10 ☐
- 11–15 ☐
- 16–20 ☐
- 21–25 ☐
- 26–30 ☐
- No records kept ☐
- No records kept but it is monitored regularly ☐
- Mean time to resolve an incident?
- 0–6 h ☐
- 7–12 h ☐
- 13–24 h ☐
- 25–48 h ☐
- 3–7 days ☐
- More than a week ☐
- No records kept ☐
- Mean downtime during an incident?
- 0–6 h ☐
- 7–12 h ☐
- 13–24 h ☐
- 25–48 h ☐
- 3–7 days ☐
- No records kept ☐
Appendix B
Non-ICT Personnel Questionnaire
- General Characteristics
- Demographics
- Age:
- 21–30 ☐
- 31–40 ☐
- 41–50 ☐
- 51–60 ☐
- 61+ ☐
- Gender:
- Male ☐
- Female ☐
- Education
- Secondary Education ☐
- Vocational training Institution ☐
- Bachelor’s Degree ☐
- MSc ☐
- PhD ☐
- Position
- Doctor ☐
- Nurse ☐
- Auxiliary personnel ☐
- Lab. personnel ☐
- Administrative personnel ☐
- Technical personnel ☐
- Other ☐
- Does your hospital have a cybersecurity department or external services?
- Yes ☐
- No ☐
- Do not know ☐
- Does your work on the hospital involves working on a computer at any time?
- Yes ☐
- No ☐
- Have you been informed or trained regarding General Data Protection Regulation (GDPR) in order to minimize private personal data breaches or cybersecurity incidents?
- Yes ☐
- No ☐
- Does your work in the hospital involves access to patient data, which is considered confidential and sensitive information?
- Yes ☐
- No ☐
- Do you have cybersecurity policies at your hospital?
- Yes ☐
- No ☐
- Do not know ☐
- Do you know when your computer is hacked or infected, and whom to contact when it occurs?
- Yes, I know when my computer is hacked or infected and I know whom to contact.
- No, I do not know when my computer is hacked or infected and I do not know whom to contact.
- Yes, I know when my computer is hacked or infected, but I do not know whom to contact.
- No, I do not know when my computer and I know whom to contact.
- Have you ever found a virus or trojan on your computer at work?
- Yes, my computer has been infected before
- No, my computer has never been infected
- I do not know what a virus or trojan is
- Is an anti-virus currently installed on your computer?
- Yes
- No
- Do not know
- How careful are you when you open an attachment in email?
- I always make sure it is from a person I know, and I am expecting the email
- As long as I know the person or company that sent me the attachment, I open it
- There is nothing wrong with opening attachments
- Do you know what a social engineering attack is?
- Yes, I do
- No, I do not
- Do you know what an email scam is and how to identify one?
- Yes, I know what an email scam is and how to identify one
- I know what an email scam is, but I do not know how to identify one
- No, I do not know what an email scam is or how to identify one
- My computer has no value to hackers; they do not target me.
- True
- False
- Can you use your own personal devices, such as your mobile phone or USB sticks or CD/DVD discs to store or transfer confidential hospital information?
- Yes
- No
- Do not know
- Have you downloaded and installed software on your computer at work?
- Yes
- No
- Have you given your password to your colleagues or your manager when you were asked for it?
- Yes
- No
- Which of these is closer to your thinking, even if neither is exactly right?
- Following security policies at our hospital prevents me from doing my job
- Following security policies at our hospital helps me do my job better
- I feel I have been sufficiently trained in security at our hospital.
- Strongly agree
- Agree
- Neither agree nor disagree
- Disagree
- Strongly disagree
- I am confident that I could recognize a security issue or incident if I saw one.
- Strongly agree
- Agree
- Neither agree nor disagree
- Disagree
- Strongly disagree
- Do you lock your PC when you leave your office even for a while?
- Yes ☐
- No ☐
References
- Giansanti, D. Cybersecurity and the Digital-Health: The Challenge of This Millennium. Healthcare 2021, 9, 62. [Google Scholar] [CrossRef] [PubMed]
- Jalali, M.S.; Russell, B.; Razak, S.; Gordon, W. EARS to cyber incidents in health care. J. Am. Med. Inform. Assoc. 2019, 26, 81–90. [Google Scholar] [CrossRef] [PubMed]
- Razaque, A.; Amsaad, F.; Khan, M.J.; Hariri, S.; Chen, S.; Siting, C.; Ji, X. Survey: Cybersecurity Vulnerabilities, Attacks and Solutions in the Medical Domain. IEEE Access 2019, 7, 168774–168797. [Google Scholar] [CrossRef]
- Appari, A.; Johnson, M.E. Information security and privacy in healthcare: Current state of research. Int. J. Internet Enterp. Manag. 2010, 6, 279. [Google Scholar] [CrossRef]
- Coventry, L.; Branley, D. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas 2018, 113, 48–52. [Google Scholar] [CrossRef] [PubMed]
- Sfakianakis, A.; Douligeris, C.; Marinos, L.; Lourenço, M.; Raghimi, O. ENISA Threat Landscape Report 2018—15 Top Cyberthreats and Trends; European Union Agency for Network and Information Security (ENISA): Athens, Greece, 2019. [Google Scholar]
- Reason Cybersecurity. COVID-19, Info Stealer & the Map of Threats—Threat Analysis Report; ReasonLabs: New York, NY, USA, 9 March 2020; Available online: https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threat-analysis-report/ (accessed on 26 January 2022).
- Interpol. Pandemic Profiteering: How Criminals Exploit the COVID-19 Crisis; Interpol: Lyon, France, 2020. [Google Scholar]
- European Union Agency for Network and Information Security (ENISA). Smart Hospitals—Security and Resilience for Smart Health Service and Infrastructures; European Union Agency for Network and Information Security (ENISA): Athens, Greece, 2016. [Google Scholar]
- Gyles, S. Cyberattacks Hit Hospitals and Health Departments Amid COVID-19 Coronavirus Pandemic. Available online: https://vpnoverview.com/news/cyberattacks-hit-hospitals-and-health-departments-amid-covid-19-coronavirus-pandemic/ (accessed on 17 March 2020).
- Martin , A. Coronavirus: Cyber Criminals Threaten to Hold Hospitals to Ransom-Interpol. Available online: https://news.sky.com/story/coronavirus-cyber-criminals-threaten-to-hold-hospitals-to-ransom-interpol-11968602 (accessed on 5 April 2020).
- Porter, S. Cyberattack on Czech hospital forces tech shutdown during coronavirus outbreak. Healthcare IT News. 19 March 2020. Available online: https://www.healthcareitnews.com/news/emea/cyberattack-czech-hospital-forces-tech-shutdown-during-coronavirus-outbreak (accessed on 26 February 2021).
- Howell, P. A Patient Has Died after Ransomware Hackers Hit a German Hospital. Available online: https://www.technologyreview.com/2020/09/18/1008582/a-patient-has-died-after-ransomware-hackers-hit-a-german-hospital/(accessed on 18 September 2020).
- Doherty, N.F.; Fulford, H. Do Information Security Policies Reduce the Incidence of Security Breaches: An Exploratory Analysis. Inf. Resour. Manag. J. 2005, 18, 19. [Google Scholar] [CrossRef]
- Gordon, W.J.; Wright, A.; Aiyagari, R.; Corbo, L.; Glynn, R.J.; Kadakia, J.; Kufahl, J.; Mazzone, C.; Noga, J.; Parkulo, M.; et al. Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions. JAMA Netw. Open 2019, 2, e190393. [Google Scholar] [CrossRef] [PubMed]
- Landolt, S.; Hirsche, J.; Schlienger, T.; Businger, W.; Zbinden, A.M. Assessing and Comparing Information Security in Swiss Hospitals. Interact. J. Med. Res. 2012, 1, e11. [Google Scholar] [CrossRef] [PubMed]
- Jalali, M.S.; Bruckes, M.; Westmattelmann, D.; Schewe, G. Why Employees (Still) Click on Phishing Links: An Investigation in Hospitals. J. Med Internet Res. 2020, 22, e16775. [Google Scholar] [CrossRef] [PubMed]
- Yeng, P.K.; Yang, B.; Snekkenes, E.A. Framework for Healthcare Security Practice Analysis, Modeling and Incentivization. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019. [Google Scholar]
- Arain, M.A.; Tarraf, R.; Ahmad, A. Assessing staff awareness and effectiveness of educational training on IT security and privacy in a large healthcare organization. J. Multidiscip. Heal. 2019, 12, 73–81. [Google Scholar] [CrossRef] [PubMed] [Green Version]
- Gardner, B.; Thomas, V. Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats; Elsevier: Waltham, MA, USA, 2014. [Google Scholar]
- Hyla, T.; Fabisiak, L. Measuring Cyber Security Awareness within Groups of Medical Professionals in Poland. In Proceedings of the 53rd Hawaii International Conference on System Sciences, Maui, HI, USA, 7–10 January 2020. [Google Scholar] [CrossRef] [Green Version]
- Haukilehto, T.; Hautamäki, J. Survey of Cyber Security Awareness in Health, Social Services and Regional Government in South Ostrobothnia, Finland. In Internet of Things, Smart Spaces, and Next Generation Networks and Systems; Springer: Cham, Switzerland, 2019; pp. 455–466. [Google Scholar] [CrossRef]
- Evans, M.; He, Y.; Luo, C.; Yevseyeva, I.; Janicke, H.; Maglaras, L.A. Employee Perspective on Information Security Related Human Error in Healthcare: Proactive Use of IS-CHEC in Questionnaire Form. IEEE Access 2019, 7, 102087–102101. [Google Scholar] [CrossRef]
- Shahri, A.B.; Ismail, Z. Security effectiveness in health information system: Through improving the human factors by education and training. Aust. J. Basic Appl. Sci. 2012, 6, 226–233. [Google Scholar]
- Ponemon Institute LLC. The Human Factor in Data Protection; Ponemon Institute LLC: Traverse City, MI, USA, 2012. [Google Scholar]
- Hersh, W.; Wright, A. What workforce is needed to implement the health information technology agenda? Analysis from the HIMSS analytics database. In AMIA Annual Symposium Proceedings; American Medical Informatics Association: Washington, DC, USA, 2008; Volume 2008, pp. 303–307. [Google Scholar]
- ICT Specialists in Employment; European Commission, Eurostat: Luxembourg, 2021.
- Energy Shield. 2019. Available online: https://energy-shield.eu/ (accessed on 25 March 2020).
- Georgiadou, A.; Mouzakitis, S.; Bounas, K.; Askounis, D. A Cyber-Security Culture Framework for Assessing Organization Readiness. Available online: https://www.researchgate.net/publication/347119168_A_Cyber-Security_Culture_Framework_for_Assessing_Organization_Readiness (accessed on 10 November 2020).
- HIMSS Healthcare Cybersecurity Survey. Available online: https://www.himss.org/resources/himss-healthcare-cybersecurity-survey (accessed on 16 November 2020).
- American Hospital Association. Hospitals Implementing Cybersecurity Measures; American Hospital Association: Cleveland, OH, USA, 2017. [Google Scholar]
- Jalali, M.S.; Kaiser, J.P. Cybersecurity in Hospitals: A Systematic, Organizational Perspective. J. Med. Internet Res. 2018, 20, 1–18. [Google Scholar] [CrossRef] [PubMed] [Green Version]
- Waly, N.; Tassabehji, R.; Kamala, M. Improving Organisational Information Security Management: The Impact of Training and Awareness. In Proceedings of the 2012 IEEE 14th International Conference on High Performance Computing and Communication & 2012 IEEE 9th International Conference on Embedded Software and Systems, Washington, DC, USA, 25–27 June 2012; pp. 1270–1275. [Google Scholar] [CrossRef]
- Ghazvini, A.; Shukur, Z. Awareness Training Transfer and Information Security Content Development for Healthcare Industry. Int. J. Adv. Comput. Sci. Appl. 2016, 7, 361–370. [Google Scholar] [CrossRef] [Green Version]
- ISO/IEC 27005; Information Technology—Security Techniques—Information Security Risk Management. International Organization for Standardization (ISO): Geneva, Switzerland, 2018.
- Tirumala, S.S.; Valluri, M.R.; Babu, G. A survey on cybersecurity awareness concerns, practices and conceptual measures. In Proceedings of the 2019 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 23–25 January 2019. [Google Scholar]
Question | Institution A n = 449 (100%) | Institution B n = 124 (100%) | Institution C n = 126 (100%) |
---|---|---|---|
Do you have cyber-security policies at your hospital? | |||
Yes | 11% ± 0.5 | 55% ± 4.9 | 60% ± 5.3 |
No | 14% ± 0.7 | 2% ± 0.2 | 7% ± 0.6 |
Do not know | 75% ± 3.5 | 43% ± 3.8 | 33% ± 2.9 |
Have you been informed or trained regarding General Data Protection Regulation (GDPR) in order to minimize private personal data breaches or cybersecurity incidents? | |||
Yes | 31% ± 2.5 | 31% ± 0.2 | 31% ± 0.1 |
No | 69% ± 0.08 | 69% ± 0.2 | 69% ± 0.1 |
How careful are you when you open an attachment in email? | |||
I always make sure it is from a person I know, and I am expecting the email | 32% ± 6.7 | 48% ± 15.9 | 50% ± 18.4 |
As long as I know the person or company that sent me the attachment, I open it | 59% ± 7.7 | 42% ± 15.4 | 45% ± 18.4 |
There is nothing wrong with opening attachments | 9% ± 6.3 | 10% ± 12.3 | 5% ± 7.4 |
Have you given your password to your colleagues or your manager, when you were asked for it? | |||
Yes | 33% ± 9.1 | 26% ± 14.2 | 30% ± 24.1 |
No | 67% ± 9.1 | 74% ± 14.2 | 70% ± 24.1 |
Is anti-virus currently installed on your computer? | |||
Yes | 60% ± 2.8 | 16% ± 1.4 | 79% ± 6.9 |
No | 11% ± 0.5 | 65% ± 5.8 | 5% ± 0.4 |
Do not know | 29% ± 1.3 | 19% ± 2.7 | 17% ± 1.5 |
I am confident that I could recognize a security issue or incident if I saw one. | |||
Strongly agree | 4% ± 2.4 | 4% ± 4.6 | 14% ± 12.3 |
Agree | 24% ± 8.1 | 39% ± 18.3 | 59% ± 15.3 |
Neither agree nor disagree | 42% ± 10 | 34% ± 18 | 8% ± 7.8 |
Disagree | 23% ± 8.3 | 20% ± 9.1 | 17% ± 10.3 |
Strongly disagree | 7% ± 4.5 | 3% ± 3 | 2% ± 1.9 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Gioulekas, F.; Stamatiadis, E.; Tzikas, A.; Gounaris, K.; Georgiadou, A.; Michalitsi-Psarrou, A.; Doukas, G.; Kontoulis, M.; Nikoloudakis, Y.; Marin, S.; et al. A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures. Healthcare 2022, 10, 327. https://doi.org/10.3390/healthcare10020327
Gioulekas F, Stamatiadis E, Tzikas A, Gounaris K, Georgiadou A, Michalitsi-Psarrou A, Doukas G, Kontoulis M, Nikoloudakis Y, Marin S, et al. A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures. Healthcare. 2022; 10(2):327. https://doi.org/10.3390/healthcare10020327
Chicago/Turabian StyleGioulekas, Fotios, Evangelos Stamatiadis, Athanasios Tzikas, Konstantinos Gounaris, Anna Georgiadou, Ariadni Michalitsi-Psarrou, Georgios Doukas, Michael Kontoulis, Yannis Nikoloudakis, Sergiu Marin, and et al. 2022. "A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures" Healthcare 10, no. 2: 327. https://doi.org/10.3390/healthcare10020327