A Cybersecurity Culture Survey Targeting Healthcare Critical Infrastructures

Recent studies report that cybersecurity breaches noticed in hospitals are associated with low levels of personnel’s cybersecurity awareness. This work aims to assess the cybersecurity culture in healthcare institutions from middle- to low-income EU countries. The evaluation process was designed and performed via anonymous online surveys targeting individually ICT (internet and communication technology) departments and healthcare professionals. The study was conducted in 2019 for a health region in Greece, with a significant number of hospitals and health centers, a large hospital in Portugal, and a medical clinic in Romania, with 53.6% and 6.71% response rates for the ICT and healthcare professionals, respectively. Its findings indicate the necessity of establishing individual cybersecurity departments to monitor assets and attitudes while underlying the importance of continuous security awareness training programs. The analysis of our results assists in comprehending the countermeasures, which have been implemented in the healthcare institutions, and consequently enhancing cybersecurity defense, while reducing the risk surface.


Introduction
Cybersecurity has become one of the dominant information technologies (IT) domains in the health sector [1]. Over recent decades, various scientific attempts have been made towards identifying, classifying, and addressing vulnerabilities and weaknesses in healthcare institutions and hospitals [2][3][4][5]. However, this effort did not discourage nor limit the continuously evolving cybercrime in this domain. The European Union Agency for Cybersecurity (ENISA) stated that the healthcare sector accounted for 27% of the overall cyberattacks in Europe in 2018 [6].
The coronavirus outbreak, among its many side-effects, resulted in a significant cybercrime increase [7,8]. Critical infrastructures, as categorized based on the 2016/1148 NIS Directive [9], have major targets. Among them, EU hospitals are experiencing patient data loss [10,11], ransomware, and availability attacks. The following are two of the most troubling examples:

•
The Brno University Hospital in the Czech Republic which, on 12 March 2020, was forced to shut down its entire IT network, impacting two of the hospital's other branches, the Children's Hospital and the Maternity Hospital [12]. • A fatality in a German hospital linked to a cyberattack [13].
Although security infrastructure is of critical importance for the defense against cybercriminals' tactics and techniques, an organization's biggest threat to privacy and security has been acknowledged to be its own personnel [14]. ENISA's report in 2018 [6] revealed that 50.6% of attacked hospitals identified insider threats as their most serious adversary.
As anticipated, a significant scientific effort has been made towards assessing healthcare personnel readiness over recent years [15][16][17]. Recognizing the multidisciplinary approach dictated towards this challenge, researchers soon adopted a holistic approach, and the term "cybersecurity culture" soon emerged.
Cybersecurity culture denotes the combination of attitudes, behaviors, knowledge, and awareness the organization's personnel display about common cyber risks and threats to protect the information assets [18]. Its evaluation involves the conduction of focused campaigns, which often results in the initiation of education programs, ICT infrastructure auditing, and the reassessment of current security policies to cultivate hospital personnel's culture and sense of responsibility when processing sensitive information in daily business operations, thus preventing attacks or leakages [19,20]. Several endeavors towards assessing healthcare personnel's cybersecurity culture were based on surveys. Indicatively, the surveys in Poland [21] and Finland [22] reported that medical professionals lack sufficient cybersecurity training. The analysis in [23] confirmed human error as one of the most common reasons for security incidents in hospitals. Authors in [24,25] highlighted that lack of security culture, awareness, and employee negligence or maliciousness constitute significant factors for the adoption of security policies.
Regarding the ICT resources utilization in hospitals, an analysis in 2008 [26] recorded a variation from 0.082 to 0.210 of ICT professionals (full-time job) per hospital bed in USA hospitals (0.142 in average, or equivalently, 1 ICT employee to total staff ratio of 60.7). Eurostat's general report in 2018 [27] documented an EU average value of 3.9% for the relative share of ICT specialists in total corporate employment.
This study analyses, before the COVID-19 situation, the overall disposition towards cybersecurity in healthcare institutions, which exhibit a proportion of ICT specialists in total employment below the EU average and compares the findings with relevant analyses in hospitals from Northern America and Northern Europe. We selected three different healthcare organizations from three different countries, i.e., Greece, Portugal, and Romania. In contrast to the above methods, we aimed to capture the cybersecurity awareness level of the organizations by first focusing on the ICT employees and consequently assessing the impact of this recorded level on the rest of the healthcare professionals.
The organizations under evaluation were the following: (i) a health region in Greece that comprises a significant number of reference hospitals and health centers (hereafter Institution A); (ii) a reference hospital in a large Portuguese region (henceforth Institution B); (iii) a Romanian medical clinic for impatient rehabilitation (henceforward Institution C). According to Eurostat [27], the percentage of ICT personnel to the total corporate staff for Greece was 1.8%, for Portugal it was 2.4%, and for Romania it was 2.2%. To the best of our knowledge, this is the first time that such an assessment has been conducted.

Methods and Materials
The Cybersecurity Culture Framework was developed in 2019 in the context of the EnergyShield [28], a European Union (EU) project targeting cybersecurity in the electrical power and energy system (EPES). It was officially introduced to the scientific community in 2020 [29] in a manuscript detailing an evaluation methodology of both individuals' and organizations' security culture indicators. Its model consists of dimensions and domains analyzed into a combination of organizational and individual security factors ( Figure 1). Thus, facilitating the assessment of organizational security policies and procedures in conjunction with employees' characteristics, behaviors, attitudes, and skills. The specific framework exploits a variety of evaluation techniques, varying from surveys to more sophisticated approaches, such as simulations and serious games. This study, using the aforementioned cybersecurity culture framework, aims to capture the perspective and the level of personnel's cybersecurity awareness in the prior presented healthcare institutions. The percentage of the ICT staff compared to the total workforce is 0.45% for Institution A (average number among all the supervised units), 0.78% for Institution B, and 0.92% for Institution C (values lower than the Eurostat recorded statistics for these countries). The following two discrete online questionnaires were carefully designed to target two different personnel categories:
The survey's questionnaires are presented in Appendices A and B, while the participation was on a voluntary and anonymous basis.
The ICT questionnaire comprised the following five parts: The first part included questions about demographics, years of experience, and serving population derived from the Employee Profiling domain of the Attitude dimension (individual level). The second part focused on ICT aspects involving the number of cybersecurity trainings performed, percentages of total budget allocation to ICT, and cybersecurity deriving from the Security Awareness and Training Program domain of the Defense dimension along with the Security Management Maturity domain of the Security Governance dimension (organization level). The Section 3 targeted computer network policies and external parties' access combining indicators from different domains of the Access and Trust and Assets dimensions (organizational level). The fourth part requested individuals to answer questions about current cybersecurity methods and practices used deriving from the Policies and Procedures Awareness domain of the Awareness dimension (individual level). The last part focused on cybersecurity performance indicators (e.g., number of cyber security incidents over time and mean time for resolving an incident) deriving from the Security Governance dimension (organizational level).
The non-ICT questionnaire included questions for demographics, employment status, cybersecurity, or related trainings such as General Data Protection Regulation (GDPR), the ability to understand cyberattacks, cybersecurity processes' availability, and precautions taken. Security metrics were once again a combination of different indicators described in multiple layers of the cybersecurity culture framework aiming to obtain an overall evaluation of the non-ICT personnel culture. To sense if the non-ICT personnel had previously participated in cybersecurity campaigns, we used technical terminology in some questions of the questionnaire. In other words, several techniques were used to carefully trim and adjust the assessment process to the targeted audience.
The deployed numbers of computers are approximately 2800, 850, and 90 for Institutions A, B, and C, respectively. Knowing that it is generally difficult to voluntarily collect answers from the non-ICT personnel, due to the nature of their work, we sent the invitations (electronic and paper-based) to all the employees with the target to increase the response rate for the non-ICT personnel, and especially of those that have access to computers. Additionally, multiple-choice based questionnaires were translated from English to the native languages of the participants for better comprehension of their contents and to lift the language barrier and alleviate it from the equation. The collected data was translated back to English, harmonized, and checked for consistency.
The surveys were conducted from September 2019 to November 2019. There was no time limit for the completion of the questionnaires and participants were not reimbursed or offered any other incentive. Furthermore, since our analysis focused on middle-to low-income countries, we conducted an extensive literature survey on evaluations of the cybersecurity awareness status of hospitals in the USA, Canada, and Northern Europe (high-to middle-income countries) so as to comparatively analyze our findings.

Results
We invited 10,418 healthcare professionals (8500 from Greece, 1700 from Portugal, and 218 from Romania) and 69 ICT hospital employees (60 from Greece, 7 from Portugal, and 2 from Romania) to participate in the online survey. The participation rate is graphically presented in Figure 2. In total, 736 individuals responded to the surveys (37 for ICT and 699 for non-ICT). The overall answers to the ICT personnel were 28 (Institution A), 7 (Institution B), and 2 (Institution C), respectively, while for the non-ICT, the responses to the healthcare questionnaire were 449 (Institution A), 124 (Institution B), and 126 (Institution C). The response rate for the ICT personnel was 53.62%. The response rate for the non-ICT employees was 18.69% on the basis of the deployed computers and 6.71% on the basis of total employees, respectively.

Employed ICT Cybersecurity Procedures and Methods
The results revealed that 89%, 100%, and 50% of the ICT personnel in Institutions A, B and C, respectively, acknowledged the complete absence of dedicated cybersecurity departments in their institutions. Similar responses were given by the non-ICT personnel (86%, 63%, and 68% for Institutions A, B, and C, respectively). This deviation is due to the participants' inability to distinguish between ICT and cybersecurity departments. In total, 100% of the ICT personnel in Institutions A and B and 50% in Institution C, responded they did not follow an incident response plan form responding to a data breach in a timely and cost-effective manner.

Employed ICT Cybersecurity Procedures and Methods
The results revealed that 89%, 100%, and 50% of the ICT personnel in Institutions A, B and C, respectively, acknowledged the complete absence of dedicated cybersecurity departments in their institutions. Similar responses were given by the non-ICT personnel (86%, 63%, and 68% for Institutions A, B, and C, respectively). This deviation is due to the participants' inability to distinguish between ICT and cybersecurity departments. In total, 100% of the ICT personnel in Institutions A and B and 50% in Institution C, responded they did not follow an incident response plan form responding to a data breach in a timely and cost-effective manner.
The ICT questionnaire responses on common vulnerabilities ( Figure 3) revealed they did not adopt common policies, irrespectively of their education status, gender, or age. Although obsolete and black-boxed technologies, deployed in hospitals, play a significant role in data breaches, 40.5% of ICT personnel indicated the usage of legacy systems with  The ICT questionnaire responses on common vulnerabilities ( Figure 3) revealed they did not adopt common policies, irrespectively of their education status, gender, or age. Although obsolete and black-boxed technologies, deployed in hospitals, play a significant role in data breaches, 40.5% of ICT personnel indicated the usage of legacy systems with known vulnerabilities in their day-to-day operations (representing more than 50% of the total equipment). Additionally, only 24.3% were aware of the existence of cybersecurity terms within the service level agreements (SLA) with vendors. The importance of setting up a unique identifier policy for users and roles for the mitigation of the impact of internal threats was acknowledged only by 48.6% of the ICT personnel. The need for secure sockets layer (SSL) certificates to be used by the web-based health information system (HIS) was identified by only 48.6%. Only 48.6% of the ICT personnel were aware that certain attacks, such as distributed denial of service (DDoS), are considered criminal actions. On the other hand, 75.7% acknowledged the usage of proactive backup measurements. Furthermore, 54% of the ICT personnel indicated that no records were kept, rendering a forensic analysis impossible and also resulting in no lessons learnt about the organizations' response. Moreover, as shown in Figure 4, the ICT personnel replied that most identified cybersecurity incidents took up to 6 h to resolve. The analysis revealed that the "Mean Downtime" was equal to the "Mean Time to Resolve the Incident", which means that parts of ICT facilities and related ICT-enabled services might have lost availability and functionality during the incident, a fact that possibly translates that no continuity plan was in place. This is in line with the finding that a small number of cybersecurity penetration tests were conducted during the last two years (affirmative answers: only 18% from A, 57% from B, and 50% from C). All the above indicate the necessity of performing regular ICT penetration tests and iterative trainings.

Training on Cybersecurity and Data Protection
The survey exposed the lack of cybersecurity-related training across the three institutions. 70% of the ICT personnel admitted they have not received official cybersecurity training in the past 3 years, with the remaining 30% revealing a frequency of less than one training per year even on European legislation and guidance, such as Directive (EU) 2016/1148 NIS Directive and the GDPR. Nevertheless, the ICT personnel responded they were aware of those acts at 80% in A, 86% in B and 50% in C. On the other hand, 73% of non-ICT personnel replied they had access to sensitive information and were aware of GDPR ( Figure 5). 39% of the ICT personnel in Institution A, 57% in Institution B and 100% in Institution C replied they used to perform internal cybersecurity awareness training (e.g., about phishing). The latter indicates the recorded low number of ICT staff might have played a significant role in not conducting training. Figure 6 shows the positive answers of the non-ICT group to questions related to cybersecurity awareness. Only 22.7% of the non-ICT personnel felt sufficiently trained in security, while only 38.5% were confident they could recognize a security issue or incident if they encountered one. This confidence was mainly supported by personnel in Institution C, while in the other two institutions they were perceived to be low-to-moderately trained. Trying to sensor the adequacy of the personnel's awareness of cybersecurity threats such as email phishing and their reactions to them, it was found that only 26.8% of the participants knew what a social engineering attack was, while only 21.9% knew how to detect an email phishing attack. Although participants acknowledged they handled sensitive data on a daily basis, only 23.3% perceived the level of importance of their terminals' content to hackers. 40.9% answered they knew when their terminals had been compromised and whom to contact in such a case. 30.9% understood the consequences of sharing their terminal or credentials, while 37.3% knew how to handle email attachments. More than 50% of the non-ICT personnel acknowledged the existence of antivirus software and the policy of locking their terminals when they leave. Their majority also responded (76%) that following security policies would help them do their job better.

Discussion
Our findings showed healthcare ICT personnel represented a very small percentage of the total workforce, generally below 1%. The surveyed organizations have dedicated only a small amount of their total ICT budget (below 5%) to cybersecurity purposes. The importance of budget allocation to cybersecurity is illustrated in the 2019 report [30] of the Healthcare Information and Management Systems Society (HIMSS) in the USA. Although our surveyed organizations reported less than 5% in ICT budget allocation for cybersecurity, the report among 166 USA health information security specialists in [30] acknowledged a significant increase in this budget category (10% of the respondents acknowledged cybersecurity funding of more than 10%, 11% responded 7-10%, while 25% answered 3-6%). The identified differences in the ICT investments indicate that smart hospitals have invested more in cybersecurity and in associated human resources to protect their information assets, rather than traditional hospitals [9], which are in the process of digital transformation. The ongoing application of the EU's digital convergence policies (e.g., cross-border health data exchange) is expected to bridge the aforementioned gap.
Almost all of the respondents (96%) in the 2019 HIMSS survey [30] indicated their respective organizations conducted risk assessments (37% of which were comprehensive, resulting in the adoption of new or improved security measures by 72% of them). In our study, the lack of cybersecurity departments and that 70% of ICT employees have not received official cybersecurity training in the past 3 years, accounted for the low adoption and lack of standard or common policies in cybersecurity incidents (100% for A and B and 50% for C). Only 48.6% of the ICT personnel (A, B, and C) acknowledged the importance of applying a unique identifier policy for users and roles, in contrast to the 2017 survey [31] among 39% of all the USA's hospitals, where more than 90% of them used unique identification for system users (supported by automatic logoff of system users, required use of strong passwords, etc.). Additionally, 40.5% of the ICT personnel in our study indicated the usage of legacy systems (more than 50% of the total equipment). The legacy-systems impediment is also acknowledged in [30] (69% of respondents), but in a lower percentage of the total equipment (more than 10% for only 14% of respondents). Moreover, in contrast to our study (see Section 3.2.), only 18% of respondents in [30] stated their organization did not conduct phishing tests and trainings due to a lack of personnel with the appropriate cybersecurity knowledge and expertise. Furthermore, in our study, 21.9% acknowledged they do not know how to detect an email phishing attack, which suggests that the actual percentage of a real, ongoing phishing attack might be even higher. In contrast to that, a recent study at US health care institutions [15] indicates a median click rate on phishing campaigns of 16.7%, which is further reduced on subsequent ones, highlighting the importance of training on that matter.
Regarding the non-ICT personnel, comparing our findings (Table 1) with a 2020 study in Poland [21], a 2019 study in a health region of western Finland [22], and a 2019 study in a health organization in western Canada [19], revealed the low level of cybersecurity awareness status. In Institutions A, B, and C, the 22.7% that felt sufficiently trained in security and the 23.3% that perceived the importance of the terminals' content to hackers, appeared significantly lower next to the 51.31% of the 1200 Finnish professionals reporting bring sufficiently aware of the information and the cybersecurity matters pertaining to their job. About the same percentage (55.7%) of 586 non-ICT professionals in the Canadian healthcare organization, declared their satisfaction with ICT security in their daily activities. 73.2% of our non-ICT participants did not know what a social engineering attack was, which makes them a potential hazard of disclosing sensitive information (e.g., passwords). 69.1% could not realize the consequences of sharing their terminal or credentials with other employees. The Finnish study reported a negative answer to disclosing one's password over the phone, either if requested by an authority (96%), or by an ICT manager (83%), while the Canadian one states that 93.6% would never share login information with other employees. Only 21.9% of the respondents in our study could detect spam emails and phishing attacks, and only 37.3% could handle attachments, which both fell behind the Finnish awareness score (41.54%) and the Canadian personnel that acted correctly upon them (55%). Low to moderate knowledge and awareness in the above fields pose a potential risk during daily working activities, such as processing patients' data or communicating medical information to other parties. Therefore, it is deduced that there is a high risk of security incidents triggered by non-ICT employees because the aforementioned threats and attacks and the associated impact of potential incidents have not been efficiently communicated to them by the ICT staff. All the above indicate that decreasing the endpoint complexity as proposed in [32], along with training conduction, is essential in raising awareness amongst personnel and motivating them to pay attention to cyber-threats and policies to limit human errors [33][34][35]. The adoption of a risk-aware attitude and associated skills by the non-ICT staff through cybersecurity trainings and a robust organizational monitoring strategy could lead to a more GDPR-compliant status. Even in New Zealand, a country where robust cybersecurity practices have long been in their agendas, the majority of internet users, as revealed by a 2019 survey [36], still take low to no security measures, while they perceive monitoring practices, such as the use of monitoring software, as highly technical. The necessity for intense cybersecurity awareness trainings, even from a young age, is highlighted.

Considerations and Limitations
The response rate of the non-ICT personnel was correlated with the number of the deployed computers they use daily. However, due to the variations in the clinic shift patterns, it was hard to stringently identify the non-ICT personnel that used computers. Therefore, we tried to collect responses by sending the non-ICT participation invitation mainly through their direct management, assuming it would be communicated to the total number of employees. Due to the voluntary and anonymous nature of the questionnaires, the commitment of all doctors and nurses was not totally ensured. Nevertheless, the collected answers proved to conform to the findings from the ICT questionnaire, where we managed to achieve high response rates. The availability of similar studies in the literature for the health care sector, especially recent ones, is not abundant, and comparisons were performed mainly against data from surveys conducted in hospitals in the USA, Canada, and some territories of northern Europe.

Conclusions
The implementation and deployment of security awareness programs in healthcare institutions along with training procedures proves to be a necessity. Furthermore, 76% of the non-ICT personnel replied that following hospitals' security policies would help them perform their job better. Consequently, the findings were communicated to the management of the institutions, and certain courses of proactive and reactive cybersecurity measures have been triggered and implemented during the COVID-19 crisis. Specifically, a certain budget was allocated to procure or upgrade cybersecurity systems and software (e.g., antivirus databases, UTM firewalls with IDS/IPS). A specialised workshop has been conducted with ENISA's support for the ICT staff, which in several cases was reinforced accordingly. Additionally, in-house awareness campaigns for non-ICT employees about anti-phishing or anti-social engineering have periodically been conducted. Moreover, those who deal daily with sensitive data and processes have participated in GDPR related seminars. In the future, we aim to revisit the updated cybersecurity measures and strategies and re-perform an extensive assessment to re-evaluate the new level of cybersecurity awareness and personnel readiness.