
5.1 Introduction
Healthcare sectors are embracing information and communication technologies at a rapid
pace. There have been significant efforts in integrating technological innovations such as
electronic health records (EHRs), mobile health (mHealth), cloud computing and Internet of
Things (IoT) into healthcare practices to diagnose, treat and rehabilitate patients [1]. These
technological innovations have been rapidly transforming healthcare industry into a more
patient-focused and economically sustainable service. By enabling healthcare providers timely
access to accurate patient data when needed from anywhere, these technologies have enabled
primary care providers to make fast and accurate decisions as well as provide good medical
outcomes to patients [2]. Furthermore, by making patient medical histories easily and quickly
accessible, digitization has enabled healthcare professionals to quickly diagnose potential
health issues. Moreover, these technologies offer healthcare providers the right level of
actionable information at the point of care, thus greatly improving patient experiences.
Technological innovation in healthcare sectors has also established a platform for easily
and quickly sharing health data across a variety of stakeholders (e.g. patients, doctors,
insurance companies, government agencies, research institutes and other healthcare providers)
[2]. Furthermore, they empowered patients to have real-time access to their clinical information
online. This has enabled patients to engage in their care while increasing their understanding of
their health and improving their ability to look after themselves. The adoption of technological
innovations has benefited healthcare providers and patients tremendously through improving
healthcare delivery and management, convenience, as well as making them economically
sustainable [3].

Although there is ample evidence that digitization of healthcare workflow can enhance
the quality of care and decrease the cost of care, technological innovation of healthcare
systems brings with it potential privacy and security risks [4]. This is because health data
contains extremely sensitive patient information and thus their collection, usage and storage
raise serious patient privacy and data security issues. Healthcare data is exceedingly attractive
to cybercriminals who have been working overtime to get their hands on it [2]. Recent high-
profile cybersecurity incidents across the world in the healthcare industry show that the sector is
increasingly coming under constant cyberattack. These trends are expected to escalate in
frequency and magnitude for the foreseeable future. The escalation of cyberattacks in health
care could lead to serious safety concerns of the patients, eroding patient confidence and
business reputation, productivity and financial losses. For example, the annual cost to
healthcare sector due to data breaches is estimated to be about $6.2 billion and is expected to
increase with adoption of new technologies by the healthcare industry [5].

With the recent health data breach incidents, cybersecurity has become a strategic issue
for healthcare organizations. Therefore, the concerns of cybersecurity and privacy are taking a
centre stage in modern digital healthcare system [4,6]. As health care is a critical infrastructure,
guaranteeing adequate protection of the patient privacy and data security is a critical factor in
realizing the benefits of the technological innovations in healthcare environment. Thus, the
benefits that the technological innovations offer to healthcare organizations should be matched
by the same measure of devotion and commitment to ensure the patient privacy and security of
the digitized healthcare systems.

The principal aim of this chapter is to give an overview of the current cybersecurity
trends in the healthcare domain. Specifically, the aim is to provide insight into the current
cybersecurity landscape with emphases on cybersecurity threats and vulnerabilities to patient
privacy and data security in healthcare settings. The important contribution is to provide an in-
depth understanding of the potential security and privacy risks facing healthcare providers and
vulnerabilities, as well as contemporary threats and the most effective countermeasures to
ensure safe and secure operation of the healthcare systems. We will discuss how the speed
and complexity of healthcare digitization complicate addressing patient privacy and data
security challenges. The different types of assets likely to be targeted will be reviewed as well
as the profile of the potential threat agents and their objectives. Advances in technologies and
management issues to ensure the patient privacy and data security are highlighted. Also,
regulations and acts that decree the standards for dealing with health information will be
discussed.

5.2 Health system architecture


Healthcare organizations such as hospitals, health insurance agencies and healthcare
manufacturing companies are experiencing rapid digitization. A wide range of hardware
(personal computers, mobile devices, medical hardware, data storage facilities, inventory
systems and power supply), software (custom software applications for a wide variety of
healthcare industry customers) and Web-based applications are used in the healthcare settings.
Figure 5.1 shows the high-level schematic representation of healthcare environment. In this
section, we discuss healthcare datasets and the infrastructures used to collect, store, process
and exchange the health information.

5.2.1 Healthcare infrastructure


Based on the functions performed by the various components of the systems, we classify the
overall system into patient care systems, administrative systems and research systems. The
patient care systems ensure continuity of care, including, among others, active/passive
medical devices, medicine delivery systems and surgery equipment. The disruption of these
services may have a devastating impact on patients’ health. The administrative systems are
dedicated to the smooth hospital workflow. Systems handling work orders, medicine inventories,
prescriptions, bills or appointments are part of these services. Their unavailability is however
less critical as long as their downtime remains of short duration. Healthcare organizations also
maintain intellectual properties such as experimental procedures for surgery, test and studies’
results, test subject information or drug formulas.

Health data is the lifeblood of any healthcare provider. Therefore, health data collection
is the single most important function of healthcare systems. There are a variety of ways in which
the health data is collected from the patients. The conventional face-to-face approach during the
normal course of business is still the prevailing approach. In this approach a healthcare
professional (e.g. physicians and nurses) prompts patients for information and documents it.
Also, a wide variety of technologies both within the hospital settings and outside hospitals such
as patient homes are used to collect data. For example, wearables (e.g. smart watches and
fitness trackers) are commonly used to gather patient-generated physiological health data such
as temperature and heart rhythm. Financial and other data are also collected either in a
traditional manner or online. Cloud computing is increasingly used as the main platform for
personal health record (PHR) [7]. Cloud computing offers on-demand access to computational
and storage resources from almost anywhere and when needed.

5.2.2 Healthcare dataset


Healthcare sectors collect, store, manage and analyse large amounts of patient data. In addition
to treating patients, healthcare data is used for a wide variety of purposes such as public health
and medical research. For the healthcare sector, this data is the most important asset used for a
wide variety of purposes mainly to provide the best possible care for patients. This health record
typically contains extremely sensitive information including personally identifiable information
(PII) and the protected health information (PHI). The PII constitutes information that identifies or
can be used to identify the patient. This information includes social security number, information
regarding healthcare provider, credit card data, patient name, address and date of birth as well
as email addresses and employment information. The PHI includes information such as medical
history records (e.g. current and past diagnoses, pathology results, vital sign data, medical test
results, X-rays, treatments and medications), provision of health care and payment for health
care that can be directly linked to a specific individual. Both PII and PHI often remain valid for
years, if not decades.

With the digitization process, the EHRs have been replacing the conventional paper-based
health record. EHRs have numerous advantages including the reduction of medical errors,
reliable prescription and quick access to records, fast data transfer and data sharing in
unprecedented scale. They enable clinicians and nurses to be able to view patient records
simultaneously from different locations, which is not possible with paper-based records. They
also decrease the number of lost records and permit a complete set of backup records in a cost-
effective manner.

EHRs make up-to-date and complete health information accessible to healthcare
providers instantly. This enables healthcare providers to render good health care and timely
treatment services to patients, thus enhancing quality of life and patient satisfaction. By
replacing physicians’ handwritten notes, EHRs decrease common problems with incorrect
medication, dosages and procedure due to illegible handwritten notes. Healthcare providers can
use the data for a wide variety of purposes such as making clinical decision support to decrease
the readmission rates and hospital-contracted conditions, to prevent, detect and eliminate
wastage, and to efficiently coordinate and manage patient care.

By design, healthcare providers share patient records (clinical, administrative or
financial) with a variety of organizations such as public health and government agencies,
insurance, clearinghouses, pharmaceuticals, research institutions and third-party vendors. Each
organization may use the patient data for different purposes such as for research, disease
surveillance, population health management and for healthcare policy development. Advances
in information technology have also sparked patient and physician interest in sharing health
data in social environments. Patients may share their health data with their healthcare
providers, insurance companies, family members, etc. In this regard, patients use a variety of
mobile devices such as smartphones running medical consumer apps to access, store and
transmit their PHR as well as treatment in social environments. Similarly, some physicians
started sharing their ideas about specific sicknesses related to their professional area on social
environments. As health data sharing is one of the most desirable capabilities of healthcare
systems [4], EHRs enable healthcare information to be shared within and between hospitals to
provide better care and good outcomes for patients. It also enables healthcare information
sharing with researchers to develop better treatments.

EHRs contain a wealth of highly regulated, mission-critical information. They are the
lifeblood of every healthcare sector. They have also become cybercriminals’ primary target for
stealing at any cost. This is because, according to Ponemon Institute [8], EHRs are on average
valued at $50 on the black market as they can be used to commit identity theft and other
insurance frauds. Therefore, EHRs must be securely managed and used to reap the benefits
(e.g. cost-effectiveness, high efficiency and performance demands) of the EHR.

5.2.3 Data access infrastructure


Healthcare systems are used for treating patients with a variety of health conditions and
different stages of illness. Modern healthcare sectors deploy a wide variety of advanced medical
devices both in hospital settings and outside hospitals to provide quality care to patients with
acute and chronic conditions as well as for disease prevention and lifestyle changes in a cost-
effective manner. Healthcare employees (e.g. doctors and nurses) in the medical practice use a
myriad of devices for accessing and updating health records, prescribing medication, ordering
tests or viewing results, medical decision-making and many important tasks. Healthcare
providers also permit patients to access their PHR such that they participate in their own health
care via electronic means.

The common devices used in accessing healthcare records include the standard
workstation in offices and a wide variety of small handheld devices such as smartphones,
tablets such as iPads and other mobile devices. Workstations are good for static situations such
as at the nursing workspace. However, the workflow within the hospital environment is dynamic
as the clinicians, nurses and patients continually move around the hospital. With their capability to
enable mobility of clinicians and access to patient information wherever they are
providing care or reviewing information to provide care, mobile devices have become part and
parcel of healthcare digital system infrastructure. In addition to making patient care more
efficient, they have enhanced healthcare professionals’ workflow. As the number of healthcare
providers using mobile devices for patient care keeps increasing, huge investment in the
development of mobile EHR is currently underway.
