Semester

Fall

Date of Graduation

2018

Document Type

Dissertation

Degree Type

PhD

College

School of Public Health

Department

Occupational & Environmental Health Sciences

Committee Chair

Tom Bias

Committee Co-Chair

Warren Eller

Committee Member

Warren Eller

Committee Member

Douglas Myers

Committee Member

Michael McCawley

Committee Member

Brian Gerber

Abstract

Healthcare in the United States, heavily reliant on digital technology in service provision, has recently seen an increased risk of cyberattacks. Coordinated electronic medical records, imaging, pharmaceutical services, lab services and even treatment devices all rely on electronic connectivity and represent critical services that must be secured from cyber threats. Hospitals have become increasingly complex systems, and this often makes the organization more vulnerable to failure. Planning for these events is often hard for hospitals because their main charge is to provide life-saving care to patients as they need it. This is a relatively new threat to healthcare organizations, and there has been limited research on this hazard and its impacts on healthcare organizations.

Therefore, the aim of the first study was to assess the trend of successful major malware attacks on healthcare organizations in the United States between 2016 and 2017. Previous work found limited research specific to malware attacks and found that most articles covering ransomware were restricted to news articles. A content analysis was conducted on articles from two well-renowned health IT organizations. This study identified 49 attack cases across 27 states. Based on previously reported statistics, the number of identified cases was low, meaning healthcare organizations are not reporting their attacks. A true risk assessment cannot be completed by the industry until a more representative trend analysis can be completed.

The aim of the second study was to assess the organizational outcomes of a malware attack on a healthcare organization. Previous research on this health hazard discussed healthcare’s lack of preparedness for this new threat but did not delve into the organization’s response, mitigation, and recovery from attacks. Therefore, qualitative interviews were conducted with key stakeholders from three organizations that suffered malware attacks during the years 2016-2017. Topics covered were system impact, system recovery and business continuity, and changes to organizational preparedness efforts. One of the main findings from this study was the realization by health stakeholders of how connected their organization, and therefore the provision of care, has become. Participants also discussed their lack of full understanding of the potential impact these attacks could have on their organizations before their attack, including the loss of every digital system within their facility. A need was expressed across all facilities for more information about these attacks to be shared across the industry to better prepare organizations and protect patient safety.

The aim of the final study was to examine organizational preparedness efforts and to identify the organizational barriers to mitigating the threats arising from cyberattacks. A survey was conducted among healthcare emergency managers to assess their perceptions of preparedness for cyber threats. While the majority of respondents reported feeling either confident or very confident in both their individual and their organizational ability to respond to a cyberattack, their responses regarding preparedness actions their organization has taken against cyber threats were lacking. When it comes to events like ransomware, where attack impacts are still not fully understood, the healthcare industry remains less prepared.

In conclusion, these studies indicate a need for data related to cyberattacks to be collected in a central repository that is either made public or shared among healthcare stakeholders. To best prepare their organizations, accurate risk assessments need to be completed so that the areas for preparedness with the best return on investment can then be identified. Cyberattacks are only expected to increase over the next five years. Patient care is put at risk during each of these attacks, and it is essential for healthcare organizations to be better prepared for this new hazard to keep the organization's patients, workers, and community safe.
