Keywords: cost; cyberattack; cybersecurity; data breach; economic; economic impact; health system; medical informatics; privacy; security

Source: DOI:10.2196/41738   PDF (PubMed)

Abstract:
BACKGROUND: Over the last decade, the frequency and size of cyberattacks on the health care industry have increased, ranging from breaches of processes or networks to file encryption that restricts access to data. These attacks may have multiple consequences for patient safety: they can, for example, target electronic health records, access to critical information, and the support of critical systems, thereby delaying hospital activities. The effects of cybersecurity breaches are not only a threat to patients' lives but also have financial consequences, because they cause inactivity in health care systems. However, publicly available information quantifying the impact of these incidents is scarce.
OBJECTIVE: Using public domain data from Portugal, we aim to (1) identify data breaches in the public national health system since 2017 and (2) measure their economic impact using a hypothesized scenario as a case study.
METHODS: We retrieved data on cybersecurity incidents from multiple national and local media sources for 2017 to 2022 and built a timeline of attacks. Because no public information on the impact of these cyberattacks was available, drops in activity were estimated using a hypothesized scenario for the resources affected and for the percentage and duration of inactivity. Only direct costs were considered in the estimates. Data for the estimates were derived from the activity planned under each hospital's contract program. We used sensitivity analysis to illustrate how a midlevel ransomware attack might affect a health institution's daily costs, inferring a range of potential values from the assumptions. Given the heterogeneity of the included parameters, we also provide a tool that lets users estimate the impact of different attacks on institutions according to their contract program, served population size, and proportion of inactivity.
RESULTS: From 2017 to 2022, we identified 6 incidents in Portuguese public hospitals using public domain data (1 incident each year and 2 in 2018). Financial impacts were estimated from a cost perspective, with values ranging from a minimum of €115,882.96 to a maximum of €2,317,659.11 (at an exchange rate of €1=US $1.0233). Costs of this range and magnitude were inferred by assuming different percentages of affected resources and different numbers of working days of inactivity, up to a maximum of 5, while considering the costs of external consultations, hospitalization, and the use of in- and outpatient clinics and emergency rooms.
CONCLUSIONS: To enhance cybersecurity capabilities in hospitals, robust information is needed to support decision-making. Our study provides preliminary insights that can help health care organizations better understand the costs and risks associated with cyber threats and improve their cybersecurity strategies. It also demonstrates the importance of adopting effective preventive and reactive strategies, such as contingency plans, and of increased investment in cybersecurity capabilities in this critical area, with the aim of achieving cyber-resilience.
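The Methods and Results above describe a direct-cost model of inactivity (planned activity from the contract program, a fraction of resources affected, a number of working days lost) swept over a sensitivity grid to obtain a minimum-to-maximum range. The following Python sketch is an added example of that kind of model; it is not the tool released with the paper, and every figure in it (the 250 working days per year, the activity lines, their annual volumes and unit prices, and the scenario grid) is a constructed placeholder, so its output does not reproduce the paper's €115,882.96 to €2,317,659.11 range.

```python
"""Direct cost of hospital inactivity after a cyberattack, with sensitivity analysis.

Added example: this is not the tool released with the paper (DOI:10.2196/41738),
and every volume, price and scenario value below is a constructed placeholder.
The structure follows the abstract's method: planned activity from the hospital
contract program gives a daily value per activity line; an assumed fraction of
affected resources and a number of working days of inactivity turn that into a
direct cost; a grid over both assumptions gives the minimum-to-maximum range.
"""
from dataclasses import dataclass
from itertools import product

# Assumption: the contract program is annual and hospital activity is spread
# evenly over 250 working days.
WORKING_DAYS_PER_YEAR = 250


@dataclass(frozen=True)
class ActivityLine:
    """One line of the contract program: planned annual acts and their unit price."""
    name: str
    annual_volume: int
    unit_price_eur: float

    def daily_value(self) -> float:
        """Value of one working day of planned activity on this line."""
        return self.annual_volume * self.unit_price_eur / WORKING_DAYS_PER_YEAR


# Constructed contract program for an illustrative mid-sized hospital. The
# activity categories are those the abstract names; the numbers are invented.
CONTRACT_PROGRAMME = [
    ActivityLine("external consultations", 250_000, 45.0),
    ActivityLine("hospitalization episodes", 18_000, 2_400.0),
    ActivityLine("in- and outpatient clinic sessions", 40_000, 180.0),
    ActivityLine("emergency room visits", 120_000, 60.0),
]


def cost_breakdown(lines, affected_fraction, working_days):
    """Direct cost per activity line for one scenario.

    Only direct costs are modelled, as in the paper: lost planned activity, not
    recovery spend, penalties or clinical harm. The fraction of resources
    affected and the days of inactivity are the two assumptions the
    sensitivity analysis varies.
    """
    if not 0.0 <= affected_fraction <= 1.0:
        raise ValueError("affected_fraction must lie in [0, 1]")
    if working_days < 0:
        raise ValueError("working_days must be non-negative")
    return {
        line.name: line.daily_value() * affected_fraction * working_days
        for line in lines
    }


def direct_cost(lines, affected_fraction, working_days):
    """Total direct cost of the scenario across all activity lines."""
    return sum(cost_breakdown(lines, affected_fraction, working_days).values())


def sensitivity_grid(lines, fractions, days):
    """Direct cost for every (affected fraction, working days) combination."""
    return {(f, d): direct_cost(lines, f, d) for f, d in product(fractions, days)}


def cost_range(grid):
    """Minimum and maximum direct cost over a sensitivity grid."""
    return min(grid.values()), max(grid.values())


if __name__ == "__main__":
    # Scenario grid: 10 % to 100 % of resources affected, 1 to 5 working days
    # (the abstract caps its estimates at 5 working days).
    fractions = [0.10, 0.25, 0.50, 1.00]
    days = [1, 2, 3, 5]
    grid = sensitivity_grid(CONTRACT_PROGRAMME, fractions, days)
    print(f"{'affected':>9} {'days':>4} {'direct cost (EUR)':>18}")
    for (f, d), cost in sorted(grid.items()):
        print(f"{f:>9.0%} {d:>4} {cost:>18,.2f}")
    lo, hi = cost_range(grid)
    print(f"\nrange: EUR {lo:,.2f} to EUR {hi:,.2f}")
    # Which activity line dominates a midlevel scenario (50 % affected, 3 days)?
    for name, cost in cost_breakdown(CONTRACT_PROGRAMME, 0.5, 3).items():
        print(f"  {name:<35} {cost:>14,.2f}")
```

The per-line breakdown matters more than the total for planning: with these placeholder figures hospitalization dominates the loss, which is where a contingency plan (paper-based admission, downtime order sets) buys the most. To apply the model to a real institution, replace CONTRACT_PROGRAMME with the planned volumes and unit prices from that hospital's own contract program and choose fractions and days from its incident history.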