Recommendations for the use of resilience matrix in healthcare institutions

Open Access
Article
Conference Proceedings
Authors: Kenta Nakayama, Kenji Watanabe

Abstract: In recent years, the threat of cyberattacks has increased annually, requiring organizations to prioritize security measures. This urgency is particularly critical in healthcare institutions, given their status as critical infrastructure and the potential risks cyberattacks pose to human lives. However, limited IT investment in healthcare institutions has resulted in inadequate cybersecurity measures and underinvestment in IT infrastructure. Outdated and unsupported operating systems pose significant vulnerabilities, escalating the risk of security incidents. Despite the challenges imposed by limited IT investment, organizations must strive to develop resilience that enables swift recovery in the event of a security incident, even while accepting a certain level of risk. At present, healthcare institutions that have suffered cyberattacks are hesitant to disclose some of the findings from security incidents involving vulnerabilities, because those findings reveal vulnerabilities within the industry and suggest the possibility of further cyberattacks. However, NIST SP 800-61, which is also a guideline for computer incident response, states that it is important to prepare for the next security incident by learning lessons from past security incidents. In the first half of this study, security incidents that have occurred in healthcare institutions in the past are discussed, and the issues are organized using the PPT (People, Process, and Technology) framework used to examine cybersecurity measures. The issues were organized based on two hospital incident cases that occurred in Japan in 2021 and 2022 and for which investigation reports were issued. In terms of People (organizations), the lack of security personnel is positioned as the cause of the incidents. However, healthcare institutions prioritize patient care, and for economic reasons it is difficult for them to secure not only security personnel but also IT personnel. In terms of Process, the issues were that neither an information collection system for urgent vulnerabilities nor a patch application process was in place, and that the password policy was weak and not well maintained. In terms of Technology, the vulnerabilities of the equipment and systems had not been addressed, and the anti-virus system was not in operation. Because of compatibility constraints of the electronic healthcare record system, it was not possible to update the equipment or run the anti-virus software. The second half of the paper will focus on People and Process in particular, and organize their roles in the incident response phase using the Incident Command System (ICS). In a normal ICS, the five actors are Command, Operations, Planning, Logistics, and Finance/Administration, but since many of the roles played by the legal department could be read from the incident case studies, a resilience matrix was organized to identify the relevant actors. In the future, we will further discuss the practicality of the resilience matrix, as well as the triggers and considerations for shifting to the OODA loop (Observe, Orient, Decide, Act) when responding to an incident, by applying the results of previous studies, such as incident response exercises.

Keywords: Cybersecurity, Non-technical countermeasures, BCP, Humancentric perspective, Resilience

DOI: 10.54941/ahfe1004602
