In recent years, healthcare organizations have increasingly become prime targets for cybercriminals, and an incident involving Ascension serves as a stark reminder of this ongoing crisis. In May, Ascension—a sprawling healthcare provider with 140 hospitals across the United States—faced a debilitating cyberattack that rendered its clinical operations inoperative for almost a month. Investigators traced the root of the issue to ransomware that infiltrated an employee’s computer. This incident highlights a significant concern: the treasure trove of valuable personal, financial, and health-related data housed within healthcare systems makes them exceedingly attractive to cyber attackers.
A 2023 survey of health information technology and IT security professionals underscored the magnitude of the threat in the industry, revealing that 88% of organizations experienced an average of 40 attacks in the preceding year. As healthcare systems expand and evolve, they become increasingly susceptible to these threats. A contributing factor to this vulnerability is the complexity of their IT infrastructures.
Dr. Hüseyin Tanriverdi, an associate professor at Texas McCombs, draws attention to the intricate nature of IT systems within healthcare organizations. He argues that decades of mergers and acquisitions within the industry have fostered an environment where disparate technologies and processes coexist without standardization. For example, after a merger, organizations often fail to align their IT systems and care practices. As a result, the emerging health systems become labyrinthine in their structure, hosting various IT systems, unique care processes, and differing governance frameworks.
However, it is essential to recognize that complexity is not solely the enemy; under specific conditions, it can also be beneficial. Tanriverdi’s research, carried out alongside co-authors Juhee Kwon and Ghiyoung Im, suggests that a “good kind of complexity” can enhance communication and collaboration among different systems and processes, thereby fortifying defenses against cyber threats. Their findings, published in the journal MIS Quarterly, explore this concept in depth, employing data from 445 multihospital groups spanning eight years.
The research distinguishes between two similarly termed concepts critical to understanding cybersecurity in healthcare: complicatedness and complexity. Complicatedness refers to systems characterized by a high number of interconnected elements that share information in structured patterns, while complexity arises in systems where connections among numerous elements are unstructured. This distinction is pivotal—it implies that complicated systems, despite their interwoven nature, can be managed predictably, whereas complex systems present unpredictability and increased vulnerability.
Tanriverdi’s findings indicate that as healthcare systems grow more complex, their susceptibility to cyber breaches escalates. The data reveals that the most complex systems, which facilitate diverse health service referrals, are 29% more likely to experience breaches than the average system. Such vulnerabilities stem from multiple factors, including increased data transfer points that create more opportunities for hackers and potential human errors in security practices.
To mitigate these growing threats, the researchers have proposed a transformative solution: establishing enterprise-wide data governance platforms. Such platforms can manage data sharing across varying systems by converting disparate data types into uniform formats, structuring data flows, and standardizing security measures. The objective of these platforms is to transition from a complex system to a more complicated one, reducing vulnerabilities significantly.
Tanriverdi’s research demonstrates that implementing these centralized data governance platforms could lead to a substantial reduction in breaches: the most complicated systems could see breaches decreased by as much as 47%. By consolidating oversight and tightening cybersecurity controls, organizations can lessen the number of attack vectors available to malicious actors.
Balancing Complexity with Cybersecurity Measures
While centralizing data governance can initially introduce a new layer of complexity, creating a structured system ultimately helps mitigate greater risks. Tanriverdi encourages healthcare practitioners to embrace this structured complexity, which facilitates clearer information flows, as a strategic move toward enhancing cybersecurity. These changes should be supplemented with robust user training on cybersecurity best practices and stringent regulations regarding system access levels.
The ongoing issues of cybersecurity in the healthcare sector require innovative solutions that acknowledge the inherent complexities within their IT structures. By developing comprehensive strategies focused on structured data governance and user education, healthcare organizations can strengthen their defenses, ensuring patient data remains secure in an increasingly dangerous cyber landscape. The journey towards security is fraught with challenges, but with a proactive approach, organizations can transform vulnerabilities into opportunities for resilience.