In May, a major cyberattack disabled clinical operations for almost a month at Ascension, a health care provider that includes 140 hospitals across the U.S. Investigators tracked the problem to malicious ransomware that had infected an employee's laptop.
Health care systems offer juicy targets for cybercrime because of the valuable personal, financial, and health data they hold. A 2023 survey of health information technology and IT security professionals reported that 88% of their organizations had experienced an average of 40 attacks during the previous year.
One key vulnerability has been the growing complexity of their IT systems, says Hüseyin Tanriverdi, associate professor of information, risk, and operations management at Texas McCombs. It's a result of decades of mergers and acquisitions forming larger and larger multihospital systems.
“After a merger, they don't necessarily standardize their technology and care processes. The health system ends up having a lot of complexity, with different IT systems, very different care processes and disparate governance structures.”
Hüseyin Tanriverdi, associate professor of information, risk, and operations management at Texas McCombs
But complexity may also offer a solution to such problems, he finds in new research. With co-authors Juhee Kwon of City University of Hong Kong and Ghiyoung Im of the University of Louisville, he says that a “good kind of complexity” can improve communication among different systems, care processes, and governance structures, better protecting them against cyber incidents.
Complex vs. complicated
Using data from 445 multihospital groups spanning 2009 to 2017, the team looked at the oft-repeated notion that complexity is the enemy of security.
They distinguished between two similar-sounding IT concepts that are key to the problem.
- Complicatedness is a large number of elements in a system that interconnect and share information in structured ways.
- Complexity occurs when a large number of elements interconnect and share information in unstructured ways, as when integrating systems after mergers and acquisitions.
Because complicated systems have structures, Tanriverdi says, it's difficult but possible to predict and control what they will do. That's not possible for complex systems, with their unstructured connections.
Tanriverdi found that as health care systems got more complex, they became more vulnerable. The most complex systems, those with the most kinds of health service referrals from one hospital to another, were 29% more likely to be breached than average.
The problem, he says, is that such systems offer more data transfer points for hackers to attack, and more opportunities for human users to make security mistakes.
He found similar vulnerabilities with other forms of complexity, including:
- Many different types of medical services handling health data.
- Decentralizing strategic decisions to member hospitals instead of making them at the corporate center.
Setting data standards
The researchers also proposed a solution: building enterprise-wide data governance platforms, such as centralized data warehouses, to manage data sharing among various systems. Such platforms would convert dissimilar data types into common ones, structure data flows, and standardize security configurations.
“They would transform a complex system into a complicated system,” he says. By simplifying the system, they could further lower its level of complication.
He tested the cybersecurity effects of creating such platforms. The result, he found, was that in the most complicated system, they could reduce breaches by up to 47%.
Centralizing data governance reduces avenues for hackers to get in, Tanriverdi says. “With fewer access points and simplified and hardened cybersecurity controls, unauthorized parties are less likely to gain unauthorized access to patient data.”
He recommends supplementing technical controls with stronger human ones, as well: training users in cybersecurity practices and better regulating who has access to various parts of the system.
Tanriverdi acknowledges a paradox in his approach. Investing in a new layer of technology may introduce more IT complexity at first. But in the long run, it's a good kind of complexity that tames the existing, and more hazardous, kinds of complexity.
“Practitioners should embrace IT complexity, as long as it adds structure to information flows that were previously ad hoc,” he says. “Technology reduces cybersecurity risks if it is organized and governed well.”
Journal reference:
Tanriverdi, H., et al. (2024). Taming Complexity in Cybersecurity of Multihospital Systems: The Role of Enterprise-wide Data Analytics Platforms. MIS Quarterly. doi.org/10.25300/misq/2024/17752.