F. Rizzoni, S. Magalini, A. Casaroli, P. Mari, M. Dixon, L. Coventry, Digital Health, Vol. 8, SAGE Journals
Phishing is a major threat to the data and infrastructure of healthcare organizations, and many cyberattacks use this socially engineered pathway. Phishing simulation is used to identify weaknesses and risks in the human defences of organizations. Many factors influence how difficult a phishing email is to detect, including fatigue and the nature of the deceptive message. A major Italian hospital with over 6000 healthcare staff performed a phishing simulation as part of its annual training and risk assessment. Three campaigns were launched at approximately 4-month intervals to compare staff reaction to a general phishing email and a customized one. The results show that customization of phishing emails makes them much more likely to be acted on. In the first campaign, 64% of staff did not open the general phish, significantly more than the 38% that did not open the custom phish. A significant difference was also found for the click rate, with significantly more staff clicking on the custom phish. However, the campaigns could not be run as intended, due to issues raised within the organization. Phishing simulation is useful but not without its limitations. It requires contextual knowledge, skill and experience to ensure that it is effective. The exercise raised many issues within the hospital. Successful, ethical phishing simulations require coordination across the organization, precise timing and staff not knowing in advance that the simulation is taking place. This can be complex to coordinate. Misleading messages containing false threats or promises can cause a backlash from staff and unions. The effectiveness of the message depends on its personalization to current, local events. The lessons learned can be useful for other hospitals.
D. Branley-Bell, L. Coventry, E. Sillence, ACM Digital Library, PETRA 2021 conference: PErvasive Technologies Related to Assistive Environments Conference
Cybersecurity problems have traditionally been addressed through technological solutions and staff training. Whilst technology can reduce or remove some weaknesses, some attacks specifically target human users. Whilst training can educate staff on how to behave more securely, this is often not sufficient to promote actual secure behaviours. Knowing what to do is necessary but not sufficient. It is also necessary to remove barriers to the required behaviour and to intervene in a way that affords behaviour change. This is particularly true in healthcare, where environmental factors including time pressure and staff fatigue can create barriers to cybersecurity behaviour change. Technology and training are only a partial solution. Only by taking a more holistic approach which encompasses technology, people and processes, and by addressing the culture change needed to facilitate more secure behaviours, will any progress be made in the workplace. We conducted a series of in-depth interviews and workshops with staff across 3 healthcare organisations in Italy, Crete and Ireland. This paper reflects on our main findings, including key requirements for future cybersecurity interventions. We used this reflection to develop a secure behaviour toolkit to help healthcare organisations identify problematic behaviours and co-create interventions to increase secure staff behaviour, being mindful that sometimes culture change is necessary to enable the required security behaviours. The toolkit also provides a means to evaluate the interventions identified and the final implementation of the intervention.
S. Bonomi, S. Magalini, D. Gui, P. Mari, M. Merialdo, E. Spanakis, F. Rizzoni, A. Casaroli, Journal of Strategic Innovation and Sustainability, Vol. 16 No. 3 (2021), OJS/PKP
Healthcare organizations are an attractive target for cyber-attacks, because the digitization of health processes is emerging as a necessity. Healthcare is a rich source of valuable data and its defences are weak. The particular weakness of this domain is due to the high complexity and dynamism of the healthcare technological environment and to the fact that the healthcare working environment has many characteristics that make human behaviour a cybersecurity hazard. Cyberattacks may have significant effects on the provision of health services. Concrete measures strengthening a healthcare setting must take into account the number and diversity of basic hospital components and existing security policies. The purpose of this work is to present a cybersecurity toolkit for connected devices and people. The Panacea toolkit supports hospitals in performing preparedness activities, for example: assessment of the nature and severity of a threat, identification of mitigation measures and adoption of mitigation strategies.
L. Coventry, D. Branley-Bell, E. Sillence, S. Magalini, P. Mari, A. Magkanaraki, K. Anastasopoulou, Lecture Notes in Computer Science, Springer, International Conference on Human-Computer Interaction, HCII 2020: HCI for Cybersecurity, Privacy and Trust, pp. 105–122
There are increasing concerns relating to cybersecurity of healthcare data and medical devices. Cybersecurity in this sector is particularly important given the criticality of healthcare systems, the impacts of a breach or cyberattack (including in the worst instance, potential physical harm to patients) and the value of healthcare data to criminals. Technology design is important for cybersecurity, but it is also necessary to understand the insecure behaviours prevalent within healthcare. It is vital to identify the drivers behind these behaviours, i.e., why staff may engage in insecure behaviour including their goals and motivations and/or perceived barriers preventing secure behaviour. To achieve this, in-depth interviews with 50 staff were conducted at three healthcare sites, across three countries (Ireland, Italy and Greece). A range of seven insecure behaviours were reported: Poor computer and user account security; Unsafe e-mail use; Use of USBs and personal devices; Remote access and home working; Lack of encryption, backups and updates; Use of connected medical devices; and poor physical security. Thematic analysis revealed four key facilitators of insecure behaviour: Lack of awareness and experience, Shadow working processes, Behaviour prioritisation and Environmental appropriateness. The findings suggest three key barriers to security: i) Security perceived as a barrier to productivity and/or patient care; ii) Poor awareness of consequences of behaviour; and iii) a lack of policies and reinforcement of secure behaviour. Implications for future research are presented.
D. Branley-Bell, L. Coventry, E. Sillence, S. Magalini, P. Mari, A. Magkanaraki, K. Anastasopoulou, Annals of Disaster Risk Sciences, Proceedings of CYSEC 2020 conference
Staff behaviour plays a key role in the cybersecurity position of an organisation. Despite this, behaviour-change interventions are not commonly applied within the field of cybersecurity. Behaviour change techniques could be particularly beneficial given increasing concerns around healthcare cybersecurity risks, particularly following the 2017 WannaCry ransomware attack, which had devastating results on healthcare services. Cyber-risk is particularly concerning within healthcare given the criticality of medical systems and the potential impacts of a cyberbreach or attack. In worst case scenarios, cybersecurity incidents could result in patient harm or even fatalities. Whilst there has been concerted investment in improving healthcare's technological defences against cyberthreat, the same level of investment has not been made in healthcare staff. This has left staff behaviour as a vulnerability which can be exploited by attackers. This paper introduces a structured approach to help organisations work through four key steps that we refer to as the AIDE approach: Assess, Identify, Develop and Evaluate behaviour change techniques to facilitate more secure behaviour. We include a worked example of how we are applying this approach to the development of interventions to mitigate insecure cybersecurity behaviours in a healthcare context.
L. Coventry & D. Branley-Bell, Maturitas, doi: 10.1016/j.maturitas.2018.04.008
Electronic healthcare technology is prevalent around the world and creates huge potential to improve clinical outcomes and transform care delivery. However, there are increasing concerns relating to the security of healthcare data and devices. Increased connectivity to existing computer networks has exposed medical devices to new cybersecurity vulnerabilities. Healthcare is an attractive target for cybercrime for two fundamental reasons: it is a rich source of valuable data and its defences are weak. Cybersecurity breaches include stealing health information and ransomware attacks on hospitals, and could include attacks on implanted medical devices. Breaches can reduce patient trust, cripple health systems and threaten human life. Ultimately, cybersecurity is critical to patient safety, yet has historically been lax. New legislation and regulations are in place to facilitate change. This requires cybersecurity to become an integral part of patient safety. Changes are required to human behaviour, technology and processes as part of a holistic solution.
K. Anastasopoulou, P. Mari, A. Magkanaraki, E. G. Spanakis, S. Magalini, M. Merialdo, V. Sakkalis. Proceedings of the 13th International Conference on Theory and Practice of Electronic Governance (ICEGOV2020), ACM Press, 2020, ISBN: 978-1-4503-7674-7
European healthcare organisations face growing common challenges. Health services have been identified at EU level as essential for the maintenance of critical societal and/or economic activities. Furthermore, patient safety and personal data are at risk in daily operations. ICT penetration and the increasing connectivity of devices within a healthcare organisation inevitably lead to a growing dependency on them. Therefore, a solid cybersecurity prevention strategy is needed. Its solidity depends on its capability to capture the specificities of health services. The article describes a socio-technical modelling approach, set up by the H2020 PANACEA project, based on four models (Healthcare Organization (HCOM), Medical Device Lifecycle, Information System Lifecycle, Cybersecurity system). The proposed models can identify cybersecurity aspects, map cybersecurity interventions, and compare cybersecurity solutions for healthcare organisations, which, by default, constitute large and complicated structured organisations. Focusing on the HCOM model, this paper presents a methodological tool for identifying the socio-technical structure (technical and non-technical) of a healthcare organisation from the cybersecurity perspective, thus delivering a valuable tool for both public and private healthcare organisations.