
New research offers solutions for cybersecurity in hospitals

In May, a major cyberattack paralyzed clinical operations at Ascension, a healthcare provider with 140 hospitals across the U.S., for nearly a month. Investigators linked the problem to ransomware that infected an employee’s computer.

Healthcare systems are attractive targets for cybercrime because of the valuable personal, financial, and health data they store. A 2023 survey of healthcare IT and security professionals found that 88% of their organizations had experienced an attack in the previous year, with an average of 40 attacks per organization.

One key gap is the growing complexity of their IT systems, says Hüseyin Tanriverdi, assistant professor of information, risk and operations management at Texas McCombs. That’s the result of decades of mergers and acquisitions that have created ever-larger multi-hospital systems.

“After the merger, they don’t necessarily standardize their technology and care processes. The healthcare system ends up being very complex, with different IT systems, very different care processes, and divergent management structures.”

Hüseyin Tanriverdi, assistant professor of information, risk and operations management at Texas McCombs

But complexity can also offer a solution to such problems, he finds in a new study. He and co-authors Juhee Kwon of the City University of Hong Kong and Ghiyoung Im of the University of Louisville say that “the right kind of complexity” can improve communication between different systems, care processes and management structures, better protecting them from cyber incidents.

Complex vs. complicated

Using data from 445 multi-hospital groups from 2009 to 2017, the team explored the oft-repeated finding that complexity is the enemy of safety.

They distinguished two similar-sounding computer science concepts that are key to solving the problem.

  • Complicated: a system with a large number of elements that are interconnected and exchange information in a structured way.
  • Complex: a system in which a large number of elements connect to each other and share information in an unstructured way – such as when systems are integrated following mergers and acquisitions.

Because complicated systems have structure, Tanriverdi says, it is difficult but feasible to predict and control what they will do. This is not possible for complex systems, with their unstructured connections.

Tanriverdi found that as healthcare systems became more complex, they became more vulnerable to attack. The most complex systems—those with the greatest variety of referrals for healthcare services from one hospital to another—were 29% more vulnerable than average.

The problem, he said, is that such systems give hackers more data transfer points that can be used to launch attacks, and people are more likely to make security mistakes.

He discovered similar vulnerabilities in other forms of complexity, including:

  • Many different types of medical services that process health data.
  • Decentralizing strategic decisions to member hospitals rather than making them at corporate headquarters.

Establishing Data Standards

The researchers also proposed a solution: building enterprise-wide data management platforms, such as centralized data warehouses, to manage data sharing across different systems. Such platforms would convert different data types into common ones, structure data flows, and standardize security configurations.

“They would transform a complex system into a complicated system,” he says. By adding structure, the platforms would make the system more predictable and easier to control.

He tested the cybersecurity implications of creating such platforms. The result, he found, was that in the most complex system, they would reduce breaches by as much as 47%.

Centralizing data management limits hackers’ options, Tanriverdi says. “With fewer access points and simplified and strengthened cybersecurity controls, unauthorized parties are less likely to gain unauthorized access to patient data.”

He recommends supplementing technical controls with stronger human controls, such as training users in cybersecurity practices and more tightly regulating who has access to different parts of the system.

Tanriverdi acknowledges a paradox in his approach. Investing in a new layer of technology may initially introduce more IT complexity. But in the long run, it’s a good kind of complexity that tames existing — and more dangerous — kinds of complexity.

“Practitioners should embrace the complexity of IT as long as it adds structure to previously ad hoc information flows,” he says. “Technology reduces cybersecurity risk when it’s well-organized and managed.”


University of Texas at Austin

Journal reference:

Tanriverdi, H., Kwon, J., and Im, G. (2024). Taming Complexity in Multi-Hospital Cybersecurity: The Role of Enterprise-Wide Data Analytics Platforms. MIS Quarterly.