Economic impact of a hospital cyberattack in a national health system

Bibliographic details
Main author: Portela, Diana
Publication date: 2023
Other authors: Nogueira-Leite, Diogo, Almeida, Rafael, Cruz-Correia, Ricardo
Document type: Article
Language: eng
Source title: Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
Full text: http://hdl.handle.net/10362/163542
Abstract: Funding Information: This paper was supported by the Doctoral Programme in Health Data Science of the Faculty of Medicine at the University of Porto, Portugal [26]. The authors would like to thank e-MAIS (Movimento Associação dos Sistemas de Informação em Saúde), the Portuguese representative to the European Federation of Medical Informatics, for its contribution to the development of this study. Publisher Copyright: © JMIR Publications Inc.. All Rights Reserved.
id RCAP_870168db49808f0fa233dddaa8965f8b
oai_identifier_str oai:run.unl.pt:10362/163542
network_acronym_str RCAP
network_name_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository_id_str 7160
spelling Economic impact of a hospital cyberattack in a national health system
Descriptive case study
cost
cyberattack
cybersecurity
data breach
economic
economic impact
health system
medical informatics
privacy
security
Medicine (miscellaneous)
Health Informatics
SDG 3 - Good Health and Well-being
Funding Information: This paper was supported by the Doctoral Programme in Health Data Science of the Faculty of Medicine at the University of Porto, Portugal [26]. The authors would like to thank e-MAIS (Movimento Associação dos Sistemas de Informação em Saúde), the Portuguese representative to the European Federation of Medical Informatics, for its contribution to the development of this study. Publisher Copyright: © JMIR Publications Inc.. All Rights Reserved.
Background: Over the last decade, the frequency and size of cyberattacks in the health care industry have increased, ranging from breaches of processes or networks to encryption of files that restrict access to data. These attacks may have multiple consequences for patient safety, as they can, for example, target electronic health records, access to critical information, and support for critical systems, thereby causing delays in hospital activities. The effects of cybersecurity breaches are not only a threat to patients’ lives but also have financial consequences due to causing inactivity in health care systems. However, publicly available information on these incidents quantifying their impact is scarce.
Objective: We aim, while using public domain data from Portugal, to (1) identify data breaches in the public national health system since 2017 and (2) measure the economic impact using a hypothesized scenario as a case study.
Methods: We retrieved data from multiple national and local media sources on cybersecurity from 2017 until 2022 and built a timeline of attacks. In the absence of public information on cyberattacks, reported drops in activity were estimated using a hypothesized scenario for affected resources and percentages and duration of inactivity. Only direct costs were considered for estimates. Data for estimates were produced based on planned activity through the hospital contract program. We use sensitivity analysis to illustrate how a midlevel ransomware attack might impact health institutions’ daily costs (inferring a potential range of values based on assumptions). Given the heterogeneity of our included parameters, we also provide a tool for users to distinguish such impacts of different attacks on institutions according to different contract programs, served population size, and proportion of inactivity.
Results: From 2017 to 2022, we were able to identify 6 incidents in Portuguese public hospitals using public domain data (there was 1 incident each year and 2 in 2018). Financial impacts were obtained from a cost point of view, where estimated values have a minimum-to-maximum range of €115,882.96 to €2,317,659.11 (a currency exchange rate of €1=US $1.0233 is applicable). Costs of this range and magnitude were inferred assuming different percentages of affected resources and with different numbers of working days while considering the costs of external consultation, hospitalization, and use of in- and outpatient clinics and emergency rooms, for a maximum of 5 working days.
Conclusions: To enhance cybersecurity capabilities at hospitals, it is important to provide robust information to support decision-making. Our study provides valuable information and preliminary insights that can help health care organizations better understand the costs and risks associated with cyber threats and improve their cybersecurity strategies. Additionally, it demonstrates the importance of adopting effective preventive and reactive strategies, such as contingency plans, as well as enhanced investment in improving cybersecurity capabilities in this critical area while aiming to achieve cyber-resilience.
NOVA School of Business and Economics (NOVA SBE)
RUN
Portela, Diana
Nogueira-Leite, Diogo
Almeida, Rafael
Cruz-Correia, Ricardo
2024-02-14T23:18:34Z
2023
2023-01-01T00:00:00Z
info:eu-repo/semantics/publishedVersion
info:eu-repo/semantics/article
application/pdf
http://hdl.handle.net/10362/163542
eng
2561-326X
PURE: 68872761
https://doi.org/10.2196/41738
info:eu-repo/semantics/openAccess
reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron:RCAAP
2024-03-11T05:47:10Z
oai:run.unl.pt:10362/163542
Portal Agregador
ONG
https://www.rcaap.pt/oai/openaire
opendoar:7160
2024-03-20T03:59:27.141944
Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
false
dc.title.none.fl_str_mv Economic impact of a hospital cyberattack in a national health system
Descriptive case study
dc.contributor.none.fl_str_mv NOVA School of Business and Economics (NOVA SBE)
RUN
dc.contributor.author.fl_str_mv Portela, Diana
Nogueira-Leite, Diogo
Almeida, Rafael
Cruz-Correia, Ricardo
dc.subject.por.fl_str_mv cost
cyberattack
cybersecurity
data breach
economic
economic impact
health system
medical informatics
privacy
security
Medicine (miscellaneous)
Health Informatics
SDG 3 - Good Health and Well-being
publishDate 2023
dc.date.none.fl_str_mv 2023
2023-01-01T00:00:00Z
2024-02-14T23:18:34Z
dc.type.status.fl_str_mv info:eu-repo/semantics/publishedVersion
dc.type.driver.fl_str_mv info:eu-repo/semantics/article
format article
status_str publishedVersion
dc.identifier.uri.fl_str_mv http://hdl.handle.net/10362/163542
url http://hdl.handle.net/10362/163542
dc.language.iso.fl_str_mv eng
language eng
dc.relation.none.fl_str_mv 2561-326X
PURE: 68872761
https://doi.org/10.2196/41738
dc.rights.driver.fl_str_mv info:eu-repo/semantics/openAccess
eu_rights_str_mv openAccess
dc.format.none.fl_str_mv application/pdf
dc.source.none.fl_str_mv reponame:Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
instname:Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron:RCAAP
instname_str Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
instacron_str RCAAP
institution RCAAP
reponame_str Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
collection Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos)
repository.name.fl_str_mv Repositório Científico de Acesso Aberto de Portugal (Repositórios Cientìficos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação
repository.mail.fl_str_mv
_version_ 1799138174312644608