Cybersecurity in the age of digital pandemics: protecting patient data in low-income and middle-income countries
2024; Elsevier BV; Volume: 12; Issue: 6; Language: English
DOI: 10.1016/s2214-109x(24)00124-4
ISSN: 2572-116X
Authors: Cameron Sabet, John C. Lin, Anthony Zhong, Dang Nguyen,
Topic(s): IoT and Edge/Fog Computing
Abstract: In the digital age, the health-care sector has become increasingly targeted by cybercriminals, particularly for its patient data. In January, 2024, a substantial data breach at French payment processors Viamedis and Almerys compromised the private health information of over 33 million individuals, affecting nearly half of France's population. [1] This incident is part of a growing trend of cyberattacks recently identified by WHO as a global threat to public health. [2] Cybercriminals have been demanding increasingly large ransoms to recover stolen patient data and re-establish access to crucial health-care systems. These breaches present substantial economic implications. Trend Micro, a cybersecurity firm, estimates the global cost of hospital cyberattacks at over US$6 billion annually. [3] Patient health data is valued at up to $250 per record on the underground market, far above the value of payment cards, which at $5·40 are the second most lucrative commodity. [4] The high price for patient health records is attributed to the potential for misuse, which could be used to illegally purchase pharmaceutical products or conduct insurance fraud.

[1] CNIL. Violation de données de deux opérateurs de tiers payant: la CNIL ouvre une enquête et rappelle aux assurés les précautions à prendre. Feb 7, 2024. https://cnil.fr/fr/violation-de-donnees-de-deux-operateurs-de-tiers-payant-la-cnil-ouvre-une-enquete-et-rappelle-aux (accessed February 18, 2024).
[2] Abed SF, Allain-Ioos S, Shindo N. Examining the threat of cyber-attacks on health care during the COVID-19 pandemic. Wkly Epidemiol Rec. 2024; 4: 25-37.
[3] CDW. The cost of cybersecurity in healthcare. https://www.cdw.com/content/cdw/en/articles/security/the-cost-of-cybersecurity-in-healthcare.html (accessed February 18, 2024).
[4] Imprivata. Hackers, breaches, and the value of healthcare data. June 30, 2021. https://www.imprivata.com/uk/node/103708 (accessed February 18, 2024).
The risks associated with cyberattacks are particularly acute in low-income and middle-income countries (LMICs), where the necessary infrastructure, resources, and regulatory frameworks to protect health data can be insufficient. As a result, underfunded and understaffed systems have become soft targets for cybercriminals. In 2022, the Costa Rican Government reported that hackers demanded a $20 million ransom after successfully attacking multiple government agencies, including the nation's public health-care system. [5] The risk of cyberattacks is compounded by the absence of standardised global data protection measures. Despite the limitations of the Health Insurance Portability and Accountability Act in the USA and the General Data Protection Regulation in the European Union, many countries do not have equivalent patient security frameworks. A 2016 report from WHO found that only 55% of nations had legislation to protect the privacy of electronic patient data. [6] This regulatory vacuum, in combination with a shortage of overarching safeguards at hospitals and data handling standards for providers, increases the risk of data breaches. A 2018 study [7] highlights the challenges in improving hospital cybersecurity, including institutional politics, regulatory pressures, and the large number of individuals and devices within a health-care system.

[5] Russu C. The impact of low cyber security on the development of poor nations. https://www.developmentaid.org/news-stream/post/149553/low-cyber-security-and-development-of-poor-nations (accessed February 18, 2024).
[6] World Health Organization. Global diffusion of ehealth: making universal health coverage achievable. Report of the third global survey on ehealth. 2016. https://iris.who.int/handle/10665/252529 (accessed February 18, 2024).
[7] Jalali MS, Kaiser JP. Cybersecurity in hospitals: a systematic, organizational perspective. J Med Internet Res. 2018; 20: e10059.
Furthermore, physicians have been increasingly using digital tools, like ChatGPT, which automatically store and use all inputted data, to help make clinical decisions and prepare patient notes, often in violation of privacy regulations. [8] Economic circumstances in LMICs can leave these countries more vulnerable to patient data breaches. With device manufacturers withdrawing support for older technology, and fewer resources available to invest in cybersecurity measures, patient data systems might be easier to hack. Some LMICs, such as South Africa, have attempted to respond to these threats, but their efforts have been hampered by insufficient funding and underinvestment in national cyber strategies. Their experience underscores the urgent need for governments to prioritise updating their cybersecurity approaches, incorporating strategies like multi-factor authentication and risk-based authentication, alongside educating health-care staff about digital risks and data privacy. International agencies and non-governmental organisations (NGOs) have primarily responded by raising awareness about the need for stronger health-care cybersecurity in LMICs. WHO has published reports and organised high-level meetings with the World Health Assembly to warn global leaders about cybersecurity threats. [2] The International Telecommunication Union has also offered policy recommendations and technical guidelines, such as its Guide to Developing a National Cybersecurity Strategy.

[8] Hetrick C. Why doctors using ChatGPT are unknowingly violating HIPAA. USC. July 7, 2023. https://priceschool.usc.edu/news/chatgpt-doctors-data-privacy-hipaa/ (accessed February 18, 2024).
While their approaches are encouraging, the perspectives of cybersecurity stakeholders, such as patients and health-care providers, should be included to help develop detailed, practical, and clear guidelines. For example, the Global Cyber Alliance has launched initiatives to improve cybersecurity by developing tools, such as the Domain-based Message Authentication, Reporting, and Conformance (DMARC) protocol, that have been widely adopted by health-care providers to prevent email fraud, and demonstrate how targeted cybersecurity frameworks can substantially improve safeguards for health-care data. [9] To improve cybersecurity in health care, WHO should actively collaborate with NGOs such as Switzerland's CyberPeace Institute, which provides complimentary cybersecurity support, to fortify defences in at-risk areas. Furthermore, we urge national governments to partner with leading technology firms, including Microsoft and Google, to improve security of current infrastructure and cloud services. The scope of the Global Cyber Alliance's DMARC protocol should be broadened to secure text communications and prevent internal data breaches, while also tackling practices like shoulder surfing (when individuals observe screens to steal data) by endorsing the use of privacy screens and improving authentication processes. Health-care organisations should adopt the National Institute of Standards and Technology (NIST) Cybersecurity Framework, drawing from proven integrations in hospitals in the USA where NIST protocol adherence helped keep cyber insurance costs down. [10] Moreover, the World Bank should allocate specific funds for health-care cybersecurity, following the model of past disease response initiatives. Adopting these strategies will protect global health-care cybersecurity in the world's most vulnerable regions, securing the future of patient privacy. We declare no competing interests.

[9] GFCE. Global Cyber Alliance. https://thegfce.org/member-and-partner/global-cyber-alliance-gca/ (accessed February 18, 2024).
[10] Censinet. 2024 healthcare cybersecurity benchmarking study executive summary. February, 2024. https://www.censinet.com/2024-healthcare-cybersecurity-benchmarking-study-executive-insights (accessed April 8, 2024).