2) Barriers associated with healthcare providers
Participants perceived the healthcare environment as dynamic, complex, and constrained, requiring them to balance a commitment to patient data protection against organizational demands for efficient patient care and service, particularly the need to ensure that professional staff have continual access to patient data.
(1) Low capacity: Participants acknowledged the difficulties posed by the continually rising costs of cybersecurity when the resources available to them are very limited, in terms of both budget and professional human capital. They cited this tension as an obstacle to upgrading their security systems.
“Lack of resources also causes employee burnout. The existing resources are people… I’m not buying new systems anymore, because I can’t afford it with my existing resources [small number of employees].”
“Today I need to protect more and more vectors…the whole IoT world is coming in so I need to protect that as well…. I mean, it’s no longer just IT and medical devices. We have more vectors to protect but much lower budgets.”
(2) Business priorities: Some participants assessed that information security was not seen as a high priority in their organization. They believed that their organization prioritized resource allocation toward core healthcare activities rather than toward investing in data security infrastructure.
“I remind you that the hospital’s business is to provide care. One more PET-CT machine is more important than any of the organization’s cybersecurity. That is a risk assessment, at the economic level for sure.”
“One should always look at two aspects: information systems usually deal with the technological side, and the business management always looks at the business interest. Somehow information security was created to link business to technology, it is about balances, because there are limited resources.”
(3) The importance of an uninterrupted workflow: Several participants perceived a tradeoff between data security and access, in which excessive security might hinder the optimal workflow of the professional staff. Some of them (computer and information security professionals) felt that ensuring employees’ ability to access patient data was vital, even at the cost of less stringent security protocols.
“We are enablers, not preventers. We manage permissions for users who need them for various applications and systems... give access and not deny access. Doctors are not here 24/7... If we need their advice, it is necessary that they access the patient’s record remotely. The access is managed according to the guidelines set by the Ministry of Health and those we set ourselves.”
“I’ll tell you where it becomes a problem. Suddenly some of our users cannot work properly and then you have to start chasing an information security team that does not understand where the problem is. You have to call 30 people trying to understand who made the change that now affects you...”
(4) A responsive approach: Another recurring theme in our analysis was the participants’ approach to decision-making. Most participants in our study adopted a responsive approach to decision-making with regard to cyber-threats, rather than a preventative approach of investing resources in cyber-defense to mitigate future risks.
“Unfortunately, in the world of cybersecurity, as long as everything is fine then the management does not really see any need beyond a reasonable level. In May 2017, there was an attack on the world of healthcare. The management said: ‘We were not hurt? Ok. Next!’ Not every attack that hits someone else shocks them.”
“If someone were to ask for an extra budget for pandemic diseases in 2019, then they probably would not get a penny. The same also goes for cybersecurity. If there is a major event here, maybe even if people get hurt, then there is no doubt that everyone will wake up.”
3) Barriers associated with vendors
Participants discussed the cyber-defense systems they use on a daily basis as products that are expected to provide added value. When vendors fail to prove added value, there is a reduced likelihood that organizations will invest in the advanced cryptographic security systems that they offer.
(1) Unclear return on investment (ROI)/necessity: Some participants were skeptical about claims that cryptographic methods of cybersecurity would provide them with significant added value relative to the infrastructure they currently use.
“I think we would use existing tools and would not mess with it for now (cryptographic technology)… First, we look for added value.”
“It is difficult to prove the direct and immediate link between information security and ROI because it does not exist. The ROI that comes from information security is very long-term. This is risk minimization and not something that can be quantified in real money.”