Hospitals' Cybersecurity Culture during the COVID-19 Crisis.

Anna Georgiadou,Evangelos Stamatiadis,Athanasios Tzikas,Luís Landeiro Ribeiro,Konstantinos Gounaris,Fotios Gioulekas,Christos Ntanos,Dimitris Askounis,Georgios Doukas,Ariadni Michalitsi-Psarrou

doi:10.3390/healthcare9101335

Abstract

The coronavirus pandemic led to an unprecedented crisis affecting all aspects of the concurrent reality. Its consequences vary from political and societal to technical and economic. These side effects provided fertile ground for a noticeable cyber-crime increase targeting critical infrastructures and, more specifically, the health sector; the domain suffering the most during the pandemic. This paper aims to assess the cybersecurity culture readiness of hospitals’ workforce during the COVID-19 crisis. Towards that end, a cybersecurity awareness webinar was held in December 2020 targeting Greek Healthcare Institutions. Concepts of cybersecurity policies, standards, best practices, and solutions were addressed. Its effectiveness was evaluated via a two-step procedure. Firstly, an anonymous questionnaire was distributed at the end of the webinar and voluntarily answered by attendees to assess the comprehension level of the presented cybersecurity aspects. Secondly, a post-evaluation phishing campaign was conducted approximately four months after the webinar, addressing non-medical employees. The main goal was to identify security awareness weaknesses and assist in drafting targeted assessment campaigns specifically tailored to the health domain needs. This paper analyses in detail the results of the aforementioned approaches while also outlining the lessons learned along with the future scientific routes deriving from this research.

Highlights

Coronavirus disease 2019 (COVID-19) is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) [1]
Cybersecurity Culture Framework was developed in the context of the EnergyShield [37], a European Union (EU) project targeting cybersecurity in the Electrical Power and Energy System (EPES)
The prioritization of the phishing quiz campaign against the other alternatives provided by the Cybersecurity Culture Framework presented in Section 2.1 was set by the IT and security experts of the participating hospitals, giving their alarming frequency

Summary

Introduction

Coronavirus disease 2019 (COVID-19) is an infectious disease caused by severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2) [1]. It was originally identified in December 2019 in Wuhan [2], from where it spread worldwide, leading to a pandemic, as denoted by the World Health Organization (WHO), in March 2020 [3]. Cybersecurity Culture Framework was developed in the context of the EnergyShield [37], a European Union (EU) project targeting cybersecurity in the Electrical Power and Energy System (EPES) It was officially introduced in 2020 [38], presenting an evaluation and assessment methodology of both individuals’ and organizations’ security culture readiness. Each security metric introduced by the framework is assessed using a variety of evaluation techniques, such as surveys, tests, simulations, and serious games

Objectives

Methods

Results

Conclusion