Executive Summary
Digital technology has transformed health systems, helping to reduce costs and improve the management of patient care. But the rapid global adoption of emerging technologies in healthcare has led to increased vulnerability to cyber threats that can erode patient trust and compromise the safety and confidentiality of patient data. The number of cyberattacks is rising, and healthcare systems and organizations around the world are lagging behind other sectors in developing cyber readiness – the ability to act against cyberattacks. The challenges in cybersecurity planning across high-, middle- and low-income health systems are varied. There has been a lack of investment and support to raise awareness of its global importance. Urgent work is needed to help healthcare organizations develop a common language and scale up cybersecurity planning.
While there has been cybersecurity investment in high-income countries, success can be hindered by the challenge of working with outdated Health Management Information Systems (HMIS). However, in low- and middle-income countries there is a chance to design a system with cybersecurity at its foundation.
In this report we look at existing cybersecurity frameworks worldwide. And we examine why, despite being one of the sectors most targeted by cyberattackers, the healthcare sector remains one of the worst adopters of cybersecurity frameworks.
In response to this urgent sector need, we asked members of the Leading Health Systems Network (LHSN) – an international group of health systems and providers hosted at the Institute of Global Health Innovation (IGHI), and key experts in the areas of IT, cybersecurity, health policy and health systems – about their experiences and organizational efforts related to cybersecurity. An initial survey of LHSN member institutions explored the current global cybersecurity landscape. We then convened a group of experts from a range of health systems to provide input on the most relevant elements of a global framework for cyber readiness in healthcare. The resulting Essentials of Cybersecurity in Healthcare Organizations (ECHO) framework was developed by the IGHI, Imperial College London, with input from the LHSN.
The ECHO framework includes the most important elements of a global cybersecurity framework for healthcare (see Figure 1). It outlines the six primary dimensions to consider when scaling up cybersecurity in a healthcare organization. The ECHO framework may act as a ‘minimum standard’ or an aspirational checklist, depending on an organization’s resources and its cyber maturity – that is, the level it has achieved in its ability to protect its information assets against cyber threats. Section 5 of the report examines each of these dimensions in more detail.