Holistic view of healthcare cybersecurity ecosystem

The healthcare sector is the target of increasing phishing attacks amid COVID19 pandemic.

Cybersecurity incidents are a growing threat to the healthcare industry in general and hospitals in particular (Jalali, 2018). The healthcare industry has lagged behind other industries in protecting its main stakeholder (e.g. patients), and now hospitals must invest considerable capital and effort in protecting their systems. However, this is easier said than done because hospitals are extraordinarily technology-saturated, complex organizations with high end point complexity, internal politics, and regulatory pressures.

The scale of the problem makes it necessary to act at the European level (e.g. cybersecurity awareness strategies in healthcare in the UK (Jordan, 2018; AIG, 2017). Therefore, the European Union aims to strengthen its cybersecurity rules in order to tackle the increasing threat posed by cyber-attacks as well as to take advantage of the opportunities of the new digital age. Faced with ever-increasing cybersecurity challenges, the EU needs to improve awareness of and response to cyber-attacks aimed at institutions, both public and private (Muguruza, 2019).

Healthcare ecosystem is complex with multiple players and stakeholders who constantly interrelate, integrate, and interoperate (Drougkas, 2020). Therefore, healthcare organizations of all types looking to grow and achieve their financial-, quality-, service level and compliance performance objectives must understand and account for the capabilities, drivers, strategies, and challenges of other ecosystems such as cybersecurity (Pickens, 2103; Soroka, 2015). As cybersecurity becomes more of a priority for hospitals, it is essential that this has to be integrated holistically in the different processes, components and stages, influencing the healthcare ICT Ecosystem (Drougkas, 2020;Nicholls, 107; Hodge, 2018; Morenco, 2018; Sethunathan, 2020; MediTechSafe, 2017; Murphy, 2018; Rudresh, 2018; Boehm, 2018).

In Figure 1, a holistic overview of the cybersecurity in hospitals ecosystem has been assembled and developed from the identification of stakeholders (Pickens, 2013; Soroka, 2015; Antomarini, 2019; PANACEA, 2019) and the analysis in (Aumayr, 2019) focused on cybersecurity (Cyberwatch, 2018).

Figure 1. Holistic overview of the cybersecurity in hospitals ecosystem has been assembled and developed from the identification of stakeholders and the analysis focused on cybersecurity. In green represents the stakeholders, in orange its main vulnerability factor and in black the potential motivation (in italic) and support (in bold) for cybersecurity attacks and (arrows) the interrelations among the stakeholders.
Figure 1. Holistic overview of the cybersecurity in hospitals ecosystem has been assembled and developed from the identification of stakeholders and the analysis focused on cybersecurity. In green represents the stakeholders, in orange its main vulnerability factor and in black the potential motivation (in italic) and support (in bold) for cybersecurity attacks and (arrows) the interrelations among the stakeholders.

The ecosystem is based on three levels: stakeholders, vulnerability factors and cybersecurity risks. The holistic cybersecurity in hospitals ecosystem includes more than ten stakeholders listed as: healthcare organisations (e.g. hospitals, care centres), National Health Systems (or Social Security Systems), healthcare professionals (e.g. medical and nursing staff, physicians, administratives), solution providers (e.g. cybersecurity), academia and trainers (e.g. cybersecurity Universities and Schools), patient associations (e.g. users/patients, third sector), umbrella organisations (e.g. NGOs, scientific organisations), agencies and institutions (e.g. governmental cybersecurity, policy and regulation officers), healthcare associations (e.g. medical, nursing), insurance groups (e.g. payers) and advocacy groups (e.g. GDPR consultants and experts).

First, to understand the importance of the ecosystem it is adequately to show some quantifiable representing numbers of persons and entities involved in this ecosystem in Europe: number of healthcare professionals is more than 10 million (WHO, 2020; Eurostat, 2020); 15.000 hospitals (Chevalier, 2009; Garel, 2018); 28 National Healthcare Systems or Social Security Systems (MSSSI, 2019); more than 25 cybersecurity agencies and institutions (CyberSecurityMonth, 2020; ECSO, 2020) in a market of 2,310 million euro for cybersecurity solution providers in Europe (MarketWatch, 2020; ECSO, 2016).

Furthermore, to fully perceive the big picture and to be able to make reasonable decisions it is important to define vulnerabilities, in orange in the Figure, in all levels of the ecosystem covering people, process, technology and data, and in addition governance, where the prerequisite for success or failure originally is laid down (Cyberwatch, 2018). Identifying the need for a common understanding of existing threats, regulations, standards, risks and complexities are essential for securing the healthcare ecosystem in the future.

Additionally, the motivation of cyber-attacks in healthcare are not just random malware anymore, but include different motivations and aims by the attackers such as cyber warfare, terrorism, espionage, crime and activism, in black italic text in the Figure. Nevertheless, the ecosystem is starting to respond to the current cybersecurity situation in different ways related to cybersecurity protection and training support (black bold text in the Figure 1). Finally, the solid arrows depict the first level interaction among the listed stakeholders and the dashed arrows indicate the second level relation in the cybersecurity ecosystem in healthcare.

This ecosystem is complex but also provides opportunities to overcome the challenges and achieve and exceed compliance and operational performance objectives while minimizing risk to healthcare organisations and patients.


Marc Jofre

Fundacion Privada Hospital Asil de Granollers, Spain


M.S. Jalali, “Cybersecurity in Hospitals: A Systematic, Organizational Perspective”, J Med Internet Res, 20, e10059 (2018).


M. Jordan, “Study on Cybersecurity”, The European Economic and Social Committee (EESC) (2018).


“New Cyber Trends: EMEA Outlook”, AIG Cyber (2017). https://www.aig.com/knowledge-and-insights/k-and-i-article-state-of-cybersecurity-uk-middle-east-africa

B.T. Muguruza, et al., “Challenges to effective EU cybersecurity policy”, European Court of Auditors (2019). https://www.eca.europa.eu/Lists/ECADocuments/BRP_CYBERSECURITY/BRP_CYBERSECURITY_EN.pdf

A. Drougkas, “PROCUREMENT GUIDELINES FOR CYBERSECURITY IN HOSPITALS” ENISA (2020). https://www.enisa.europa.eu/publications/good-practices-for-the-security-of-healthcare-services

S. Pickens, “The Healthcare Ecosystem”, Arlington Healthcare Group (2013). https://www.arlingtonhealthcaregroup.com/healthcare-ecosystem/

A. Soroka, “Cyber security solutions vs cyber criminals”, WOHIT2015 (EU eHealth week) (2015). https://www.slideshare.net/AndSor/2015-cyber-security-solutions-vs-cyber-criminals-wohit2015-eu-ehealth-week

M. Nicholls, “Hospitals need a holistic approach to cyber security”, healthcare-in-europe (2017). https://healthcare-in-europe.com/en/news/hospitals-need-a-holistic-approach-to-cyber-security.html

L. Hodge, “Why Cybersecurity in the Healthcare Industry Requires a Holistic Approach”, HealthTech resources (2018).


M. Marenco, “Cybersecurity: the role of digital literacy towards a holistic approach”, HIMSS Europe (2018).


B.Sethunathan, “Achieve a Holistic Approach to Cyber-Security”, SoftwareOne (2020). https://www.softwareone.com/en-za/blog/articles/2019/10/25/achieving-a-holistic-approach-to-cybersecurity

“Need Holistic Approach to Cybersecurity of Medical Devices and Networks … reinformecement from WannaCry attacks!”, MediTechSafe (2017).  https://www.meditechsafe.com/single-post/2017/06/15/Need-Holistic-Approach-to-Cybersecurity-of-Medical-Devices-and-Networks-%E2%80%A6-reinforcement-from-WannaCry-attacks

S.P. Murphy, “A Holistic Approach to Cybersecurity Starts at the Top”, Frontier of Health Services Management, 35, 30-36 (2018). https://journals.lww.com/frontiersonline/Citation/2018/09000/A_Holistic_Approach_to_Cybersecurity_Starts_at_the.5.aspx

V. Rudresh, “Securing Industrial Control Systems: A Holistic Defense-In-Depth Approach”, IIOT Connections (2018). https://www.iiotconnection.com/securing-industrial-control-systems-a-holistic-defense-in-depth-approach/

J. Boehm, et al., “Cyber risk measurement and the holistic cybersecurity approach”, McKinsey (2018). https://www.mckinsey.com/business-functions/risk/our-insights/cyber-risk-measurement-and-the-holistic-cybersecurity-approach

M. Antomarini, et al., “D2.1. Stakeholder involvement roadmap and engagement strategy”, EU H2020 SecureHospitals.eu (2019). https://project.securehospitals.eu/deliverables/

“Stakeholders”, EU H2020 PANACEA project (2019).


G. Aumayr, et al., “D5.1. Training Strategy 1”, EU H2020 SecureHospitals.eu (2019). https://project.securehospitals.eu/deliverables/

“Cyber Vulnerabilities and Risks in the Healthcare Ecosystem”, Cyberwatch (2018). https://www.cyberwatchfinland.fi/wp-content/uploads/2018/06/MDISS_Cyber_Vulnerabilities_and_Risks_in_the_Healthcare_Ecosystem_2017_en.pdf

“WHO European health information at your fingertips”, World Health Organisation, Europe office (2020).


“Healthcare personnel statistics – physicians”, Eurostat (2020).


F. Chevalier, et al., “Hospitals Hospitals in the 27 Member States of the European Union”, European Hospital and Healthcare Federation (2009).


P. Garel, “HOSPITALS IN EUROPE HEALTHCARE DATA”, European Hospital and Healthcare Federation (2018).


“Health care systems in the European Union countries”, NHS Statistical Portal of the Ministerio de Sanidad, Servicios Sociales e Igualdad (2019).


“National Campaigns”, European CyberSecurity Month (2020).


“INFORMATION PACKAGE 2018”, European Cyber Security Organisation (ECSO) (2018).


“Healthcare Cybersecurity Market Share is Projected to Reach More Than USD 27 Bn by 2025”, The MarketWatch (2020).


“European Cybersecurity Strategic Research and Innovation Agenda (SRIA) for a contractual Public-Private-Partnership (cPPP)”, European Cyber Security Organisation (ECSO) (2016).