Risk management focusing on the best practices of data security systems for healthcare

Fábio Martins Dias, Mauro Luiz Martens, Sonia Francisca de Paula Monken, Luciano Ferreira da Silva, Ernesto Del Rosario Santibanez-Gonzalez


Objective of the study: Statistics shows a worrisome picture of challenges to be overcome by cybersecurity in the healthcare sector. Data evidence that the healthcare industry experiences four data breaches per week in the United States alone, making it the sector most often affected by digital security breaches. Thus, the current article aims to investigate risk management focusing on identifying requirements and best practices for healthcare data security systems.

Methodology/approach: It is based on a systematic literature review. Studies on state-of-the-art data security systems were collected and interpreted through content analysis. Assertive keywords, source-selection criteria, interpretation of selected articles, and database analysis were used to form the investigated sample and to represent the broad applications of this study’s objective.

Originality/Relevance: The current study contributes to define a set of minimum requirements and best practices that can be adopted to manage data security risks in the healthcare sector and medical devices.

Main results: Results have pointed out that there is no fully effective way to prevent all violations by cybercriminals; however, cybersecurity must be part of management processes adopted by different organizations.

Theoretical/methodological contributions: It is found that cybersecurity has a great importance for the healthcare sector, the information generated is rich in content and that cybersecurity is neglected in the sector, that is not able to deal with the reality of cyber threats in the industry 4.0 context.

Social /management contributions: By the good risk management practices and the adoption of minimum security items, institutions can ensure that managers can prepare and respond efficiently to cyber risks.


Cybersecurity; Cyber-Physical System; Industry 4.0; Health Management; Risk Management.

Full Text:



Abdelhamid, M., Kisekka, V., & Samonas, S. (2018). Mitigating e-services avoidance: the role of government cybersecurity preparedness. Information and Computer Security, 27, pp. 26-46. doi:10.1108/ICS-02-2018-0024.

Abraham, C., Chatterjee, D., & Sims, R. R. (2019). Muddling through cybersecurity: Insights from the U.S. healthcare industry. Business Horizons, v.62(n.04), pp. 539-548. doi:10.1016/j.bushor.2019.03.010.

Ahmed, A. A., & Ahmed, W. A. (2019). An Effective Multifactor Authentication Mechanism Based on Combiners of Hash Function over Internet of Things. Sensors, 19 n.17. doi:10.3390/s19173663.

Alcantara, D. P., & Martens, M. L. (2018). Technology Roadmapping (TRM): a systematic review of the literature focusing on models. Technological Forecasting and Social Change, pp. 127-138. doi:doi.org/10.1016/j.techfore.2018.08.014.

Alexander, B., Haseeb, S., & Baranchuk, A. (2019). Are implanted electronic devices hackable? Trends in Cardiovascular Medicine, pp. 476-480. doi:10.1016/j.tcm.2018.11.011.

Al-Muhtadi, J., Shahzad, B., Saleem, K., Jameel, W., & Orgun, M. A. (2019). Cybersecurity and privacy issues for socially integrated mobile healthcare applications operating in a multi-cloud environment. Health Informatics Journal, 25, 315-329. doi:10.1177/1460458217706184.

Askar, A. J. (2019). Healthcare management system and cybersecurity. International Journal of Recent Technology and Engineering, 237-248.

Baaziz, A.; Quoniam, l. (2013). How to use big data technologies to optimize operations in upstream petroleum industry. International Journal of Innovation, v. 1 n.1, p. 19-25. doi 10.5585/iji.v1i1.4.

Berger, K. M., & Schneck, P. A. (2019). National and transnational security implications of asymmetric access to and use of biological data. Frontiers in Bioengineering and Biotechnology, 7. doi:10.3389/fbioe.2019.00021.

Bilek, A. M., Muscionico, D., & Amiel, C. (2017). A primer on the regulation and development of M-Health products. Regulatory Rapporteur, https://www.scopus.com/record/display.uri?eid=2s2.085032879397&origin=inward&txGid=408ced46814b35c8bd8454243cf24e2d.

Bissonnette, L., & Bergeron, M. G. (2017). Portable devices and mobile instruments for infectious diseases point-of-care testing. Expert Review of Molecular Diagnostics, 471-494. doi:10.1080/14737159.2017.1310619.

Blanke, S. J., & McGrady, E. (2016). When it comes to securing patient health information from breaches, your best medicine is a dose of prevention: A cybersecurity risk assessment checklist. Journal of healthcare risk management, 14-24. doi:10.1002/jhrm.21230.

Bojanova, I., & Voas, J. (2017). Trusting the Internet of Things. IT Professional, 19 n.5, 16-19. doi:10.1109/MITP.2017.3680956.

Braga, A., Dahab, R., Antunes, N., Laranjeiro, N., & Vieira, M. (2019). Understanding How to Use Static Analysis Tools for Detecting Cryptography Misuse in Software. IEEE TRANSACTIONS ON RELIABILITY, 1384-1403. doi: 10.1109/TR.2019.2937214.

Brody, R. G., Chang, H. U., & Schoenberg, E. S. (2018). Malware at its worst: death and destruction. International Journal of Accounting & Information Management. doi:10.1108/ijaim.2011.36619caa.003.

Burns, L. R., DeGraaff, R. A., Danzon, P. M., Kimberly, J. R., Kissick, W. L., & Pauly, M. V. (2011). The Wharton School Study of the Health Care Value Chain. San Francisco CA: John Wilet and Sons.

Busdicker, M., & Upendra, P. (2017). The role of healthcare technology management in facilitating medical device cybersecurity. Biomedical Instrumentation and Technology, 19-25. doi:10.2345/0899-8205-51.s6.19.

Coronado, A. J., & Wong, T. L. (2014). Healthcare cybersecurity risk management: Keys to an effective plan. Biomedical Instrumentation and Technology, 48, 26-30. doi:10.2345/0899-8205-48.s1.26.

Coveney, P. V., Dougherty, E. R., & Highfield, R. R. (2016). Big data need big theory too. Philosophical Transactions Of The Royal Society A-Mathematical Physical And Engineering Sciences, 374. doi:10.1098/rsta.2016.0153.

Coventry, L., & Branley, D. (2018). Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas, 48-52. doi:10.1016/j.maturitas.2018.04.008.

Cleland-Huang, J. (2014). How well do you know your personae non gratae? IEEE Software, 31, 28-31. doi:10.1109/MS.2014.85.

Dandage, R., Mantha, S. S., & Rane, S. B. (2018). Ranking the risk categories in international projects using the TOPSIS method. International Journal of Managing Projects in Business, 11, 317-331. doi:10.1108/IJMPB-06-2017-0070.

Diggans, J., & Leproust, E. (2019). Next steps for access to safe, secure DNA synthesis. Frontiers in Bioengineering and Biotechnology, 7. doi:10.3389/fbioe.2019.00086.

Elizabeth, M. J., Jobin, J., & Dona, J. (2019). A fog based security model for electronic medical records in the cloud database. International Journal of Innovative Technology and Exploring Engineering, 8 n.7, pp. 2552-2560.

Frontoni, E., Mancini, A., Bald, M., Paolanti, M., Moccia, S., Zingaretti, P., . . . Misericordia, P. (2019). Sharing health data among general practitioners: The Nu.Sa. project. International Journal of Medical Informatics, 129, pp. 267-274. doi:10.1016/j.ijmedinf.2019.05.016.

Ghafir, I., Prenosil, V., Hammoudeh, M., Baker, T., Jabbar, S., Khalid, S., & Jaf, S. (2018). BotDet: A System for Real Time Botnet Command and Control Traffic Detection. IEEE Access, 38947-38958. doi:10.1109/ACCESS.2018.2846740.

Ghafur, S., Grass, E., Jennings, N., & Darzi, A. (2019). The challenges of cybersecurity in health care: the UK National Health Service as a case study. The Lancet Digital Health, 1 n.1, pp. 10-12. doi:10.1016/S2589-7500(19)30005-6.

Good, N., Dhamija, R., Grossklags, J., Thaw, D., Aronowitz, S., Mulligan, D., & Konstan , J. (2005). Stopping spyware at the gate: A user study of privacy, notice and spyware. ACM International Conference Proceeding Series. doi:10.1145/1073001.1073006.

Gordon, W. J., Stern, A. D., Landman, A. B., & Kramer, D. B. (2019). Evaluation of a mandatory phishing training program for high-risk employees at a US healthcare system. Journal of the American Medical Informatics Association, 547-552. doi:10.1093/jamia/ocz005.

Goncharov, E., Kruglov, K., & Dashchenko, Y. (2019). Five ICS cybersecurity myths based on Kaspersky Lab ICS CERT experience. At-Automatisierungstechnik, 67, pp. 372-382. doi:10.1515/auto-2019-0016.

Grimes, S., & Wirth, A. (2017). Holding the Line: Events that Shaped Healthcare Cybersecurity. Biomedical instrumentation & technology. doi:10.2345/0899-8205-51.s6.30.

Habibzadeh, H., Nussbaum, B. H., Anjomshoa, F., Kantarci, B., & Soyata, T. (2019). A survey on cybersecurity, data privacy, and policy issues in cyber-physical system deployments in smart cities. Sustainable Cities and Society, 50. doi:10.1016/j.scs.2019.101660.

Handler, I. (2018). Data Sharing Defined-Really! Computer, 36-42. doi:10.1109/MC.2018.1451659.

Huang, J. C. (2014). How well do you know your personae non gratae? IEEE Software, 31, 28-31. doi:10.1109/MS.2014.85.

ISO/IEC 27001 (2013) Information technology - Security techniques — Information security management systems — Requirements. [S.l.]. https://www.iso.org/standard/54534.html.

ISO31000 (2018). Risk management - Principles and guidelines. [S.l.]. https://www.iso.org/standard/65694.html.

Jalali, M. S., Russell, B., Razak, S., & Gordon, W. J. (2019). EARS to cyber incidents in health care. Journal of the American Medical Informatics Association, 26, 81-90. doi:10.1093/jamia/ocy148.

Kabir, U. Y., Ezekekwu, E., Bhuyan, S. S., Mahmood, A., & Dobalian, A. (2020). Trends and best practices in health care cybersecurity insurance policy. Journal of Healthcare Risk Management, pp. 1-5. doi:10.1002/jhrm.21414.

Kessler, S. R., Pindek, S., Kleinman, G., Andel, S. A., & Spector, P. E. (2019). Information security climate and the assessment of information security risk among healthcare employees. Health informatics Journal. doi:10.1177/1460458219832048.

Kharraz, A., Robertson , W., & Kirda, E. (2018). Protecting against Ransomware: A New Line of Research or Restating Classic Ideas? IEEE Security and Privacy, 16, 103-107. doi:10.1109/MSP.2018.2701165.

King, F., Klonoff, D. C., Kerr, D., Hu, J., Lyles, C., Quinn, C., . . . Gabbay, R. (2018). Digital Diabetes Congress 2018. Journal of Diabetes Science and Technology, 1231-1238. doi:10.1177/1932296818805632.

Koppel, R., & Kuziemsky, C. (2019). Healthcare data are remarkably vulnerable to hacking: Connected healthcare delivery increases the risks. Studies in Health Technology and Informatics, 218-222. doi:10.3233/978-1-61499-951-5-218.

Kruse, C. S., Frederick , B., Jacobson , T., & Monticone , K. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25, 1-10. doi:10.3233/THC-161263.

Kuerbis, B., & Badiei, F. (2017). Mapping the cybersecurity institutional landscape. Australian Catholic University, 19, 466-492. doi:10.1108/DPRG-05-2017-0024.

Kure, H. I., Islam, S., & Razzaque, M. A. (2018). An integrated cyber security risk management approach for a cyber-physical system. Applied Sciences (Switzerland). doi:10.3390/app8060898.

Lebeda, F. J., Zalatoris, J. J., & Scheerer, J. B. (2018). Government Cloud Computing Policies: Potential Opportunities for Advancing Military Biomedical Research. MILITARY MEDICINE, 183, 438-447. doi:10.1093/milmed/usx114.

Lechler, T., & Wetzel, S. (2017). Conceptualizing the silent risk of inadvertent information leakages. Computers and Electrical Engineering, 67-75. doi:10.1016/j.compeleceng.2016.12.020.

Leung, K., Clark, C., Sakal, M., Friesen, M., & Strudwick, G. (2019). Patient and family member readiness, needs, and perceptions of a mental health patient portal: A mixed methods study. Studies in Health Technology and Informatics, 266-270. doi:10.3233/978-1-61499-951-5-266.

Loi, M., Christen, M., Kleine, N., & Weber, K. (2019). Cybersecurity in health –disentangling value tensions. Journal of Information, Communication and Ethics in Society, 229-245. doi:10.1108/JICES-12-2018-0095.

Maimó, L. F., Celdrán, A. H., Gómez, Á. L., Clemente, F. J., Weimer, J., & Lee, I. (2019). Intelligent and dynamic ransomware spread detection and mitigation in integrated clinical environments. Sensors (Switzerland). doi:10.3390/s19051114.

Martin, G., Martin , P., Hankin , C., Darzi , A., & Kinross , J. (2017). Cybersecurity and healthcare: How safe are we? BMJ (Online). doi:10.1136/bmj.j3179.

Mostfa Kamal, S. U., Abd Ali, R. J., Alani, H. K., & Abdulmajed, E. S. (2016). Survey and brief history on malware in network security case study: Viruses, worms and bots. ARPN Journal of Engineering and Applied Sciences, 683-698.

Natsiavas, P., Rasmussen, J., Voss-Knude, M., Votis, Κ., Coppolino, L., Cano, I., . . . Nalin, M. (2018). Comprehensive user requirements engineering methodology for secure and interoperable health data exchange. BMC Medical Informatics and Decision Making, 18 n.1. doi:10.1186/s12911-018-0664-0.

Okereafor, K., & Marcelo, A. (2020). Addressing Cybersecurity Challenges Of Health Data In The Covid-19 Pandemic. International Journal in IT & Engineering (IJITE), 8 n.6, pp. 1-12. Fonte: http://ijmr.net.in.

Ondiege, B., Clarke, M., & Mapp, G. (2017). Exploring a new security framework for remote patient monitoring devices. Computers, 6 n.1. doi:10.3390/computers6010011.

Pesapane, F., Volonté, C., Codari, M., & Sardanelli, F. (2018). Artificial intelligence as a medical device in radiology: ethical and regulatory issues in Europe and the United States. Insights into Imaging. doi:10.1007/s13244-018-0645-y.

PMI, P. M. (2017). Project Management Body of Knowledge -PMBOK. Global Standard.

Priestman, W., Anstis, T., Sebire, I. G., Sridharan, S., & Sebire, N. J. (2019). Phishing in healthcare organisations: threats, mitigation and approaches. BMJ Health & Care Informatics, 26, e100031. doi:10.1136/bmjhci-2019-100031.

Primo, H., Bishop, M., Lannum, L., Cram, D., Nader, A., & Boodoo, R. (2018). 10 Steps to Strategically Build and Implement your Enterprise Imaging System: HIMSS-SIIM Collaborative White Paper. Journal of Digital Imaging, 32, 535-543. doi:10.1007/s10278-019-00236-w.

Silva F., J. C., Braga, C. S., & Reboucas, S. M. (2016). Perception of the brazilian manufacturing industry about the main barriers to innovation. International journal of innovation, v. 5 n.1, p. 114-131, 2016. doi 10.5585/iji.v5i1.114.

Shneiderman, B., & Plaisant, C. (2015). Sharpening analytic focus to cope with big data volume and variety. IEEE Computer Graphics and Applications. doi:10.1109/MCG.2015.64.

Stern, A. D., Gordon, W. J., Landman, A. B., & Kramer, D. B. (2019). Cybersecurity features of digital medical devices: An analysis of FDA product summaries. BMJ Open, 9 n.6. doi:10.1136/bmjopen-2018-025374.

Swede, M. J., Scovetta, V., & Eugene-Colin, M. (2019). Protecting patient data is the new scope of practice: A recommended cybersecurity curricula for healthcare students to prepare for this challenge. Journal of Allied Health, 48 n.2, pp. 148-155. doi:PubMed ID: 31167018.

Thomé, A. M., Scavarda, L. F., Scavarda, A., & Thomé, F. E. (2016). Similarities and contrasts of complexity, uncertainty, risks, and. International Journal of Project Management, 1328-1346. doi:10.1016/j.ijproman.2015.10.012.

Van Eck, N. J., & Waltman, L. (2010). Software survey: VOSviewer, a computer program for bibliometric mapping. Scientometrics 84, 523–538. Scientometrics. doi:10.1007/s11192-009-0146-3.

Vecchione, L., Stintzing, S., Pentheroudakis, G., Douillard, J.-Y., & Lordick, F. (2020). ESMO management and treatment adapted recommendations in the COVID-19 era: colorectal cancer. Esmo Open. doi:10.1136/esmoopen-2020-000826.

Ward, s., & Chapman, C. (2008). Stakeholders and uncertainty management in projects. Construction Management and Economics, 26, 563-577. doi:10.1080/01446190801998708.

Wethington, E., Eccleston, C., Gooberman-Hill, R., Schofield, P. A., Bacon, E., Dombrowski, W., . . . Reid, M. C. (2018). Establishing a Research Agenda on Mobile Health Technologies and Later-Life Pain Using an Evidence-Based Consensus Workshop Approach. Journal of Pain, 1416-1423. doi:10.1016/j.jpain.2018.06.006.

Wiltz, C. (07 de April de 2014). Medical Device and Diagnostic Industry. Fonte: MD+DI Qmed: https://www.mddionline.com/report-healthcare-cybersecurity-appalling-legislation-not-enough.

World Economic Forum. (Janeiro de 2017). The Global Risks Report 2017. Fonte: World Economic Forum: https://www.weforum.org/reports/the-global-risks-report-2017.

Zhang, X., Tan, Y.-a., Xue, Y., Zhang, Q., Li, Y., Zhang, C., & Zheng, J. (2017). Cryptographic key protection against FROST for mobile devices. Cluster Comput, 2393-2402. doi:10.1007/s10586-016-0721-3.

DOI: https://doi.org/10.5585/iji.v9i1.18246


  • There are currently no refbacks.

Copyright (c) 2021 International Journal of Innovation

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Internacional Journal of Innovation

e-ISSN: 2318-9975

Int. J. Innov ©2021 – All rights reserved.

Is this work licensed with a License
Creative Commons Atribuição-NãoComercial-CompartilhaIgual 4.0 Internacional