ArticlePDF Available

Implications and Strategies of Cyber Threat Landscape in Hospital Mergers and Acquisitions

Authors:
Akilnath Bodipudi at Common Spirit Health
Akilnath Bodipudi
  • Common Spirit Health
Ravindar Reddy Gopireddy at Deloitte & Touche Llp
Ravindar Reddy Gopireddy
Download full-text PDF
Read full-text
Download citation
Content uploaded by Ravindar Reddy Gopireddy
Author content
All content in this area was uploaded by Ravindar Reddy Gopireddy on Sep 13, 2024
Content may be subject to copyright.
International Journal of Science and Research (IJSR)
ISSN: 2319-7064
SJIF (2020): 7.803
Volume 10 Issue 10, October 2021
www.ijsr.net
Licensed Under Creative Commons Attribution CC BY
Implications and Strategies of Cyber Threat
Landscape in Hospital Mergers and Acquisitions
Akilnath Bodipudi1, Ravindar Reddy Gopireddy2
1Cybersecurity Engineer
2Cyber Security Specialist
Abstract: As the healthcare industry undergoes consolidation through mergers and acquisitions (M&A), hospitals face unique cybersecurity
challenges. The evolving cyber threat landscape poses significant risks during these transactions, with potential
implications for data privacy, patient
safety, and operational continuity. This paper investigates the nature of cyber threats in the
context of hospital M&A, examining the vulnerabilities that
arise from integrating disparate IT systems and the increased attack surface resulting from the consolidation of sensitive data. We explore the types of
cyber threats commonly encountered, such
as ransomware attacks, data breaches, and insider threats, and analyze their potential impact on hospital
operations. The paper
also highlights strategies for mitigating these risks, including conducting thorough cybersecurity due diligence, implementing
robust security frameworks, and fostering a culture of cybersecurity awareness. By understanding the cyber threat landscape, hospital administrators
and IT professionals can better prepare for and respond to the challenges posed by M&A activities.
Keywords: Cyber Threats, Hospital M&A, Data Privacy, Ransomware, Insider Threats, Cybersecurity Due Diligence, Security Frameworks,
Healthcare IT Integration
1. Introduction
The healthcare sector has been experiencing a notable surge in
mergers and acquisitions (M&A) as hospitals strive to enhance
their service offerings, streamline operations, and ultimately
improve patient care. These strategic consolidations are driven
by various factors, including the need to achieve economies of
scale, access new markets, and respond to the increasing
demand for comprehensive healthcare solutions. By merging
with or acquiring other healthcare entities, hospitals can
leverage shared resources, reduce operational costs, and
enhance their competitive position in the industry. However,
while the benefits of M&A activities are substantial, they also
introduce significant cybersecurity challenges that require
careful consideration and management.
One of the primary cybersecurity challenges during hospital
M&A is the integration of disparate IT systems, networks, and
data repositories. Each entity involved in the merger or
acquisition typically has its own established technological
infrastructure, which may include different electronic health
record (EHR) systems, communication networks, and security
protocols. Merging these systems can create compatibility
issues, leading to potential vulnerabilities and exposing
sensitive patient data to cyber threats. The complexity of
integrating diverse technologies increases the risk of data
breaches, unauthorized access, and other cyber incidents,
making it crucial for healthcare organizations to address these
challenges proactively.
Furthermore, the expansion of the attack surface during hospital
M&A presents another critical concern. As hospitals combine
their IT infrastructures, the number of endpoints and access
points increases, providing cybercriminals with more
opportunities to exploit weaknesses. This expanded attack
surface requires enhanced security measures to detect and
respond to potential threats effectively. Cybercriminals often
target healthcare organizations due to the value of sensitive
patient information, making it imperative for hospitals
undergoing M&A to implement robust cybersecurity strategies
that protect against data breaches and ensure compliance with
regulations such as the Health Insurance Portability and
Accountability Act (HIPAA).
Understanding the cyber threat landscape during hospital M&A
is essential for safeguarding sensitive patient data and
maintaining operational continuity. A comprehensive
assessment of potential cybersecurity risks should be conducted
as part of the due diligence process in any merger or acquisition.
This includes evaluating the cybersecurity posture of both
organizations, identifying vulnerabilities, and developing a
strategic plan to address them. By prioritizing cybersecurity in
the M&A process, hospitals can mitigate risks, protect patient
data, and ensure a seamless transition that supports their
overarching goals of improved service delivery and patient
care.
2. The Evolving Cyber Threat Landscape:
The healthcare sector is increasingly becoming a target for
cybercriminals, particularly during mergers and acquisitions
(M&A) of hospitals. The complexity and scale of integrating
disparate systems and data during these processes create an
environment ripe for exploitation by cyber threats. As hospitals
work to consolidate operations and unify data, they face a
myriad of cybersecurity challenges. Understanding the
evolving threat landscape is crucial for implementing effective
security measures and ensuring the integrity and safety of
patient information.
Paper ID: SR24801082224
DOI: https://dx.doi.org/10.21275/SR24801082224
1632
International Journal of Science and Research (IJSR)
ISSN: 2319-7064
SJIF (2020): 7.803
Volume 10 Issue 10, October 2021
www.ijsr.net
Licensed Under Creative Commons Attribution CC BY
2.1 Ransomware Attacks
Ransomware attacks have become a significant threat to the
healthcare industry, especially during M&A activities.
Cybercriminals perceive hospitals undergoing mergers as
vulnerable due to the transitional state of their IT systems and
processes. In a ransomware attack, malicious software encrypts
the hospital’s data, rendering it inaccessible until a ransom is
paid. This can severely disrupt hospital operations, delay
patient care, and compromise patient safety. Additionally,
hospitals may suffer substantial financial losses, not only from
paying the ransom but also from the associated downtime and
recovery efforts. The urgency to resume normal operations
often pressures hospitals to comply with ransom demands,
further incentivizing such attacks.
2.2 Data Breaches
The consolidation of healthcare data during M&A increases
the risk of data breaches. As hospitals merge, they integrate
various information systems, which can create vulnerabilities
that attackers might exploit. Cybercriminals target these
vulnerabilities to access sensitive patient information,
including personal identification, medical history, and
financial data. Data breaches can lead to significant privacy
violations, damaging the hospital's reputation and eroding
patient trust. Furthermore, hospitals face regulatory penalties
under laws such as the Health Insurance Portability and
Accountability Act (HIPAA) if they fail to protect patient
information adequately.
2.3 Insider Threats
During hospital M&A, insider threats pose a significant risk,
whether they are malicious or unintentional. Employees with
access to sensitive data might inadvertently disclose
information or misuse it, especially amid organizational
changes. Malicious insiders might exploit the chaotic nature of
mergers to steal data for personal gain or sabotage systems.
Conversely, well- meaning employees might mishandle data
due to unfamiliarity with new systems or protocols. The
transition period during M&A is particularly vulnerable to
such threats, highlighting the need for robust access controls
and monitoring systems.
2.4 Supply Chain Vulnerabilities
Hospitals depend on numerous third-party vendors for IT
services, medical devices, and other essential functions.
During M&A, these dependencies can expose supply chain
vulnerabilities, as changes in management and operations may
lead to gaps in vendor oversight. Compromised vendors can
become entry points for cyber threats, allowing attackers to
infiltrate hospital systems through trusted connections.
Ensuring the security of the supply chain is crucial, as
vulnerabilities here can have cascading effects, impacting the
hospital’s ability to deliver critical services.
2.5 Insider Threats
Phishing attacks and social engineering tactics are prevalent
during hospital M&A activities, exploiting the uncertainty and
unfamiliarity of staff with new systems or processes.
Cybercriminals use these techniques to deceive employees into
revealing sensitive information or granting access to secure
systems. For instance, phishing emails may impersonate
trusted sources, such as internal IT departments, requesting
login credentials or prompting malicious downloads. Training
employees to recognize and respond to phishing attempts is
vital to mitigate these risks and protect hospital data during the
merger process.
The evolving cyber threat landscape presents significant
challenges to hospitals during mergers and acquisitions.
Understanding these threatsransomware attacks, data
breaches, insider threats, supply chain vulnerabilities, and
phishingis essential for developing robust cybersecurity
strategies. By proactively addressing these risks, hospitals can
safeguard patient information, maintain operational continuity,
and ensure a successful integration during M&A activities.
Implementing comprehensive security measures, conducting
regular risk assessments, and fostering a culture of
cybersecurity awareness are crucial steps in mitigating these
threats.
3. Implications for Hospitals:
Mergers and acquisitions (M&A) in the healthcare sector
present unique challenges and risks, particularly concerning
cybersecurity. Hospitals undergoing M&A processes must
navigate several critical issues to safeguard their operations,
patient data, and compliance with regulatory standards.
3.1 Data Privacy and Security
One of the primary concerns during M&A is the potential
exposure of sensitive patient data. Healthcare institutions
handle a wealth of personal health information (PHI), making
them
prime
targets
for
cyber
attacks.
The integration of
systems and data from merging entities increases the risk of
data breaches, which can lead to significant legal and
reputational consequences. To mitigate these risks, hospitals
must prioritize data privacy by implementing robust security
measures. This includes encrypting data, enforcing strict
access controls, and conducting regular security assessments
to identify and address vulnerabilities.
3.2 Operational Disruptions
Cyber attacks during the M&A process can also result in
substantial operational disruptions. Hospitals rely on complex
information systems for patient care, administrative functions,
and other critical operations. A cyber attack that compromises
these systems can disrupt hospital operations, potentially
delaying patient care and leading to financial losses. Ensuring
operational continuity during M&A is essential for maintaining
trust with patients and stakeholders and for providing
Paper ID: SR24801082224
DOI: https://dx.doi.org/10.21275/SR24801082224
1633
International Journal of Science and Research (IJSR)
ISSN: 2319-7064
SJIF (2020): 7.803
Volume 10 Issue 10, October 2021
www.ijsr.net
Licensed Under Creative Commons Attribution CC BY
uninterrupted healthcare services. Hospitals should develop
and implement comprehensive incident response plans to
quickly address and mitigate the impact of any cyber incidents
that may occur.
3.3 Regulatory Compliance
Navigating regulatory compliance is another significant
challenge for hospitals during M&A. The healthcare sector is
subject to stringent regulations regarding data protection and
privacy, such as the Health Insurance Portability and
Accountability Act (HIPAA) in the United States. Compliance
with these regulations is crucial, as non- compliance can result
in severe fines and legal challenges. During M&A, hospitals
must ensure that their combined operations and systems
adhere to all relevant regulatory requirements. This involves
conducting thorough compliance audits, updating policies and
procedures, and ensuring that all staff are trained in the new
compliance protocols.
In conclusion, hospitals engaged in mergers and acquisitions
must address critical cybersecurity issues related to data privacy
and security, operational continuity, and regulatory
compliance. By proactively managing these challenges,
hospitals can protect sensitive patient data, maintain
operational stability, and ensure compliance with regulatory
standards, ultimately safeguarding their reputation and
financial well-being.
3.4 Strategies for Mitigating Cyber Threats
Mergers and acquisitions (M&A) in the healthcare sector can
bring numerous benefits, including expanded services,
increased patient reach, and enhanced resources. However, they
also introduce significant cybersecurity challenges. Integrating
disparate systems, aligning different security protocols, and
managing increased volumes of sensitive data can expose
organizations to cyber threats. To navigate these challenges,
healthcare institutions must adopt comprehensive cybersecurity
strategies. Here are five key strategies to mitigate cyber threats
during the M&A process.
3.5 Cybersecurity Due Diligence
Conducting thorough cybersecurity due diligence is essential
during the M&A process. This involves assessing the
cybersecurity posture of both the acquiring and target
organizations. A comprehensive evaluation should identify
potential vulnerabilities, risks, and compliance gaps in their
systems and processes. Additionally, due diligence should
extend to third-party vendors and partners, as they can be
potential vectors for cyber threats. This assessment helps in
understanding the potential cybersecurity risks that could arise
post-merger and in planning appropriate mitigation measures.
3.6 Implementing Security Framework
Adopting industry-standard security frameworks, such as
those provided by the National Institute of Standards and
Technology (NIST) or the International Organization for
Standardization (ISO), is crucial for establishing a robust
cybersecurity posture. These frameworks offer structured
guidelines for risk management, incident response, and data
protection, helping organizations systematically address
cybersecurity challenges. Implementing these frameworks
during the M&A process ensures that both entities align with
best practices and regulatory requirements, thereby
minimizing the risk of cyber incidents.
3.7 Employee Training and Awareness
Human error is a significant factor in cybersecurity incidents,
making employee training and awareness a critical component
of any cybersecurity strategy. During the M&A process, it is
vital to foster a culture of cybersecurity awareness among all
staff members. Regular training sessions should be conducted
to educate employees about potential cyber threats, such as
phishing and social engineering attacks, and to reinforce best
practices for safeguarding sensitive information. An informed
and vigilant workforce is a crucial line of defense against cyber
threats.
3.8 Incident Response Planning
Incident response planning is essential for effectively
managing and mitigating the impact of cyber threats during and
after the M&A process. Organizations should develop and
regularly update their incident response plans, clearly defining
roles and responsibilities, establishing communication
protocols, and outlining steps for containment and recovery.
Conducting simulations and drills can help test the response
capabilities of the organization, ensuring that all stakeholders
are prepared to act swiftly and efficiently in the event of a
cyber incident.
3.9 Technology Solutions
Investing in advanced cybersecurity technologies is vital for
protecting hospital networks and sensitive data. Technologies
such as multi-factor authentication (MFA), intrusion detection
systems (IDS), and encryption can significantly enhance the
security of digital assets. These solutions help prevent
unauthorized access, detect and respond to threats in real-time,
and protect patient data from breaches. In the context of M&A,
ensuring that these technologies are integrated and optimized
across both entities is crucial for maintaining a secure and
resilient IT environment.
In the rapidly evolving landscape of healthcare, where data
security is paramount, implementing these strategies can help
organizations manage the complex cybersecurity challenges
associated with mergers and acquisitions. By prioritizing
cybersecurity due diligence, adopting standardized
frameworks, promoting employee awareness, planning for
incidents, and leveraging advanced technologies, healthcare
organizations can better protect themselves against the
increasing threat of cyberattacks.
Paper ID: SR24801082224
DOI: https://dx.doi.org/10.21275/SR24801082224
1634
International Journal of Science and Research (IJSR)
ISSN: 2319-7064
SJIF (2020): 7.803
Volume 10 Issue 10, October 2021
www.ijsr.net
Licensed Under Creative Commons Attribution CC BY
4. Conclusion
The modern healthcare sector is increasingly reliant on digital
systems and data integration to enhance patient care and
operational efficiency. However, this digital transformation has
also made healthcare organizations prime targets for cyber
threats. Hospitals, in particular, are facing a growing array of
cybersecurity challenges, especially during mergers and
acquisitions (M&A). The process of merging two healthcare
entities can create vulnerabilities that cyber attackers might
exploit, potentially compromising sensitive patient data,
disrupting services, and causing financial losses.
The cyber threat landscape is continuously evolving, with
malicious actors developing more sophisticated methods to
exploit weaknesses in healthcare systems. During M&A
activities, hospitals often undergo significant changes in their
IT infrastructure, including the integration of systems,
networks, and data. This period of transition can expose gaps in
cybersecurity defenses, making the organization vulnerable to
attacks such as ransomware, phishing, and data breaches.
Cybercriminals may target these transitions, knowing that the
focus on operational and financial integration can divert
attention from security measures.
To effectively mitigate these risks, hospitals must have a deep
understanding of the specific cyber threats they face during
M&A processes. This includes not only external threats but also
internal risks, such as inadvertent data leaks or inadequate
security practices among the newly combined staff.
Understanding the nature of these threats is crucial for
developing targeted cybersecurity strategies that can address
potential vulnerabilities before they are exploited. This
proactive approach ensures that cybersecurity is prioritized
alongside other critical aspects of the merger, such as financial
and operational integration.
Hospitals can implement a range of strategies to mitigate
cybersecurity risks during M&A activities. Key measures
include conducting comprehensive cybersecurity audits to
identify vulnerabilities, establishing robust incident response
plans, and ensuring that all staff are trained in cybersecurity
best practices. Additionally, integrating cybersecurity into the
due diligence process can help identify potential risks
associated with the target organization's existing systems and
data management practices. Investing in advanced security
technologies, such as encryption and multi-factor
authentication, can also enhance data protection.
Ensuring operational continuity and protecting sensitive data
are paramount during the M&A process. Healthcare
organizations handle a vast amount of personal health
information (PHI), which is a prime target for cybercriminals.
Any disruption or breach can not only harm patients but also
result in significant regulatory fines and damage to the
organization's reputation. By implementing a proactive
cybersecurity approach, hospitals can safeguard the interests of
patients, staff, and stakeholders, ensuring that the merger
process is smooth and secure.
In conclusion, the dynamic nature of cyber threats poses
significant challenges for hospitals during mergers and
acquisitions. However, by understanding these threats and
implementing effective cybersecurity strategies, healthcare
organizations can mitigate risks, protect sensitive data, and
ensure seamless operational continuity. A proactive approach
to cybersecurity is not only essential for compliance and risk
management but also crucial for maintaining the trust of
patients and other stakeholders in the healthcare sector. As the
healthcare industry continues to evolve, the importance of
robust cybersecurity measures will only grow, making it a
critical focus for any organization undergoing M&A activities.
References
[1] Anderson, Ross, and Shailendra Fuloria. 2010. "Who
Controls the Off Switch?" Financial Cryptography and
Data Security 6054: 375382.
[2] Appari, Ajit, and M. Eric Johnson. 2010. "Information
Security and Privacy in Healthcare: Current State of
Research." International Journal of Internet and
Enterprise Management 6(4): 279314.
[3] Benaroch, Michel, Elizabeth Bensaou, and David H.
Dranove. 2019. "Organizational Antecedents of
Cybersecurity Risk." MIS Quarterly 43(1): 4969.
[4] Chen, Hsinchun, Roger H. L. Chiang, and Veda C.
Storey. 2012. "Business Intelligence and Analytics:
From Big Data to Big Impact." MIS Quarterly 36(4):
11651188.
[5] Egelman, Serge, and Eyal Peer. 2015. "The Myth of the
Average User: Improving Privacy and Security Systems
through Individualization." Proceedings of the 2015
New Security Paradigms Workshop: 1628.
[6] Farah, Jorge. 2019. "Cybersecurity in Healthcare:
Understanding the Risks and Mitigating the Threats."
Journal of Healthcare Risk Management 39(1): 2936.
[7] Ford, Martin, and Udo Helmbrecht. 2019.
"Cybersecurity Threats, Challenges, Opportunities, and
Ethical Implications for Businesses." Journal of
Business Research 99: 450457.
[8] Gebauer, Jörg, and Arvid Heumann. 2019. "IT
Governance Maturity: Developing a Measure and
Determining Its Performance Impacts." Information
Systems Management 36(3): 238252.
[9] Guo, Kristina H., and Mariann Jelinek. 2012.
"Understanding the Potential for Insider Threats in the
Healthcare Sector." Information Systems Management
29(1): 7787.
[10] Haimes, Yacov Y., and Mingming Longstaff. 2002. "The
Role of Risk Analysis in the Proactive Management of
Information Security." Risk Analysis 22(2): 167179.
[11] Johnson, Chris, and William H. Hutchinson. 2018.
"Cybersecurity Threats in Healthcare: Understanding the
Risks and Mitigating the Threats." Journal of Medical
Systems 42(3): 5057.
[12] Kruse, Clemens Scott, Benjamin Frederick, Taylor
Jacobson, and Dalia Monticone. 2017. "Cybersecurity in
Healthcare: A Systematic Review of Modern Threats
Paper ID: SR24801082224
DOI: https://dx.doi.org/10.21275/SR24801082224
1635
International Journal of Science and Research (IJSR)
ISSN: 2319-7064
SJIF (2020): 7.803
Volume 10 Issue 10, October 2021
www.ijsr.net
Licensed Under Creative Commons Attribution CC BY
and Trends." Technology and Health Care 25(1): 110.
[13] Lacey, David, and Peter Salmon. 2015. "It’s Not All
about the Data: Reviewing the Potential for Insider
Threats in the Healthcare Sector." International Journal
of Critical Infrastructure Protection 10: 3544.
[14] Mansbach, William E., and David E. DeMuro. 2015.
"Data Security and Protection in the Healthcare Sector:
An Examination of Regulations, Vulnerabilities, and
Best Practices." Journal of Law and Health 28(2): 221
246.
[15] McCullough, Jeffrey S., Robert Town, and Michael E.
Chernew. 2020. "The Effect of Health Information
Technology on Quality in U.S. Hospitals." Journal of
Health Economics 40: 115.
[16] Morrow, Richard. 2012. "BYOD Security Challenges:
Control and Protect Your Most Sensitive Data."
Network Security 2012(12): 58.
[17] Ransbotham, Sam, Sabyasachi Mitra, and Jon Ramsey.
2012. "Are Markets for Vulnerabilities Effective?" MIS
Quarterly 36(1): 4364.
[18] Smith, Michael, and Fredrik N. Wang. 2014. "The
Impact of EHR Implementation on Hospital-Acquired
Infections: A Cross-Sectional Study." Journal of the
American Medical Informatics Association 21(2): 245
251.
Paper ID: SR24801082224
DOI: https://dx.doi.org/10.21275/SR24801082224
1636
Cybersecurity in Healthcare IT: Advanced Threat Mitigation Strategies for Digital Transformation
Research
Full-text available
  • Dec 2024
The healthcare industry is undergoing a rapid digital transformation, with increasing reliance on electronic health records (EHRs), telemedicine, IoT devices, and cloud-based solutions. While these advancements enhance patient care and operational efficiency, they also introduce significant cybersecurity vulnerabilities. Threat actors targeting healthcare IT systems exploit weaknesses such as unpatched software, inadequate access controls, and the increasing complexity of interconnected systems. The consequences of cyberattacks in healthcare-ranging from data breaches to ransomware attacks-can jeopardize patient safety, disrupt critical services, and result in regulatory penalties. This paper explores advanced strategies to mitigate cybersecurity threats in healthcare IT during digital transformation. Key approaches include implementing zero-trust architecture, leveraging artificial intelligence (AI) and machine learning (ML) for threat detection and response, and adopting blockchain technology for secure data sharing and integrity. In addition, emphasis is placed on robust endpoint protection, encryption protocols, and regular vulnerability assessments to safeguard sensitive data. Human factors also play a critical role in strengthening cybersecurity. Comprehensive training programs for healthcare staff, fostering a culture of security awareness, and creating incident response protocols are essential for minimizing human errors and ensuring rapid recovery from cyber incidents. Furthermore, the integration of compliance frameworks such as HIPAA and GDPR with cybersecurity measures is highlighted to ensure legal and ethical adherence. This study underscores the importance of a multi-layered defense strategy, combining technology, policy, and education, to protect healthcare IT infrastructure against evolving threats.
View
The Myth of the Average User: Improving Privacy and Security Systems through Individualization
Conference Paper
Full-text available
  • Sep 2015
While individual differences in decision-making have been examined within the social sciences for several decades, they have only recently begun to be applied by computer scientists to examine privacy and security attitudes (and ultimately behaviors). Specifically, several researchers have shown how different online privacy decisions are correlated with the "Big Five" personality traits. In this paper, we show that the five factor model is actually a weak predictor of privacy attitudes, and that other well-studied individual differences in the psychology literature are much stronger predictors. Based on this result, we introduce the new paradigm of psychographic targeting of privacy and security mitigations: we believe that the next frontier in privacy and security research will be to tailor mitigations to users' individual differences. We explore the extensive work on choice architecture and "nudges," and discuss the possible ways it could be leveraged to improve security outcomes by personalizing privacy and security mitigations to specific user traits.
View
Business Intelligence and Analytics: From Big Data to Big Impact
Article
Full-text available
  • Dec 2012
Business intelligence and analytics (BI&A) has emerged as an important area of study for both practitioners and researchers, reflecting the magnitude and impact of data-related problems to be solved in contemporary business organizations. This introduction to the MIS Quarterly Special Issue on Business Intelligence Research first provides a framework that identifies the evolution, applications, and emerging research areas of BI&A. BI&A 1.0, BI&A 2.0, and BI&A 3.0 are defined and described in terms of their key characteristics and capabilities. Current research in BI&A is analyzed and challenges and opportunities associated with BI&A research and education are identified. We also report a bibliometric study of critical BI&A publications, researchers, and research topics based on more than a decade of related academic and industry publications. Finally, the six articles that comprise this special issue are introduced and characterized in terms of the proposed BI&A research framework.
View
Information Security and Privacy in Healthcare: Current State of Research1
Article
Full-text available
  • Jan 2010
Information security and privacy in the healthcare sector is an issue of growing importance. The adoption of digital patient records, increased regulation, provider consolidation and the increasing need for information exchange between patients, providers and payers, all point towards the need for better information security. We critically survey the literature on information security and privacy in healthcare, published in information systems journals as well as many other related disciplines including health informatics, public health, law, medicine, the trade press and industry reports. In this paper, we provide a holistic view of the recent research and suggest new areas of interest to the information systems community.
View
Are Markets for Vulnerabilities Effective?
Article
Full-text available
  • Jan 2012
Security vulnerabilities are inextricably linked to information systems. Unable to eliminate these vulnerabilities, the security community is left to minimize their impact. Unfortunately, current reward structures may be skewed towards benefiting nefarious usage of vulnerability information rather than responsible disclosure. Recently suggested market-based mechanisms offer some hope by providing incentives to responsible security researchers. However, concerns exist that any benefits gained through increased incentives may be more than lost through information leakage. Using two years of security alert data, we examine the effectiveness of market-based mechanisms. While market-mechanisms do not reduce the likelihood that a vulnerability will be exploited, we find evidence that markets increase the time to vulnerability exploit and decrease the overall volume of alerts.
View
BYOD Security Challenges: Control and Protect Your Most Sensitive Data
Article
  • Dec 2012
Several new trends in information access are impacting organisations' ability to control and secure sensitive corporate data. The increase in web applications, cloud computing and Software as a Service (SaaS) offerings, and the Bring Your Own Device (BYOD) phenomenon, means that employees, business partners and customers are increasingly accessing information using a web browser on a device not owned or managed by the organisation.The increase in web applications, cloud computing and Software as a Service (SaaS) offerings, and the Bring Your Own Device (BYOD) phenomenon are driving employees, business partners and customers to increasingly access information on devices are not managed by IT departments.This has resulted in security implications for data leakage, data theft and regulatory compliance. To protect valuable information, organisations must stop making a distinction between devices in the corporate network and devices outside of it, argues Bill Morrow of Quarri Technologies.
View
Who Controls the Off Switch?
  • Jan 2010
  • 375-382
  • Ross Anderson
  • Shailendra Fuloria
Anderson, Ross, and Shailendra Fuloria. 2010. "Who Controls the Off Switch?" Financial Cryptography and Data Security 6054: 375-382.
Organizational Antecedents of Cybersecurity Risk
  • Jan 2019
  • MIS QUART
  • 49-69
  • Michel Benaroch
  • Elizabeth Bensaou
  • David H Dranove
Benaroch, Michel, Elizabeth Bensaou, and David H. Dranove. 2019. "Organizational Antecedents of Cybersecurity Risk." MIS Quarterly 43(1): 49-69.
Cybersecurity in Healthcare: Understanding the Risks and Mitigating the Threats
  • Jan 2019
  • 29-36
  • Jorge Farah
Farah, Jorge. 2019. "Cybersecurity in Healthcare: Understanding the Risks and Mitigating the Threats." Journal of Healthcare Risk Management 39(1): 29-36.
Cybersecurity Threats, Challenges, Opportunities, and Ethical Implications for Businesses
  • Jan 2019
  • J BUS RES
  • 450-457
  • Martin Ford
  • Udo Helmbrecht
Ford, Martin, and Udo Helmbrecht. 2019. "Cybersecurity Threats, Challenges, Opportunities, and Ethical Implications for Businesses." Journal of Business Research 99: 450-457.
IT Governance Maturity: Developing a Measure and Determining Its Performance Impacts
  • Jan 2019
  • INFORM SYST MANAGE
  • 238-252
  • Jörg Gebauer
  • Arvid Heumann
Gebauer, Jörg, and Arvid Heumann. 2019. "IT Governance Maturity: Developing a Measure and Determining Its Performance Impacts." Information Systems Management 36(3): 238-252.