| Sr No | Vulnerability | Threat | Risk of compromise of | Risk Summary |
|---|---|---|---|---|
| 1 | Health information exchange not secured | Data compromise by intrusion, data breach | Sensitive and critical data | As health information exchanges (HIEs) make patient information electronically available across hospital systems, privacy and data security concerns have become paramount. The risks are compounded by the numerous systems and organizations involved. |
| 2 | Failure at data warehouse | Denial of service attack on data centre | Availability of data and applications | Data-based business intelligence is quickly moving to the forefront for most healthcare organizations. The greater the emphasis on better managing outcomes and overall population health, the more important data (clinical or otherwise) becomes. |
| 3 | Disaster recovery and business continuity not in place | Severe effect on operations of the hospital, impact on business | Productivity, revenue, patient safety | Productivity, revenue, and even patient safety could be severely affected if systems and data are not available and operational at all times. While business continuity related to disaster recovery is not a new concern for healthcare organizations, it ranked high because of its strategic and business impact. |
| 4 | Unidentified security vulnerabilities in biomedical devices | Systems can be hacked or planted with malware | Patient safety, privacy of data | Unidentified security vulnerabilities in biomedical devices can affect patient safety as well as the privacy of data on devices and networked systems. |
| 5 | Electronic Health Record (EHR) application not secured | Access rights misused, data breach or man-in-the-middle attack | Data privacy, intellectual property | Many healthcare organizations are susceptible to risks related to the implementation of electronic health record (EHR), financial, and other business systems. |
| 6 | No information security policy implemented | Technical, physical, and administrative safeguards vulnerable | Security of health information | HIPAA remains an area of significant risk for healthcare organizations. Maintaining the security of protected health information is challenging. Absence of supporting documentation demonstrating adherence to policies can be a huge risk. |
| 7 | IT assets and software licenses not tracked | Use of outdated software introduces vulnerability; software stops operating after license expiry | Security of health information, availability of data and applications | Many organizations have issues with tracking not only their physical IT assets but their software licenses as well. Lack of control in these areas can lead to financial losses for the organization. |
| 8 | Access through personal devices not restricted (BYOD) | Data loss, malware infection | Confidentiality and integrity of hospital data (financial, IP, staff info) | Electronic protected health information (ePHI) and similarly sensitive data can be disclosed to unauthorized personnel either by malicious intent or inadvertent mistake. |
| 9 | Identity management and RBAC not implemented | Unauthorised access to data or applications | Security of hospital data, patient information, applications | Unauthorized access to data or applications is a significant organizational risk, making system access a highly ranked area of concern. Healthcare organizations often struggle to maintain consistent core controls (for example, passwords, timeouts, and lockouts) around system access. |
| 10 | Not compliant with the Payment Card Industry Data Security Standard (PCI DSS) | Credit card data stolen at point of sale and/or through web application | Customers' credit card data | The standard, which outlines technical and operational system requirements to protect cardholder data, is often overlooked in the healthcare industry. Overlooking the requirements can be very costly for the hospital. |
| 11 | Malfunctioning of the application | Electronic Health Record (EHR) application failure | | An enterprise system tends to come with standard IT configurations, leaving a huge margin for error. If your hospital has deployed an electronic health record (EHR) system, you probably have a contingency plan in the event of a system outage. After all, computing systems go down, and when an EHR system is not working, it affects nearly every aspect of a hospital's operations, from patient care to admissions to finance to supply chain. |
| 12 | Defects in the systems | Systems failure in hospitals | Operational | Systems failures in healthcare can hinder employees, potentially decreasing both productivity and quality of care. Both hospitals and hospital patients are bearing a massive cost as a result of medication prescribing errors in the public health systems; poor information systems may be a contributing factor in the occurrence of these errors. These are linked to situations where information is unavailable or inaccessible. |
| 13 | Intentional human error | Unscheduled system downtime | | Unscheduled downtime is unplanned downtime due to system or environmental (e.g., power) failures. Downtime may affect a single application or be system-wide. |
| 14 | Levels of security not applied | Indiscriminate malicious attack (mock cyberattacks) | Medical devices, patient safety | A medical device is being used on a patient (e.g., x-ray, ECG, ventilator, CT, MRI, PET) when a malicious software attack occurs. This may be a side effect of a broad cyber attack where the medical device is not specifically targeted. These broad, sometimes low-skill, technology attack tools are otherwise known as viruses, Trojan horses, or worms, for example. Even under these circumstances, the system should be able to protect patient safety and health. Individual patient and healthcare provider damage may result if the attack leads to the disclosure of personal data. |
| 15 | Firewall not updated or not configured properly | Highly funded attack on confidentiality of data | Patients' details, their reputation and privacy | A malicious attacker is highly funded and is highly capable of launching a targeted attack. Typically, the attacker is an outsider and the targets are medical data of VIPs such as athletes or celebrities, stored in a healthcare system. The effects of disclosed medical information (e.g., cancer, HIV status) may never be undone and may cause severe social and financial consequences to the victim. |
| 16 | Disgruntled member, frustrated person | Personal revenge | Business loss, reputation at stake | A threat may originate from angry or vengeful persons (employees, patients, or service staff, for example). The bulk of these attacks come from internal, or formerly internal, people. They have a powerful desire to inflict damage on a specific target inside the healthcare facility or on the healthcare facility as a whole, but are not likely to be sophisticated in terms of knowledge about systems or well funded. |
| 17 | Occurrence of natural calamities, disasters | Widespread disasters resulting in power blackout | Availability of the entire infrastructure | Provision of healthcare in the aftermath of a widespread disaster. Such a disaster may have been caused by natural (e.g., earthquake, tsunami, hurricane/typhoon, volcano, wildfire) or man-made causes (terror, war, power failure). During these disasters the general infrastructure (IT networks, roads, electrical power, water) may additionally be disrupted or destroyed. Further, the disaster may have caused damage to the healthcare facility itself and thus may have destroyed parts of the local building or healthcare infrastructure, causing a healthcare system failure. The situation may get worse as the disaster itself increases the number of patients who arrive at the healthcare facility. |
| 18 | Power blackout and power backup failure | Operational discontinuity | Business impact, availability impact | Many hospitals are unprepared for the consequences caused by power blackouts and are often unaware of the true costs and impact that they can have on their working procedures. |
| 19 | Lack of awareness | | | The greatest threat to the security of the healthcare industry is the total lack of awareness of principal cyber threats. |