
Cybersecurity in healthcare: Comparing cybersecurity maturity and experiences across global healthcare organizations (Preprint)

Abstract and Figures

BACKGROUND Health systems around the world are increasingly reliant on digital technology. Such reliance requires that healthcare organizations consider effective cybersecurity and digital resilience as a fundamental component of patient safety, with recent cyberattacks highlighting the risks to patients and targeted organizations. OBJECTIVE The purpose of this study was to explore the current global cybersecurity landscape and maturity in healthcare. METHODS We developed and administered a survey to examine the current cybersecurity landscape and preparedness level across global healthcare organizations. RESULTS Cyber threats were a common concern for the 17 healthcare organizations who participated. The principal concerns highlighted were data security, including the manipulation or loss of electronic health records; loss of trust in the organization; and risks of service disruption. Cybersecurity maturity scoring showed that despite the majority of organizations having established cybersecurity practices, levels of awareness and education were universally poor. CONCLUSIONS Policymakers should consider raising awareness and improving education/training on cybersecurity as a fundamental tenet of patient safety.
Cybersecurity in healthcare: Comparing cybersecurity maturity and experiences across
global healthcare organizations
O’Brien N, MSc; Martin G, MBBS, PhD¹; Grass E, PhD¹; Durkin M, OBE, MBBS, FRCA, FRCP, DSc¹; Darzi A, PC, KBE, FRS, FMedSci, HonFREng¹; Ghafur S, MD, MBChB, MRCP (resp), MSc¹
¹Institute of Global Health Innovation, Imperial College London
§Corresponding author: Niki O’Brien
Institute of Global Health Innovation
Imperial College London
10th Floor, QEQM Building, St Mary’s Hospital
Praed Street, London W2 1NY, UK
n.obrien@imperial.ac.uk
Email addresses of authors:
NO: n.obrien@imperial.ac.uk
GM: guy.martin@imperial.ac.uk
EG: e.grass@imperial.ac.uk
MD: m.durkin@imperial.ac.uk
AD: karen.jones@imperial.ac.uk (PA of author)
SG: Saira.ghafur13@ic.ac.uk
Word count: 3,410
This preprint research paper has not been peer reviewed. Electronic copy available at: https://ssrn.com/abstract=3688885
Funding information: This work was supported by the World Innovation Summit for Health
(WISH), Qatar Foundation. Infrastructure support for this research was provided by the NIHR
Imperial Biomedical Research Centre (BRC).
Disclosures: We declare no conflicts of interest associated with this research.
Author’s contributions: The manuscript was written by NO and SG. SG, GM, MD and AD
conceptualized this research. SG, NO, GM and EG designed the survey. NO and EG conducted
the survey analysis. All authors contributed to the multiple versions of the manuscript.
Abstract
Health systems around the world are increasingly reliant on digital technology. Such reliance
requires that healthcare organizations consider effective cybersecurity and digital resilience as
a fundamental component of patient safety, with recent cyberattacks highlighting the risks to
patients and targeted organizations. To better understand how well-prepared organizations are
to meet this challenge we developed and administered a survey to examine the current
cybersecurity landscape and preparedness level across global healthcare organizations. Cyber
threats were a common concern for the 17 healthcare organizations who participated. The
principal concerns highlighted were data security, including the manipulation or loss of
electronic health records; loss of trust in the organization; and risks of service disruption.
Cybersecurity maturity scoring showed that despite the majority of organizations having
established cybersecurity practices, levels of awareness and education were universally poor.
Policymakers should consider raising awareness and improving education/training on
cybersecurity as a fundamental tenet of patient safety.
Abstract word count: 150
Keywords: Global health; Healthcare providers; Healthcare workers; Patient care; Patient
safety; Systems of care; Covid-19; Healthcare threats; Digital health; Cybersecurity;
Communication; Training
Background
The digitization of healthcare has increased globally in recent years as new emerging
technologies have entered the health sector [1]. Innovations such as cloud computing,
connected mobile devices and artificial intelligence can support more effective and efficient
healthcare. Moreover, the use of Health Management Informatics systems (HMIS) and
electronic health records (EHR) can aid countries in collecting, analyzing and reporting health
information to support the scaling up of services and achieving Universal Health Coverage
(UHC) [2]. Despite these advances, the adoption of new technologies across high-, middle-,
and low-income countries exposes healthcare organizations to increased vulnerabilities from
cyber-attacks that may compromise patient safety, threaten data integrity and confidentiality,
and erode patient trust [1,3].
There are several recent examples of the detrimental effect of cyber-attacks on healthcare
institutions and patients. The 2017 WannaCry ransomware attack which affected the UK
National Health Service (NHS) demonstrated the lack of readiness for protecting patient data
and health delivery systems, despite the sector not being specifically targeted [1]. Similarly,
attacks across healthcare organizations and systems in numerous countries have compromised
patient records and shut down services [4].
Despite increasing cyber threats and multiple cyber-attacks, evidence reveals that healthcare
systems around the world are still lagging behind other critical sectors in responding to this
challenge [5]. Following the emergence of the Covid-19 pandemic there has been an increase
in the number of cyber-attacks globally against healthcare organizations, making it increasingly
important that healthcare institutions understand and develop their cybersecurity planning and
preparedness [6].
Guiding cybersecurity planning across high income countries (HICs) and in low- and middle-
income countries (LMICs) is a significant challenge for national governments, multi-lateral
donor organizations and health policymakers, as well as at an organizational or facility level.
Considerable work needs to be undertaken to understand the current cybersecurity landscape
at the organizational level, including the scale and nature of cyber-attacks being experienced,
the level of preparedness and cybersecurity maturity of individual facilities, and the major
challenges to developing better cybersecurity both at the organizational level and across health
systems.
The article explores the current global cybersecurity landscape and maturity in healthcare
through the results of a survey developed and administered to healthcare organizations around
the world. The survey is the first of its kind in exploring the state of cybersecurity in healthcare
at the organizational level across multiple health systems, allowing for regional comparison
and discussion.
Methods
Survey design
To determine the state of cybersecurity and maturity level of healthcare institutions around the
world, we developed a two-part survey. The first section collected details of cybersecurity
attacks on each organization and the perceived strengths and weaknesses of the organization
in developing their cybersecurity posture. The latter section of the survey utilized the Global
Cyber Security Capacity Centre’s Cybersecurity Capacity Maturity Model for Nations (CMM),
a model to facilitate the assessment of the maturity of national cybersecurity capacity [7]. The
CMM outlines five dimensions that cover the scope of cybersecurity by defining areas that
should be considered when seeking to develop capacity. The model assesses these dimensions
on a five-point maturity scale, which measures the degree of formality and optimization of
processes related to cybersecurity [7,8]. The research team considered the CMM dimensions
and maturity levels as a starting point for the survey development as they have already been
validated globally, though not specifically in healthcare or at the sub-national level. As such,
adjustments were made to some of the dimension maturity indicators which were focused on
the national level in order to develop a questionnaire relevant for individual healthcare
organizations.
The questionnaire items developed were a mix of open- and closed-ended questions including
those with pre-defined responses and Likert scales. The questions collected information on six
elements of cybersecurity identified by the research team, based on the CMM and a literature
scan of validated questionnaires on cybersecurity planning. The six elements were governance,
awareness, education and training, (national) regulation, technology, and (organizational)
resilience. Responses were scored on the same five-point maturity scale outlined in the CMM,
measuring how the organization has progressed in relation to the six aspects of cybersecurity:
1 (start-up), 2 (formative), 3 (established), 4 (strategic) and 5 (dynamic) (see Appendix for full
description of cyber maturity stages categorization) [7].
Study participants
Participants were members of the Imperial College London Leading Health Systems Network
(LHSN). The LHSN is a collaborative network of healthcare leaders and organizations
dedicated to improving health care delivery, and as such, members were well placed to submit
a survey response for their institution. Organizational descriptive data is provided in Table 1.
Ethical approval
The research protocol was reviewed and institutional ethical approval was granted by the
Imperial College London Joint Research Compliance Office (JRCO).
Data collection and analysis
All data were collected in the period February - May 2020. Survey responses were collected
and analyzed using Qualtrics software. Further analysis was done on Microsoft Excel within a
secure data storage environment. Responses from a total of 17 participant organizations were
received and included in the analysis, representing 6 geographic regions: Africa, East Asia and
Pacific, Europe and Central Asia, Latin America and Caribbean, Middle East and North Africa,
South Asia, and global economies.
[Table 1 around here]
Limitations
The findings of this study must be interpreted within its limitations. Firstly, while the results
showcase results from all 6 global regions as well as high-income and middle- and low-income
health systems, the sample size of 17 institutions remains small, with some regions also
relatively underrepresented. As such, it is possible that the same survey with a larger number
of participants could produce different results and the findings presented are not generalizable.
Secondly, as the survey was completed by several types of organization, it is possible that
the results do not accurately reflect the cybersecurity landscape in any one particular health
setting. However, as there is currently no published data comparing cybersecurity among
healthcare organizations globally, more must be done to generate data in this area. Thirdly, the
survey was self-reported and so responses are likely to be subject to reporting bias that will
affect the accuracy of responses that have not been independently verified.
Study Results
Every organization classified as hospital/health center reported the use of Electronic Health
Records in some capacity.
Reported cyber-attacks
56% of respondents reported having experienced at least one cyber-attack in the previous 12
months, although it is likely that this is an under-estimation as cyber-attacks may have gone
unnoticed. Of those who reported experiencing cyber-attacks in the previous 12 months, the
number of reported attacks in that period varied from less than 5 to several hundred. Overall,
respondents noted an increasing frequency of attacks in the preceding two years independent
of the total number reported.
As shown in Figure 1, the effects of the cyber-attacks reported by respondents were also varied,
and multiple effects were reported by some respondents. No effect was the most common
response. Data loss was the most commonly reported effect among the respondents, although
effects related to patient services and systems, and on organizational projects and finances were
also reported.
When asked to score the organization’s effectiveness in cybersecurity out of ten, specifically
defined as the ability to mitigate risks, vulnerabilities and attacks across the organization, the
mean score was 7 with only one self-reported effectiveness score under 5, see Figure 1.
[Figure 1 around here]
Cybersecurity maturity scoring
The South-East Asia region scored the highest across the six domains (see Table 2), categorized
as strategic in its maturity level alongside the Western Pacific Region. Notably, respondents
from these regions were overrepresented in reporting the number of cyber-attacks the
organization had had in the preceding twelve months. Overall, they reported the fewest attacks
as compared to reported attacks in other regions.
As shown in Table 2, the European region, Region of the Americas, and African Region scored
2.7 - 3.4 and were categorized as having established cybersecurity practices (see Appendix for
definitions). The Eastern Mediterranean Region has the lowest maturity score and was
categorized as having formative cybersecurity practices. None of the organizations scored
dynamic (4.5-5) or start up (0.1 - 1.4) levels of maturity. While each organization has already
achieved a minimum level of cybersecurity, none can be considered highly sophisticated in
their maturity, suggesting there is still a lot of work to do to develop cybersecurity in healthcare
organizations.
[Table 2 around here]
The average maturity score for each participating organization was calculated and averaged to
determine the maturity score and categorization of each dimension. Regulation received the
highest maturity score followed by technology, governance and resilience which all scored
above 3 (see Table 2). However, on average respondents scored lower in the dimensions of
awareness and education suggesting these areas are less developed among organizations
globally.
Cybersecurity governance and financing
Figure 2 summarizes the results concerning cybersecurity governance and financing.
Respondents overwhelmingly reported that cybersecurity was a part of the organization’s
Board/leadership agenda (94%). However, far fewer organizations reported that a member of
the Board/leadership was allocated specific responsibility for cybersecurity (60%).
Additionally, only 62% reported that training was available for Board members or those in
senior leadership positions.
The majority of respondents (88%) reported that there was a dedicated budget for cybersecurity
within the organization, with 71% of respondents reporting that this budget had increased in
the past 12 months. Specific amounts were not, however, disclosed due to confidentiality
reasons.
[Figure 2 around here]
Cybersecurity regulation
The majority of respondents (69%) reported that the organization was required to report cyber
incidents as part of local or national regulatory or legal requirements. Respondents reported
that they were required to report cyber incidents to the Ministry of Health, a national data
protection agency and/or internally to senior leadership/Board, including the Chief Information
Officer, Chief Information Security Officer, Chief Executive Officer etc. Some respondents
reported that they were required to report to more than one of the individuals and organizations
listed.
Discussion
The results of the survey outline a large range of differences across healthcare institutions and
geographic regions in cyber-attack experiences and cybersecurity preparedness which have
implications for the future design and implementation of cybersecurity policy in healthcare at
a global level.
Identification, analysis and reporting of cyber-attacks
The reporting of cyber-attacks varied at the organizational level. This was particularly evident
in the reporting of the number of cyber-attacks, which ranged from less than five to several
hundred per year. It is possible that some of the organizations surveyed had less robust systems
for the identification and analysis of attacks, which may lead to under-recognition and under-reporting.
Policies, protocols and systems for surveillance, risk identification, assessment and reduction
should be developed in every healthcare organization to ensure cyber-attacks are robustly
identified, accurately captured, and addressed as quickly as possible.
It is vital that senior management at the organizational level are engaged in this process from the
inception phase. Cybersecurity, representing a major risk to patient safety and the organization
itself, is in the remit of the executive [9]. As noted, 60% of respondents reported senior
leadership was directly responsible for cybersecurity. A positive early initiative to develop the
protocols and systems for identification and analysis of risks and attacks is to assign this
specific responsibility to a member of the senior leadership team at board level.
The survey results indicated a disconnect between the relatively high self-effectiveness scores
reported, a mean score of 7, and the range of impacts of cyber-attacks listed by the recipients,
including data loss, breaches to patient safety and systems, and opportunity costs on
organizations. Developing an organizational culture that supports the reporting of cyber-threats
and attacks, as well as conducting an honest appraisal of progress in cybersecurity preparedness
is another crucial element of developing effective cybersecurity. A failure to do so will result
in missed opportunities for identification, analysis, reflection and improvement [10]. In other
areas of patient safety, a positive reporting culture has been found to directly impact the number
of incidents that are both reported and subsequently addressed [11]. Healthcare managers at all
levels should work towards ensuring that frontline staff are both trained to recognize cyber
threats, and critically, are encouraged to report any potential threats or attacks that are
identified.
Development of specific areas of cybersecurity within healthcare organizations
Differences were noted in the relative maturity of organizations across the six domains of
cybersecurity measured. Notably, maturity was found to be lowest in the areas of awareness
and training. Existing research has shown that these areas are crucial for effective cybersecurity
[12,13]. A study on the cybersecurity behaviors of UK school children showed that the most
successful behaviors were exhibited when individuals were taught appropriate cybersecurity
skills and then trusted to behave responsibly [13]. One explanation for the lack of maturity in
the areas of awareness and education could be the assumption that cybersecurity is a concern
for ICT departments rather than for frontline staff. However, cybersecurity, as a patient safety
concern, must be a consideration for all staff across every healthcare organization. At the
organizational level, key areas of education, training and awareness for staff should be
considered and developed based on staff job role, access privilege and cybersecurity risk
profile. The cybersecurity knowledge and skills of staff in the ICT department will of course
be different from, and more comprehensive than, those of nurses in the emergency department, for example.
However, frontline staff have an equally integral role to play in strengthening the cybersecurity
of an organization. As such, it is essential to recognize the importance of education, training
and awareness, which may be implemented in a variety of ways, but should include clear and
easily accessible information for all staff.
The maturity scoring of the technology aspect of cybersecurity among survey participants was
relatively high (3.2). At the global level this was a somewhat unpredicted result as one would
expect to see a greater range of technological maturity, particularly in comparisons across
healthcare organizations from high-, middle- and low-income health systems. The finding may
have been influenced by the nature of the healthcare organizations that took part, including the
relatively high number of private healthcare facilities in the sample. These organizations may
not be representative of the typical public healthcare facilities and the health technologies
found within their national health system. As there is currently no published data comparing
cybersecurity among healthcare organizations globally, multilateral organizations such as the
World Health Organization (WHO) should consider generating data on cybersecurity in future
work on eHealth and mHealth, such as the WHO Global Survey on eHealth which was last
published in 2016 [14].
Further work is also required to identify stages of technological development in healthcare at
the global level in order to devise applicable cybersecurity preparedness strategies that take
into account the digital technology used and how it can best be kept secure, including
considerations of medical device manufacture and associated security standards.
Development of cybersecurity within a wider healthcare and legislative context
The maturity analysis found that regulation and governance were the two aspects where
participants had the strongest cybersecurity mechanisms in place. Notably, of the six aspects
of cybersecurity, regulation and governance are largely controlled externally to the healthcare
facility or controlled at the healthcare facility’s highest level, making them largely upstream
measures of cybersecurity preparedness. As such, a major consideration going forward is how
the regulatory and healthcare context in which healthcare organizations exist, as well as the
cybersecurity governance mechanisms of organizations, can feed into healthcare institutions,
both in terms of guiding targeted and systematic cybersecurity scale-up, but also in developing
a culture of cybersecurity.
Of course, this is not a simple task. Rather, it is one that requires multi-sector coordination and
collaboration across the health system, and across sectors and specialties [15,16]. A first step
could be to clearly define the roles of the relevant stakeholders with regard to the organization
itself, including its assets (financial and human resources), systems and business processes,
and users and patients, but also the wider health and cybersecurity landscape. This wider
landscape may include advisory and reporting bodies, medical device manufacturers and other
external stakeholders with a direct relationship to the cybersecurity of the healthcare
organization. Once a stakeholder map exists, an assessment of the current and future cyber
requirements, and the responsible stakeholder for adherence to such requirements, can be
undertaken. Through this process a commonality of language must be a priority, alongside open
and transparent sharing of best practices between healthcare organizations. Such organizational
level collaboration will advance best practice and expertise in developing cybersecurity policy
in the healthcare setting.
Conclusion
Multiple recent examples of the detrimental effect of cyber-attacks on healthcare institutions
have shown cybersecurity to be a fundamental patient safety concern. This study found that
healthcare organizations have made some progress in developing organizational cybersecurity
at the global level, but cybersecurity maturity remains patchy and requires further development
in nearly all global settings. Healthcare cybersecurity preparedness requires urgent scale up
and policy development to provide a better understanding of the wider healthcare and
legislative context, to facilitate multi-sector collaboration and improve cybersecurity in
healthcare. As cyber-attacks become more sophisticated, affecting multiple organizations and
systems across national and geographic areas, a global approach to developing effective and
cost-efficient cybersecurity across all healthcare settings is vital.
References
[1] Ghafur S, Fontana G, Martin G, et al. Improving Cyber Security in the NHS [online]. Institute of Global Health Innovation, Imperial College London; 2019. Available from: https://www.imperial.ac.uk/media/imperial-college/institute-of-global-health-innovation/Cyber-report-2020.pdf
[2] Joint Learning Network. Using Health Data to Improve Universal Health Coverage: Three Case Studies. 2018; Joint Learning Network for Universal Health Coverage, PATH, Wipro Ltd.
[3] Ghafur S. & Schneider, E. Why Are Health Care Organizations Slow To Adopt Patient-Facing Digital Technologies [online]? Health Affairs blog; 2019: 10.1377/hblog20190301.476734
[4] Martin G, Martin P, Hankin C. et al. Cybersecurity and healthcare: how safe are we? BMJ. 2017; 358: j3179.
[5] Jalali MS & Kaiser JP. Cybersecurity in Hospitals: A Systematic, Organizational Perspective. J Med Internet Res. 2018 May 28; 20(5): e10059.
[6] World Health Organization (WHO). WHO reports fivefold increase in cyber-attacks, urges vigilance [press release]. World Health Organization; 2020. Available from: https://www.who.int/news-room/detail/23-04-2020-who-reports-fivefold-increase-in-cyber-attacks-urges-vigilance
[7] Global Cyber Security Capacity Centre. Cybersecurity Capacity Maturity Model for Nations (CMM) Revised Edition (online). University of Oxford; 2016. Available from: https://cybilportal.org/wp-content/uploads/2020/05/CMM-revised-edition_09022017_1.pdf
[8] Humphrey WS. Characterizing the software process: a maturity framework. IEEE Software; 1988, 5(2): 73-79.
[9] Rothrock RA, Kaplan J, Van Der Oord F. The Board's Role in Managing Cybersecurity Risks. MIT Sloan Management Review; 2018, 59(2): 12-15.
[10] Ghafur S, Kristensen, S, Honeyford K. et al. A retrospective impact analysis of the WannaCry cyberattack on the NHS. npj Digital Medicine; 2019, 2(98): https://doi.org/10.1038/s41746-019-0161-6
[11] Nieva VF & Sorra J. Safety culture assessment: a tool for improving patient safety in healthcare organizations. BMJ Quality & Safety; 2003, 12: ii17-ii23.
[12] Kweon E, Lee H, Chai S et al. The Utility of Information Security Training and Education on Cybersecurity Incidents: An empirical evidence. Inf Systems Frontiers; 2019.
[13] Pfleeger S & Caputo D. Leveraging Behavioral Science to Mitigate Cyber Security Risk, Computers & Security; 2012, 31(4): 597-611.
[14] World Health Organization. Global Diffusion of eHealth: making universal health coverage achievable. Report of the third global survey on eHealth. 2016; World Health Organization. Available from: https://www.who.int/goe/publications/global_diffusion/en/
[15] Nazli C, Madnick S & Ferwerda J. Institutions for Cyber Security: International Responses and Global Imperatives. Information Technology for Development; 2013, 20(2): 96–121.
[16] Ghafur S, Grass E, Jennings NR, Darzi A. The challenges of cybersecurity in health care: the UK National Health Service as a case study. The Lancet Digital Health; 2019, 1(1): E10-E12.
Table 1: Country classification and organization type of participant organizations

Country classification                              Total n (%)
High income                                         11 (64.70)
Low- and Middle-income                              6 (35.29)
Total                                               17

Organization type                                   Total n (%)
Public Hospital/Medical Center                      3 (17.6)
Private Hospital/Medical Center                     3 (17.6)
Faith-based Hospital/Medical Center                 1 (5.9)
National, Federal or Regional Ministry of Health    3 (17.6)
Non-Governmental Organization (NGO)                 3 (17.6)
Research Institution                                1 (5.9)
Other                                               3 (17.6)
Total                                               17
Table 2: Maturity score by region and dimension
| Region | Maturity score |
|---|---|
| African Region | 2.7 |
| Eastern Mediterranean Region | 1.7 |
| European Region | 3.4 |
| Region of the Americas | 2.8 |
| South-East Asia Region | 3.7 |
| Western Pacific Region | 3.7 |

| Dimension | Maturity score |
|---|---|
| Regulation | 3.5 |
| Technology | 3.2 |
| Governance | 3.2 |
| Resilience | 3.1 |
| Education | 2.6 |
| Awareness | 2.5 |
Figure 1: Reported impacts of the most serious cyber-attack in the previous 12 months (top)
and self-reported organizational effectiveness scores (bottom)
[Figure 2: bar chart, axis scale 0 to 16, responses Yes / No / Don't know. Items: Budget increased in previous 12 months; Dedicated budget for cybersecurity; Cybersecurity training available for Board/leadership; Member(s) of Board/leadership responsible for cybersecurity; Cybersecurity on Board/leadership agenda.]
Figure 2: Reported organizational leadership and funding for cybersecurity
Appendix
Appendix A: Characterization of the stages of cyber maturity
The definitions below are taken from the Cybersecurity Capacity Maturity Model for Nations (CMM).
Start-up: At this stage either no cybersecurity maturity exists, or it is very embryonic in nature.
There might be initial discussions about cybersecurity capacity building, but no concrete
actions have been taken. There is an absence of observable evidence at this stage.
Formative: Some features of the aspects have begun to grow and be formulated, but may be
ad-hoc, disorganized, poorly defined – or simply “new”. However, evidence of this activity
can be clearly demonstrated.
Established: The elements of the aspect are in place, and working. There is not, however,
well-thought-out consideration of the relative allocation of resources. Little trade-off
decision-making has been made concerning the “relative” investment in the various elements
of the aspect. But the aspect is functional and defined.
Strategic: Choices have been made about which parts of the aspect are important, and which
are less important for the particular organisation or nation. The strategic stage reflects the fact
that these choices have been made, conditional upon the nation or organization's particular
circumstances.
Dynamic: At this stage, there are clear mechanisms in place to alter strategy depending on the
prevailing circumstances such as the technology of the threat environment, global conflict or a
significant change in one area of concern (e.g. cybercrime or privacy). Dynamic organisations
have developed methods for changing strategies in stride. Rapid decision-making, reallocation
of resources, and constant attention to the changing environment are features of this stage.
Source: Global Cyber Security Capacity Centre. Cybersecurity Capacity Maturity Model for
Nations (CMM) Revised Edition (online). University of Oxford; 2016. Available from:
https://cybilportal.org/wp-content/uploads/2020/05/CMM-revised-edition_09022017_1.pdf