In May, a major cyberattack disabled clinical operations for nearly a month at Ascension, a health care provider that includes 140 hospitals across the U.S. Investigators tracked the problem to malicious ransomware that had infected an employee's computer.
Health care systems offer juicy targets for cybercrime because of the valuable personal, financial, and health data they hold. A 2023 survey of health information technology and IT security professionals reported that 88% of their organizations had experienced an average of 40 attacks during the previous year.
One key vulnerability has been the increasing complexity of their IT systems, says Hüseyin Tanriverdi, associate professor of information, risk, and operations management at Texas McCombs. It's a result of decades of mergers and acquisitions forming larger and larger multihospital systems.
"After a merger, they don't necessarily standardize their technology and care processes," Tanriverdi says. "The health system ends up having a lot of complexity, with different IT systems, very different care processes and disparate governance structures."
But complexity could also offer a solution to such problems, he finds in new research. With co-authors Juhee Kwon of City University of Hong Kong and Ghiyoung Im of the University of Louisville, he says that a "good kind of complexity" can improve communication among different systems, care processes, and governance structures, better protecting them against cyber incidents.
Complex vs. Complicated
Using data from 445 multihospital groups spanning 2009 to 2017, the team looked at the oft-repeated notion that complexity is the enemy of security.
They distinguished between two similar-sounding IT concepts that are key to the problem.
- Complicatedness is a large number of elements in a system that interconnect and share information in structured ways.
- Complexity occurs when a large number of elements interconnect and share information in unstructured ways — as when integrating systems after mergers and acquisitions.
Because complicated systems have structures, Tanriverdi says, it's difficult but feasible to predict and control what they'll do. That's not feasible for complex systems, with their unstructured connections.
Tanriverdi found that as health care systems got more complex, they became more vulnerable. The most complex systems — with the largest varieties of health service referrals from one hospital to another — were 29% more likely to be breached than average.
The problem, he says, is that such systems offer more data transfer points for hackers to attack, and more opportunities for human users to make security errors.
He found similar vulnerabilities with other forms of complexity, including:
- Many different types of medical services handling health data.
- Decentralizing strategic decisions to member hospitals instead of making them at the corporate center.
Setting Data Standards
The researchers also proposed a solution: building enterprise-wide data governance platforms, such as centralized data warehouses, to manage data sharing among diverse systems. Such platforms would convert dissimilar data types into common ones, structure data flows, and standardize security configurations.
"They would transform a complex system into a complicated system," he says. By simplifying the system, they would further lower its level of complication.
He tested the cybersecurity effects of creating such platforms. The result, he found, was that in the most complicated system, they would reduce breaches up to 47%.
Centralizing data governance reduces avenues for hackers to get in, Tanriverdi says. "With fewer access points and simplified and hardened cybersecurity controls, unauthorized parties are less likely to gain unauthorized access to patient data."
He recommends supplementing technical controls with stronger human ones, as well: training users in cybersecurity practices and better regulating who has access to various parts of the system.
Tanriverdi acknowledges a paradox in his approach. Investing in a new layer of technology may introduce more IT complexity at first. But in the long run, it's a good type of complexity that tames the existing — and more hazardous — kinds of complexity.
"Practitioners should embrace IT complexity, as long as it gives structure to information flows that were previously ad hoc," he says. "Technology reduces cybersecurity risks if it is organized and governed well."
"Taming Complexity in Cybersecurity of Multihospital Systems: The Role of Enterprise-wide Data Analytics Platforms" is published online in MIS Quarterly.
