Result: Band-aids and firewalls: A resource-based view of ransomware attack vulnerability in health care organizations.

Title:
Band-aids and firewalls: A resource-based view of ransomware attack vulnerability in health care organizations.
Source:
Health care management review [Health Care Manage Rev] 2026 Jan-Mar 01; Vol. 51 (1), pp. 54-65. Date of Electronic Publication: 2025 Nov 14.
Publication Type:
Journal Article
Language:
English
Journal Info:
Publisher: Lippincott Williams & Wilkins; Country of Publication: United States; NLM ID: 7611530; Publication Model: Print-Electronic; Cited Medium: Internet; ISSN: 1550-5030 (Electronic); Linking ISSN: 03616274; NLM ISO Abbreviation: Health Care Manage Rev; Subsets: MEDLINE
Imprint Name(s):
Publication: 2003- : Hagerstown, MD : Lippincott Williams & Wilkins
Original Publication: Germantown, Md., Aspen Systems Corp.
Contributed Indexing:
Keywords: Cybersecurity; data breach; digital transformation; health IT; ransomware
Entry Date(s):
Date Created: 20251117; Date Completed: 20251120; Latest Revision: 20251128
Update Code:
20251129
DOI:
10.1097/HMR.0000000000000463
PMID:
41247853
Database:
MEDLINE

Further information

Background: With the advance of digital health technology, health care organizations (HCOs) are tasked with balancing technological advances with the rising incidence of cyber threats. Despite the importance of robust Information Technology (IT) infrastructure, HCOs may be underinvesting in cybersecurity, prioritizing system integration and other operational needs.
Purposes: This study examines the threat of health information breaches and ransomware attacks via the resource-based view of the firm by examining the role of HCO resources in breaches.
Methodology/approach: A multivariate logistic regression analysis of a nationally representative sample of HCOs (N = 2,262) was executed on data provided by the Office for Civil Rights (2019-2024) and the American Hospital Association (2019).
Results: The study finds mixed evidence that resource availability influences the likelihood of a breach and ransomware attack. HCO centralization and teaching status were associated with a higher likelihood of reporting both a breach and a ransomware attack, whereas HCO size relates to a significant reduction. The study finds no support for the effectiveness of IT risk mitigation capacity.
Conclusion: The findings show that the incidence of breaches and ransomware attacks relates to HCO resource availability. Although the study finds no evidence that IT risk-mitigation capacity (IT staffing and expenditures) reduced the likelihood of breach or ransomware, this may be driven by the infrequency of these events.
Practical Implications: HCOs' understanding of their risk profile is limited, and there is a need for greater transparency in the incidence of ransomware attacks, in particular. There is a need for further examination of IT strategy and operations in an increasingly digital health care environment.
(Copyright © 2025 Wolters Kluwer Health, Inc. All rights reserved.)