Accessible and Inclusive Cyber Security: A Nuanced and Complex Challenge

Renaud, Karen; Coles-Kemp, Lizzie

doi:10.1007/s42979-022-01239-1

Cited by 16 publications

(17 citation statements)

References 93 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Quantifying the impacts of cyberattacks on health care organizations can be a challenge as many factors should be considered. Among these are limited data (as these data tend be self-reported, which can limit the accuracy of results), the methodologies used (whether they consider direct costs or both direct and indirect costs), the cost variation (as it depends on factors such as the type of attack, downtime, organization size, and value of compromised data), or the context (how these incidents affect the organization’s daily operations, patient safety, and public trust) [ 24 , 25 ]. Moreover, the ramifications of cyberattacks transcend economic impacts, and health outcomes should also be considered, which may be more difficult to measure and quantify compared to the financial costs of such incidents [ 23 ].…”

Section: Discussionmentioning

confidence: 99%

Economic Impact of a Hospital Cyberattack in a National Health System: Descriptive Case Study

Portela¹,

Nogueira-Leite²,

Almeida³

et al. 2023

JMIR Form Res

View full text Add to dashboard Cite

Background Over the last decade, the frequency and size of cyberattacks in the health care industry have increased, ranging from breaches of processes or networks to encryption of files that restrict access to data. These attacks may have multiple consequences for patient safety, as they can, for example, target electronic health records, access to critical information, and support for critical systems, thereby causing delays in hospital activities. The effects of cybersecurity breaches are not only a threat to patients’ lives but also have financial consequences due to causing inactivity in health care systems. However, publicly available information on these incidents quantifying their impact is scarce. Objective We aim, while using public domain data from Portugal, to (1) identify data breaches in the public national health system since 2017 and (2) measure the economic impact using a hypothesized scenario as a case study. Methods We retrieved data from multiple national and local media sources on cybersecurity from 2017 until 2022 and built a timeline of attacks. In the absence of public information on cyberattacks, reported drops in activity were estimated using a hypothesized scenario for affected resources and percentages and duration of inactivity. Only direct costs were considered for estimates. Data for estimates were produced based on planned activity through the hospital contract program. We use sensitivity analysis to illustrate how a midlevel ransomware attack might impact health institutions’ daily costs (inferring a potential range of values based on assumptions). Given the heterogeneity of our included parameters, we also provide a tool for users to distinguish such impacts of different attacks on institutions according to different contract programs, served population size, and proportion of inactivity. Results From 2017 to 2022, we were able to identify 6 incidents in Portuguese public hospitals using public domain data (there was 1 incident each year and 2 in 2018). Financial impacts were obtained from a cost point of view, where estimated values have a minimum-to-maximum range of €115,882.96 to €2,317,659.11 (a currency exchange rate of €1=US $1.0233 is applicable). Costs of this range and magnitude were inferred assuming different percentages of affected resources and with different numbers of working days while considering the costs of external consultation, hospitalization, and use of in- and outpatient clinics and emergency rooms, for a maximum of 5 working days. Conclusions To enhance cybersecurity capabilities at hospitals, it is important to provide robust information to support decision-making. Our study provides valuable information and preliminary insights that can help health care organizations better understand the costs and risks associated with cyber threats and improve their cybersecurity strategies. Additionally, it demonstrates the importance of adopting effective preventive and reactive strategies, such as contingency plans, as well as enhanced investment in improving cybersecurity capabilities in this critical area while aiming to achieve cyber-resilience.

show abstract

Section: Discussionmentioning

confidence: 99%

Economic Impact of a Hospital Cyberattack in a National Health System: Descriptive Case Study

Portela¹,

Nogueira-Leite²,

Almeida³

et al. 2023

JMIR Form Res

View full text Add to dashboard Cite

show abstract

“…populations". This results in a narrow picture of users that assumes they are fully abled, cognitively unimpaired, and have the necessary resources and required dexterity to interact with security systems [56]. Apart from recruitment, people with disabilities can effectively be excluded by the study designs, depending on the impairment.…”

Section: Inclusive and Accessible Security And Privacymentioning

confidence: 99%

“…Apart from recruitment, people with disabilities can effectively be excluded by the study designs, depending on the impairment. Lack of research and support can leave them more vulnerable in the realm of S&P [56], [72] -and may violate existing guidelines and regulations [72]. In 2017, Wang [72] advocated for a third wave of security research, aiming at designing S&P mechanisms "that are inclusive to people with various characteristics, abilities, needs and values".…”

Section: Inclusive and Accessible Security And Privacymentioning

confidence: 99%

“…Renaud finds that especially assistive technologies pose problems for security, as they are "designed to ease the usual web-related activities, not cyber security actions" and that "usability of cyber security mechanisms is not the same as usability of a web page" [55]. Extending this argument, Renaud & Coles-Kemp [56] argue to further take into account socio-economic and political factors, as users with disabilities are not only affected by inaccessible S&P mechanisms, "but also because they often struggle with depleted resources and capabilities together with less social, economic, and political resilience". While it is argued that accessibility may benefit people without disabilities as well [55], [69], it usually still holds a "medical disability perspective" [56].…”

Section: Inclusive and Accessible Security And Privacymentioning

confidence: 99%

“…Only the new WCAG 2.2 [70] (in draft) introduces the criterion for accessible authentication. Despite these existing guidelines, norms, and laws, researchers conclude that "for many, security measures are often exasperatingly inaccessible" [56]. To ensure the secure use of digital technologies for people with different abilities, an "inclusive approach to cybersecurity" is necessary [56] -especially as more and more products and services are moved online.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

“As Usual, I Needed Assistance of a Seeing Person”: Experiences and Challenges of People with Disabilities and Authentication Methods

Erinola,

Buckmann,

Friedauer

et al. 2023

2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

According to the World Health Organization, about 16% of the world's population live with a disability. While they could benefit from digital products and services, users with disabilities often face severe accessibility issues: tasks can only be completed with difficulty, a considerable investment of time, or with assistance of technologies or other people. Further, to access these products and services, they need to authenticate. The accessibility of authentication methods for users with disabilities has not been studied in depth. We use an accessible study design to conduct 13 semistructured interviews with people with physical, hearing, visual, cognitive, or multiple impairments to better understand the accessibility issues they face when using knowledge-or token-based, and biometric authentication. Our qualitative content analysis shows that none of the commonly available authentication methods is fully accessible to participants, causing them to abandon services or develop workarounds that reduce their own security and privacy. Our results also reveal the role of assistive technologies and human assistants in the authentication experience of users with disabilities. We conclude by encouraging fellow researchers and practitioners to reflect on assisted access when designing security mechanisms, to include people with disabilities using accessible study designs, and to keep in mind that accessible security is about more than usability -to further benefit users without disabilities as well.

show abstract

Privacy, Safety, and Security in Extended Reality: User Experience Challenges for Neurodiverse Users

Jones

Ghasemi

Gračanin

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Accessible and Inclusive Cyber Security: A Nuanced and Complex Challenge

Cited by 16 publications

References 93 publications

Economic Impact of a Hospital Cyberattack in a National Health System: Descriptive Case Study

Economic Impact of a Hospital Cyberattack in a National Health System: Descriptive Case Study

“As Usual, I Needed Assistance of a Seeing Person”: Experiences and Challenges of People with Disabilities and Authentication Methods

Privacy, Safety, and Security in Extended Reality: User Experience Challenges for Neurodiverse Users

Contact Info

Product

Resources

About