Organizational Protection of Healthcare Data Against Malware and Phishing Scams: Legal and Ethical Practices Within Critical Infrastructure Security Framework

Authors

  • Abhishek Rajan

Keywords:

Digitalization, Malware, Phishing, Critical Infrastructure, CIA triad

Abstract

The rapid digitalization of healthcare organizations has not only improved clinical capabilities and patient outcomes but has also created a platform for data breaches, malware, and phishing campaigns against hospitals and other healthcare systems, which are a component of national critical infrastructure. This paper reviews the application of preventive measures for classified data and clinical systems within the healthcare environment. Based on the present literature, the study outlines the current threats and vulnerabilities within healthcare, such as ransomware, phishing-driven intrusions, and attacks targeting networked medical devices, including the Internet of Medical Things; reviews current security and privacy frameworks and conceptual models; and determines the extent to which contemporary practices are consistent with relevant health data protection laws, cybersecurity standards, and regulatory guidance. It also considers key ethical issues, including patient privacy, informed consent, secondary use of health data, staff monitoring, and the trade-off between stringent security controls and uninterrupted clinical care. The research develops a practical framework for healthcare organizations, treating them as critical infrastructure: it connects risk-based security tools (such as technical controls) with transparent governance, internal policies, legal and regulatory requirements, and built-in ethical design principles, thereby strengthening the protection of hospitals and other providers against data leaks, malware, and phishing attacks. The findings are expected not only to assist healthcare leaders, policymakers, and regulators in making informed investment decisions but also to refine legal frameworks and embed ethical practices that collectively improve the CIA triad (confidentiality, integrity, and availability) of healthcare services in an evolving cyber threat landscape.


Published

2026-01-21