Case Studies in the Socio-technical Analysis of Cybersecurity Incidents: Comparing Attacks on the UK NHS and Irish Healthcare Systems


Abstract

Cybersecurity in health care is a complex socio-technical problem. In a critical infrastructure context, like hospitals, the risks of cyberthreats do not result from technical vulnerabilities alone but also from the degradation of working practices over time. This paper argues that organizational and operational vulnerabilities, together with governance structures, create a pressing need for systematic socio-technical risk analysis for the cybersecurity of healthcare organizations. Yet current risk analysis methodologies are not designed to detect these kinds of systemic risks. We address these problems by using the System-Theoretic Accident Modeling Process (STAMP). In the first case study, the WannaCry cyberincident on the UK National Health Service (NHS), we applied the STAMP method to identify socio-technical factors related to the incident. Our analysis shows that the STAMP-based control taxonomies tend to be generic, which provides expressive power but also makes them hard to apply to the specific circumstances of a cyberincident. We have, therefore, integrated the US National Institute of Science and Technology (NIST) control taxonomies to provide the level of detail required to identify potential mitigations for the control failures identified using the STAMP approach. After WannaCry, governments around the world adopted national strategies to reduce future risks. However, ransomware threats have continued to emerge, including an attack on the Irish healthcare systems, our second case study. Our results show that integrating a more detailed taxonomy to support the higher-level STAMP analysis can increase consistency between analysts and enable direct comparisons between similar incidents.

Citation (APA)

Kaberuka, J., & Johnson, C. (2023). Case Studies in the Socio-technical Analysis of Cybersecurity Incidents: Comparing Attacks on the UK NHS and Irish Healthcare Systems. In Springer Proceedings in Complexity (pp. 375–387). Springer Science and Business Media B.V. https://doi.org/10.1007/978-981-19-6414-5_21
