| dc.description.abstract |
In the face of escalating cybersecurity threats, tailored defense frameworks are imperative to safeguard patient data and ensure the continuity of critical healthcare services. This study pursues four primary objectives: (I) to identify and analyze evolving cybersecurity threats and challenges in the healthcare sector, (II) to establish cybersecurity strategies and countermeasures for healthcare organization systems, (III) to design and develop a cybersecurity framework specifically tailored for the healthcare sector, and (IV) to validate the cybersecurity framework within the healthcare sector. A comprehensive approach was adopted, commencing with a meticulous literature review of existing cybersecurity frameworks. Subsequently, qualitative research was conducted through interviews in key departments at Moi Teaching and Referral Hospital (MTRH), including the management of the HRIS, ICT, and Internal Audit departments. These departments serve as primary custodians of data governance systems, tools, and policies, providing insights into cybersecurity practices within the healthcare sector and elucidating both strengths and gaps. Identified gaps include inconsistencies in data access controls, insufficient real-time monitoring capabilities, and a lack of automated compliance monitoring mechanisms. Building upon these findings, a novel cybersecurity defense framework was meticulously crafted, incorporating elements from HL7 and the Kenya Health Act. Validation of the framework was conducted through a mixed-method approach, including questionnaires and interview schedules at MTRH. The positive responses obtained affirm the efficacy of the framework, underscoring its relevance in fortifying cybersecurity practices within the healthcare sector. Following the validation of the framework, recommendations were derived.
These recommendations include the implementation of fine-grained access controls to mitigate unauthorized data access, the enhancement of real-time monitoring systems to promptly identify and respond to cybersecurity incidents, and the integration of automated compliance monitoring tools to ensure adherence to industry regulations. Additionally, the study recommends ongoing training and awareness programs for healthcare staff to bolster cybersecurity awareness and adherence to best practices. Overall, this thesis contributes to advancing cybersecurity practices, ensuring secure and uninterrupted delivery of high-quality patient care amidst a hostile digital landscape. |
en_US |