Cybersecurity in health – disentangling value tensions
DOI | https://doi.org/10.1108/JICES-12-2018-0095 |
Date | 13 May 2019 |
Published date | 13 May 2019 |
Pages | 229-245 |
Author | Michele Loi, Markus Christen, Nadine Kleine, Karsten Weber |
Subject Matter | Information & knowledge management, Information management & governance, Information & communications technology |
Michele Loi and Markus Christen
Digital Society Initiative, University of Zurich, Zurich, Switzerland, and
Nadine Kleine and Karsten Weber
Institute for Social Research and Technology Assessment,
Ostbayerische Technische Hochschule Regensburg, Regensburg, Germany
Abstract
Purpose – Cybersecurity in healthcare has become an urgent matter in recent years due to various
malicious attacks on hospitals and other parts of the healthcare infrastructure. The purpose of this paper is to
provide an outline of how core values of the health systems, such as the principles of biomedical ethics, are in
a supportive or conflicting relation to cybersecurity.
Design/methodology/approach – This paper claims that it is possible to map the desiderata relevant to
cybersecurity onto the four principles of medical ethics, i.e. beneficence, non-maleficence, autonomy and
justice, and explore value conflicts in that way.
Findings – With respect to the question of how these principles should be balanced, there are reasons to
think that the priority of autonomy relative to beneficence and non-maleficence in contemporary medical
ethics could be extended to value conflicts in health-related cybersecurity.
Research limitations/implications – However, the tension between autonomy and justice, which
relates to the desideratum of usability of information and communication technology systems, cannot be
ignored even if one assumes that respect for autonomy should take priority over other moral concerns.
Originality/value – In terms of value conflicts, most discussions in healthcare deal with the conflict of
balancing efficiency and privacy given the sensitive nature of health information. In this paper, the authors
provide a broader and more detailed outline.
Keywords Ethics, Healthcare, Cybersecurity, Computer ethics, Bioethics, e-Health
Paper type Conceptual paper
1. Introduction
Recent global attacks such as the WannaCry ransomware attack in May 2017 had
considerable effects on the information and communication technology (ICT) infrastructure
of many healthcare providers, indicating that cybersecurity in healthcare is rather
underdeveloped compared to other domains such as the financial sector (ENISA, 2016).
What is the reason for this given that everybody agrees that health is an important value to
human beings and that health information is among the most sensitive information? We
suggest that one reason for this problem is the many values relevant for healthcare that are
often in a conflicting tension with the aim of cybersecurity, as shown in Figure 1. Although
one may claim that cybersecurity prevents damage from malicious attackers (i.e. supports
non-maleficence), enables the protection of privacy and in this way usually enables trust,
both moral (such as equality or care) and instrumental values (such as cost-effectiveness or
efficiency) can have a conflicting relation to cybersecurity. For example, cybersecurity
measures are costly and often effortful.
© Michele Loi, Markus Christen, Nadine Kleine and Karsten Weber. Published by Emerald Publishing
Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone
may reproduce, distribute, translate and create derivative works of this article (for both commercial and
non-commercial purposes), subject to full attribution to the original publication and authors. The full
terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
Received 3 December 2018
Revised 25 January 2019
Accepted 29 January 2019
Journal of Information, Communication and Ethics in Society
Vol. 17 No. 2, 2019
Emerald Publishing Limited
1477-996X
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1477-996X.htm
As an illustration, take the example of autonomy. When ICT is used in healthcare, it shall
be aimed at ensuring that patients themselves determine which information is revealed to
whom. Generally, password protection and encryption are common measures that are
maintained. However, in emergencies, when patients are no longer able to make this
decision, there is a risk that important medical information will not be accessible. Moreover,
it might be very helpful to widely share medically relevant patient information among
healthcare professionals to improve the quality and efficiency of treatment. Cybersecurity
can thus be both supportive for privacy (understood as an aspect of autonomy) and hinder
data sharing as a means for improving healthcare; therefore, it can be an obstacle to
beneficence.
To analyze this problem, our contribution aims to answer two questions.
Q1. Which values are relevant for the ethics of cybersecurity in health?
Q2. What is the relation between the values at stake in cybersecurity and the four
principles of medical ethics?
The analysis we offer relies on a conceptualization involving three classes of concepts:
(1) the principles of medical ethics;
(2) desiderata of ICT in health; and
(3) the instrumental role of cybersecurity in facilitating or hindering the achievement
of each of these three desiderata.
We begin our analysis with the role of cybersecurity in healthcare by distinguishing
between three types of threats based on the target of the attack: threats against information,
information systems and medical devices. In a fundamental sense, however, all attacks can
be described as threats to the confidentiality, integrity and availability of information
(Anderson, 1972; Voydock and Kent, 1983), including disrupting a system such that
information cannot be processed. These threats relate to four main functions of ICT systems:
improving the quality and efficiency of services, protecting confidentiality, enhancing
usability and protecting patients’ safety. Finally, the tensions of these four desiderata to the
principles of biomedical ethics are explained (Figure 2). While this involves a huge
simplification of the debate, it allows us to explain in a relatively simple manner the role of
[Figure 1. Relation of health domain values to cybersecurity. Diagram labels: Cybersecurity; Cost-awareness; Trust; Non-maleficence; Privacy; Equality; Innovation; Justice; Efficiency; Beneficence; Autonomy. Note: Green: supportive; red: in tension]