A Qualitative Study that Examines the Transformational Factors that Prevent
Cybersecurity from Being a Funding Priority in Healthcare Organizations
By
Edward D. Young
Rossier School of Education
University of Southern California
A dissertation submitted to the faculty
in partial fulfillment of the requirements for the degree of
Doctor of Education
May 2024
© Copyright by Edward D. Young
All Rights Reserved
The Committee for Edward D. Young certifies the approval of this Dissertation
Anthony Maddox
Marc Pritchard
Monique Datta, Committee Chair
Rossier School of Education
University of Southern California
2024
Abstract
The sophistication and frequency of cybercrime in businesses worldwide have considerably
changed the landscape of IT security. Consequently, healthcare organizations face a significant
challenge in defending their IT infrastructure against cyberattacks and data breaches. Research
has shown that healthcare is one of the most targeted industries for cyberattacks, yet
cybersecurity programs are not adequately funded. To explicitly examine the phenomenon, the
Burke-Litwin change model was introduced to analyze transformational factors and reveal the
antecedent conditions to understand the dilemma better. The study sought to investigate the
relationship between mission and culture, leadership and vision, and the attitudes, perceptions,
and beliefs regarding the significance of cybersecurity in healthcare organizations. The study
employed a qualitative case study and interviewed 13 target participants. Narrative inquiry was
implemented to analyze the data. Data analysis revealed a relationship between transformational
factors (strategy, leadership, and culture) and the findings. The study denotes important
implications regarding organizational culture and change management about the de-prioritization
of cybersecurity. Recommendations for the study include the implementation of an identity
access management program (IAM), establishing a dedicated cybersecurity incident response
team (CIRT), adopting a defense-in-depth (DID) model, and utilizing artificial intelligence (AI)
and machine learning (ML) to combat the threat of cybercrime.
Keywords: cybersecurity, cybercrime, transformational factors, strategy, leadership,
culture, Burke-Litwin change model.
Dedication
To my wife Sonedia “Woodie” and my daughter Shania, I could not have achieved this goal
without your unconditional love and support. You are both my most ardent supporters and
inspire me to be the best version of myself. You remain my purpose and keep me focused.
Words cannot express my gratitude for believing in me even when I did not believe in myself.
And to my mother and dearly departed father, I hope I made you proud!
Acknowledgements
The only thing I have done alone is make unwise decisions, but enrolling in this program
has been transformative and life-altering. From the onset of this journey, I have been saddled
with self-doubt, uncertainty, and a severe case of imposter syndrome. In full disclosure, the fact
that I am writing my acknowledgments was unimaginable 3 years ago. If not for a chance
encounter with Dr. Pritchard, I may have focused my efforts on a problem of practice that merely
satisfied the course requirements but failed to inspire.
At the recommendation of a colleague, I scheduled a one-on-one session with Dr. Marc
Pritchard. Though I have never had the opportunity to take a course instructed by Dr. Pritchard,
that 1 hour working session changed my trajectory in the OCL program. Dr. Pritchard
masterfully guided me through concepts and helped solidify in 1 hour what I had been unable to
achieve in the previous 2 years, a problem of practice. In short, thank you, sir!
The second and likely single most important occurrence in my OCL journey is the
assignment of my dissertation chair, Dr. Monique Datta. I may be unable to articulate the
meaning of perfect, but Dr. Datta was my perfect dissertation chair. Dr. Datta challenged me but
was yet supportive. Dr. Datta held me accountable but always remained encouraging. Although
this path was fraught with traps and pitfalls, Dr. Datta's support and encouragement remained
strong. To the "nicest mean person" I have ever had the pleasure of meeting, thank you for
everything!
And to my mentor, confidant, and friend, Dr. Anthony Maddox. Words cannot express
what you mean to me. You have always been one of my most ardent supporters, and your belief
in me is unparalleled. I am only here because of you. Friendship is Essential to the Soul! Simply
put, thank you to the greatest dissertation chair and committee ever assembled!
Table of Contents
Abstract
Dedication
Acknowledgements
List of Tables
List of Figures
List of Abbreviations
Chapter One: Overview of the Study
  Background of the Problem
  Setting of the Study
  Purpose of the Study
  Significance of the Study
  Overview of Theoretical Framework and Methodology
  Definition of Terms
  Organization of the Study
Chapter Two: Review of the Literature
  Burke-Litwin Change Model
  Foundation of Burke-Litwin Change Model
  Burke-Litwin Change Model Applied
  The Surge in Cyberattacks During COVID-19
  Cyberattacks Impact on The Global Economy
  Cyberattacks Target Healthcare Sector
  Healthcare Systems in The United States
  Digital Transformation of the Healthcare Industry
  Increased Reliance on IoMT Devices
  The Exploitation of Vulnerabilities in Digital Technology
  Cybersecurity Posture in Healthcare Systems
  Capital Spending Priorities in Healthcare Sector
  Conceptual Framework
  Conclusion
Chapter Three: Methodology
  Research Questions
  Overview of Methodology
  Sample and Population
  Instrumentation
  Data Collection
  Data Analysis
  Credibility and Trustworthiness
  Ethics
  Summary
Chapter Four: Findings
  Participants
  Findings for Research Question 1
  Discussion for Research Question 1
  Findings for Research Question 2
  Discussion for Research Question 2
  Summary
Chapter Five: Discussion
  Findings
  Implications for Practice
  Recommendations
  Limitations & Delimitations
  Future Research
  Conclusions
References
Appendix A: Screening Survey
Appendix B: Interview Protocol
List of Tables
Table 1: Implementation of Burke-Litwin Change Model
Table 2: Participants Demographics
Table 3: Research Question 1 Themes
Table 4: Role Cost Plays in Decision-Making Responses
Table 5: No Perceived Value in Cybersecurity Responses
Table 6: No Return on Investment Responses
Table 7: Research Question 2 Themes
Table 8: Cybersecurity is a Perceived Barrier Responses
Table 9: Risk Tolerance Responses
Table 10: Reactive Culture Responses
List of Figures
Figure 1: Burke-Litwin Organizational Change Framework
Figure 2: Conceptual Framework: Transformational Factors Input-Throughput-Output
List of Abbreviations
DitM Drone-In-The-Middle
EHR Electronic Health Records
HIPAA Health Insurance Portability and Accountability Act
IoMT Internet of Medical Things
IoT Internet of Things
OD Organizational Development
Chapter One: Overview of the Study
To better understand why healthcare organizations do not prioritize cybersecurity as a
funding priority, it is important to uncover the impact COVID-19 had on healthcare systems
during the 2020-2021 pandemic. Cyberattacks on healthcare information technology (IT)
infrastructures surged during the pandemic, disrupting the healthcare industry worldwide. These
disruptions to healthcare delivery systems led to the acceleration of digital transformation,
enabling service providers to expand capacity during the pandemic (Casale et al., 2021).
Furthermore, the advent of medical technology created an integrated, connected healthcare
network with more patient-specific data, resulting in a patient-centric approach and improved
medical delivery system (Sen, 2019).
At the height of COVID-19, New York Presbyterian Hospital found that 54% of all
outpatient appointments reported were virtual visits (Casale et al., 2021). This phenomenon
amplified the incorporation of technology, and the Internet of Things (IoT) provided effective
automated solutions for healthcare providers, improving patient care, diagnosis of diseases, and
streamlined access to electronically protected healthcare data (ePHI). However, these
sophisticated technologies revealed vulnerabilities in the IT infrastructure, making healthcare a
prime target for cyberattacks and consequently increasing the cyberattack surface area (Kandasamy
et al., 2021). Cyberattacks can exploit an enterprise's cyberspace vulnerability to disrupt, disable,
maliciously destroy, or steal data information (National Institute of Standards and Technology,
2023). In addition, reports concluded that the healthcare industry trails behind other industries in
cybersecurity maturity, citing a weak security posture (Kandasamy et al., 2021).
The International Criminal Police Organization (INTERPOL) published a report in 2020
citing increased cyberattacks in the healthcare industry because of increased demand for clinical
care, medical equipment, and digital diagnostic tools (Muthuppalaniappan & Stevenson, 2020).
A survey of 223 healthcare providers revealed that 81% of the organizations reported data
breaches, and only half of the respondents felt confident about their ability to defend against
cyberattacks (Martin et al., 2017). Hawdon (2021) found that cyberattacks cost organizations
more than $6 trillion in 2021 and will exceed $10 trillion in losses by 2025 on the current trend.
Background of the Problem
The problem of why service providers continue to underfund cybersecurity as a budget
priority is a complex and multifaceted phenomenon. The healthcare industry is transforming
from paper-based processes to digital healthcare services, integrating new technologies into
existing healthcare IT infrastructures (Jahankhani & Kendzierskyj, 2019). The decision to
digitize medicine enabled healthcare providers to deliver precision-based medicine with quicker
diagnoses and instant access to medical history, resulting in improved patient outcomes
(Jahankhani & Kendzierskyj, 2019).
Consequently, integrating hospital IT infrastructures, accelerating digital medicine, and
using the Internet of Medical Things (IoMT) have amplified data creation, raising concerns about
the organization's capacity to manage sensitive electronic medical records securely (Stevens et
al., 2021). Moreover, the transmission and storage of sensitive data present security threats
around data protection, highlighting the provider's ability to defend against cyberattacks
(Jahankhani & Kendzierskyj, 2019). As a result, cybercrime spiked in 2021, costing the
healthcare industry $21 billion because of these cyberattacks (Sharma & Gahlot, 2023).
Furthermore, as the healthcare industry navigates the digital transformation and converts to
innovative cloud-based solutions and digital record repositories, data protection will continue to
present a security threat to IT infrastructures (Jahankhani & Kendzierskyj, 2019).
Another threat to healthcare systems is vulnerabilities regarding outdated or legacy IoT
and IoMT devices. A report concluded that 53% of the 300 hospitals possessed outdated legacy
IoT and IoMT devices containing critical cybersecurity threats (Sharma & Gahlot, 2022). Legacy
devices are outdated IT systems that use obsolete technology or hardware, cannot receive
software updates, and do not support current applications or technologies (National Institute of
Standards and Technology, 2023). The study evaluated over 10 million IoT and IoMT devices
for this report, concluding that intravenous pumps accounted for 38% of the total IoT and IoMT
medical device inventory, of which 73% of the intravenous pumps had at least one vulnerability
susceptible to the threat of a cyberattack (Sharma & Gahlot, 2022). Moreover, outdated legacy
IoT and IoMT devices can compromise medical devices, patient records, and monitoring
equipment and disable an entire healthcare IT infrastructure (Sharma & Gahlot, 2022). However,
outdated legacy IoT or IoMT devices use outdated or insecure software and hardware and,
therefore, cannot defend against new cyberattacks such as malware or ransomware, leaving
healthcare organizations ill-equipped to defend against cyber threats, putting the entire
organization at risk (Slabodkin, 2021).
In addition to the threat of data protection and outdated IoT and IoMT devices,
ineffective controls such as a lack of governance and oversight, nonexistent policies and
procedures, weak passwords, or the absence of a formalized cybersecurity plan have proven to be
barriers to bolstering the security posture of healthcare organizations (Arabo & Pranggono,
2021). Research has determined users to be the biggest threat to cybersecurity in healthcare
organizations, citing a deficiency of cybersecurity knowledge and a lack of comprehensive
security awareness training (Arabo & Pranggono, 2021; Sen, 2018). One study reported that
only 11% of healthcare surveyed performed annual security awareness training (Dugar, 2021).
Lastly, healthcare providers tend to take a reactionary approach, often underinvesting in
IT cybersecurity, opting to address the symptoms of cybercrime by providing interim results
instead of performing root cause analysis and developing long-term solutions (Dugar, 2021). In
2017, cyberattacks on the global market resulted in roughly $1 trillion in losses. However,
companies only invested $1 billion to combat the threat of cybercrime (Wirth, 2017). The
research has identified vulnerabilities and threats to healthcare systems, and viable solutions
designed to protect healthcare IT infrastructures are well documented. However, a research gap
exists as to why healthcare systems continue to underfund cybersecurity with knowledge of the
looming threat of cyberattacks.
Setting of the Study
The California Cancer Research Center (CCRC), a pseudonym used to protect the
identity of the organization, is a non-profit comprehensive cancer research center based in
California, with offices throughout the Southwest, Midwest, and Southeastern parts of the United
States. CCRC is a nationally recognized cancer research, treatment, and academic center revered
for its innovative approach to cancer research and treatment. With over 11,000 employees
company-wide, CCRC is one of the largest comprehensive cancer research centers in the United
States and ranked among the nation's "Best Hospitals" for over a decade.
The mission of CCRC is to transform healthcare through innovation and technology to
eradicate cancer. With a complex IT infrastructure integrating across different platforms, tools,
and technologies, CCRC possesses an excellent infrastructure to investigate further the problem
of why the healthcare sector is the most targeted industry for cyberattacks. However, service
providers continue to underfund cybersecurity as a budget priority.¹
¹ Information derived from organizational websites and documents not cited to protect anonymity.
Purpose of the Study
This case study explores how leaders in healthcare organizations perceive the influence
cost management and strategies have on decision-making regarding budget priorities for
cybersecurity. The two research questions guiding this study are:
1. What role does cost management play in prioritizing cybersecurity as a budget
priority?
2. What factors create barriers to implementing known cybersecurity responses that
lessen the impact of cyberattacks on healthcare systems?
Significance of the Study
The dissertation is important to the field of study because the digitization of healthcare
delivery systems will continue to integrate new technologies and digital solutions into existing IT
infrastructures, emphasizing the need for robust data protection to defend against the surge of
cyberattacks on the healthcare industry (Kandasamy et al., 2021). In addition, due to the rapid
growth of digital technologies utilized in hospitals, research indicates that 75% of healthcare
providers in the United States use a digital health record system (Stoumpos et al., 2023).
COVID-19 revealed that cyberattacks were able to expose vulnerabilities in inadequate data
security maintenance processes discovered throughout healthcare systems worldwide, making
hospitals prime targets for future attacks (Akhtar et al., 2022).
Additionally, evolving wireless connectivity to medical devices and cloud-based
solutions on healthcare systems create added channels for cybercriminals to exploit
vulnerabilities in the network, placing healthcare organizations at greater risk of cyberattacks
(Sethuraman et al., 2020). As a result, wireless connectivity and cloud-based solutions are now
susceptible to more sophisticated drone-in-the-middle (DitM) attacks, where cybercriminals
intercept communications between two devices, extracting and storing sensitive data remotely
(Akhtar et al., 2022). Before wireless connectivity, internal staff committed most data breaches;
however, interconnected devices enabled cybercriminals to execute cyberattacks remotely from
anywhere worldwide (Akhtar et al., 2022).
Lastly, healthcare technologies have extended to critical systems such as pacemakers,
defibrillators, drug infusion pumps, insulin pumps, and blood storage refrigerators (Akhtar et
al., 2022). However, these new technologies require the integration of wireless networks that
expose healthcare systems to additional threats of cyberattacks and data breaches (Stevens et al.,
2021). Although healthcare organizations were the most targeted industry for cyberattacks,
cybersecurity remains underfunded by healthcare providers (Kandasamy et al., 2021). Therefore,
healthcare providers must incorporate cybersecurity into the risk management process to
maintain patients' and the healthcare community's privacy, safety, and trust (Akhtar et al., 2022).
Overview of Theoretical Framework and Methodology
The study applied the Burke-Litwin change model to research the stated problem of
practice. Burke-Litwin is a causal model developed in 1992 by W.W. Burke and George Litwin,
grounded in open system theory (Boone, 2012). Moreover, the model examines the external
environment and transformational and transactional factors, which are divided into 12 individual
elements (Pruett, 2013). The 12 factors in the Burke-Litwin change model include external
environment, mission and strategy, leadership, culture, structure, management practices, systems,
work group climate, skills, individual needs and values, motivation, and organizational and
individual performance (Olivier, 2018). As a diagnostic tool, the Burke-Litwin change model
analyzes the root cause of organizational challenges and assigns the problem to one of the
corresponding factors (Stone, 2015). The Burke-Litwin change model is appropriate because the
data generated from the diagnosis applies to real-life organizational settings (Coleman, 2018).
The study analyzes transformational factors. Transformational factors are a subset of the
Burke-Litwin model, driven by the external environment, which has the biggest impact on
organizational change, effectiveness, performance, and productivity (Burke, 2002; Cameron &
Whetten, 2013; Grant & Osanloo, 2014).
Definition of Terms
This section defines key concepts and terms discussed throughout this study.
Cyberattacks refer to exploiting vulnerabilities in an enterprise's cyberspace to disrupt,
disable, maliciously destroy, or steal data information (National Institute of Standards and
Technology, 2023).
Cybercrime is the use of a computer to attack vulnerabilities in an organization's IT
infrastructure with the intent to commit fraud, steal an individual's identity, take financial
information, or violate policies (Martin et al., 2017).
Cybersecurity safeguards computer networks and sensitive data against breaches or
malicious attacks (Branley & Coventry, 2018).
Data breaches refer to unauthorized access to a network or computer system intending to
steal sensitive data, confidential records, or financial data (Branley & Coventry, 2018).
Digital transformation refers to the transformation of an industry from the on-premises
pen-and-paper method to technology and cloud-based solutions (Jahankhani & Kendzierskyj,
2019).
The Internet of Medical Things (IoMT) refers to interconnected medical devices connected to
healthcare via the Internet (Sharma & Gahlot, 2022).
The Internet of Things (IoT) refers to the interconnection of technology, equipment, and
devices via the Internet (Stevens et al., 2021).
Drone-in-the-middle (DitM) attacks intercept communication between two devices,
enabling cybercriminals to extract and store sensitive data remotely (Akhtar et al., 2022).
Legacy devices are outdated IT systems that use obsolete technology or hardware, cannot
receive software updates, and do not support current applications or technologies (National
Institute of Standards and Technology, 2023).
Phishing attacks are cyberattacks that deceive recipients into clicking on a malicious
link engineered to steal sensitive data (Kandasamy et al., 2022).
Ransomware is a subset of malware that blocks users' access, locking a system and
denying users access to data unless the cybercriminals are paid a ransom (Kandasamy et al.,
2022).
Organization of the Study
The study organizes the research into five chapters. Chapter One introduces the problem
of practice, providing an overview of the study. This chapter includes the background of the
problem, study setting, research questions, theoretical framework, the significance of the study,
and key definitions. Chapter Two offers an in-depth literature review of the external factors,
mission and strategy, leadership, and culture to understand better why healthcare organizations
fail to prioritize cybersecurity as a funding priority while being the most targeted industry for
cyberattacks. Chapter Three describes the qualitative research design, data collection methods,
research protocols, and target participants. Chapter Four presents the results of the qualitative
analysis of the research study. Lastly, Chapter Five includes recommendations for future
research considerations and a conclusion.
Chapter Two: Review of the Literature
The following literature review examines the digitization of medicine through the lens of
the Burke-Litwin change model. Furthermore, Chapter Two analyzes the unintended
consequences of digital transformation in the healthcare industry. Subsequently, the chapter
provides a foundational overview of the Burke-Litwin change model and applies the theoretical
framework to this setting. Additionally, the literature reviews the surge in cyberattacks during
COVID-19 and the impact cyberattacks had on the global economy, highlighting how healthcare
systems became the most targeted industry for cyberattacks during the pandemic. Moreover, the
literature examines the United States' healthcare systems and the healthcare industry's
digitization.
Conversely, the chapter discusses the increased reliance on IoMT devices in the medical
field, the exploitation of digital technologies, and the cybersecurity posture of healthcare systems
(Stevens et al., 2021). After that, the literature examines the capital spending priorities in the
healthcare sector. Next, the literature explores the conceptual framework (transformational
factors), a sub-set of the Burke-Litwin change model, which analyzes the problem of practice.
Finally, Chapter Two investigates how the mission, strategy, leadership, and culture impact the
decision to underfund cybersecurity in healthcare organizations.
Burke-Litwin Change Model
The field of organizational development utilizes models to frame what is occurring in an
organization. As such, the Burke-Litwin change model is a comprehensive data-driven
diagnostic change management framework that identifies and links factors critical to successful
change initiatives (Coleman, 2018). The model establishes a cause-and-effect relationship
between different variables, enabling the framework to predict behavior and organizational
performance (Martins & Coetzee, 2009). The Burke-Litwin change model diagnoses
organizational problems and formulates change management strategies suited for the company
(Burke, 2017). The continuous feedback loops between the external environment and
transformational and transactional factors will drive change management initiatives and
determine organizational performance (French et al., 2021). The interconnected factors play a
significant role in improving governance, business reliance, and continuous improvement and are
a functional tool for modeling organizational change (Filej et al., 2009).
There are 12 elements to the Burke-Litwin change model, starting with the external
environment (Olivier, 2017). First, the external environment (e.g., politics, regulations, market
trends, emerging technologies) is a key factor outside an organization that impacts
transformational factors most (Martins & Coetzee, 2009). The second element of the BurkeLitwin change model is transformational factors (e.g., mission and strategy, leadership, culture),
including leadership behaviors, strategic planning, and an organization's values and norms that
guide decision-making (Burke & Litwin, 1992). Finally, transactional factors (e.g., structure,
instructional practices, systems, team climate, individual skills and task requirements, individual
needs and values, and motivation) represent the day-to-day business operations that affect
organizational performance and effectiveness (French et al., 2021).
These 12 interconnected factors interact, providing continuous feedback loops
characterized as input-throughput-output with external factors representing input,
transformational and transactional factors representing throughput, and the output representing
organizational performance (Coleman, 2018). Changes to transformational factors alter an
organization's entire ecosystem, causing changes to the structure and systems. Conversely,
changes to transactional factors likely result in continuous improvement and incremental
organizational change (Burke, 2017). The Burke-Litwin change model is a useful guide to
facilitating organizational change and provides leaders with a tool to drive change initiatives
(Latta, 2009).
Foundation of Burke-Litwin Change Model
The conceptual framework of the Burke-Litwin change model is rooted in a foundation of
organizational development to understand organizational challenges. As a result, Burke W.
Warner and George Litwin gave birth to one of the most significant organizational change
management frameworks, which professional consultants utilize to this day. Burke and Litwin
were industrial psychologists renowned for their work in organizational development. While at
Michigan University, George Litwin was interested in researching the impact motivation had on
performance and centered his work around Dave McClelland's theory of needs (Burke & Litwin,
1992). McClelland theorized that three permanent needs (achievement, affiliation, and power)
drive motivation, and prioritization of the needs predicted individual behavior (Pardee, 1990).
Litwin and Stringer (1970) continued the research on motivation and performance, subsequently
developing the organizational climate change theory framework.
Litwin later partnered with Burke to create the Burke-Litwin change model grounded in
organizational climate theory (Burke, 2017). Litwin believed that an employee's psychological
properties or motivation could change by altering environmental conditions in the workplace,
such as organizational structure, systems, and leadership (Coruzzi, 2021). Organizational climate
theory looked at culture as a social system and tried to distinguish between the variables
influenced by climate and those influenced by culture to predict motivation and performance
(Burke & Litwin, 1992).
The Burke-Litwin change model also implemented elements of general systems theory,
an open-system framework (Burke, 2017). Ludwig von Bertalanffy developed general systems
theory in 1936 and theorized that systems have interrelated parts that can adapt to internal
changes and self-correct through feedback loops between the external environment and
interrelated parts of the system (Pouvreau, 2013). Climate theory and general systems theory
would later become the impetus for the Burke-Litwin change model (French et al., 2021). To
summarize, Burke and Litwin, accomplished organization change consultants, developed the
Burke-Litwin change model (Burke & Litwin, 1992). The Burke-Litwin change model is a
causal model grounded in open system theory (Martins & Coetzee, 2009).
Furthermore, the model operates on a continuous feedback loop driven by the external
environment (Pouvreau, 2013). Therefore, the Burke-Litwin model is a diagnostic tool for
examining the interconnected factors driving organizational performance (Coruzzi, 2021). As
such, applying the Burke-Litwin change model helps define the problem.
Burke-Litwin Change Model Applied
Application of the Burke-Litwin change model requires a skilled practitioner to
implement the complex framework. Moreover, the Burke-Litwin framework is a causal model
that starts by focusing on the external environment, which is the input to an organization. To that
point, fluctuations in the external environment are often the driving force behind organizational
change, either planned or unplanned, intentional or unintentional, or a matter of organizational
survival (Johnson, 2004). Moreover, change is specific to each organization and attempts to align
the company's current state to external factors such as changing market demands (Walker et al.,
2007). As such, proven change management strategies increase the likelihood of successfully
implementing change management initiatives (Jones & Harris, 2014); however, change
management initiatives require effective organizational diagnosis prior to implementation
(Hassin, 2010).
Burke (2017) refers to the preliminary organizational diagnoses as the prelaunch phase.
The initial diagnosis of the Burke-Litwin change model takes a multidimensional approach and
assesses all factors that impact organizational performance (Martins & Coetzee, 2009). During
the diagnostic phase, surveys collect data for the corresponding transformational or transactional
factors, assigning the problem areas to the appropriate stakeholders (Boone, 2012).
Subsequently, the model seeks to identify the need and urgency for the change initiative to
evaluate the organization's appetite and readiness for the change (Mento et al., 2002).
In addition, a clear vision and direction will serve as the organization's call to action
designed to achieve support for the change (Carton et al., 2023). Because of this, executive
leadership must develop and support a strategic plan outlining the goals, objectives, milestones,
and timelines (Altamony et al., 2016). Thus, an executive sponsor or change agent must
communicate the need for change effectively and strategically to increase employee buy-in
(Barrett, 2002). Furthermore, the Burke-Litwin change model outlines the necessity to
effectively manage resistance and negative employee reactions by developing strategies that
address emotional intelligence and build self-efficacy (Gazley & Kissman, 2015).
Hence, to sustain the change initiative once fully implemented, critical behaviors become
reinforced and normalized throughout the organization (Burke, 2008). During this phase,
executive leadership must continually communicate the vision with clarity, reemphasize the
necessity for the change, look for opportunities to find common ground, and reshape the
organizational culture to maintain commitment from the workforce (Fusch et al., 2020). Lastly,
the organization must identify a successor to replace the change agent, monitor progress, and
sustain the change (Burke, 2017). During this final, crucial phase, executive leadership reinforces
employee behaviors, new rules, and practices through continuous assistance and support
(Ting-Ting, 2006). Table 1 reflects the steps to implement the Burke-Litwin organization change
model.
To summarize, the Burke-Litwin framework is a causal model based on open system
theory and studies the relationship between the external environment, transformational factors,
transactional factors, and the drivers for organizational performance or change. Furthermore, the
research will examine the external factors in the context of cyberattacks during COVID-19.
Figure 1 reflects the Burke-Litwin organizational change model.
Figure 1
Burke-Litwin Change Model
Note: from “Burke-Litwin Change Model” by D.A. Noumair, 2018, Springer Link,
(https://link.springer.com/referenceworkentry/10.1007/978-3-319-52878-6_34).
Table 1
Implementation of the Burke-Litwin Change Model
| Steps | Task | Approach |
|---|---|---|
| 1 | Diagnose the problems | Surveys |
| 2 | Create sense of urgency | Must have an urgent need for the change |
| 3 | Clear vision and direction | There must be a clear plan for the change |
| 4 | Outline goals and objectives | Goals, tasks, and milestones mapped |
| 5 | Communicate need for change | Need for change communicated to organization |
| 6 | Manage resistance | Handle objections, present value proposition |
| 7 | Sustain change | Reinforce critical behaviors and desired outcomes |
| 8 | Identify successor | Identify new champion to drive change |
Note: Adapted from “Organization Change: Theory and Practice,” by W.W. Burke, 2017, SAGE
Publications, (Organization Change: Theory and Practice - W. Warner Burke - Google Books).
Copyright 2018 by SAGE Publications, Inc.
The Surge in Cyberattacks During COVID-19
Healthcare had to combat COVID-19 and address the surge in cyber-attacks on
healthcare systems during the pandemic. Moreover, COVID-19 disrupted the global economy,
impacting business operations worldwide, subsequently increasing reliance on online
videoconferencing platforms, network technologies, digital supply chains, and hybrid workforces
(Borrion et al., 2020). Consequently, the overreliance on digital technologies utilizing less secure
internet connections revealed vulnerabilities in information systems that cybercriminals
exploited (Chigada & Madzinga, 2021). In addition, the increased online activity exposed IT
infrastructures to a larger attack surface, resulting in a surge in cybercrime during the pandemic
(Bahl et al., 2021), with phishing attacks becoming the most common form of cyberattack
(Nimmy et al., 2022). Phishing attacks mimic legitimate entities through email to retrieve
sensitive customer data (Aleroud & Zhou, 2017). According to the Verizon Data Breach
Investigation Report (DBIR), customer emails exceeded 293 billion in 2019, with over 30% of
all data breaches resulting from phishing attacks, a trend predicted to continue (Shahbaznezhad
et al., 2021).
Another form of harmful cyberattack that has surged since the onset of COVID-19 is
malware (Aslan & Samet, 2020). Malware is malicious software that attacks computing systems
and IT infrastructures to steal data or gain unauthorized data access (Sayadi et al., 2021).
Malware is ever-evolving and categorized into different subsets of malicious software, with
ransomware, distributed denial of services (DDoS), and WannaCry ransomware being the
common forms of malware attacks that have become prevalent since the pandemic (Al-rimy et
al., 2018).
Ransomware is an increasing cyberattack threat to organizations that has only increased
in severity, frequency, and sophistication since COVID-19 (Silva et al., 2019). Ransomware is
one of the most harmful forms of malware, which uploads malicious software, forcing victims to
pay a ransom in exchange for encrypted data (Zhang et al., 2019). Ransomware presents a major
threat to information systems because recovery of encrypted data is impossible without an
encryption key, resulting in considerable damage to organizations (Kim et al., 2022).
DDoS is another ransomware that floods servers or websites with internet traffic,
overwhelming systems and denying access to legitimate users (Ficco & Palmieri, 2017). DDoS
attacks block internet connections and deplete resources, enabling cybercriminals to exploit
machines and networks (Akbanov et al., 2019). Due to the increase in cloud-based computing
during the pandemic, organizations reported a spike in DDoS attacks (Alashhab et al., 2022).
Cloud-based computing refers to the practice of utilizing computing resources and services via
the internet (Jiao et al., 2013). Moreover, because of the simplicity of deploying a DDoS attack,
this malware is a popular intrusion technique for cybercriminals (Virupakshar et al., 2020).
Lastly, WannaCry is another sophisticated ransomware that spreads through interconnected
computing systems using a worm component designed to encrypt files on the hard drive
(Akbanov et al., 2019). WannaCry is one of the most harmful ransomware variants due to how
rapidly the virus can propagate across networks without user interaction (McDonald et al., 2022).
WannaCry was responsible for one of the worst cyberattacks in 2017, affecting approximately
230,000.00 computers globally and crippling computer systems in over 150 countries (Mohurle
& Patil, 2017).
In short, cybercriminals exploited vulnerabilities in emerging technologies, resulting in
the theft of sensitive data, such as medical records, subsequently disrupting computer networks
and making data unavailable. In addition, the financial impact of cyberattacks has cost the global
economy billions of dollars in reported losses, which the study discusses further in the next
section.
Cyberattacks Impact on the Global Economy
Cybercrime has evolved into a lucrative underground economy that targeted the most
vulnerable IT infrastructures during the pandemic. The effects of COVID-19 not only threatened
healthcare organizations but severely impacted economic systems worldwide (Seshaiyer &
McNeely, 2020). In addition, cyberattacks surged during the pandemic, disrupting supply chains,
international trade, and business operations, resulting in substantial financial losses to the global
economy (Perera et al., 2022). Moreover, cybercrime has grown in scale and complexity,
becoming a very lucrative industry (Tweneboah-Kodua et al., 2018).
According to a 2021 ransomware study, approximately 37% of global organizations
reported cyberattacks by a ransomware variant, resulting in roughly $412 million in payouts to
cybercriminals (Pak et al., 2020). Additionally, McAfee reported that the global cost of
cybercrime increased from $445 billion in 2014 to $600 billion in damages in 2017 (Neyret,
2020). Emsisoft (2020) analyzed the cost of cyberattacks in 10 countries, concluding that the
estimated costs for ransomware demands exceeded $25 trillion, exceeding $42 billion in
downtime expenses. To that point, the United States dollar (USD) has lost an estimated $114
billion yearly due to cybercrime, which includes payouts and costs associated with remediation
and recovery efforts (Smith et al., 2019).
Additionally, cyberattacks accounted for $445 billion in losses for global markets,
adversely impacting returns on cryptocurrency (Sanusi & Dickason-Koekemoer, 2022), and
exceeded $600 billion in losses for organizations worldwide (Monteith et al., 2021). Moreover,
Wade (2021) projects that cybercrime damages to organizations will exceed $6 trillion globally
by 2021. Lastly, studies project that approximately 45% of companies will be victims of supply
chain cyberattacks, with an estimated cost of roughly $10.5 trillion in losses due to cybercrime
by 2025 (Ene, 2023). Cybercrime has significantly impacted the global economy, resulting in
substantial financial losses to industries worldwide. Due to the profitability of cybercrime,
hackers will continue to target industries with data-rich environments. Consequently, healthcare
has become the most targeted industry by cybercriminals due to the value of sensitive patient
data. As a result, cyberattacks targeting healthcare have surged.
Cyberattacks Target Healthcare Sector
Cybercrime in healthcare is an ever-present challenge that is financially and operationally
debilitating to healthcare organizations and has become a focus for cybercriminals.
Consequently, cyberattacks increased exponentially during COVID-19, targeting healthcare
systems worldwide (Gourd, 2021). Cybercrime has become a growing threat to healthcare
providers, impacting billing, scheduling, critical care services, and patient care (Ghafur et al.,
2019). For example, between 2013 and 2014, cyberattacks on healthcare systems increased by
72% (Gomez & Konschak, 2015). Thus, the healthcare industry had the highest per capita cost
per data breach (Health Sector Cybersecurity Coordination Center, 2019). In addition, Tenable
analyzed public breach disclosures and discovered that healthcare was the most targeted industry
for cyberattacks, with nearly eight million records exposed to cybercriminals in 2020 (Mace,
2021). To that point, healthcare is a desirable target for cybercriminals due to the value of patient
data on the online black market (Offner et al., 2020). Cybercriminals can monetize the dark web
by selling sensitive patient data such as social security numbers, birth certificates, and driver's
licenses, resulting in a lucrative black-market industry (Swasey, 2020).
Most notably, in May of 2015, Anthem Blue Cross reported a data breach of 80 million
patient and employee records (Balbi, 2015). Subsequently, cybercriminals were able to gain
unauthorized access to Anthem's parent company's system using administrator credentials to
access sensitive data (Shankar & Mohammed, 2020). Consequently, Anthem received fines under
HIPAA and lawsuits due to the breach (Storace, 2020). Additionally, Anthem agreed to pay
$39.5 million to attorneys general, $16 million in regulatory violation fees, and a $115 million
settlement to the affected individuals (Mensik, 2020). Moreover, Anthem’s $115 million
settlement remains one of the largest payouts ever for a consumer data breach (Swinhoe, 2019).
Similarly, San Diego-based Scripps Health also fell victim to a cyberattack in May 2020,
where cybercriminals stole the sensitive data of 150,000 patients, impacting business operations
(Hamilton-Basich, 2021). Specifically, four hospitals, including two trauma centers, went offline,
and all inbound ambulance traffic closed for four days (Sagarra, 2021). In addition, the attack on
the IT infrastructure was debilitating, forcing the hospital to resort to pen-and-paper processes
(Paxton, 2021). According to the literature, the cyberattack on Scripps Health resulted in $113
million in lost revenue, with more losses expected in the form of a class action lawsuit filed on
behalf of the patients (Gourd, 2021; Liss, 2022).
Comparatively, cybercriminals targeted the University of Vermont Health Network 5
months later, impacting access to all servers and clinical systems (Nelson et al., 2021).
Malware infected over 5,000 network computers, resulting in a loss of internet connectivity,
email communications, and clinical services (Dyrda, 2020). The University of Vermont Health
Network furloughed 300 employees until network systems were fully operational (Ades et al.,
2022). More importantly, the University of Vermont Health Network reported approximately
$1.5 million per day in lost revenue during recovery and a total financial impact exceeding $63
million (Perry et al., 2023). Comparatively, cyberattacks on healthcare systems in the United
States have increased by 60% since 2019 (Byrne, 2021), with an annual global cost for
ransomware attacks exceeding $20 billion in 2020 (Cornish & McClintock, 2022).
Hackers have become more sophisticated at acquiring sensitive data and patient
information for financial gain (Offner et al., 2020). Healthcare organizations remain a prime
target for cybercriminals (Mace, 2021). Accordingly, cyberattacks on healthcare systems surged
during the pandemic, resulting in significant financial losses and disruption to patient care
(Sagarra, 2021). Therefore, the research will analyze healthcare systems in the United States to
examine emerging trends contributing to understanding the phenomenon.
Healthcare Systems in The United States
The United States healthcare system is one of the most complex systems in the world.
Inherently, healthcare in the United States has evolved from rudimentary medicine to large
conglomerate healthcare systems designed to promote, restore, and maintain health (Fillmore,
2001). Healthcare systems are organizations or institutions that deliver preventive, promotive,
curative, and rehabilitative medical services (Closser et al., 2022). The American Health
Association (2023) suggests two types of health systems: a single diversified system containing
one primary hospital and several post-acute healthcare organizations and a multihospital system
comprising multiple hospitals within its network. With over 200 hospitals nationwide and a
patient net revenue of over $48 billion, HCA Healthcare is the largest healthcare system in the
United States (Falvey, 2023).
Furthermore, the United States has five primary healthcare systems: government-sponsored
health insurance programs, non-profit community hospitals, for-profit hospitals,
voluntary insurance programs, and employer-sponsored plans (Toth, 2016). According to the
2021 Health Insurance Coverage in the United States report, 91.4% of Americans retained
medical insurance, with 66% opting for for-profit or private insurance (Keisler-Starkey & Bunch,
2020). Moreover, the United States spent 16.9% of the gross domestic product (GDP) on
healthcare, with a per capita health spending of roughly $10,000, more than any other developed
country (Tikkanen & Abrams, 2020).
However, the literature revealed that the capital investment in healthcare by the United
States had not yielded improved patient outcomes, nor has it reduced rising healthcare costs (Jee
& Kim, 2013). Accordingly, the healthcare delivery system must be redefined to accommodate a
rapidly changing healthcare environment focused on improved patient outcomes and
technological innovation (Vega et al., 2019). As such, healthcare organizations are undergoing
rapid digital transformation, improving efficiency and patient care quality (Scott et al., 2019). In
addition, emerging digital technologies must continue strengthening healthcare organizations by
changing the landscape of healthcare delivery systems in the United States, providing
value-based healthcare, and improving patient outcomes (Ridic et al., 2012).
The United States healthcare system is a complex integrated network of providers,
payers, and patients receiving care. Furthermore, the United States does not offer universal
healthcare; healthcare financing is a hybrid system of government-funded, privately funded, and
out-of-pocket healthcare services (Toth, 2016). Thus, healthcare systems are constantly evolving
to meet the changing needs of providers, payers, and patients. Fittingly, digital transformation in
healthcare has streamlined delivery systems. Therefore, the next section of this research study
will discuss digital transformation in healthcare.
Digital Transformation of the Healthcare Industry
Healthcare is an ever-evolving system that needs to adapt to the market's changing needs
and customer base. As a result, digital transformation has enabled healthcare systems to adopt
cutting-edge technology to advance patient care and offer digitized medicine (Kraus et al., 2021).
Consequently, COVID-19 accelerated the urgency of the digital transformation in the healthcare
industry to maintain business continuity and provide services to patients during the global
pandemic (Kruszyńska-Fischbach et al., 2022). The digitization of healthcare has been profound
and will significantly impact healthcare systems moving forward (Ricciardi et al., 2019).
Furthermore, digital technology transforms healthcare into more flexible and adaptive delivery
systems with advanced capabilities (Ghosh et al., 2023). Digital transformation refers to adopting
digital technologies to create new or modify existing methods by replacing manual or non-digital
processes with digital solutions (Verhoef et al., 2021). Thus, digital transformation is critical in
improving patient care and quality of service, cost reduction, and controlling risk (Kitsios &
Kapetaneas, 2022).
Hence, emergent technologies have shaped healthcare delivery systems, streamlining
communication between healthcare providers, increasing access to information, enabling virtual
tracking and monitoring, and improving patient outcomes (Dionisio, 2022). Additionally,
healthcare organizations are leveraging digital technologies to provide innovative solutions such
as electronic health records (EHR), e-health services, virtual medicine, and IoMT to improve
healthcare delivery (Stoumpos et al., 2023). According to a study conducted by Deloitte,
approximately 65% of healthcare organizations increased their usage of digital technologies
following the pandemic to meet the changing demands of the healthcare industry (Raimo et al.,
2023).
Additionally, most healthcare systems deploy some form of customer-facing technology,
enabling service providers to offer virtual medicine as an alternative to in-person visits (Khuntia
et al., 2021). The increased usage of digital technologies and internet devices, such as IoT, has
led to what the literature refers to as the digital revolution (Kraus et al., 2021), which is
transforming healthcare management and traditional healthcare systems (Seror, 2002). Although
healthcare organizations have made progress in digitizing their delivery systems, the healthcare
industry still trails behind other sectors undergoing digital transformations (Alt & Zimmermann,
2021).
In summary, the digital transformation in healthcare has revolutionized delivery systems
by incorporating digital technologies that streamline communication and offer alternative digital
medicine (Ghosh et al., 2023). In addition, digitized medicine enabled healthcare providers to
sustain business operations during COVID-19 (Dionisio, 2022). Furthermore, adopting IoMT
ushered in a new era of smart devices, subsequently improving patient outcomes (Stoumpos et
al., 2023).
Increased Reliance on IoMT Devices
The increased reliance on IoMT technology has revolutionized the healthcare industry.
As such, the digital transformation in healthcare has redesigned delivery systems, leading to a
surge in digital medicine and the integration of the IoMT (Lakhan et al., 2021). IoMT devices
and applications played a vital role during COVID-19, enabling healthcare systems to provide
remote healthcare and patient monitoring during the pandemic (Samuel et al., 2023). Intuitively,
IoMT is revolutionizing the healthcare industry, enabling providers to offer personalized
patient-centric healthcare and around-the-clock virtual monitoring (Papaioannou et al., 2022). IoMT is a
collection of smart medical devices and applications, including wearable devices, mobile
devices, sensor-enabled hospital beds, infusion pumps, medical equipment, medical tracking
systems, and smartwatches that communicate over a network connecting physicians to their
patients remotely (Toor et al., 2020).
Furthermore, smart healthcare systems based on IoMT have resulted in quicker disease
diagnosis, real-time patient monitoring, and improved patient care (Tiwari & Sharma, 2022).
Therefore, IoMT devices and applications provide viable solutions to offset the rising costs in
healthcare by reducing the workload of hospitals and physicians (Razdan & Sharma, 2022).
Unsurprisingly, the Gartner Report predicts that the utilization of IoMT devices and applications
in healthcare systems will reach upwards of one trillion by 2025 (Garg et al., 2022).
However, IoMT devices produce large amounts of sensitive patient data, and the devices
themselves have weak security controls, making the emerging technology more susceptible to
security and privacy breaches (Kuma et al., 2022). Predictably, IoMT devices have become the
target of sophisticated multisector cyberattacks (Liaqat et al., 2020). Consequently, cyberattacks
on IoMT devices can disrupt the device's or application's operations, resulting in serious injury or
even loss of life (Narang et al., 2023). Lastly, the benefits of IoMT devices are undeniable, but
the threats surrounding data security will become more commonplace as more IoMT devices
integrate into the hospital ecosystem (Joyia et al., 2017). To summarize, the digital
transformation in healthcare has resulted in a surge in the utilization of IoMT devices (Lakhan et
al., 2021). Additionally, delivery systems can offer real-time monitoring, improved drug
management, increased patient engagement, remote medical assistance, better chronic care
management, and improved health outcomes (Papaioannou et al., 2022). Hence, implementing
cloud-based solutions has inadvertently broadened the attack surface for cybercriminals (Kuma
et al., 2022). Consequently, cybercriminals have exploited vulnerabilities in digital technology,
resulting in a surge in cyberattacks (Warfield, 2021).
The Exploitation of Vulnerabilities in Digital Technology
The emergence of digital technology in healthcare delivery systems has resulted in
improved patient outcomes. However, there are increased security challenges due to
vulnerabilities in digital technologies exploited by cybercriminals (Chigada & Madzinga, 2021).
Therefore, the accelerated deployment of innovative cloud-based solutions and interconnected
medical devices in healthcare systems during COVID-19 improved patient care and
inadvertently increased the attack surface for cybercriminals (Global Security Insights Report,
2021). Furthermore, employees transitioned to a hybrid workforce model, presenting additional
security threats due to unprotected personal Wi-Fi networks utilized to access healthcare
databases (Lynley, 2022). In 2021, healthcare organizations experienced, on average, 1410
cyberattacks per week, an 86% increase from the prior year (Express Computer, 2023).
Additionally, the widespread usage of remote desktop access technology exposed
healthcare IT infrastructures to software vulnerabilities targeted by cybercriminals (Warfield,
2021). As a result, cyberattacks on remote access networks increased by 786% in 2020 (Ndichu
et al., 2020). Thus, cybercriminals exploit vulnerabilities in electronic health record systems,
resulting in costly data breaches (Pilla et al., 2023). According to the CI Security Report, the
number of breached patient data records increased by 180% in 2020 (Shinkman, 2021).
Lastly, medical devices with outdated software or poor security design remain one of the
biggest threats to healthcare security (Lundin, 2023). For example, researchers concluded that
approximately 83% of magnetic resonance imaging (MRI) and mammogram machines were
operating on outdated Windows software with unpatched known vulnerabilities (Global Security
Insights Report, 2021). Therefore, legacy operating systems with discontinued hardware and
outdated software that are incompatible with current technologies expose healthcare systems to
vulnerabilities that cybercriminals can exploit and remain a threat to healthcare organizations
(Williams & Woodward, 2015).
To summarize, the digitization of healthcare has drastically improved delivery systems by
offering real-time patient monitoring, automated delivery of medicine, remote assistance via
telemedicine, streamlined workflows, and improved patient engagement (Papaioannou et al.,
2022). However, the reliance on interconnected smart devices has increased the attack surface
for cybercriminals by exploiting vulnerabilities in emerging technologies (Bahl et al., 2021). As
a result, cyberattacks on healthcare systems have increased exponentially since the onset of the
pandemic (Aslan & Samet, 2020). Consequently, combining digital technologies and legacy
systems in healthcare organizations increases the likelihood that cybercriminals will continue to
exploit vulnerabilities in healthcare IT infrastructures (Sharma & Gahlot, 2022). As a result,
healthcare systems must bolster their cybersecurity posture to defend against the onslaught of
cyberattacks. Therefore, the next section will discuss the cybersecurity posture of healthcare
systems.
Cybersecurity Posture in Healthcare Systems
A robust cybersecurity posture enables healthcare systems to build resilience, lessen the
impact of a cyberattack, and increase the likelihood of recovery. To combat the surge in
cyberattacks targeting healthcare systems, the United States Congress enacted the Cybersecurity
Information Sharing Act of 2015 (Panetta & Schroth, 2015). The Cybersecurity Information
Sharing Act of 2015 was a set of guidelines and industry best practices to reduce cyber risks to
healthcare organizations (Redhead, 2018). However, despite the efforts to implement
cybersecurity practices and programs, healthcare organizations continue to experience data
breaches (Sabillon, 2018). In addition, healthcare organizations lack the cybersecurity expertise
to implement safeguards for emerging technologies deployed into healthcare systems (Coventry
& Branley, 2018). Furthermore, 92% of executive leadership surveyed by Black Book Research
indicated that cybersecurity was not a major agenda item at board meetings (Howard & Harris,
2019).
Consequently, due to an underinvested IT infrastructure, limited resources, and
fragmented governance, healthcare systems need a stronger security posture (Martin et al., 2017).
As a result, SecurityScorecard ranked the healthcare industry ninth out of 18 industries assessed
due to its poor cybersecurity posture (SecurityScorecard Report, 2020). SecurityScorecard is a
third-party enterprise risk management company that assesses an organization’s infrastructure,
policies, procedures, and security controls to assign a cybersecurity risk rating and provide
recommendations (Sumanthkuluru, 2021). Therefore, security experts recommend that
healthcare organizations continue to build resilience by adopting a comprehensive cybersecurity
framework to defend against cyberattacks (Zarocostas, 2021).
In addition, the literature suggests investing in antimalware software, upgrading the IT
firewalls, enhancing security policies and procedures, encrypting all computers, and conducting
annual security awareness training to bolster the organization's security posture (Lavine, 2020).
In short, the scourge of cybercrime has inspired legislators to enact legislation to combat the
threat of cyberattacks in the healthcare sector (Panetta & Schroth, 2015). However, despite this
effort, healthcare systems continue to fall victim to cybercrime (Sabillon, 2018).
Moreover, the surge in cyberattacks highlights the necessity for a strong security posture
in healthcare systems. Consequently, healthcare organizations do not prioritize cybersecurity in
capital spending, resulting in a poor IT security posture (Martin et al., 2017). Furthermore,
capital spending priorities for healthcare systems focus on investing in infrastructure but lag
behind other industries in IT security (SecurityScorecard Report, 2020; Stewart, 2012).
Capital Spending Priorities in the Healthcare Sector
Capital spending priorities in the healthcare sector look for cost reduction opportunities
by focusing on land and building improvements. Consequently, healthcare systems lost an
average of $50.7 billion monthly during COVID-19 (Kaye et al., 2021). Naturally, the cost of
healthcare spiked; however, healthcare spending was trending upward prior to the pandemic
(Gallet & Doucouliagos, 2017; Regan, 2022). The World Health Organization (WHO) also
reported a 6% average growth rate for healthcare expenditures but only a 4% economic growth
rate for the same period (Ćwiklicki et al., 2021). Furthermore, the United States funds the most
expensive healthcare system in the world, spending more per capita on health care than any other
developed nation (Barer & Bryan, 2018). As a result, the United States spent $4.3 trillion on
healthcare spending in 2021, which accounted for approximately 20% of the gross domestic
product (Li et al., 2023).
Hence, the literature reports that 97% of capital spending in large healthcare systems was
allocated for investments in infrastructure and moveable capital equipment (Stewart, 2012).
Additionally, projections estimate that healthcare will spend roughly $136 billion on IoMT
technology by 2021 (Faddis, 2018). Conversely, less than 6% of healthcare spending is on
cybersecurity, which is nearly half of what the finance industry spends on IT security (Wirth, 2018).
However, waste in healthcare systems is eliminating the wealth created by other industries
(Girod et al., 2018).
Consequently, estimates project that healthcare systems will spend one-third of their
operating budget on waste by 2027 (Regan, 2022). To that point, the United States spends, on
average, between $760 billion and $935 billion annually on healthcare waste, approximately
25% of total healthcare spending (Shrank et al., 2019). Thus, the waste in healthcare spending is
greater than the 2019 United States defense budget (Khatri, 2021). Furthermore, healthcare
systems allocate most of their spending toward treatment instead of prevention because medicine
adopts an acute care paradigm (Murphy et al., 2018). However, digital transformation has
provided solutions to reduce waste and increase efficiency, but healthcare organizations need to
embrace digitized medicine to reverse the trend of rising costs in delivery systems (Hermes et al.,
2020). Therefore, the research seeks to analyze the causal relationship between transformational
factors in healthcare systems and the decision to underfund cybersecurity through the lens of the
conceptual framework.
Conceptual Framework
The Burke-Litwin change model is the theoretical framework that will provide the
foundation of the research and underline the assumption for the conceptual framework. The
conceptual framework that will drive this study is transformational factors. Transformational
factors are a subset of the Burke-Litwin change model, grounded in open systems theory (French
et al., 2021). Moreover, transactional factors are a causality framework that examines the
relationship between mission, strategy, leadership, and culture and the impact those underlying
factors have on organizational performance and change (Latta, 2009). For this purpose, the
research will analyze the cause-and-effect relationship between transactional factors and the
decision not to make cybersecurity a funding priority in healthcare organizations (Cooper, 2015).
More specifically, the research will examine the causal relationship between culture,
strategy, and leadership to diagnose the underlying barriers that prevent healthcare systems from
adequately funding cybersecurity and bolstering the security posture of IT infrastructures (Stone,
2015). The research will also examine the relationship between the external environment (e.g.,
digital transformation, market trends, and cyberattacks) and transactional factors to better
understand the phenomenon (Coruzzi, 2020). Figure 2 visualizes the causal relationship between
the conceptual framework and transformation factors.
Figure 2
Conceptual Framework: Transformational Factors Input-Throughput-Output
Note: Adapted from “Organization Change: Theory and Practice,” by W.W. Burke, 2017, SAGE
Publications, (Organization Change: Theory and Practice - W. Warner Burke - Google Books).
Copyright 2018 by SAGE Publications, Inc.
Conclusion
The Burke-Litwin change model is an open system framework that explains the causality
of an organizational phenomenon by performing a deep diagnosis of the problem (Burke, 2008).
As such, healthcare organizations are open systems because they depend on continuous input
from the external environment (Scott & Davis, 2015). Furthermore, when applied in a healthcare
setting, the Burke-Litwin model will uncover the complexities of healthcare systems by
examining the causal relationship between the external environment and transformational factors
within healthcare organizations (Cooper, 2015). As a result, the study will examine the external
environment through the context of the COVID-19 pandemic, digital transformation, and the
surge in cyberattacks.
Therefore, the study seeks to analyze the cause-and-effect relationship between the
digitization of healthcare systems and the surge in cyberattacks on healthcare organizations
(Kruszyńska-Fischbach et al., 2022; Mace, 2021). More specifically, the research aims to
understand why healthcare is the most targeted industry for cyberattacks yet trails behind other
industries when investing in cybersecurity (Gourd, 2021; Wirth, 2018). Consequently,
cyberattacks on healthcare systems will continue (Ndichu et al., 2020). For this purpose, it is
important to study budget priorities in healthcare to address the issue of poor security posture
and underfunding of cybersecurity in healthcare organizations (Silva et al., 2019).
Chapter Three: Methodology
Chapter Three establishes the research design for the study. The study examines the
relationship between transformational factors (e.g., mission and strategy, leadership, and culture)
and the decision not to prioritize cybersecurity as a funding priority in healthcare organizations.
The chapter begins with a review of the research questions, followed by the overall design,
sample, and population. Next, the study outlines data collection approaches and data analysis
techniques. Finally, the chapter concludes with a review of validity and reliability, ethics, and a
summary.
Research Questions
This study explores how leaders in healthcare organizations perceive the influence cost
management and strategies have on decision-making regarding budget priorities for
cybersecurity. The two research questions guiding this study are:
1. What role does cost management play in prioritizing cybersecurity as a budget
priority?
2. What factors create barriers to implementing known cybersecurity responses that
lessen the impact of cyberattacks on healthcare systems?
Overview of Methodology
This section outlines the overall methodological design and research approach adopted
for the study. Research design illustrates the strategy researchers utilize to conduct research,
formulate the problem, and meet the study's objectives (Sileyew, 2019). Comparatively, research
approaches are procedures utilized to collect, analyze, and interpret data collected throughout the
research (Creswell & Creswell, 2018). Qualitative, quantitative, and mixed methods are
commonly utilized research approaches (Strijker et al., 2020). For this purpose, a qualitative
research design guided this study. Qualitative research aims to understand a phenomenon by
collecting non-numerical data to gain insight into the organizational problem (Merriam &
Tisdell, 2016).
Additionally, qualitative research is flexible, enabling the researcher to build new theories
based on the lived experiences of the individual (Williams, 2007). Furthermore, researchers can
apply various strategies to a qualitative design, including narrative research, phenomenological
research, grounded theory, ethnography, and case study (Merriam & Tisdell, 2016). Thus, the
research design adopted a narrative inquiry research method for this study. Narrative inquiry
enables the researcher to study the lived experiences of the individual, subsequently producing
data in the narrative form (Butina, 2015). Moreover, narrative inquiry lends a voice to
marginalized groups, providing a deeper insight into the problem (Nolan et al., 2018).
Therefore, purposeful sampling and semi-structured interviews are the methodological
approaches incorporated to collect narrative data for the study. Purposeful sampling is a non-probability sampling design intended to select specific participants with in-depth knowledge of
the phenomenon (Patton, 2015). Conversely, semi-structured interviews allow the researcher to
explore the participant's thoughts, feelings, and beliefs and identify reoccurring themes (Adams,
2015). In summary, a qualitative research design utilizing purposeful sampling and semi-structured interviews is the methodological design adopted for this study.
Sample and Population
The sampling method utilized to collect data for this study is purposeful sampling.
Qualitative researchers widely utilize purposeful sampling because the approach is ideal for
overcoming limited resources and time constraints (Merriam & Tisdell, 2016). Furthermore,
purposeful sampling is a non-probability sampling technique designed to gain an in-depth
understanding of the phenomenon of interest (Benoot et al., 2016). Purposeful sampling enables
the researcher to generate new conceptual insights into the problem by studying information-rich
cases (Patton, 2014). Therefore, the selection criteria require individual participants who can
contribute to understanding the phenomenon of the study (Kalu, 2019).
The research clearly defined the criteria for selection to gain greater insight into why
cybersecurity is not a funding priority in healthcare organizations. By establishing criteria for
selection ahead of time, prescreening determines which participants meet the criteria (Creswell
& Creswell, 2018). As such, participants are required to meet the following criteria: (a) certified
IT professional with a minimum of 5 years of leadership experience in healthcare IT security; (b)
experience building out complex IT infrastructures for decentralized healthcare systems; (c)
experience managing multi-million-dollar IT infrastructure budgets for nonprofit healthcare
organizations; (d) proficient with industry-standard cybersecurity tools and applications; (e)
familiar with cyber security risk assessments; (f) proficient with National Institute of Standards
and Technology (NIST) 8053 framework, and (g) employed as a full-time employee or
consultant for a nonprofit healthcare organization.
As a result, the recruitment of participants was essential to the efficacy of the research
(Mason, 2017). Hence, the recruitment strategy implemented a four-pronged recruitment
approach for the study, which included (a) identifying the target population, (b) determining
sample size, (c) selecting sample strategy, and (d) sample sourcing (Robinson, 2014). The target
population focused on IT professionals currently employed by CCRC in the United States. They
are chief information officer, technical officer, executive director, director, sr. manager, or
manager. In addition, the target population works remotely or on-premises. Finally, the
participant is employed by CCRC or contracted by the organization to provide IT infrastructure,
cyber operations, or information security services. Therefore, all participants were prescreened
via an online survey or by way of screening phone calls to validate the suitability of the
participants (Chandler & Paolacci, 2017).
Similarly, sample size or reaching saturation is a critical component of qualitative
research (Hennink et al., 2017). Sample saturation is important to assess the data's rigor and
adequacy and capture the data's diversity and depth (Hennink & Kaiser, 2022). For this purpose,
the research design targeted 13 participants to participate in the study. Moreover, the research
design adopted purposeful sampling as the sampling strategy for the data collection approach
(Patton, 2015). Thus, the study requires participants with comprehensive knowledge of the
phenomenon to provide information-rich data on the problem of practice (Robinson, 2014). As
such, qualified participants received reminder emails once validated.
Lastly, sample sources collected primary and secondary data (Ajayi, 2017). Primary data
is real-time data collected by the researcher, whereas secondary data is preexisting data designed
for an alternative study (Mesly, 2015). Given these points, using non-probability sampling will
recruit a specific population suitable for researching the study (Lopez & Whitehead, 2013).
Therefore, the research design requires standardized instruments to inject rigor into the data
collection methodology (Westmoreland et al., 2009).
Instrumentation
Research instruments are the tools utilized for data collection based on the type of
research study. Research instrumentation strategies include surveys, questionnaires, and
interviews (Maxwell, 2012). To that point, screening surveys and one-on-one interviews are the
approaches selected as the research instrumentation strategies for the study. Screening surveys
enable recruiters to identify qualified participants who meet specific selection criteria before
interviewing (Ridge et al., 2023). The benefits of screening surveys are that they help narrow the
pool of respondents to focus on the target population, which can provide rich data relevant to the
research (Kellen et al., 2010). In addition, there are three common types of interviews: (a)
structured, (b) unstructured, and (c) semi-structured (Stuckey, 2013). Structured interviews are
rigid and ask predetermined questions; respondents' responses tend to be similar (Adhabi &
Anozie, 2017). In contrast, unstructured interviews are organic and flexible but maintain less
validity and reliability than structured interviews (Chauhan, 2022). Conversely, semi-structured
interviews are a popular data collection strategy for qualitative research due to the flexibility and
versatility of the approach (Kallio et al., 2016). More specifically, semi-structured questions
allow for more detail and richness in the responses (Stuckey, 2013).
Therefore, the data collection methodology incorporated individual interviews utilizing
semi-structured open-ended questions. A semi-structured approach is appropriate for this study
because the interview protocol utilizes flexible wording and open-ended questions to collect
information-rich data specific to the phenomenon (Creswell & Creswell, 2018). Additionally,
colleagues piloted mock interviews to evaluate the quality and efficacy of the interview
questions. Hence, the interview protocol includes experience and behavior questions to
understand better leadership behaviors and actions, knowledge questions to gain insight into the
respondent's knowledge of the phenomenon, and background questions to gauge the respondent's
experience with the phenomenon studied. Lastly, the interview questions align with the
conceptual framework, providing data that answers the research questions guiding the study.
In short, unstructured interviews allow for detailed conversations, enabling researchers to
(a) collect crucial data from human research subjects, (b) minimize errors of misrepresentation in
the data collection process, and (c) justify the occurrence of a phenomenon (Bihu, 2020).
Therefore, a robust data collection design is critical to the success of a study because poorly
collected data results in poor outcomes (Oppong, 2013).
Data Collection
Data collection for the study adopts a four-pronged recruitment approach to pre-qualify
participants (Robinson, 2014). Therefore, 13 CCRC employees who meet the selection criteria
outlined in the screening surveys completed the qualitative interviews. The interview protocol
includes 13 semi-structured open-ended questions with corresponding probes (Merriam &
Tisdell, 2016). Interviews take, on average, from 45 to 60 minutes to complete.
Furthermore, data collection utilizes a synchronous video conferencing platform (Zoom
et al.) to conduct interviews and record the sessions. Additionally, Otter.ai captures verbatim
transcription by integrating the web-based solution with the video conferencing platform
(Merriam & Tisdell, 2016). Lastly, encrypted thumb drives stored the video and audio recordings
from the interviews. In addition, fire-retardant file cabinets, complete with lockable drawers and
six-digit passwords, housed the interview documentation. These security measures ensured the
confidentiality of the participants.
Accordingly, video conferencing platforms and automated transcription solutions
captured information-rich data through interviews. Moreover, security controls and safeguards
secured the data to protect the confidentiality of the participants. Therefore, data analysis
achieved trustworthiness by disclosing the methodology and consistently demonstrating
precision in the analysis (Merriam & Tisdell, 2016).
Data Analysis
Data collection alone will not answer research questions. Therefore, an effective data
analysis strategy facilitates the conversion of raw data into trustworthy results (LeCompte,
2000). The research adopts a sequential five-pronged data analysis methodology to analyze the
qualitative data. The sequential five-pronged data analysis approach implements the following
steps: (a) organize and prepare the data for analysis; (b) review and explore the data; (c) code
data into categories; (d) a general description of themes; and (e) representing the description and
themes (Creswell & Creswell, 2018). A five-pronged data analysis approach aids in validating
the findings and demonstrating the accuracy of the codes and themes (Creswell & Creswell,
2018). Through this process, validity and reliability ensured trustworthiness and rigor in the data
collection and analysis design (Roberts & Priest, 2006).
Credibility and Trustworthiness
Meticulous attention to validity and reliability demonstrates rigor in the research design.
Validity as a construct refers to the accuracy of a measurement, while reliability denotes the
consistency or repeatability of a measure (Kimberlin & Winterstein, 2008). Furthermore,
qualitative research design emphasizes the concepts of validity and reliability to enhance the
credibility and trustworthiness of research findings (Noble & Smith, 2015). Thus, ensuring
reliability and validity in the data analysis methodology is essential to producing beneficial
results (Sürücü & Maslakci, 2020). Therefore, the research incorporated strategies to build
qualitative rigor into the study design (Cypress, 2017). The four strategies adopted to enhance
validity and reliability are as follows:
1. Reflexivity: a critical self-reflection strategy that neutralizes the researchers’ impact
on the study by counteracting biases, priorities, and prior understandings (Boesch et
al., 2013; Gentles et al., 2014).
2. Mechanically recorded data: tool utilized to capture mechanically recorded data in a
naturalistic setting, thereby reducing researcher bias (Nordstrom, 2015).
3. Verbatim transcription: The data collection approach to capture word-for-word audio-recorded data adds accuracy and enhances data collection quality (Halcomb &
Davidson, 2006; Hill et al., 2022).
4. Quasi-statistics: qualitative research method to make non-precise numerical data
more precise and assesses the internal generalizability of collected data
(Bärnighausen et al., 2017; Maxwell & Chimel, 2014).
To summarize, validity measures the accuracy of a measurement, whereas reliability is
the degree to which research can produce consistent results (Kimberlin & Winterstein, 2008).
Therefore, building rigor in the research design enhances the credibility and trustworthiness of
the findings (Cypress, 2017; Noble & Smith, 2015). In addition, the research design adopted
various strategies (e.g., reflexivity, mechanically recorded data, verbatim transcription, and
quasi-statistics) to increase the accuracy, rigor, validity, and reliability of the results (Maxwell &
Chimel, 2014; Payne & Williams, 2005). Consequently, validity and reliability lose credibility if
the researcher fails to employ integrity and research ethics when conducting qualitative studies
(Patton, 2015).
Ethics
Conducting research, especially studies involving human subjects, requires strict
adherence to research ethics. Therefore, integrity is paramount when conducting qualitative
research (Dooly et al., 2017). Moreover, the federal government created policies, guidelines, and
codes of ethics when conducting research studies involving human subjects (Merriam & Tisdell,
2016). Thus, a fundamental moral requirement is to treat test subjects with respect and dignity
(Oliver, 2010). To that end, researchers must conduct research that analyzes potential risks and
benefits to the subject (Barrow et al., 2022).
As a result, the study incorporated the Belmont Report's guiding principles into the research
design. Moreover, the Belmont Report is an ethical guideline for research involving human
subjects (Sims, 2010). Thus, the research integrated the guiding principles of beneficence,
justice, and respect for persons into the study's design (Siemionow, 2019). The principle of
beneficence aims not to harm and seeks to increase potential benefits while reducing potential
risks for the subject (Miracle, 2016).
Conversely, the principle of justice seeks to provide equal treatment and fairness (Sims,
2010). The second principle also reveals the requirement of informed consent and the volunteer
nature of the subject's participation (Earl, 2020). Lastly, the third principle (respect for persons)
ensures that the participants have privacy and confidentiality (Tsosie et al., 2021). Equally
important, the subject can decide to discontinue the research at their discretion (Friesen et al.,
2017).
Ethical considerations are essential when conducting qualitative research involving
human subjects (Dooly et al., 2017). Therefore, researchers are responsible for protecting the
subjects from harm or exploitation (Barrow et al., 2022; Oliver, 2010). By building ethics into
the research design, the subject's best interest remained at the forefront of the study (Earl, 2020;
Sims, 2010). Accordingly, research was conducted with honesty, fairness, and care, thereby
increasing the quality of the findings (Barrow et al., 2022; Merriam & Tisdell, 2016; Patton,
2015; Siemionow, 2019).
Summary
The study sought to uncover why healthcare organizations prioritize cybersecurity as
something other than a funding priority. As a result, qualitative research utilizing narrative
inquiry was the methodological approach adopted for the research design. As such, a narrative
inquiry method was appropriate to answer the research questions and generate new theories
based on the participants' lived experiences (Williams, 2007). Conversely, the research design
adopted purposeful sampling to identify and select information-rich cases from the target
population (Benoot et al., 2016). Accordingly, the target population was IT professionals
residing in the United States currently employed by CCRC. In addition, semi-structured
qualitative interviews employing open-ended questions served as the instrumentation for the
study (Patton, 2015). Lastly, encrypted thumb drives secure the mechanically recorded data and
transcription.
Chapter Four: Findings
This study explores how leaders in healthcare organizations perceive the influence cost
management and strategies have on decision-making regarding budget priorities for
cybersecurity. The Burke-Litwin change model served as the theoretical framework that
underlined the assumptions for the conceptual framework. The conceptual framework that
guided this study was transformational factors. Transformational factors are a subset of the
Burke-Litwin change model grounded in open theory that examines the relationship between
mission, strategy, leadership, and culture (French et al., 2021). Data analysis produced six
findings: cost-based decision-making, no perceived value in cybersecurity, no return on
investment, cybersecurity perceived as a barrier, risk tolerance, and reactive culture. The findings
mapped to transformational factors and revealed relationships to the individual components of
the conceptual framework (mission and strategy, leadership, and culture). Most notably,
participant responses suggested a relationship between mission and strategy.
Similarly, no perceived value in cybersecurity or no return on investment was mapped to
strategy. Conversely, cybersecurity was perceived as a barrier, and reactive culture revealed a
relationship to organizational culture. Lastly, risk tolerance was mapped to leadership.
Additionally, the chapter presents participant information and findings collected from narrative
data analysis gathered from semi-structured interviews. The two research questions guiding this
study are:
1. What role does cost management play in prioritizing cybersecurity as a budget
priority?
2. What factors create barriers to implementing known cybersecurity responses that
lessen the impact of cyberattacks on healthcare systems?
Participants
Participants for this qualitative research study included 11 full-time employees and two
contractors currently employed by a non-profit healthcare organization in the greater Los
Angeles area. Participants varied in gender, racial identity, and work experience, but all
possessed extensive experience in the healthcare sector. The participants hold various positions
in the organization and perform tasks directly or indirectly related to IT security. The makeup of
the participants included four females and eight male subjects.
Screening surveys verified that participants met the inclusion criteria to participate in the
qualitative research study. Once prequalified, participants provided their informed consent before
participating in the interviews. Each participant answered 13 semi-structured open-ended
research questions and follow-up probes as needed. All interviews administered to the
participants utilized the MS Teams teleconference platform. The interviews lasted approximately
60 minutes on average. The participants consented to allow the sessions to be video recorded and
transcribed. After the interviews concluded, participants consented to allow the sharing of de-identified data with fellow researchers and the publishing of study results. Subsequently,
transcription and key responses were validated by the participants. Lastly, participants consented
to follow-up interviews if needed. Table 2 illustrates participants' demographic information,
including gender, race or ethnicity, position, years of IT security experience, and employment
type.
Table 2
Participant Demographics
| Participants | Gender | Race or ethnicity | Position | Years of IT experience | Employment type |
|---|---|---|---|---|---|
| Ellen | Female | White | Sr. InfoSec Analyst | 22 | Full Time Employee |
| Kim | Female | White | Mgr. InfoSec Risk & Comp. | 11 | Full Time Employee |
| Keanu | Male | White | IT Program Mgr. | 40 | Full Time Employee |
| Jesus | Male | Asian or Pacific Islander | Dir. Infrastructure & Ops. | 18 | Contractor |
| Paul | Male | White | Sr. Mgr. Cybersecurity | 25 | Full Time Employee |
| Fran | Female | White | Dir. IT Ops. | 19 | Full Time Employee |
| Jamal | Male | Middle Eastern Asia or North African | Asst. VP IT Infrastructure | 16 | Contractor |
| Skip | Male | White | Mgr. InfoSec Risk & Comp. | 35 | Full Time Employee |
| Dak | Male | Black or African American | Dir. InfoSec Risk & Comp. | 21 | Full Time Employee |
| Bennit | Male | Black or African American | VP Chief Information Security Officer | 39 | Full Time Employee |
| Arnold | Male | White | Chief Information Security Officer | 25 | Full Time Employee |
| Eryka | Female | Native American of African Descent | Mgr. InfoSec. | 15 | Full Time Employee |
| Davie | Male | Latino | Sr. Architect. | 16 | Full Time |
Findings for Research Question 1
The first research question sought to examine the perspectives and lived experiences of
research participants to gain deeper insight into funding priorities in the healthcare sector. The
conceptual framework guided the research question and analyzed the impact transformational
factors (e.g., mission and strategy, leadership, and culture) had on funding priorities, capital
planning, and budgeting. The analysis revealed a relationship between transformational factors
and capital budgeting approaches practiced at CCRC. More specifically, the participants
disclosed their beliefs regarding the perceived value of cybersecurity within healthcare systems.
The study revealed the following emerging themes: cost-based decision-making, no perceived
value in cybersecurity, and no return on investment. Table 3 provides an overview of themes,
explanations, and associated conceptual framework factors identified for RQ1.
Table 3
Research Question 1 Themes
| Emerging themes | Explanation | Conceptual framework |
|---|---|---|
| Cost-based decision making | Decisions based on costs, return on investment, and availability of capital. | Mission and strategy |
| No perceived value in cybersecurity | Cybersecurity is viewed as a cost center and a regulatory requirement. | Culture |
| No return on investment | Cybersecurity is preventative therefore there is a perception that IT security does not yield a return. | Strategy |
Cost-Based Decision Making
All 13 participants acknowledged the implicit role cost played in decision-making in
healthcare organizations. Whether discussions centered on patient care, opportunity costs,
regulatory requirements, market trends, or growth and expansion initiatives, cost-based decision-making remained an underlying theme. To illustrate this point, Keanu recounted, "everything is
related to cost, return on investment, as it should be, right." Additionally, when asked a similar
question regarding decision-making, Fran believed that "it all comes down to money and how
much money they [CCRC] think they want to spend." According to the responses, cost-based
decisions were an essential component of the business model for healthcare organizations,
resulting in follow-up probes. When asked to expound on the importance of cost in the decision-making process, Skip asserted, "Well, it’s the main decision. They’re [leadership] mostly
numbers people, they look at budgets, they look at, you know, overall spend."
According to the participants' responses, outsourcing IT security staffing was another
cost-based decision made by CCRC. Ellen claimed that CCRC opted to outsource IT security
because leadership believed that outsourcing resulted in cost savings, asserting, "They [CCRC]
were trying to save money." Ellen later speculated that it was her experience that "They [CCRC]
want the least cost solution" as it pertained to cybersecurity. Kim supported this claim, stating, "I
think ultimately, CCRC believes that it is more cost effective to outsource, especially when you
maybe have personnel that are outside of the country, or they have a lower operating cost." Dak
echoed the sentiments, saying, "You bring in contractors to do day-to-day work, and you take
away FTE's [full time employees] who can do the same exact work just for a simple fact of
cutting cost."
Another topic of interest revealed during the interviews was the cost of implementing a
proposed cybersecurity strategy. Jesus suggested that he believed that healthcare organizations
want to protect their IT infrastructure. However, Jesus proclaimed, "I bring it back to cost if the
organization had healthy cashflow as such that cybersecurity expenditures were only 1% of
revenue and profit margin, they [CCRC] would invest everything under the sun to have the
proper protection." Paul provided an alternative perspective regarding cost associated with
cybersecurity, contending, "A lot of corporations don't want to spend a whole lot of money in
regard to securing connections, right. And that’s where the cost vector comes in." Paul added
context to his beliefs, claiming that "A lot of upper management teams that come into
organizations today will look at cost-effectiveness and if they [leadership] can get similar
products [cybersecurity] for cheaper, they're [CCRC] are going to go with that."
Consequently, cybersecurity is viewed as a cost center and, thus, not prioritized as a
funding objective. According to Paul, "from a cultural standpoint, cybersecurity is just not a
priority in healthcare." Cost-based decision-making is a fundamental practice in the healthcare
sector and remains vital to the sustainability of CCRC. To that end, capital expenditures and
funding priorities focus on patient care, infrastructure, and growth. As such, cybersecurity does
not generate revenue and, therefore, is not a funding priority in healthcare organizations.
Affirming this belief, Eryka noted, "leadership needs to save money for the organization [CCRC]
and make a profit. Cybersecurity is not a profitable department, like other things in healthcare,
and is viewed as a spend." Table 4 illustrates some of the participants' belief in the role cost plays
in the decision-making process.
Table 4
Role Cost Plays in Decision-Making Process Responses
Participant | Responses
Keanu | "No matter how much money they have, they want to spend less on expenses, right … They're trying to get rid of all expenses, and just have all profits."
Jesus | "Costs has played a big part in that decision-making. Something that cost too much that would eat away at the profit margin, would kind of be questioned and alternatives … something that is the constellation. They may not have all the features, but it's more cost friendly. So, cost definitely has a big a large impact to the decision making, as with many things."
Jesus | "And so that's the truth of the matter. The economy, the business, that revenue drives a lot of things, no different than no different than a household, that is the low priority to buy a car and trying to pay for the most expensive warranty [cybersecurity], it doesn't make sense, the priority is to ensure food is on the table."
Leaders in healthcare organizations are under greater pressure to develop cost-reduction
tactics that reduce expenses and increase profitability. With a surge in capital expenditures and
shrinking margins, leaders need to balance the organization's needs and the public interest. For
that reason, funding priorities driven by cost-based decision-making focus on improving margins
and patient outcomes. To that point, the participants perceive cybersecurity within healthcare as
a cost center and avoidable expense rather than a funding priority.
No Perceived Value in Cybersecurity
Healthcare as an industry operates on smaller profit margins, placing a premium on cost
management and a sound economic approach to guide organizational strategy. Inherently, the
concept of value surfaced as an alternative theme during data collection. The participants
recounted their experiences, and 11 of 13 respondents described cybersecurity as having no
perceived value in healthcare. Fran proclaimed, "One of the key things to me is that it feels like
our company leadership [CCRC] does not view it [cybersecurity] as an investment in the future."
Most of the participants echoed Fran's sentiments, and when asked to expound on the response,
Skip stated, "They [CCRC] don't think that we're [cybersecurity] critical to the operations." Dak
provided additional context, suggesting "they're [CCRC] more willing to focus on the growth of
the business, more so than protecting the assets of the business." Keanu expounded on this claim,
asserting, "We [cybersecurity] are in healthcare. We're an expense center that they [CCRC] wish
had stayed in the morgue." Bennet speculated, "I think, in my mind, if the CEO [CCRC] is
asking about ransomware and yet unwilling to completely fix the situation, he's looking at
security as a checkbox."
The notion of a checkbox as it pertained to cybersecurity resurfaced throughout the
participant interviews. When probed further, the participants attributed this belief to their
experience in the healthcare industry. To that end, Kim stated, "I don't know if they [CCRC]
understand how far the cyber dollar goes or has gotten us thus far." Following this response, Kim
added, "I don't know that they [CCRC] fully see a value" regarding the importance of
cybersecurity. Skip supported Kim's assertions, stating that "Most organizations I have worked in the IT
operation, the IT people believe that information security is an insurance policy, and nobody
wants to pay for an insurance policy until something happens." Skip later expounded on these
beliefs, maintaining that "Information security is almost thought as a somewhat of an
afterthought or necessary evil." The thought of likening IT security to an insurance policy
referenced the lack of perceived value of cybersecurity in healthcare. However, this belief was
not an isolated response and was repeated by several participants.
Another revelation during the interviews centered on the belief that healthcare
maintained a false sense of assurance regarding their security posture. As recounted by Arnold,
"Some organizations might feel that you know, since nothing's happened, they're okay. And they
might not want to invest and find any value in investing money to strengthen their defenses
[cybersecurity]." Ellen echoed Arnold's claims, affirming, "They [CCRC] don't seem to think
that the likelihood is enough for it to be an issue... Unfortunately, what's probably going to
happen is a huge breach will happen, and then they'll understand the danger of it [cyberattack]."
Dak concluded this round of questions with an analogy suggesting that "It's almost like if you
have car insurance, and you're just a good driver, you've never gotten a speeding ticket in 30
years of driving, you start to tell yourself, why am I paying all this money every month." Table 5
illustrates some of the participants' perceptions that there is no perceived value in cybersecurity.
Table 5
No Perceived Value in Cybersecurity Responses
Participant | Responses
Keanu | "And our cybersecurity general, just every, you know, brings us news articles of who's been attacked that week. Right. And that's the only way we can justify our [cybersecurity] existence to many folks up the there [executive leadership], even apparently, to our own colleagues."
Keanu | "They [CCRC] are not willing to invest in security due to our entrepreneurial structure of their departments."
Skip | "Integrity of the data is more important than availability. We're [cybersecurity] not able to communicate that and make a value proposition to those positions."
Rising costs coupled with dwindling margins continue to plague the healthcare sector. To
combat the threat, leaders in healthcare systems are transitioning to a value-based delivery
model. This approach measures healthcare outcomes against the cost to produce the desired
results (Catalyst, 2017). As such, leaders allocate capital towards priorities that align with these
objectives. Thus, priorities need to exhibit perceived value to warrant capital investment.
Consequently, cybersecurity is an expense similar to an insurance policy. In that regard,
organizations would only realize the benefits of cybersecurity following a cyberattack.
Collectively, security professionals need to justify the value of cybersecurity to healthcare
organizations. However, if a cultural shift in mindset does not occur within the industry, the
perception that cybersecurity has no value in healthcare will persist.
No Return on Investment
Profitability and financial viability are key to the sustainability of healthcare
organizations. Predictably, leaders focus on investments that yield greater returns and exercise
cost avoidance when feasible. Naturally, return on investment emerged as a theme. All
13 participants revealed their belief that cybersecurity is perceived to have no return on
investment. When probed, Bennett affirmed, "Cybersecurity are cost centers, right? They're not
really a part of the business as generating any revenue or anything like that. It's money that the
business has to put in to do stuff they'll never see."
Eryka reaffirmed these beliefs, citing, "Because, you know, if you look at certain
organizations where you want to provide an extra layer of security, it's always a spend, spend,
spend [sic], whereas we know cybersecurity is not profitable." The consensus amongst the
participants is that CCRC perceived cybersecurity as an expense that yielded no return. To
support this claim, Keanu conceded, "And no matter how you try to justify that expense, at the
end of the day, it's an expense. Now we capitalize those expenses over x period of time as you
would a vehicle, but it's still an expense." Arnold added, "So, it's difficult at times to create a
case for something [cybersecurity] and prioritize that thing when it doesn't really mean that much
to whom you're speaking with [CCRC leadership]." When probed further, Ellen declared, "I don't
know if they believe if they understand how far the cyber dollar goes. Or [sic] has gotten us thus
far?"
Cost, value, and return on investment resurfaced as primary considerations for decision-making in healthcare in this series of interview responses. One of the prompts asked the
participants to explain why they believe healthcare shares the perception that cybersecurity does
not yield a return on investment. Davie shared his belief that "It's hard to see an investment, you
know, on that [cybersecurity] round, unless you've been hot [attacked], that's when you realize
that I probably don't see an investment right away." Jamal supported this claim, affirming,
"Some organizations might feel that … since nothing's happened [cyberattack], that they're okay.
And they might not want to invest and find any value in investing money to strengthen their
defenses [cybersecurity]." Eryka further reinforced this belief, proclaiming, "Because executive
leadership pretty much needs to save money for the organization to make a profit. Cybersecurity
is not a profitable department. Like the other like [sic], healthcare and is viewed as a spend. It's
not profitable."
The participants’ responses held steadfast to the belief that cybersecurity is not perceived
to yield a return in healthcare. According to the responses, the value of cybersecurity is
comparable to a sunk cost because the benefit can only be realized during a cyberattack. To
that point, cybersecurity yielded no revenue and no return on investment. As Keanu suggested,
"They're [CCRC] not willing to invest in security because they, at least, because of the
intrapreneur structure of their departments, they don't really have funding and structured that
way." Table 6 illustrates the participants' belief that cybersecurity has no return on investment.
Table 6
No Return-on-Investment Responses
Participant | Responses
Keanu | "In the IT side and operating primarily it we are a cost center. And almost everything else is a profit center. In the healthcare organization, everybody is generating some kind of revenue either managing in the rental business, working in the rental business or doing professional services, it [cybersecurity] is an expense."
Skip | "Political side has to make money and revenue to support the organization. It InfoSec. Up, [sic] we're just overhead. I don't make any revenue on us."
Skip | "It is technically still an afterthought. Why? Because it's still the cost of an insurance policy. There's no way around it. Cybersecurity hazard costs."
Rising healthcare costs require leaders to implement innovative management strategies
and employ cost-avoidance techniques. Equally as important, investments must demonstrate
positive returns to justify committing capital funding. To achieve these objectives, healthcare
organizations customarily invest in infrastructure, growth, and expansion initiatives.
Consequently, the participants believe that cybersecurity possesses no perceived value in
healthcare, nor does it align with the financial strategies of the organization. More specifically,
there is no perceived return on cybersecurity investment, which further clarifies why healthcare trails
behind other industries in the amount of capital allocated to cybersecurity.
Discussion for Research Question 1
Participant responses revealed the role cost played in the decision-making process in
healthcare organizations. Specifically, the interviews revealed how CCRC prioritizes capital
expenditures. According to the participants' accounts, capital expenditures at CCRC concentrated
on infrastructure, expansion, and growth. However, the participants did not perceive
cybersecurity as a funding priority. Within the initial interview responses for Research Question
1, three emerging themes surfaced (cost-based decision-making, no perceived value in
cybersecurity, and no return on investment). Although the themes varied slightly, cost, value, and
return on investment remained underlying considerations for funding.
Of the 13 participants interviewed, the overwhelming belief confirmed the criticality of
cost-based decision-making at CCRC. With rising healthcare costs and diminishing profit
margins, leaders must develop strategic plans to maximize returns and improve patient outcomes.
As such, cost management became crucial to overseeing limited resources. To that end, cost-based decision-making emerged as a key factor that drove spending and allocation of resources
at CCRC. To recount a statement by Keanu, "No matter how much money they have, they want
to spend less on expenses, right." These findings support the perception that cybersecurity was
viewed as a cost center and, therefore, not prioritized as a funding priority at CCRC. When
probed further, the participants asserted that cost-based decision-making resulted from CCRC's
mission and strategy.
Intuitively, a second theme emerged, contending that there was no perceived value in
cybersecurity. Again, the participants overwhelmingly supported the notion that cybersecurity
was an afterthought. Skip subsequently likened cybersecurity to an "insurance policy." The
consensus from the participants reaffirmed the belief that CCRC viewed cybersecurity as an
administrative function. Based on the participants' lived experiences, the healthcare sector
perceived cybersecurity as a "necessary evil" that did not support patient outcomes or growth and
expansion initiatives. In short, cybersecurity did not align with the business objectives of CCRC
and thus possessed no organizational value. The participants associated this shared belief of
cybersecurity with healthcare culture.
Last, no return on investment was the third theme revealed during Research Question 1.
As previously noted, healthcare organizations operate on narrow margins. This business model
requires leaders to implement strategies that minimize sunk costs and employ cost-avoidance
tactics when applicable. When asked, the participants described cybersecurity as cost centers that
yield no return. Naturally, leaders must make sound investment decisions to yield the largest
returns. Cybersecurity is preventative by design and may never produce a tangible return. Due to
this perception, the participants believe cybersecurity must justify the need for capital
investment. Once more, all 13 participants expressed their belief that healthcare as an industry
does not perceive a return on investing in cybersecurity. The participants attributed this belief
to strategy and healthcare culture. The participants' responses aligned with the conceptual
framework (e.g., mission and strategy, leadership, and culture) and provided deeper insight into
the phenomenon.
The findings for Research Question 1 revealed a relationship between cost-based
decision-making and strategy. The participants suggested that underinvesting in cybersecurity is
part of a larger cost-cutting effort to minimize expenses. Specifically, cybersecurity was viewed
as a cost center that generated no revenue and, therefore, was expendable. Conversely,
participants claimed that no perceived value in cybersecurity resulted from cultural beliefs within
the healthcare industry. This idea stemmed from the perception that cybersecurity was likened to
an administrative function that did not enhance research or patient care. Lastly, the third finding,
no return on investment, is closely related to strategy and culture. Similar to the previous
assertions, the participants maintained the belief that CCRC leadership found no perceived value
in cybersecurity due to the lack of financial return. Participants shared the belief that CCRC was
a non-profit organization that primarily generated revenue from philanthropic donations, grants,
and research. As such, sound investment strategies focused on investing in endeavors that produced
a financial return. To that end, the research provided supporting evidence of a relationship
between the findings and transformational factors.
Findings for Research Question 2
The second research question and associated interviews explored the transformational
factors related to cybersecurity risk reduction strategies in healthcare organizations. Particularly,
Research Question 2 concentrated on the barriers that prevented healthcare systems from
adopting known solutions regarding cybersecurity. The focus of this series of interview questions
pivoted away from financial implications to concentrate on the underlying practices, norms, and
ideologies regarding CCRC's cybersecurity strategy. The goal of Research Question 2 was to
understand better how cybersecurity is perceived and the associated value placed on IT security
in the healthcare industry. To that point, participants’ responses contextualize the phenomenon
through their lived experiences, beliefs, and perceptions of cybersecurity in healthcare. Though
several topics materialized during the interview process, key concepts surfaced by the conclusion
of data analysis. Moreover, three themes emerged for Research Question 2 (cybersecurity
perceived as a barrier, risk tolerance, and reactive culture). Table 7 highlights emerging themes,
explanations, and associated conceptual framework factors identified for Research Question 2.
Table 7
Research Question 2 Themes
Emerging themes | Explanation | Conceptual framework
Cybersecurity perceived as a barrier | Perceived obstacle to business operations, workstreams, and patient care. | Culture
Risk tolerance | Level of risk organization is willing to accept regarding potential exposure to cyber threats. | Leadership
Reactive culture | Response-based approach to incidents and/or events. | Culture
Cybersecurity Perceived as a Barrier
Ten of the 13 respondents shared their belief that cybersecurity is a perceived barrier in
healthcare organizations. When asked why leaders view cybersecurity as a barrier instead of a
vital component necessary to enhance CCRC's security posture, Ellen explained, "They're
[cybersecurity] perceived as constantly trying to make things difficult, which is not the case." As
the interviews continued, the participants provided additional context to support the claim. Skip
added, "We [cybersecurity] are viewed as an impediment to operations because we ask them
[CCRC] to slow down, you know, basically protect the confidentiality, integrity, and availability
of data." A follow-up probe asked the participants if the perception resulted from organizational
culture or leadership. Keanu indicated that "Cybersecurity and the general concept of limiting
access is counter to the culture of healthcare as a system, an organization, and an entity." Keanu
concluded by stating, "They [CCRC] totally do not get it [cybersecurity], care for it
[cybersecurity] or understand it [cybersecurity]." To further support the statement, Arnold
proclaimed that the general perception regarding cybersecurity is "Why do we deal with this, it’s
a pain in the, you know."
This wave of participant responses suggested that healthcare as an industry shares the
belief that cybersecurity implements safeguards that are restrictive and impede patient care.
According to the participants, this perception results in resistance and lack of support for
cybersecurity controls. Davie supported this claim, stating:
People complain about encryption and don't know why they have to request permission to
install software. … People feel that you prevented me from doing my job because I have
to call the service desk when I can do the installation myself.
However, Skip indicated that one cannot discount this belief because cybersecurity "Can
be a barrier at times." This is specifically the case if cybersecurity controls are perceived to limit instant access
to critical systems and patient records. Fran provided an alternative perspective, stating that "I
don't think that society at large had the perception that we needed to safeguard healthcare
information." This understanding contributes to the devaluation and de-prioritization of
cybersecurity in healthcare organizations. Kim further added her belief that "I think the barrier is
this … cybersecurity is not a lot of organizations, especially the one we're in right now; I don't
think they [CCRC] see it [cybersecurity] as important as it actually is."
The participants believe that accessibility to medical records and patient information is
crucial to healthcare organizations. These medical records and genomic data help medical
professionals better understand trends and diagnoses, which leads to improved patient outcomes.
Data analytics has become a driving force for evidence-based decision-making in healthcare.
However, hospitals are under siege, becoming one of the leading industries targeted by
cybercriminals (Mace, 2021); therefore, security controls aid IT security professionals in limiting
exposure to data breaches. According to the participants, a robust security posture requires
clinicians and practitioners to take additional safeguards to ensure patient data availability,
integrity, and security. The participants' responses imply that these additional security controls
often face resistance in healthcare organizations. As recounted by Paul, "When you talk about
cybersecurity, we're usually seen as the game stopper." Similarly, Ellen believed cybersecurity
was perceived as a "Nuisance in healthcare and something they [CCRC] doesn’t want to have to
deal with." Table 8 illustrates the participants' belief that cybersecurity is a perceived barrier.
Table 8
Cybersecurity is a Perceived Barrier Responses
Participant | Responses
Jesus | "Because everyone for the culture, everybody would have firewalls everywhere, everybody will be restricted to go the internet, everybody would be, you know, just able to just do things on their machine, just at least privileged for their work. And then that's how it should be. But we all know, we've been the scenarios where they're this person of high ranking, and they will like this access just because right. And because of that, that's an exception, because of the exception that goes against the strategy of everybody that created a particular policy to protect the organization."
Davie | "I went through these on previous environments where people didn't understand why do we need to have these many controls we complicating our employees lives … Why are you doing this."
Based on the participants' lived experiences, CCRC and healthcare as an industry
perceive cybersecurity as a barrier or impediment to performing daily tasks such as accessing
medical records and clinical systems. Additionally, these beliefs place undue pressure on IT
security professionals to justify the need for cybersecurity in healthcare organizations. As
recounted by the participants, the perceptions of cybersecurity in healthcare closely align with
transformational factors sharing a relationship with culture and leadership.
Risk Tolerance
All 13 participants overwhelmingly cited CCRC's willingness to accept risk as a barrier
to instituting sound cybersecurity strategies within the organization. Predictably, risk tolerance
emerged as a primary theme during data collection for Research Question 2. When asked why
there is a shared belief that CCRC is willing to accept risks, Eryka replied, "There's a lot of, you
know, we'll deal with that later." This series of questions yielded similar responses from the
participants. Further expounding on this belief, Bennet claimed, "Culturally, we have groups that
pretty much say that we don't care about the risk; we want to do what we want to do." Skip
supported this belief, asserting, "Most of the time, if allowed to, the risk would be accepted."
Adding nuance to the perception of risk acceptance, Kim indicated, "The organization [CCRC] is
willing to accept a risk based on the fact that it [cyberattack] hasn't happened in the past."
Throughout the interviews, the participants maintained that CCRC was willing to accept
risks because there was no perceived threat of a cyberattack. Ellen contended, "They're [CCRC]
are really not worried about the risk." Based on the interview responses, the participants believed
that healthcare organizations possessed a higher risk tolerance regarding cybersecurity. To
support this claim, Paul contended that "Instead of, you know, making a $600,000 adjustment to
do, you know, segmentation of a PCI environment, they'll just take the hit and pay the $30,000 a
month." Skip corroborated this claim, alleging, "If something goes wrong, what was the wrong
cost? Would it be a violation of HIPAA, so we're gonna [sic] get fined $250,000? We'll live with
the risk; we'll pay the 250 instead of giving you the money." Fran provided additional context for
this claim, asserting:
I mean, you have, you have, [sic] you know, various findings, they've been prioritized.
But even for items where there's a high risk, there just doesn't seem to be enough
motivation to assign people to get the work done all the time.
Table 9 illustrates the participants' risk tolerance responses.
Table 9
Risk Tolerance Responses
Participant | Responses
Paul | "So, there's some rationale behind risk acceptance, and the cost and mitigated avoid the risk are too great to justify given this small probability of a hazard or a small estimate to the impact that they [CCRC] have. So, a lot of them [CCRC] have self-insurances and a form of risk acceptance from an insurance perspective, so that they [CCRC] have that risk mitigated to transfer the risk to a third party."
Bennet | "So, to me, one of the largest, if not the largest, one of the largest threat vectors are these legacy systems, our network. And, you know, we need a plan, not only for the legacy systems, but the vendor operating systems that have legacy operating systems and for the federal control systems that are under Network where they control the patching. So, we have these we have these risks that we're not so focused on."
Eryka | "A system that's pretty much still has support applications that you can still support without breaking something and continuing operations. So, I think that's probably why they accept the risk, because it's going to take a lot of manpower."
The participants revealed the belief that healthcare organizations are willing to accept
risks instead of adequately funding cybersecurity. This assertion was grounded in the notion that
CCRC did not perceive cyberattacks as an immediate threat. Although healthcare organizations
are the most targeted industry for cyberattacks, the participants believed that CCRC maintained a
relatively high risk tolerance. The participants asserted that risk tolerance is not a practice
restricted to CCRC, but a trend observed throughout the healthcare industry. Consequently,
healthcare leaders are more apt to accept risks due to the lack of perceived threat of cyberattacks.
This ideology not only puts healthcare organizations at greater threat of cyberattacks but limits
their ability to reduce the attack's impact. The participants shared the belief that risk tolerance in
healthcare organizations is driven by leadership; this perceived relationship between risk
tolerance and leadership aligned with the conceptual framework. Specifically, the findings
revealed a connection between the collected data and transformational factors.
Reactive Culture
Lastly, reactive culture emerged as the final theme identified for Research Question 2.
During the interviews, 13 of 13 participants alleged that healthcare organizations adopted a
reactive approach when responding to cyber threats, a perceived belief repeated throughout the
data collection. Kim contended, "It's [strategy] kind of like wait till it breaks and then fix it."
When probed further, Jesus affirmed, "From my experience, I have seen them [CCRC] more on
the reactive side, not the proactive side." Fran's responses provided additional background for
Research Question 2, proclaiming, "Our [CCRC] board members seem to react to the news more
than an objectively presented assessment." The participant responses prompted supplemental
probes to gain more insight into the phenomenon. Eryka later declared, "I think cybersecurity as
a whole is reactive."
During this line of questioning, the concept of strategy was raised. When asked why the
participants believed healthcare adopts a reactive approach, Keanu asserted, "There is no
strategy, they [CCRC] operate day to day, by the seats of their pants." When prompted to unpack
this assertion, Bennet proclaimed, "This is not an information security phenomenon either; it's a
human phenomenon because we usually don't pay attention to something until it slaps us in the
face." Arnold supported this assertion, claiming, "Typically, a lot of organizations don’t invest
that money until there’s a breach. And then they’ll [cybersecurity] be a priority at that time." Dak
echoed many of the sentiments shared by the participants but added the perspective that "If given
the opportunity, I will put them [CCRC] through the hurt and pain [cyberattack] so they quickly
understand how important it is to be prepared."
Keanu shared a similar belief, declaring, "So you need to make them [CCRC] feel like
they’re on the verge of being attacked [cyberattack] to get them [CCRC] to invest." To further
support this claim, Bennet said, "I know people that don’t buy car insurance, and then they get
into an accident and have no way to pay that insurance. And now they go on trying and find
insurance." The participant responses revealed the belief that healthcare organizations do not
perceive cybercrime as an impending threat. This belief has resulted in a reactive approach to
cybersecurity. As proclaimed by Eryka, "It's [strategy] more reactive, I would say it's [strategy]
definitely reactive."
Consequently, according to the participants, this approach resulted in sizable investments
required to mitigate the aftermath of a cyberattack. Ellen substantiated many of the participants'
responses, contending that "Unfortunately, what's probably going to happen is a huge breach will
happen, and that will make them [leadership] understand the danger of it [cyberattack]." Table 10
illustrates the participants' reactive culture responses.
Table 10
Reactive Culture Responses
Participant Responses
Jesus
"Maybe it was found through some audit findings, that this
needs to be prioritized and purchased. Right. And also,
maybe the news in the latest trending news, if we're
talking in driving up to cyber-related items, sometimes
the news and neighboring health systems getting, you
know, ransomware attacked or, you know, leaked, the
data is leaked, or somehow the organization became
vulnerable neighboring organizations, competing
organizations, it can dictate and reprioritize, the the
[sic] organization's ability to purchase certain things."
Jesus
"And there were accelerated accelerated [sic] cybersecurity
funds, again, reacting, reactionary move from this
organization to ensure and to protect to the best of
everybody's ability. And that that happened for a good
year and a half or so. But since then, we're not seeing
that same urgency."
Paul
"The rest of the prior to that compromise action is a
standardization of we will worry about it later concept.
And that's what I that's what I've [sic] experienced."
Dak
"Do you practice fire safety in your home? Do you not think
about it until there's a fire and you think about calling
the fire department to come rescue us put that fire out?
No one thinks about the police until you need them."
Dak
"I think more so in the healthcare industry in react with cyber
theft, and cyber hacking, I believe that it's just a matter
of time to is your organization's turn."
Cyberattacks on healthcare organizations have become pervasive following COVID-19
(Gourd, 2021). These targeted attacks disrupted healthcare systems worldwide, placing a
substantial economic impact on the industry (Perera et al., 2022). However, the participants
affirmed that healthcare organizations fail to implement preventive strategies that could limit the
impact of cyberattacks. This perception exists because healthcare leaders have not adopted a
proactive approach to cybersecurity. The participants' responses assert that healthcare has yet to
safeguard IT infrastructures against the looming threat of cyberattacks. Consequently, healthcare
organizations are susceptible to cybercrime. If not addressed, the participants believe
cyberattacks on healthcare organizations will increase in frequency and magnitude.
Discussion for Research Question 2
Research Question 2 examined organizational factors such as culture, strategy, and
leadership contributing to the phenomenon. The participants drew on their lived experiences,
beliefs, and perceptions of healthcare organizations to answer Research Question 2. Participants'
responses exposed cultural norms in healthcare organizations that uncovered beliefs and
perceptions about cybersecurity. From this series of interviews, three themes emerged for
Research Question 2 (cybersecurity perceived as a barrier, risk tolerance, and reactive culture).
The initial theme from the participants suggested that cybersecurity is a perceived barrier
in healthcare. The participants supported this belief, stating that data drives patient care and
research. Thus, data availability is necessary to perform research, diagnosis, and treatment.
However, cybersecurity institutes security controls and safeguards to protect data by restricting
user access. These security controls require end users, such as clinicians and researchers, to
utilize complex passwords and MFA to access systems. Safeguards also limit an end user's
ability to download software or applications. To that point, participants' responses share the
belief that end users perceive cybersecurity as a barrier in healthcare.
Risk tolerance emerged as the second theme from the interviews. All 13 participants
perceive healthcare leaders as displaying a higher risk appetite and willingness to accept risk.
Although cyberattacks have spiked, participants revealed the belief that healthcare leaders do not
perceive cybercrime as an immediate threat. This belief has resulted in inadequate funding or
prioritization of cybersecurity in healthcare organizations. Consequently, the participants'
responses suggest that greater risk tolerance increases cyberattack exposure.
The third and final theme that emerged from Research Question 2 was reactive culture.
The participants concurred that healthcare adopts a reactive approach to cybersecurity. A
reactive cybersecurity strategy requires healthcare organizations to possess an effective and
capable response team to minimize the impact of a cyberattack. The participants’ responses
suggest that healthcare needs to be adequately funded or equipped with the necessary resources
or technology. As such, healthcare organizations are often unprepared when suffering a
cyberattack. The participants' responses suggest the need for a cultural shift in healthcare to
implement proactive strategies to better defend against cyberattacks. The findings in this series
of interview responses revealed a relationship between themes and transformational factors that
guided the study and answered Research Question 2.
Summary
This qualitative study sought to uncover the transformational factors that reveal why
cybersecurity is not a funding priority in healthcare. The study was grounded in the Burke-Litwin
Change model and adopted transformational factors as the conceptual framework. Through data
analysis, six recurring themes emerged. The themes identified for Research Question 1 included
cost-based decision-making, no perceived value in cybersecurity, and no return on investment.
These findings spoke to strategy and leadership. In comparison, the themes identified for
Research Question 2 included cybersecurity perceived as a barrier, risk tolerance, and reactive
culture.
Conversely, these findings mapped to organizational culture and leadership. The
transformational factors identified directly correlate to healthcare organizations' perceptions of
IT security strategies and illuminate the rationale for underfunding cybersecurity. These beliefs
not only lead to the de-prioritization of cybersecurity but expose healthcare organizations to
potential threats. Chapter Five will discuss the findings, implications for practice, future
research, and conclusion.
Chapter Five: Discussion
This qualitative study examined a non-profit healthcare organization to understand better
why cybersecurity is not a funding priority in the healthcare sector. The study aimed to analyze
healthcare IT professionals' beliefs, perceptions, and values to reveal the underlying antecedent
conditions that contributed to the phenomenon. The two research questions that guided this study
are:
1. What role does cost management play in prioritizing cybersecurity as a budget
priority?
2. What factors create barriers to implementing known cybersecurity responses that
lessen the impact of cyberattacks on healthcare systems?
Participants included 13 full-time employees and consultants employed by CCRC based in Los
Angeles, California. Participants occupied various roles in the organization and possessed
experience in healthcare IT security. Data collection included a prescreening survey and
interviews via MS Teams videoconferencing, consisting of open-ended semi-structured questions
and probes. Narrative inquiry was adopted to analyze the data and report the findings. The
information gathered reflected the participants' lived experiences and perceptions of the
healthcare industry. Participant responses provided insight into the healthcare sector's cultural
norms, practices, and value systems pertaining to cybersecurity. The recommendations resulting
from this study outline the framework for a comprehensive IT security program centered around
a defense-in-depth cybersecurity model coupled with adequate funding. The recommendations
provide strategies to improve CCRC's cybersecurity program's security posture and maturity
rating. This chapter will highlight the findings, limitations of the study, implications for practice,
future research, and conclusions.
Findings
The findings for this qualitative study were guided by two research questions centered
around cost and barriers to implementing proven cybersecurity strategies. From the responses
obtained from the 13 participants, six notable themes emerged: cost-based decision-making, no
perceived value in cybersecurity, no return on investment, cybersecurity perceived as a barrier,
risk tolerance, and reactive culture. The findings adequately answered the research questions and
revealed a connection to the literature. The findings also demonstrated a relationship between
transformational factors, mission and strategy, leadership, and culture. These underlying factors
highlight the antecedent conditions that drive decision-making and strategy in healthcare
organizations. More importantly, they influence how CCRC allocates and prioritizes capital
funding. The documented findings and corresponding recommendations provide additional
context and propose risk-reduction strategies.
Finding One: Cost-Based Decision Making
The United States holds the distinction of funding the most expensive healthcare system
in the world (Barer & Bryan, 2018). This reality places leaders in healthcare under greater
pressure to increase patient outcomes while reducing operating expenses. Consequently, the
pandemic resulted in a spike in operational costs and labor shortages, further exacerbating an
already volatile state (Gallet & Doucouliagos, 2017; Regan, 2022). These unforeseen increases
in medical expenses triggered losses of $50.7 billion in revenue per month in the healthcare
sector due to the crisis (Kaye et al., 2021). This rising trend in healthcare requires leaders to
implement sound cost-cutting strategies to drive down expenses while increasing profitability.
Naturally, cost-based decision-making emerged as a principal theme during data analysis.
Cost-based decision-making in healthcare effectively calculates the cost-effectiveness
ratio of capital investments to measure the associated value of said investments to foster better
decision-making (Mauskopf et al., 1998). The study participants shared the belief that cost and
return on investment directed decision-making in healthcare. As such, capital funding was
strategically allocated for growth, expansion, and infrastructure enhancements. Due to the single-digit
margins historically witnessed in healthcare, the participants did not perceive cybersecurity
as a funding priority. The participants' responses suggest that cybersecurity is a sunken cost that
does not generate revenue and, therefore, is not prioritized in healthcare. The participants
attributed this belief to strategy and culture within CCRC and the healthcare industry.
Finding Two: No Perceived Value in Cybersecurity
Although cyberattacks on healthcare systems have increased exponentially, cybersecurity
has little perceived value as a function (Burkan & Tanase, 2021; Sagarra, 2021). This belief is
partly due to the perception that cybersecurity is a cost center that will only provide a modicum
of value if an organization falls victim to a cyberattack. The literature suggests that healthcare
will invest roughly $136 billion in IoMT technology by 2021 but allocate less than 6% of total
spending to cybersecurity (Faddis, 2018; Stewart, 2012). This disparity in spending raises
concerns because IoMT devices produce large amounts of sensitive patient data and possess
weak security controls, making the technology more susceptible to security breaches (Kuma et
al., 2022).
To this point, the participants shared the belief that cybersecurity is perceived as an
administrative function in healthcare, effectively reducing IT security's purposefulness. The
participants attribute this perception of cybersecurity to a need for overall knowledge and
understanding of security controls and advanced cyber technology (Coventry & Branley, 2018).
This lack of awareness and understanding of the vital role cybersecurity plays in protecting
patient data results in the devaluation of IT security. The findings support these claims,
attributing the beliefs to culture and strategy.
Finding Three: No Return on Investment
The availability of financial assets, a strong cash flow position, and sound investment
strategies are vital to the sustainability of healthcare systems. However, the rising costs of
healthcare continue to concern economists. The literature suggests that healthcare costs have
grown faster than the United States economy, burdening healthcare organizations and patients
(Cummings, 2022). Thus, healthcare organizations maintain a heightened reliance on
investments that yield greater cashflow returns to offset the increase in capital expenditures
(Adelino et al., 2015). Intuitively, cost-benefit analysis and cost-effectiveness ratios are
implemented to evaluate potential investments before committing capital resources. To that end,
the finding asserted that cybersecurity was a capital expenditure that yielded no return. The
participant responses suggested that executive leadership at CCRC did not regard cybersecurity
as an investment in the future and, therefore, did not need to be adequately funded.
This belief was attributed to the perception that cybersecurity did not align with the
financial goals of healthcare organizations. In short, the business model of CCRC relies on
philanthropy, research grants, government subsidies, and proprietary knowledge to generate
revenue. As such, capital investment is reserved for financially profitable ventures.
Consequently, according to participant responses, cybersecurity is often considered an expense
with little benefit. Additionally, healthcare organizations must allocate capital expenditures to
expand the infrastructure to support emerging technologies. However, large healthcare systems
invested approximately 97% of their capital in infrastructure and moveable equipment (Stewart,
2012). According to the participants, this investment strategy provided little funding for
cybersecurity. The participants affirmed that this financial approach is not limited to CCRC but
is a norm in the healthcare sector, which speaks to culture.
Finding Four: Cybersecurity Perceived as a Barrier
The digitization of healthcare systems has revolutionized the medical industry by
optimizing the utilization of innovative technologies such as digital medicine and artificial
intelligence. These technological advances have increased patient outcomes and improved
overall efficiency by automating processes, streamlining workstreams, and reducing inaccuracies
(Tiwari & Sharma, 2022). However, emergent technologies, such as IoMT devices, produce vast
amounts of sensitive patient data, enticing cybercriminals (Kuma et al., 2022). Additionally,
IoMT devices are known to possess poor security controls, making healthcare a target for
cyberattacks (Kuma et al., 2022; Liaqat et al., 2020). Logically, a robust cybersecurity program
would provide added defense and reduce the impact of cyberattacks on healthcare systems.
Consequently, the findings maintained that cybersecurity is perceived as a barrier at CCRC,
resulting in resistance and lack of organizational support for a robust IT security program.
Participant responses recounted their lived experiences in the healthcare industry to
highlight instances of resistance regarding increased IT security. The participants shared their
belief that enhanced cybersecurity and added security controls limited access to critical systems
and impeded workstreams. The participants supported this belief, claiming that CCRC exists on
a philosophical premise of sharing research and patient data to produce diagnoses and
subsequent treatment. Therefore, anything perceived to limit access to critical data or patient
information will ostensibly impede a clinician's ability to retrieve reports vital to patient care.
The consensus amongst the participants subscribed to the notion that clinical staff, particularly
researchers, desire untethered access to medical records, research data, and critical systems
without the perceived burden of safeguards or security controls. The participants attributed this
belief at CCRC to culture and leadership.
Finding Five: Risk Tolerance
As one of the more federally regulated industries, healthcare organizations implement
risk matrices to measure potential threats. One can surmise that the healthcare industry employs
conservative risk management strategies for patient care, demonstrating a lower risk tolerance
(Harris, 2023). Risk tolerance is the level of risk an organization is willing to accept (Zhan et al.,
2018). Though the risk appetite for patient care is restrained, healthcare organizations tend to
adopt a higher risk tolerance regarding technology, specifically the attitudes toward
cybersecurity. Predictably, healthcare organizations, on average, maintain an inadequate IT
security posture (Martin et al., 2017). Moreover, a primary finding from the participant responses
revealed the belief that CCRC displayed a high-risk tolerance regarding their cybersecurity
position.
The participants cited numerous examples where CCRC leadership displayed a blatant
disregard for potential risks associated with inadequate cybersecurity controls. Despite
acknowledging the presence of known vulnerabilities within the IT infrastructure, CCRC upheld
the belief that the organization possessed sufficient defense against possible cyberattacks.
According to the participants, this ill-advised position was attributed to a lack of technical
knowledge and insufficient comprehension of cybersecurity as a necessary function.
Additionally, the participants' responses revealed that CCRC opted to pay fines for regulatory
noncompliance issues related to unsatisfactory IT security controls instead of investing in
preventive cybersecurity solutions. Again, the participants' responses reaffirmed their previous
claims, suggesting that CCRC lacked adequate foundational knowledge to fully conceptualize
the exposure and potential threat associated with risk acceptance. The participants mapped this
finding to leadership.
Finding Six: Reactive Culture
A sound strategic plan can chart the course for an organization and set the business on a
path of growth and prosperity for years to come. Strategic planning establishes the business
objectives, develops the strategies, constructs the values and beliefs, and provides the resources
required to operationalize the strategic plan (Steiner, 2010). Due to the complexities in the
healthcare sector, effective strategic planning is an important aspect of achieving organizational
goals and objectives (Perera & Peiró, 2012). With healthcare undergoing a digital
transformation, a comprehensive strategic plan is crucial to developing the organization's future
state (Yucel, 2018). Though the reliance on digital technology and smart devices has grown
exponentially, healthcare lacks the cybersecurity expertise to implement controls to safeguard
emerging technologies (Coventry & Branley, 2018; Garg et al., 2022). To this point,
cybercriminals have targeted healthcare providers by exploiting vulnerabilities in emerging
technologies (Bahl et al., 2021). Coincidently, the last finding from data analysis highlighted
CCRC's reactive culture regarding the organization's approach to cyberattacks.
The participants' responses overwhelmingly cited reactive culture as one of the most
glaring issues regarding CCRC's approach to cybersecurity. The participants shared their belief
that CCRC leadership does not perceive cyberattacks as an immediate threat to the organization
and, therefore, does not prioritize cybersecurity as a funding priority. This belief has resulted in
the lack of a high-level cybersecurity strategic plan, exposing CCRC to considerable risks if
targeted by cybercriminals. According to the participant responses, CCRC’s reactive approach
places added strain on resources to respond quickly and effectively to cyberattacks. Not only
does a reactive approach overleverage existing resources, but it also leads to a significant surge
in overhead expenses. CCRC's reactive approach is counterintuitive and fiscally irresponsible
when considering the potential cost savings of investing in a proactive cybersecurity strategy.
The participants reaffirmed the belief that CCRC has yet to fully conceptualize the cybercrime
threat and operates under the misconception that the organization is safeguarded against cyberattacks.
Additionally, the participants' lived experiences suggest that organizations tend to adequately
fund cybersecurity after experiencing a cyberattack. The participants shared the belief that
CCRC will adopt a proactive cybersecurity strategy and adequately fund IT security once it
experiences the full weight of a cyberattack. The participants attributed this belief to culture.
Implications for Practice
The study addressed the antecedents that impacted cybersecurity funding in the
healthcare sector. Specifically, the research pinpointed strategies that can be employed to
enhance IT security in healthcare organizations. The research findings present practical
implications regarding policy, practice, and theories related to cybersecurity strategies in the
healthcare industry. Furthermore, the study highlights the need for strategic realignment and
cultural change management within CCRC. Cultural change management alludes to the process
of undergoing systemic change to redefine an organization's culture, values, behaviors, and
norms (Katzenbach et al., 2012). From an ideological standpoint, the pivot in strategy transitions
healthcare from a reactive approach to a proactive IT security strategy, bolstering the
organization's cybersecurity posture. This culture shift not only reprioritizes capital funding
initiatives but redefines IT security as a foundational element of strategic planning in healthcare.
Inherently, these strategic changes affect policy, patient care, and business operations by
elevating cybersecurity to a principal consideration moving forward. Additionally, an emphasis
will be placed on formalizing cybersecurity governance and oversight, establishing
accountability across the organization. More stringent safeguards and security controls will be
implemented to protect sensitive patient data and the organization's critical systems. However,
these controls will enable cybersecurity teams to respond faster to threats, reducing the impact of
cyberattacks and disruption to business operations. Moreover, by adopting a cybersecurity
mindset, healthcare organizations can reduce downtime, limit the impact on patient care, and
shrink the number of data breaches. More importantly, the reprioritization of cybersecurity will
result in adequate funding and additional resources needed to protect the healthcare system's IT
infrastructure.
Recommendations
The findings delineated in this qualitative study revealed the need for a comprehensive
cybersecurity program in the healthcare industry. Healthcare organizations require enhanced
capacity, improved IT infrastructures, technological expertise, and strategic focus to adequately
equip healthcare systems with the resources and human capital required to support the digital
transformation the industry is undertaking. Additionally, nascent technologies such as IoMT,
remote patient monitoring, and wearable devices have increased the attack surface of IT
infrastructures. This technical transformation has led to a spike in cyberattacks on healthcare
systems, resulting in a surge in data breaches. As a countermeasure, four recommendations have
been presented for future consideration. The recommendations include developing a
cybersecurity culture, adopting a zero-trust security strategy, implementing an IAM program,
constructing a dedicated incident response team, adopting a defense-in-depth model, and
utilizing artificial intelligence (AI) and machine learning (ML) to enhance cybersecurity. The
proposed recommendations improve the security posture in healthcare organizations by adopting
proven cybersecurity frameworks and leveraging security tools designed to reduce the threat and
impact of cyberattacks significantly.
Recommendation 1: Develop a Cybersecurity Culture
The digitization of healthcare has transformed the industry and will profoundly impact
healthcare systems in the future (Ricciardi et al., 2019). Although digitized medicine and
technological advances have led to medical breakthroughs and improved patient outcomes, it
does not come without inherent risks (Warfield, 2021). Consequently, the healthcare industry
lags behind other industries regarding their investment in cybersecurity, which results in an
inadequate security posture (SecurityScorecard Report, 2020; Wirth, 2018). Intuitively, the
findings cited culture as the reason why cybersecurity is perceived as superfluous in the
healthcare industry. The consensus amongst the participants was that cybersecurity as a
framework contradicts healthcare ideology. This is due to the perception that cybersecurity
prevents access to data while clinical research and patient care seek to share information. To that
end, the first recommendation is for CCRC to develop a cybersecurity culture.
Developing a strong cybersecurity culture is no minor undertaking; it requires a
foundational shift in CCRC's beliefs and value systems. A cybersecurity culture must be
cultivated and maintained over time, not merely constructed (Uchendu et al., 2021). The shift to
developing a cybersecurity culture includes realigning CCRC's mission, vision, beliefs, values,
cultural norms, knowledge, expertise, and best practices (Ogden, 2021). This cultural
transformation will change policies and procedures, alter hiring practices, impact capital
spending, and propel IT security to the forefront of decision-making at CCRC. Lastly,
developing a cybersecurity culture at CCRC will address the human factor by enhancing
awareness and altering user behaviors (Gcaza & Von Solms, 2017).
Implementing sustainable cultural change requires a shared desire for change, the
capacity to change, steadfast leadership, and unwavering resolve from the change agents. CCRC
will not simply replace procedures and workflows but transform the beliefs, values, and manner
in which the organization functions as an enterprise. Burke (2017) suggests that the change
process starts with creating a sense of urgency or need for change at CCRC. Subsequently,
CCRC leadership must establish a clear vision and chart a path for the change. This will include
outlining goals and main objectives. Executive leadership and change agents must communicate
effectively and frequently with the organization throughout the change process. It will be critical
that CCRC leadership manage resistance and present the value proposition to the organization.
Lastly, CCRC must sustain the change by reinforcing critical behaviors and desired outcomes.
Recommendation 2: Adopt a Zero Trust Security Strategy
Culture undoubtedly contributed to the underfunding of cybersecurity at CCRC, with the
second factor being the need for a sound IT security strategy. A key subtheme that emerged
during the findings revealed the lack of a robust security strategy at CCRC. Participant responses
suggested that the lack of a clear strategy at CCRC resulted in misalignment within IT,
redundancies, and shifting priorities. The absence of a comprehensive cybersecurity strategy
focused on prevention and threat monitoring exposed CCRC to the looming threat of cybercrime.
In 2021, healthcare organizations experienced, on average, 1410 cyberattacks per week, an 86%
increase from the prior year (Express Computer, 2023). CCRC falling victim to
a cyberattack is an inevitability. Without a sound cybersecurity strategy to combat cybercrime,
CCRC will hamper the organization's ability to adequately respond to data breaches and mitigate
cyberattacks (Servidio & Taylor, 2015). To that end, the second recommendation is for CCRC to
adopt a zero-trust security strategy.
Zero-trust is not a tool but a rigid security strategy that scales across different layers of IT
security to limit access to internal networks requiring authentication to access devices,
applications, cloud-based systems, and servers (He et al., 2022). A zero-trust security
architectural design interprets everything within the cloud environment as a threat until
authenticated. The four basic principles of zero-trust include: (a) authenticate users by taking
appropriate measures to ensure user identity; (b) authenticate devices so that only trusted
endpoints are authorized to gain access to CCRC assets; (c) restrict access by providing users
with the minimum access required to perform job duties; and (d) develop adaptive policies and
controls to address emergent technologies (Ahmed et al., 2020). In short, zero-trust takes a
holistic approach to cybersecurity to establish governance, enforce policy, enable operations, and
contain risks.
The first step to implementing a zero-trust security model is to identify the attack surface
of the CCRC landscape (Patil et al., 2020). Understanding the current IT infrastructure, including
critical systems, network architecture, data management, and system vulnerabilities, is vital.
Next, CCRC must map out the data flows, illustrating data inflows and outflows and how data is
stored at the organization. This step documents how data is routed between systems and storage
points. CCRC will subsequently design the zero-trust architecture to manage security controls to
align with the data flows (Stafford, 2020). Next, policies, standards, and procedures must be
designed to enforce a zero-trust security model. Lastly, data flows must be monitored and
maintained to ensure CCRC adheres to a strict zero-trust security framework.
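As an added illustration that is not part of the original study or of CCRC's environment, the following Python example shows how the four zero-trust principles (a) through (d) listed above can be combined into a single default-deny access decision. The user names, device identifiers, resource names, signing key, and 15-minute MFA window are all hypothetical values constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# All names, users, devices and thresholds below are constructed for illustration.
SIGNING_KEY = b"constructed-demo-key"  # assumption: a managed secret in practice

# Directory of identities and their single assigned role.
USER_ROLES = {"clin01": "clinician", "res01": "researcher"}

# (c) Least privilege: each role gets only the (resource, action) pairs its job needs.
ROLE_PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("patient_record", "write")},
    "researcher": {("deidentified_dataset", "read")},
}

# (b) Device trust: enrolled endpoints with their assigned user and posture.
DEVICE_REGISTRY = {
    "ws-0142": {"owner": "clin01", "encrypted": True, "patched": True},
    "lt-0977": {"owner": "res01", "encrypted": True, "patched": False},
}

# (d) Adaptive policy: when a recent second factor is demanded.
SENSITIVE_RESOURCES = {"patient_record"}
MFA_MAX_AGE_SECONDS = 15 * 60


@dataclass(frozen=True)
class Request:
    user: str
    token: str
    device_id: str
    resource: str
    action: str
    network: str            # "internal" or "external"
    mfa_at: Optional[int]   # epoch seconds of last MFA, None if never done


def _sign(message: str) -> str:
    return hmac.new(SIGNING_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, expires_at: int) -> str:
    """Session token: user|expiry|HMAC-SHA256 over the first two fields."""
    body = f"{user}|{int(expires_at)}"
    return f"{body}|{_sign(body)}"


def verify_token(token: str, user: str, now: int) -> bool:
    """(a) Authenticate the user: signature valid, bound to this user, not expired."""
    parts = token.split("|")
    if len(parts) != 3:
        return False
    tok_user, expires_raw, sig = parts
    expected = _sign(f"{tok_user}|{expires_raw}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    try:
        expires_at = int(expires_raw)
    except ValueError:
        return False
    return tok_user == user and now < expires_at


def decide(req: Request, now: int) -> tuple[bool, list[str]]:
    """Default deny: every check must pass; being on the internal network
    never replaces a check, and being external adds the step-up requirement."""
    reasons = []
    if req.user not in USER_ROLES or not verify_token(req.token, req.user, now):
        reasons.append("user not authenticated")
    device = DEVICE_REGISTRY.get(req.device_id)
    if device is None:
        reasons.append("device not enrolled")
    elif device["owner"] != req.user:
        reasons.append("device not assigned to user")
    elif not (device["encrypted"] and device["patched"]):
        reasons.append("device not compliant")
    role = USER_ROLES.get(req.user)
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(role, set()):
        reasons.append("role lacks permission")
    needs_mfa = req.resource in SENSITIVE_RESOURCES or req.network != "internal"
    mfa_fresh = req.mfa_at is not None and 0 <= now - req.mfa_at <= MFA_MAX_AGE_SECONDS
    if needs_mfa and not mfa_fresh:
        reasons.append("step-up MFA required")
    return (not reasons, reasons)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    token = issue_token("clin01", now + 3600)
    req = Request("clin01", token, "ws-0142", "patient_record", "read", "internal", now - 60)
    print(decide(req, now))
```

The returned reason list records every failed check rather than only the first, which gives the monitoring step described above a complete record of why each request was denied.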
Recommendation 3: Implement Identity Access Management (IAM) Program
The findings revealed vulnerabilities in CCRC's IT security program, resulting in a poor
cybersecurity maturity posture. The participants' responses supported the findings, suggesting
CCRC lacked a formalized IAM program. Furthermore, it was determined that IT security
governance needed to be improved, policies and procedures were not enforced, auditing and
reporting were not performed regularly, and security controls failed to meet security
configuration standards. The subsequent recommendation emphasizes the necessity for a
comprehensive IAM program at CCRC. IAM is an IT infrastructure security framework that
leverages policies and procedures and governs digital identities and entitlements (Evans & Price,
2014). The proposed framework components contain governance, encompassing authentication
and authorization services (identity management). In contrast, the reporting and analytics
component of the framework administers user management and directory services (access
management) (Singh et al., 2023).
Authentication services validate the user’s identity by employing a series of security
controls such as single-sign-on, multifactor authentication, and session and token management
(Alsirhani et al., 2022). Conversely, authorization services grant the user appropriate permissions
to applications and servers using roles, rules, and privileged access (Singh et al., 2023). In short,
authentication verifies the user's identity, while authorization provides the user with the
appropriate access and permissions required to perform their job function. Alternatively, user
management services administer the provisioning of privileged accounts (e.g., administrative
level access), de-provisioning of privileged accounts, self-services, and rights delegation (Glazer
et al., 2022). The final component of the IAM framework is directory services. This framework
element focuses on directory federation, synchronization, and the virtual directory. A
comprehensive IAM program has the capabilities of providing CCRC with a trusted IT security
framework that can reduce operating costs, help the organization meet regulatory and
compliance requirements, and mitigate risks as it pertains to cyberattacks (Devlekar & Ramteke,
2021).
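The four zero-trust principles (a) through (d) listed under Recommendation 2, and the authentication/authorization distinction described above, can be made concrete as a single default-deny access decision. The Python example below is added for illustration and is not part of the dissertation or of any CCRC system; every role name, device ID, time limit, and risk score in it is a constructed assumption.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# All names, roles, device IDs and thresholds below are constructed for illustration.
ROLE_PERMISSIONS = {  # (c) least privilege: each role gets only what the job needs
    "nurse": {("ehr", "read"), ("ehr", "write_vitals")},
    "billing_clerk": {("billing", "read"), ("billing", "write")},
    "sysadmin": {("server", "admin")},
}
MANAGED_DEVICES = {"ws-0142": True, "ws-0977": False}  # (b) device id -> compliant?
MAX_SESSION_AGE = timedelta(hours=8)
STEP_UP_WINDOW = timedelta(minutes=15)  # (d) how recent a login must be for risky requests
RISK_THRESHOLD = 50                     # hypothetical 0-100 risk signal
PRIVILEGED_ACTIONS = {"admin"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool
    authenticated_at: datetime
    device_id: str
    resource: str
    action: str
    risk_score: int = 0


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def authenticate(req: AccessRequest, now: datetime) -> Optional[str]:
    """(a) Authentication: is this really the user, and is the session still valid?"""
    if not req.mfa_passed:
        return "user_not_authenticated"
    age = now - req.authenticated_at
    if age < timedelta(0) or age > MAX_SESSION_AGE:
        return "session_expired"
    return None


def check_device(req: AccessRequest) -> Optional[str]:
    """(b) Only known, compliant endpoints may reach the resource."""
    compliant = MANAGED_DEVICES.get(req.device_id)
    if compliant is None:
        return "unknown_device"
    return None if compliant else "device_not_compliant"


def authorize(req: AccessRequest) -> Optional[str]:
    """(c) Authorization: does the role grant this exact resource/action pair?"""
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return "not_permitted_for_role"
    return None


def adaptive_policy(req: AccessRequest, now: datetime) -> Optional[str]:
    """(d) Privileged or high-risk requests need a recent re-authentication."""
    sensitive = req.action in PRIVILEGED_ACTIONS or req.risk_score >= RISK_THRESHOLD
    if sensitive and now - req.authenticated_at > STEP_UP_WINDOW:
        return "step_up_authentication_required"
    return None


def decide(req: AccessRequest, now: datetime) -> Decision:
    """Default deny: the first failed check ends evaluation with its reason."""
    failure = (authenticate(req, now) or check_device(req)
               or authorize(req) or adaptive_policy(req, now))
    return Decision(False, failure) if failure else Decision(True, "all_checks_passed")


NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
NURSE = AccessRequest("jdoe", "nurse", True, NOW - timedelta(hours=1),
                      "ws-0142", "ehr", "read")
ADMIN = replace(NURSE, user="root1", role="sysadmin", resource="server", action="admin")


def demo() -> dict:
    """Evaluate constructed requests that each trip a different principle."""
    cases = {
        "baseline": NURSE,
        "no_mfa": replace(NURSE, mfa_passed=False),
        "unknown_device": replace(NURSE, device_id="byod-17"),
        "unpatched_device": replace(NURSE, device_id="ws-0977"),
        "authenticated_but_wrong_role": replace(NURSE, resource="billing"),
        "admin_stale_login": ADMIN,
        "admin_fresh_login": replace(ADMIN, authenticated_at=NOW - timedelta(minutes=5)),
    }
    return {name: decide(req, NOW) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:30} allow={decision.allow!s:5} {decision.reason}")
```

The "authenticated_but_wrong_role" case is the one that separates the two IAM services: the user's identity is fully verified, yet the request is still denied because the role carries no entitlement to the billing system.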
Implementing a successful IAM will often require third-party vendors with the expertise
and skill set to design a comprehensive security program. Thus, CCRC must first engage with a
third-party vendor specializing in cybersecurity to conduct a detailed cyber risk assessment of
the IT infrastructure. This will be accomplished by evaluating CCRC's people, processes, and
technology. The risk assessment will identify gaps in the IT security framework and provide a
roadmap to design an IAM program that aligns with the capabilities and security strategies of the
organization. Next, CCRC must acquire and retain talented cybersecurity professionals to
manage the program. Immediately following, robust access controls and well-defined processes
will need to be developed to provide the framework for the IAM program. Last, an investment is
required to procure the best-in-breed products that provide cutting-edge technology to support
the IAM program.
Recommendation 4: Dedicated Cybersecurity Incident Response Team (CIRT)
Similar to other industries experiencing a shortage of technically competent employees
with related IT experience, healthcare organizations encounter challenges in employing and
retaining qualified cybersecurity professionals (Kikkas & Lorenz, 2020). Due to the lack of
adequately trained cybersecurity specialists, healthcare organizations' readiness and response to
cybersecurity threats are insufficient (Helser, 2019). Moreover, the findings underline that CCRC
does not adequately fund IT security. This reality results in an unqualified and inexperienced
workforce that cannot effectively respond to cyberattacks. To that end, the following
recommendation proposes the formation of a dedicated CIRT. Naturally, the recommendation is
a commitment from CCRC to adequately fund the talent acquisition of qualified cybersecurity
professionals. Cybersecurity incident response is a four-phased approach to events and
occurrences, which includes identification, isolation, remediation, and recovery (Thompson,
2018).
The initial phase of incident response addresses identification. The response team must
first identify the threat prior to advancing to isolation. Once identified, the incident response
team subsequently isolates the threat on the compromised system, thereby limiting the spread of
residual damage. Next, the incident response team assesses the extent of damage to determine if
the compromised system can be remediated. Once verified, the compromised system is
remediated and scanned to ensure that the threat has been eradicated. The recovered systems will
be reintroduced to the IT environment and returned to production. Retaining a highly qualified
dedicated CIRT will increase the probability that the organization will adequately respond to
cyber threats or targeted data breaches, effectively minimizing impact and downtime on the
organization (Johansen, 2020).
There are three essential components to stand up a dedicated CIRT (team leader, incident
commander, and support staff). Acquiring an experienced and capable team leader is key to a
successful CIRT. The team leader will report directly to the CISO and oversee the CIRT
function. Once the team leader has been solidified, CCRC must identify an incident commander
to manage incident response. Incident commanders will establish incident command centers,
assign roles and responsibilities during incident response, make key decisions, and constantly
communicate with executive leadership. Finally, CCRC must equip the organization with
adequate staffing to operationalize the CIRT. Strong consideration should be given to
outsourcing a portion of the CIRT to contracted services to augment the staffing need for around-the-clock incident response.
Recommendation 5: Adopt a Defense-In-Depth (DID) Model
Advancements in cloud-based computing systems, AI technology, and machine learning
have revolutionized healthcare. These technological advances have increased efficiency and
modernized the medical industry (Newaz et al., 2021). The benefits of emergent healthcare
technology are that it improves patient quality, enables remote patient monitoring, improves
diagnosis, and increases the accuracy of effective treatment recommendations (Chang et al.,
2023). Additionally, during the COVID-19 pandemic, telemedicine technologies enabled
healthcare providers to meet the high demand for service (Kichloo et al., 2020). The advantage
of modern technology is undeniable. However, there are inherent risks that have crippled
healthcare systems that fell victim to cyberattacks.
Consequently, cybercriminals took the opportunity to exploit vulnerabilities in cloud-based technologies (Chigada & Madzinga, 2021). Most notably, cybercriminals exploited weak
security controls in IoMT devices, compromising networks and successfully exfiltrating sensitive
patient data (Kuma et al., 2022). Based on the findings, CCRC maintained poor security controls,
lacked proper configuration of security tools, and failed to sustain industry-standard
cybersecurity principles. Thus, the final recommendation is to adopt a defense-in-depth model at
CCRC to address the gaps identified in the findings and improve the organization's security
posture. No single solution can protect the expansive attack surface of interconnected networks
in healthcare systems. However, a DID model is a layered cybersecurity framework designed to
protect CCRC's IT infrastructures against cyberattacks and data breaches (Shamim et al., 2014).
DID models employ overlapping layers of defense, including firewalls, intrusion detection
systems (IDS), endpoint detection and response (EDR), network segmentation, principles of least
privilege, strong passwords, and patch management (Chierici et al., 2016). With cyberattacks on
healthcare systems expected to increase, a DID framework heightens CCRC's resilience against
cyber threats (Khanna et al., 2023).
To implement a layered DID cybersecurity framework, CCRC will first redefine the
organization's IT security policies and procedures to reflect more stringent guidelines about
cybersecurity. Next, DID will focus on physical security. This phase includes disposal of
equipment and e-waste, facility security, emergency procedures, and comprehensive vendor
management. Implementation will subsequently shift its focus to perimeter security. Perimeter
security addresses customer-facing websites and applications interacting with the CCRC internal
network. Security controls such as firewalls, intrusion detection systems, and secure gateway
technologies will be required to restrict external access to CCRC's internal network.
Regarding internal security, virtual local area networks (VLANs), network segmentation, and strong
access controls such as least privilege are needed to limit user access and confine network traffic
to authorized systems or applications. Next, the application phase of DID focuses on software
security. This portion of DID safeguards internal applications against threats and vulnerabilities,
requiring CCRC to implement secure coding procedures, security testing, session management,
network penetration testing, and risk assessments. Lastly, CCRC must utilize tools to protect the
organization's sensitive data. The process of implementing a DID framework will include
implementing data loss prevention (DLP) security technologies to monitor and audit data, manage
access controls, automate data classification, block suspicious activity, and maintain regulatory
compliance requirements.
Recommendation 6: Utilizing Artificial Intelligence (AI) and Machine Learning (ML)
As nascent technologies continue to revolutionize patient care offerings in the healthcare
industry, so do the sophistication and impact of cyber threats on IT infrastructures (Sethuraman
et al., 2020). Healthcare organizations have demonstrated the need to be prepared and equipped
to defend computer networking systems against the threat of cyberattacks adequately (Newaz et
al., 2021). Moreover, more qualified cybersecurity professionals in healthcare are needed to
address the problem (Swasey, 2020). The need for effective cybersecurity in healthcare
organizations is understated. The findings gathered from the participants' responses suggest that
CCRC needs more resources with adequate skills and experience to monitor and remediate cyber
threats effectively. The final recommendation is to utilize AI and ML technology to provide an
automated approach to cybersecurity.
AI utilizes advanced technology to enable computer systems to derive meaning based on
inputs, make decisions, and perform tasks reserved for humans (Patel, 2023). AI enables
technologies to mimic human behavior while instantaneously analyzing substantial data.
Conversely, ML exploits algorithms to monitor threats, employ automation, and learn human
behavior to understand patterns and suspicious activities better (Ben et al., 2021). By adopting
the recommendation to utilize AI and ML to enhance cybersecurity, CCRC can improve threat
detection, shrink response times, reduce phishing attacks, and prioritize critical vulnerabilities,
thereby reducing risks to the IT infrastructure (Vaddadi et al., 2023).
Similarly, the recommendation suggests contracting a third-party vendor specializing in
emergent AI cybersecurity technologies for healthcare systems to develop a roadmap and oversee
implementation. The IT infrastructure and security stack must be assessed before selecting the
appropriate AI cybersecurity solution. However, various AI cybersecurity tools on the market,
such as Darktrace, Cylance, SentinelOne, and FortiAI, enable real-time analysis, automated
scanning and patching, vulnerability mitigation, and the analysis of messages. Moreover, AI
applications such as ChatGPT, Pecan, Python, or Kite can help develop ML models that monitor
behavior and help predict patterns and trends. Following the assessment, the third-party vendor
will recommend and implement the AI cybersecurity tools that meet the organization's immediate
needs while providing long-term solutions to enhance the efficacy of the cybersecurity program
at CCRC.
Limitations and Delimitations
I incorporated strategies to build qualitative rigor into the study design; however,
limitations and delimitations were identified. Creswell and Creswell (2018) suggest that
limitations and delimitations highlight deficiencies in the research design, including but not
limited to insufficient sample population, inadequate data collection procedures, flawed data
analysis, improper study setting, time constraints, and ethical considerations. More specifically,
limitations refer to variables outside the researcher's control that may harm the study; conversely,
delimitations address exclusions from the study design that can also negatively impact the
findings (Theofanidis & Fountouki, 2018).
The limitation identified was related to the sample population. The sample population
targeted 13 participants from one setting. The restrictive exclusion criteria eliminated
participants with a different worldview, precluding potentially data-rich information that could
have provided deeper insight into the phenomenon. Additionally, the study examined the
participants' lived experiences, beliefs, and perceptions, subjecting the study to participant bias.
Therefore, the limited scope of the study and participant bias reduced the generalizability of the
results.
Secondly, data collection was a key delimitation identified in the study. This
organizational study adopted purposeful sampling as the methodological approach to collect
data. Thus, non-random sampling was employed for data collection. Moreover, I am employed at
the organization of interest. As such, the study participants and I were colleagues. The
relationship shared between the participants and me revealed limitations regarding the research
design, data collection, and data analysis. These concerns were partly due to the potential of
unintentionally skewing the data, leading to flawed inferences about the results. To that end, my
relationship with the organization and research participants subjected the study to researcher
bias.
Future Research
This qualitative case study sought to examine healthcare systems and reveal the
underlying beliefs regarding cybersecurity. The basic premise of the research employed narrative
inquiry to analyze participant experiences and beliefs to understand the antecedents that led to
the de-prioritization of IT security programs. The research focused on insufficient cyber defense
funding in healthcare and mapped the findings to the conceptual framework guided by the
Burke-Litwin change model. Although the findings adequately answered the research questions,
the following topics should be evaluated for future research consideration: the Consolidated
Appropriations Act (CAA) of 2023 and third-party risk management.
The United States Congress recently legislated the Consolidated Appropriations Act
(2023), which was ratified into law on December 29, 2022 (Park et al., 2023). The CAA included
a provision granting the Food and Drug Administration (FDA) legal authority to regulate
medical cybersecurity devices utilized in healthcare systems (Wu & Adashi, 2023). Specifically,
the act empowers the FDA to define and enforce cybersecurity requirements for medical devices.
The new provision requires healthcare systems to implement newly adopted cybersecurity
controls on all new or modified medical devices; however, the act excludes legacy devices under
the requirements (Shang et al., 2021). Legacy devices are outdated IT systems that use obsolete
technology or hardware, cannot receive software updates, and do not support current applications
or technologies (National Institute of Standards and Technology, 2023).
Notably, legacy devices were identified in the study as a significant threat to healthcare
systems but were not the focus of the research. Nonetheless, excluding medical devices does
little to safeguard IT infrastructures against known vulnerabilities in outdated equipment or
software. With the increased reliance on cloud-based interconnected devices, the threat of
cyberattacks will only worsen due to the development of highly sophisticated threat actors that
exploit vulnerabilities in the network. All efforts to safeguard healthcare IT infrastructures will
be futile if legacy devices are not remediated. Understandably, government regulations and
capital constraints add to the complexity of this challenge. Nevertheless, there is an opportunity
for future research to examine the phenomenon by mapping the external factors to the Burke-Litwin change model and developing innovative solutions.
The second future research topic of consideration is third-party risk management. The
research revealed that CCRC leadership employed a cost-cutting business strategy, outsourcing
IT infrastructure and operations to an offshore third-party firm. Furthermore, third-party vendors
owned and managed various systems and hardware throughout the environment, preventing
CCRC from deploying IT security controls. Though this approach enabled CCRC to realize cost
savings and address certain shortfalls related to an inadequate workforce, the strategy comes with
inherent risks. Most notably, third-party vendors are granted privileged access to critical systems
and networks. This level of elevated access not only threatens the IT infrastructure at CCRC but
exposes the organization to data breaches.
Additionally, the recently ratified CAA will directly impact third-party vendors and alter
how firms secure medical devices moving forward. Regulatory requirements will alter the
working relationships between third-party vendors and CCRC, but further research is required.
Moreover, the phenomenon can be mapped to transformational factors, specifically strategy.
Conclusions
The digital transformation in the healthcare sector has revolutionized patient care by
automating services through a complex interconnected digital network (Belliger & Krieger,
2018). Adopting digital technologies has enriched patient-centered care, produced fewer medical
errors, improved patient outcomes, and reduced healthcare costs (Cui, 2023). The adaptive nature
of technology has equipped healthcare organizations with the capacity to meet the growing needs
of a rapidly changing industry while building a more resilient healthcare system (Tortorella et al.,
2021). However, the advent of technology in healthcare organizations has come with challenges.
Most notable was the surge in cyberattacks on healthcare systems during the pandemic (Sagarra,
2021). Cybercriminals successfully exploit vulnerabilities in cloud-based technologies, wreaking
havoc on healthcare systems worldwide (Chigada & Madzinga, 2021; Gourd, 2021).
Consequently, this trend is expected to continue due to the data-rich environment in healthcare.
To combat the looming threat of cybercrime, healthcare organizations must adopt a proactive
approach to cybersecurity.
Cyberattacks not only disrupt business operations, but they are also debilitating to
healthcare systems. Having experienced a cyberattack personally, the crippling effects of
cybercrime and data breaches can render healthcare IT infrastructures helpless. The criticality of
a cyberattack cannot be understated. Ironically, the nascent technologies that have led to
breakthroughs in cancer research, diagnosis, and patient care have inadvertently revealed critical
vulnerabilities in healthcare systems. The threat of future attacks on healthcare organizations is
not a probability but an inevitability. Consequently, as an industry, healthcare lacks the skill,
knowledge, or security maturity to adequately combat the threat of cybercrime, a reality known
by cybercriminals worldwide.
By implementing known cybersecurity strategies, such as investing in a robust security
posture, CCRC can strengthen its capacity to withstand the threat of cybercriminals better and
lessen the impact of cyberattacks. This approach requires a financial investment and a
commitment from CCRC executive leadership. CCRC must first undergo a cultural shift to alter
the beliefs and values of the organization and adopt an IT security mindset. Additionally,
cybersecurity must be elevated to the forefront of decision-making, prioritizing IT security
throughout the organization. Lastly, aligning cybersecurity with the mission and vision of CCRC
increases the likelihood that cybersecurity will remain a foundational objective for years.
Although the threat of cybercrime will continue to jeopardize healthcare systems, a proactive
approach to cybersecurity can equip CCRC with the capability to install safeguards to reduce
data breaches and thwart future cyberattacks.
References
Abulencia, J. (2021, December 11). The cost of cybercrime in the US healthcare sector.
Computer Fraud & Security.
https://doi.org/10.1016/S1361-3723(21)00117-2
Adams, W. C. (2015). Conducting semi‐structured interviews. Handbook of Practical Program
Evaluation, 492-505.
https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119171386.ch19
Adelino, M., Lewellen, K., & Sundaram, A. K. (2015). Investment decisions of nonprofit
firms: Evidence from hospitals: Investment decisions of nonprofit firms. The Journal of
Finance (New York), 70, 1583–1628.
https://doi.org/10.1111/jofi.12234
Ades, S., Herrera, D. A., Lahey, T., Thomas, A. A., Jasra, S., Barry, M., & Holmes, C. (2022).
Cancer care in the wake of a cyberattack: How to prepare and what to expect. JCO
Oncology Practice, 18(1), 23-34
https://creativecommons.org/licenses/by-nc-nd/4.0/
Adhabi, E., & Anozie, C. B. (2017). Literature review for the type of interview in qualitative
research. International Journal of Education, 9(3), 86-97.
https://www.researchgate.net/profile/Christina-Anozie2/publication/320009898_Literature_Review_for_the_Type_of_Interview_in_Qualitative
_Research/links/5bca1982458515f7d9cb8733/Literature-Review-for-the-Type-ofInterview-in-Qualitative-Research
Ahmed, I., Nahar, T., Urmi, S. S., & Taher, K. A. (2020, January). Protection of sensitive data in
zero trust model. In Proceedings of The International Conference on Computing
Advancements (pp. 1-5).
https://dl.acm.org/doi/abs/10.1145/3377049.3377114
Ajayi, V. O. (2017). Primary sources of data and secondary sources of data. Benue State
University, 1(1), 1-6.
file:///C:/Users/17149/Downloads/PrimarySecondary_Sources_of_data%20(1).pdf
Akbanov, M., Vassilakis, V. G., & Logothetis, M. D. (2019). WannaCry ransomware: Analysis
of infection, persistence, recovery prevention and propagation mechanisms. Journal of
Telecommunications and Information Technology, 1(1), 113–124.
https://doi.org/10.26636/jtit.2019.130218
Alashhab, Z., Anbar, M., Singh, M. M., Hasbullah, I. H., Jain, P., & Taief Alaa Al-Amiedy.
(2022). Distributed denial of service attacks against cloud computing environment:
Survey, issues, challenges and coherent taxonomy. Applied Sciences, 12(23), 12441–.
https://doi.org/10.3390/app122312441
Aleroud, A., & Zhou, L. (2017). Phishing environments, techniques, and countermeasures: A
survey. Computers & Security, 68, 160–196.
https://doi.org/10.1016/j.cose.2017.04.006
Al-rimy, B., Maarof, M. A., & Shaid, S. Z. M. (2018). Ransomware threat success factors,
taxonomy, and countermeasures: A survey and research directions. Computers &
Security, 74, 144–166.
https://doi.org/10.1016/j.cose.2018.01.001
Alsirhani, A., Ezz, M., & Mostafa, A. M. (2022). Advanced authentication mechanisms for
identity and access management in cloud computing. Computer Systems Science &
Engineering, 43(3).
https://cdn.techscience.cn/ueditor/files/csse/TSP_CSSE-43-3/TSP_CSSE_24854/TSP_CSSE_24854.pdf
Altamony, H., Al-Salti, Z., Gharaibeh, A., & Elyas, T. (2016). The relationship between change
management strategy and successful enterprise resource planning (ERP)
implementations: A theoretical perspective. International Journal of Business
Management and Economic Research, 7(4), 690-703.
https://www.researchgate.net/profile/HamzahAltamony/publication/318761918_The_Relationship_between_Change_Management_Str
ategy_and_Successful_Enterprise_Resource_Planning_ERP_Implementations_A_Theore
tical_Perspective/links/597c8e42458515687b2a292b/The-Relationship-between-ChangeManagement-Strategy-and-Successful-Enterprise-Resource-Planning-ERPImplementations-A-Theoretical-Perspective.pdf
Alt, K., & Zimmermann, H.-D. (2021). The digital transformation of healthcare - An
interview with Werner Dorfmeister. Electronic Markets, 31(4), 895–899.
https://doi.org/10.1007/s12525-021-00476-1
Arabo, A., & Pranggone, B. (2021). COVID-19 pandemic cybersecurity issues.
Internet Technology Letters.
https://doi.org/10.1002/itl2.247
Aslan, O., & Samet, R. (2020). A comprehensive review on malware detection approaches.
IEEE Access, 8, 6249–6271.
https://doi.org/10.1109/ACCESS.2019.2963724
Aspers, P., & Corte, U. (2019). What is qualitative in qualitative research. Qualitative
Sociology, 42, 139-160.
https://link.springer.com/article/10.1007/s11133-019-9413-7
Bahl, A., Sharma, A., & Asghar, M. R. (2021). Vulnerability disclosure and cybersecurity
awareness campaigns on twitter during COVID‐19. Security and Privacy, 4(6).
https://doi.org/10.1002/spy2.180
Balbi, A. (2015). Massive cyber attack at anthem. Strategic Finance (Montvale,
N.J.), 96(9), 11.
Barer, B., & Bryan, S. (2018). Health services research spending and healthcare system impact:
Comment on “public spending on health service and policy research in Canada, the
United Kingdom, and the United States: A modest proposal.” International Journal of
Health Policy and Management, 7(3), 278–281.
https://doi.org/10.15171/ijhpm.2017.92
Bärnighausen, T., Røttingen, J.-A., Rockers, P., Shemilt, I., & Tugwell, P. (2017). Quasi-experimental study designs series paper 1: Introduction: Two historical lineages. Journal
of Clinical Epidemiology, 89, 4–11.
https://doi.org/10.1016/j.jclinepi.2017.02.020
Barrett, D. (2002). Change communication: using strategic employee communication to facilitate
major change. Corporate Communications, 7(4), 219–231.
https://doi.org/10.1108/13563280210449804
Barrow, J. M., Brannan, G. D., & Khandhar, P. B. (2022). Research ethics. In StatPearls
[Internet]. StatPearls Publishing.
https://www.ncbi.nlm.nih.gov/books/NBK459281/
Belliger, A., & Krieger, D. J. (2018). The digital transformation of healthcare. Knowledge
Management in Digital Change: New Findings and Practical Cases, 311-326.
https://link.springer.com/chapter/10.1007/978-3-319-73546-7_19
Ben Ali, W., Pesaranghader, A., Avram, R., Overtchouk, P., Perrin, N., Laffite, S., ... & Hussin,
J. G. (2021). Implementing machine learning in interventional cardiology: The benefits
are worth the trouble. Frontiers in Cardiovascular Medicine, 8, 711401.
https://www.frontiersin.org/articles/10.3389/fcvm.2021.711401/full
Benoot, C., Hannes, K., & Bilsen, J. (2016). The use of purposeful sampling in a qualitative
evidence synthesis: A worked example on sexual adjustment to a cancer trajectory. BMC
Medical Research Methodology, 16(1), 1-12.
https://bmcmedresmethodol.biomedcentral.com/articles/10.1186/s12874-016-0114-6
Bihu, R. (2020). Using unstructured interviews in educational and social science research: The
process, opportunity and difficulty. Global Scientific Journals, GSJ, 8(10).
file:///C:/Users/17149/Downloads/SSRN-id4435828.pdf
Boesch, I., Schwaninger, M., Weber, M., & Scholz, R. W. (2013). Enhancing validity and
reliability through feedback-driven exploration: A study in the context of conjoint
analysis. Systemic Practice and Action Research, 26, 217-238.
https://link.springer.com/article/10.1007/s11213-012-9248-6
Boone, J. B. (2012). Improving employee engagement: Making the case for planned
organizational change using the Burke-Litwin model of organizational performance and
change. Information Management and Business Review, 4(7), 402-408.
https://ojs.amhinternational.com/index.php/imbr/article/view/994
Borrion, H., Kurland, J., Tilley, N., & Chen, P. (2020). Measuring the resilience of criminogenic
ecosystems to global disruption: A case-study of COVID-19 in China. PloS One, 15(10),
e0240077–e0240077.
https://doi.org/10.1371/journal.pone.0240077
Branley, D., & Coventry, L. (2018). Cybersecurity in healthcare. A narrative review of trends,
threats, and ways forward. Elsevier.
www.elsevier.com/locate/maturitas
Burkan, E., & Tanase, A. (2021). The perceived value of cybersecurity analyses and
frameworks for an IT company (Master's thesis, University of Agder).
AURA: The Perceived Value of Cybersecurity Analyses and Frameworks for an IT
Company (unit.no)
Burke, W. W. (2008). Organization change: Theory and practice (2nd ed.). Sage Publications.
Burke, W. W. (2011). A perspective on the field of organization development and change: The
zeigarnik effect. The Journal of Applied Behavioral Science, 47(2), 143–167.
https://doi.org/10.1177/0021886310388161
Burke, W. W. (2017). Organization change: Theory and practice. Sage publications.
Organization Change: Theory and Practice - W. Warner Burke - Google Books
Butina, M. (2015). A narrative approach to qualitative inquiry. Clinical Laboratory
Science, 28(3), 190-196.
http://clsjournal.ascls.org/content/ascls/28/3/190.full.pdf
Byrne, M. (2021). Cybersecurity and the new age of ransomware attacks. Journal of
Perianesthesia Nursing, 36(5), 594–596.
https://doi.org/10.1016/j.jopan.2021.07.004
Carton, A. M., Knowlton, K., Coutifaris, C. G., Kundro, T. G., & Boysen, A. P. (2023). Painting
a clear picture while seeing the big picture: When and why leaders overcome the tradeoff between concreteness and scale. Academy of Management Journal, 66(1), 43-66.
https://doi.org/10.5465/amj.2018.1019
Casale, P. N., Vyavahare, M., Coyne, S., Kronish, I., Greenwald, P., Ye, S., & Fleischut, P. M.
(2021). The promise of remote patient monitoring: lessons learned during the COVID-19
surge in New York City. American Journal of Medical Quality, 36(3), 139.
The Promise of Remote Patient Monitoring: Lessons Learned During the COVID-19
Surge in New York City - PMC (nih.gov)
Catalyst, N. E. J. M. (2017). What is value-based healthcare?. NEJM Catalyst, 3(1).
https://catalyst.nejm.org/doi/full/10.1056/CAT.17.0558
Centers for Disease Control and Prevention. (2023, May 31). Selecting Data Collection Methods.
https://www.cdc.gov/std/Program/pupestd/Selecting%20Data%20Collection%20Methods.pdf
Chang, H., Choi, J. Y., Shim, J., Kim, M., & Choi, M. (2023). Benefits of information
technology in healthcare: Artificial intelligence, internet of things, and personal health
records. Healthcare Informatics Research, 29(4), 323.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC10651408/
Chandler, J.J., & Paolacci, G. (2017). Lie for a dime: When most prescreening responses are
honest but most study participants are impostors. Social Psychological & Personality
Science, 8(5), 500–508.
https://doi.org/10.1177/1948550617698203
Chauhan, R. S. (2022). Unstructured interviews: are they really all that bad? Human Resource
Development International, 25(4), 474–487.
https://doi.org/10.1080/13678868.2019.1603019
Chierici, L., Fiorini, G. L., La Rovere, S., & Vestrucci, P. (2016). The evolution of defense in
depth approach: A cross sectorial analysis. Open Journal of Safety Science and
Technology, 6(2), 35-54.
https://www.scirp.org/journal/paperinformation.aspx?paperid=70457
Chigada, J., & Madzinga, R. (2021). Cyberattacks and threats during COVID-19: A systematic
literature review. South African Journal of Information Management, 23(1), 1–11.
https://doi.org/10.4102/sajim.v23i1.1277
Closser, S., Mendenhall, E., Brown, P., Neill, R., & Justice, J. (2022). The anthropology of
health systems: A history and review. Social Science & Medicine (1982), 300, 114314–
114314.
https://doi.org/10.1016/j.socscimed.2021.114314
Coleman, C. (2018). Organizational diagnosis in the logistics sector in Ghana: An application
of the Burke-Litwin model. J Entrepren Organiz Manag, 7(245), 2.
Cooper, R. (2015). The shared services organizational model in higher education enrollment
management: the application of the transactional components of the Burke-Litwin model
of organizational performance and change and the moderating effect of employee
engagement on individual motivation.
https://scholarworks.uttyler.edu/hrd_grad/9/
Cornish, T. C., & McClintock, D. S. (2022). Are you prepared? Laboratory downtime in the
ransomware era. American Journal of Clinical Pathology, 157(4), 482-484.
https://doi.org/10.1093/ajcp/aqac021
Coventry, L., & Branley, D. (2018). Cybersecurity in healthcare: A narrative review of trends,
threats and ways forward. Maturitas, 113, 48–52.
https://doi.org/10.1016/j.maturitas.2018.04.008
Creswell, J. W., & Creswell, J. D. (2018). Research design: Qualitative, quantitative, and
mixed methods approaches. Sage.
Cummings, B. (2022). Rising healthcare costs are a rising concern. Journal of Financial
Planning, 35(2), 19–19.
https://www.proquest.com/docview/2629422290?parentSessionId=T8CeSyvLYgEprw21h1ta4ajkQsA32koPaQ0AKCuAWz0%3D&pq-origsite=primo&accounted=14749
Ćwiklicki, M., Duplaga, M., & Klich, J. (Eds.). (2021). The digital transformation of healthcare:
Health 4.0. Routledge.
Cypress, B. S. (2017). Rigor or reliability and validity in qualitative research: Perspectives,
strategies, reconceptualization, and recommendations. Dimensions of Critical Care
Nursing, 36(4), 253-263.
https://journals.lww.com/dccnjournal/Fulltext/2017/07000/Rigor_or_Reliability_and_Validity_in_Qualitative.6.aspx
Cui, D. (2023). Information technology impacts on healthcare costs and the quality of patient
care. (Doctoral dissertation, University of Pittsburgh).
http://d-scholarship.pitt.edu/44532/
Devlekar, S., & Ramteke, V. (2021). Identity and access management: High-level conceptual
framework. REVISTA GEINTEC-GESTAO INOVACAO E TECNOLOGIAS, 11(4), 4885-
4897.
http://revistageintec.net/old/wp-content/uploads/2022/03/2511.pdf
Dionisio, M., Paula, F., & Junior, S. J. de S. (2022). Innovation and digital transformation
in healthcare: A systematic review. ISPIM Conference Proceedings, 1–23.
Dooly, M., Moore, E., & Vallejo, C. (2017). Research ethics. Research-Publishing. Net.
https://files.eric.ed.gov/fulltext/ED573618.pdf
Dugar, J. (2021). The edp audit, control, and security newsletter. Holistic Healthcare
Cybersecurity, 63(4).
Dyrda, L. (2020). The 5 most significant cyberattacks in healthcare for 2020. Becker’s Health IT.
https://www.beckershospitalreview.com/cybersecurity/the-5-most-significant-cyberattacks-in-healthcare-for-2020.html
Earl, J. (2020). The belmont report and innovative practice. Perspectives in Biology and
Medicine, 63(2), 313–326.
https://doi.org/10.1353/pbm.2020.0021
Emsisoft. (2020, February 11). The cost of ransomware in 2020. A country-by-country analysis.
Available at https://blog.emsisoft.com/en/35583/report-the-cost-of-ransomware-in-2020-a-country-by-country-analysis/
Ene, C. (2023, February 22). 10.5 trillion reasons why we need a United response to cyber
risk. Forbes.
https://www.forbes.com/sites/forbestechcouncil/2023/02/22/105-trillion-reasons-why-we-need-a-united-response-to-cyber-risk/?sh=692802823b0c
Evans, N., & Price, J. (2014). Responsibility and accountability for information asset
management (IAM) in organisations. Electronic Journal of Information Systems
Evaluation, 17(1), pp. 113-121.
https://academic-publishing.org/index.php/ejise/article/view/200
Express Computer. (2023). 38% global increase in 2022 cyberattacks with healthcare as the most
targeted industry in India: Check point research. Express Computer.
https://www.proquest.com/docview/2764722143?parentSessionId=Ei39YDFVQK%2FHvSj1Tws63c8Ja8vfeE8zxzP7cOJMFYc%3D&pq-origsite=primo&accountid=14749
Faddis, A. (2018). The digital transformation of healthcare technology management. Biomedical
Instrumentation & Technology, 52(s2), 34-38.
https://array.aami.org/doi/full/10.2345/0899-8205-52.s2.34
Falvey, A. (2023, February 28). 100 of the largest hospitals and health systems in America |
2023. Becker’s Hospital Review.
https://www.beckershospitalreview.com/lists/100-of-the-largest-hospitals-and-health-systems-in-america-2023.html
Ficco, M., & Palmieri, F. (2017). Introducing fraudulent energy consumption in cloud
infrastructures: A new generation of denial-of-service attacks. IEEE Systems Journal,
11(2), 460–470.
https://doi.org/10.1109/JSYST.2015.2414822
Fillmore, R. (2001). The evolution of the U.S. healthcare system. In Science and Its Times:
Understanding the Social Significance of Scientific Discovery (Vol. 7, pp. 336–338).
Filej, B., Skela-Savič, B., Vicic, V. H., & Hudorovic, N. (2009). Necessary organizational
changes according to Burke–Litwin model in the head nurses system of management in
healthcare and social welfare institutions—The Slovenia experience. Health Policy
(Amsterdam), 90(2), 166–174.
https://doi.org/10.1016/j.healthpol.2008.09.013
Friesen, P., Kearns, L., Redman, B., & Caplan, A. L. (2017). Rethinking the belmont report?
American Journal of Bioethics, 17(7), 15–21.
https://doi.org/10.1080/15265161.2017.1329482
Fusch, G. E., Ness, L. R., Booker, J. M., & Fusch, P. (2020). People and process: Successful
change management initiatives. Journal of Sustainable Social Change, 12(1), 13.
Gallet, C., & Doucouliagos, H. (2017). The impact of healthcare spending on health outcomes: A
meta-regression analysis. Social Science & Medicine (1982), 179, 9–17.
https://doi.org/10.1016/j.socscimed.2017.02.024
Gandevia, S. B., & Vichore, S. M. (2016). Understanding the link between input-throughput-output
model of organization behavior and the input-throughput-output model for adult
learning and the learning outcomes. Asian Journal of Multidimensional Research
(AJMR), 5(7), 1-9.
https://www.indianjournals.com/ijor.aspx?target=ijor:ajmr&volume=5&issue=7&article=001
Garg, N., Wazid, M., Singh, J., Singh, D. P., & Das, A. K. (2022). Security in IoMT‐driven
smart healthcare: A comprehensive review and open challenges. Security and Privacy,
5(5). https://doi.org/10.1002/spy2.235
Gazley, B., & Kissman, K. (2015). Implementing change. In Transformational Governance (pp.
75–114). Wiley.
https://doi.org/10.1002/9781119160540.ch04
Gcaza, N., & Von Solms, R. (2017). Cybersecurity culture: An ill-defined problem.
In Information Security Education for a Global Digital Society: 10th IFIP WG 11.8 World
Conference, WISE 10, Rome, Italy, May 29-31, 2017, Proceedings 10 (pp. 98-109).
Springer International Publishing.
https://link.springer.com/chapter/10.1007/978-3-319-58553-6_9
Gentles, S. J., Jack, S. M., Nicholas, D. B., & McKibbon, K. (2014). A critical approach to
reflexivity in grounded theory. Qualitative Report, 19(44).
https://www.researchgate.net/profile/Stephen-Gentles/publication/267694704_Critical_Approach_to_Reflexivity_in_Grounded_Theory/links/5457eb170cf2bccc4911199f/Critical-Approach-to-Reflexivity-in-Grounded-Theory.pdf
Ghafur, S., Kristensen, S., Honeyford, K., Martin, G., Darzi, A., & Aylin, P. (2019). A
retrospective impact analysis of the WannaCry cyberattack on the NHS. NPJ Digital
Medicine, 2(1), 98–98.
https://doi.org/10.1038/s41746-019-0161-6
Ghosh, K., Dohan, M. S., Veldandi, H., & Garfield, M. (2023). Digital transformation in
healthcare: Insights on value creation. The Journal of Computer Information Systems,
ahead-of-print(ahead-of-print), 1–11.
https://doi.org/10.1080/08874417.2022.2070798
Girod, C., Hart, S., & Weltz, S. (2018). Milliman Medical Index. Milliman
Glazer, I., Robinson, L., & Hamlin, M. (2022). User provisioning in the enterprise. IDPro Body
of Knowledge, 1(8).
https://bok.idpro.org/article/id/84/
Gomez, J., & Konschak, C. (2015). Cyber-security in healthcare-understanding the new world
threat. Divurgent, 1-12.
https://www.divurgent.com/wp-content/uploads/2015/03/Cyber-SecurityHealthcarepdf.pdf
Goodwin, A., Wilburn, C., Wojewoda, C., Mesec, J., Cacciatore, L. S., Grove, S. A., ... &
Gourd, E. (2021). Increase in health-care cyberattacks affecting patients with cancer. The Lancet
Oncology, 22(9), 1215–1215.
https://doi.org/10.1016/S1470-2045(21)00451-4
Greenstone, M., & Gayer, T. (2009). Quasi-experimental and experimental approaches to
environmental economics. Journal of Environmental Economics and Management, 57(1),
21-44.
https://www.sciencedirect.com/science/article/abs/pii/S0095069608000831
Halcomb, E. J., & Davidson, P. M. (2006). Is verbatim transcription of interview data always
necessary? Applied Nursing Research, 19(1), 38-42.
https://www.sciencedirect.com/science/article/abs/pii/S0897189705000893
Hamilton-Basich, M. (2021). Patients suing Scripps health for failing to protect their data from
hackers. In 24x7 Magazine [BLOG]. Newstex.
Harris, C. (2023). Risk tolerance and attitudes among healthcare professionals and patients
regarding location of care decision-making (Doctoral dissertation, University of
Birmingham).
https://etheses.bham.ac.uk/id/eprint/13422/
Hassin, A. (2010). Effective diagnosis in organisation change management. Journal of
Business Systems, Governance and Ethics, 5(2).
https://doi.org/10.15209/jbsge.v5i2.18
Hastings, B. J., & Schwarz, G. M. (2022). Leading change processes for success: A Dynamic
application of diagnostic and dialogic organization development. The Journal of Applied
Behavioral Science, 58(1), 120–148.
https://doi.org/10.1177/00218863211019561
Hawdon, J. (2021). Cybercrime: Victimization, perpetration, and techniques. American Journal
of Criminal Justice, 46(6), 837-842.
Cybercrime: Victimization, Perpetration, and Techniques | SpringerLink
He, Y., Huang, D., Chen, L., Ni, Y., & Ma, X. (2022). A survey on zero trust architecture:
Challenges and future trends. Wireless Communications and Mobile Computing, 2022.
https://www.hindawi.com/journals/wcmc/2022/6476274/
Health Sector Cybersecurity Coordination Center. (2019). A cost analysis of healthcare sector
data breaches.
https://www.hhs.gov/sites/default/files/cost...
Helser, S. G. (2019). Health services at risk: An unanticipated outcome of the need for
cybersecurity. Issues in Information Systems, 20(4).
https://iacis.org/iis/2019/4_iis_2019_27-34.pdf
Hennink, M. M., Kaiser, B. N., & Marconi, V. C. (2017). Code saturation versus meaning
saturation: how many interviews are enough?. Qualitative Health Research, 27(4), 591-
608. Code Saturation Versus Meaning Saturation (sagepub.com)
Hennink, M., & Kaiser, B. N. (2022). Sample sizes for saturation in qualitative research: A
systematic review of empirical tests. Social Science & Medicine, 292, 114523.
https://www.sciencedirect.com/science/article/pii/S0277953621008558
Hill, Z., Tawiah-Agyemang, C., Kirkwood, B., & Kendall, C. (2022). Are verbatim transcripts
necessary in applied qualitative research: experiences from two community-based
intervention trials in Ghana. Emerging Themes in Epidemiology, 19(1), 5.
https://link.springer.com/article/10.1186/s12982-022-00115-w
Howard, D., & Harris, C. R. (2019). Cybersecurity: What leaders must know.
Physician Leadership Journal, 6(4), 49–53.
https://search.proquest.com/openview/3e488bf3c6caab8b339228d52e691235/1?pq-origsite=gscholar&cbl=2037550
Iakovakis, G., Xarhoulacos, C. G., Giovas, K., & Gritzalis, D. (2021). Analysis and
classification of mitigation tools against cyberattacks in COVID-19 Era. Security and
Communication Networks, 2021, 1–21.
https://doi.org/10.11553187205/2021/
Jahankhani, H., & Kendzierskyj, S. (2019). Digital transformation of healthcare. Blockchain and
Clinical Trial: Securing Patient Data, 31-52.
Digital Transformation of Healthcare | SpringerLink
Jee, K., & Kim, G. H. (2013). Potentiality of big data in the medical sector: Focus on how to
reshape the healthcare system. Healthcare Informatics Research, 19(2), 79-85.
https://synapse.koreamed.org/articles/1075681
Jiao, L., Friedman, R., Fu, X., Secci, S., Smoreda, Z., & Tschofenig, H. (2013). Cloud-based
computation offloading for mobile devices: State of the art, challenges and
opportunities. 2013 Future Network & Mobile Summit, 1-11.
https://ieeexplore.ieee.org/abstract/document/6633526/
Johansen, G. (2020). Digital forensics and incident response: Incident response techniques and
procedures to respond to modern cyber threats. Packt Publishing Ltd.
Johnson, D. M. (2004). Adaptation of organizational change models to the implementation of
quality standard requirements. The International Journal of Quality & Reliability
Management, 21(2), 154–174.
https://doi.org/10.1108/02656710410516961
Jones, M., & Harris, A. (2014). Principals leading successful organisational change: Building
social capital through disciplined professional collaboration. Journal of Organizational
Change Management, 27(3), 473–485.
https://doi.org/10.1108/JOCM-07-2013-0116
Joyia, G. J., Liaqat, R. M., Farooq, A., & Rehman, S. (2017). Internet of medical things (IoMT):
Applications, benefits and future challenges in healthcare domain. J. Commun., 12(4),
240-247.
file:///C:/Users/17149/Desktop/Chapter%202/Healthcare%20Systems%20in%20US/20170428025024260.pdf
Kallio, H., Pietilä, A.-M., Johnson, M., & Kangasniemi, M. (2016). Systematic methodological
review: Developing a framework for a qualitative semi-structured interview guide.
Journal of Advanced Nursing, 72(12), 2954–2965.
https://doi.org/10.1111/jan.13031
Kalu, M. E. (2019). Using emphasis-purposeful sampling-phenomenon of interest–context
(EPPiC) framework to reflect on two qualitative research designs and questions: A
reflective process. The Qualitative Report, 24(10), 2524-2535.
https://www.proquest.com/openview/19767c20abbb60d1011240a4701bb9e4/1?pq-origsite=gscholar&cbl=55152
Kandasamy, K., Srinivas, S., Achuthan, K., & Rangan, V. P. (2022). Digital healthcare-cyberattacks
in Asian organizations: An analysis of vulnerabilities, risks, NIST
perspectives, and recommendations. IEEE Access, 10, 12345-12364.
Digital Healthcare - Cyberattacks in Asian Organizations: An Analysis of Vulnerabilities,
Risks, NIST Perspectives, and Recommendations | IEEE Journals & Magazine | IEEE
Xplore
Katzenbach, J. R., Steffen, I., & Kronley, C. (2012). Cultural change that sticks. Harvard
Business Review, 90(7), 110-117.
http://cviewstrategies.com/wp-content/uploads/2014/03/HBR_Cultural-Change-That-Sticks.pdf
Kaye, A. D., Okeagu, C. N., Pham, A. D., Silva, R. A., Hurley, J. J., Arron, B. L., ... & Cornett,
E. M. (2021). Economic impact of COVID-19 pandemic on healthcare facilities and
systems: International perspectives. Best Practice & Research Clinical Anaesthesiology,
35(3), 293-306.
https://www.sciencedirect.com/science/article/pii/S1521689620301142
Keisler-Starkey, K., & Bunch, L. N. (2020). Health insurance coverage in the United States:
2019. Washington, DC: US Census Bureau.
Health Insurance Coverage in the United States: 2021 (census.gov)
Kellen, E., Bulens, P., Deckx, L., Schouten, H., Van Dijk, M., Verdonck, I., & Buntinx, F. (2010).
Identifying an accurate pre-screening tool in geriatric oncology. Critical Reviews in
Oncology/Hematology, 75(3), 243-248.
https://www.sciencedirect.com/science/article/abs/pii/S1040842809002479
Kichloo, A., Albosta, M., Dettloff, K., Wani, F., El-Amir, Z., Singh, J., ... & Chugh, S. (2020).
Telemedicine, the current COVID-19 pandemic and the future: A narrative review and
perspectives moving forward in the USA. Family Medicine and Community Health, 8(3).
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7437610/
Kikkas, K., & Lorenz, B. (2020, July). Training young cybersecurity talents–the case of
Estonia. In International Conference on Human-Computer Interaction (pp. 256-263).
Cham: Springer International Publishing.
https://link.springer.com/chapter/10.1007/978-3-030-50729-9_36
Kimberlin, C. L., & Winterstein, A. G. (2008). Validity and reliability of measurement
instruments used in research. American Journal of Health-System Pharmacy, 65(23),
2276-2284.
https://academic.oup.com/ajhp/article-abstract/65/23/2276/5129506
Kitsios, F., & Kapetaneas, N. (2022). Digital transformation in healthcare 4.0: Critical
factors for business intelligence systems. Information (Basel), 13(5), 247–.
https://doi.org/10.3390/info13050247
Khanna, K., Ravikumar, G., & Govindarasu, M. (2023, February). Defense-in-depth framework
for power transmission system against cyber-induced substation outages. In 2023 IEEE
Texas Power and Energy Conference (TPEC) (pp. 1-6). IEEE.
https://ieeexplore.ieee.org/abstract/document/10078481/
Khatri, N. (2021). Crony capitalism in US health care: Anatomy of a dysfunctional system.
Routledge.
Khuntia, J., Ning, X., & Stacey, R. (2021). Digital orientation of health systems in the
post-COVID-19 “new normal” in the United States: Cross-sectional survey. Journal of
Medical Internet Research, 23(8), e30453–e30453.
https://doi.org/10.2196/30453
Kim, G., Kim, S., Kang, S., & Kim, J. (2022). A method for decrypting data infected with hive
ransomware. Journal of Information Security and Applications, 71, 103387–.
https://doi.org/10.1016/j.jisa.2022.103387
Kraus, S., Schiavone, F., Pluzhnikova, A., & Invernizzi, A. C. (2021). Digital
transformation in healthcare: Analyzing the current state-of-research. Journal of Business
Research, 123, 557–567.
https://doi.org/10.1016/j.jbusres.2020.10.030
Kruszyńska-Fischbach, A., Sysko-Romańczuk, S., Napiórkowski, T. M., Napiórkowska,
A., & Kozakiewicz, D. (2022). Organizational e-health readiness: How to prepare the
primary healthcare providers’ services for digital transformation. International Journal of
Environmental Research and Public Health, 19(7), 3973–.
https://doi.org/10.3390/ijerph19073973
Kumar, M., Kavita, K., Verma, S., Kumar, A., Ijaz, M. F., & Rawat, D. B. (2022). ANAF-IoMT:
A novel architectural framework for IoMT-enabled smart healthcare system by enhancing
security based on recc-vc. IEEE Transactions on Industrial Informatics, 18(12), 8936–
8943.
https://doi.org/10.1109/TII.2022.3181614
Lakhan, A., Mohammed, M. A., Kozlov, S., & Rodrigues, J. J. P. C. (2021). Mobile‐fog‐cloud
assisted deep reinforcement learning and blockchain‐enable IoMT system for healthcare
workflows. Transactions on Emerging Telecommunications Technologies.
https://doi.org/10.1002/ett.4363
Latta, G. F. (2009). A process model of organizational change in cultural context (OC3
model): The impact of organizational culture on leading change. Journal of Leadership &
Organizational Studies, 16(1), 19–37.
https://doi.org/10.1177/1548051809334197
Lavine, L. (2020). Take steps now to combat cyberattacks. Dental Products Report, 54(3), 68–
68.
LeCompte, M. D. (2000). Analyzing qualitative data. Theory Into Practice, 39(3), 146-154.
https://www.tandfonline.com/doi/abs/10.1207/s15430421tip3903_5?journalCode=htip20
Liaqat, S., Akhunzada, A., Shaikh, F. S., Giannetsos, A., & Jan, M. A. (2020). SDN
orchestration to combat evolving cyber threats in internet of medical things (IoMT).
Computer Communications, 160, 697–705.
https://doi.org/10.1016/j.comcom.2020.07.006
Liss, S. (2022).. HR Dive.
Litwin, G. H., & Stringer, R. A. (1970). Motivation and organizational climate. Journal of
Extension, 8(1), 47.
Li, L., Zhan, S., Mckendrick, K., Yang, C., Mazumdar, M., Kelley, A. S., & Aldridge, M. D.
(2023). Examining annual transitions in healthcare spending among U.S. medicare
beneficiaries using multistate Markov models: Analysis of medicare current beneficiary
survey data, 2003–2019. Preventive Medicine Reports, 32, 102171–.
https://doi.org/10.1016/j.pmedr.2023.102171
Lopez, V., & Whitehead, D. (2013). Sampling data and data collection in qualitative
research. Nursing & Midwifery Research: Methods and Appraisal for Evidence-Based
Practice, 123, 140.
file:///C:/Users/17149/Downloads/4e-2ndproof-ch7%20(1).pdf
Lundin, A. (2023). Best practices for thwarting medical device cyberattacks.
24x7 (East Providence, R.I.).
ProQuestDocuments-2023-04-23(11).pdf
https://www.proquest.com/docview/2785458370?parentSessionId=0wh5hOZo55tV%2Fw3LaRzrBVMw%2B6cG1rGA0WtzUOau4ig%3D&pq-origsite=primo&accountid=14749
Lynley, M. (2022). Protecting remote workers from cyberattacks requires a culture shift and new
ways to guard against the “weak link” of human behavior, experts say. Business Insider.
https://www.proquest.com/docview/2665063975?parentSessionId=tWKC9FLnQnUW4VuhqU9Zwj7JZM3Cf%2BYQa%2B0ZAjaRGEU%3D&pq-origsite=primo&accountid=14749
Mace, S. (2021, January 29). Report: Healthcare most targeted industry for cyber-crime in 2020.
Report: Healthcare Most Targeted Industry for Cyber-Crime in 2020 | HealthLeaders
Media
Manríquez Roa, T., & Biller-Andorno, N. (2022). Financial incentives for participants in health
research: when are they ethical? Swiss Medical Weekly, 152(1112), w30166–w30166.
https://doi.org/10.4414/SMW.2022.w30166
Martin, G., Martin, P., Hankin, C., Darzi, A., & Kinross, J. (2017). Cybersecurity and healthcare:
How safe are we?. Bmj, 358.
Cybersecurity and healthcare: how safe are we? | The BMJ
Martins, N., & Coetzee, M. (2009). Applying the Burke-Litwin model as a diagnostic framework
for assessing organisational effectiveness: original research. SA Journal of Human
Resource Management, 7(1), 1–13.
https://journals.co.za/doi/abs/10.10520/EJC95887
Mason, J. (2017). Qualitative researching. Sage.
Mauskopf, J. A., Paul, J. E., Grant, D. M., & Stergachis, A. (1998). The role of cost-consequence
analysis in healthcare decision-making. Pharmacoeconomics, 13, 277-288.
https://link.springer.com/article/10.2165/00019053-199813030-00002
Maxwell, J. A. (2012). Qualitative research design: An interactive approach. Sage publications.
Maxwell, J. A., & Chmiel, M. (2014). Generalization in and from qualitative analysis. The SAGE
Handbook of Qualitative Data Analysis, 7(37), 540-553.
McDonald, G., Papadopoulos, P., Pitropakis, N., Ahmad, J., & Buchanan, W. J. (2022).
Ransomware: Analyzing the impact on windows active directory domain services.
Sensors (Basel, Switzerland), 22(3), 953–.
https://doi.org/10.3390/s22030953
Mensik, M. (2020). Anthem to pay almost $40M to settle 2015 cyberattack
investigation. HR Dive.
Mento, A., Jones, R., & Dirndorfer, W. (2002). A change management process: Grounded in
both theory and practice. Journal of Change Management, 3(1), 45–59.
https://doi.org/10.1080/714042520
Merriam, S. B., & Tisdell, E. J. (2016). Qualitative research: A guide to design and
implementation (4th ed.). Jossey-Bass.
Mesly, O. (2015). Creating models in psychological research (1st ed. 2015.). Springer
International Publishing.
https://doi.org/10.1007/978-3-319-15753-5
Miracle, V. A. (2016). The belmont report: The triple crown of research ethics. Dimensions
of Critical Care Nursing, 35(4), 223–228.
https://doi.org/10.1097/DCC.0000000000000186
Mohurle, S., & Patil, M. (2017). A brief study of wannacry threat: Ransomware attack 2017.
International Journal of Advanced Research in Computer Science, 8(5), 1938–.
https://doi.org/10.26483/ijarcs.v8i5.4021
Monteith, S., Bauer, M., Alda, M., Geddes, J., Whybrow, P. C., & Glenn, T. (2021). Increasing
cybercrime since the pandemic: Concerns for psychiatry. Current Psychiatry Reports,
23(4), 18–18.
https://doi.org/10.1007/s11920-021-01228-w
Murphy, S. M. E., Hough, D. E., Sylvia, M. L., Sherry, M., Dunbar, L. J., Zollinger, R.,
Richardson, R., Berkowitz, S. A., & Frick, K. D. (2018). Going beyond clinical care to
reduce health care spending: Findings from the J-chip community-based population
health management program evaluation. Medical Care, 56(7), 603–609.
https://doi.org/10.1097/MLR.0000000000000934
Narang, M., Jatain, A., & Punetha, N. (2023). A study on cyber-attack detection in IoMT using
machine learning techniques. Available at SSRN 4387775.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4387775
National Institute of Standards and Technology (n.d.). National Institute of Standards and
Technology.
https://www.bing.com/ck/a?!&&p=d5336b49cecf8495JmltdHM9MTcwODIxNDQwMCZpZ3VpZD0yYmU0NGE5Yy01MmJmLTYxOTUtMmI2Ni01YjU5NTM1MTYwZDEmaW5zaWQ9NTIxOQ&ptn=3&ver=2&hsh=3&fclid=2be44a9c-52bf-6195-2b66-5b59535160d1&psq=NIST+Website&u=a1aHR0cHM6Ly93d3cubmlzdC5nb3Yv&ntb=1
Ndichu, S., McOyowo, S., Okoyo, H., & Wekesa, C. (2020). A remote access security model
based on vulnerability management. Int. J. Inf. Technol. Computer. Sci, 12(5), 38-51.
http://www.mecs-press.net/ijitcs/ijitcs-v12-n5/IJITCS-V12-N5-3.pdf
Nelson, C., Lester-Coll, N. H., Li, P. C., Gagne, H., Anker, C. J., Deeley, M. A., & Wallace, H.
J. (2021). Development of rapid response plan for radiation oncology in response to
cyberattack. Advances in Radiation Oncology, 6(1), 100613–100613.
https://doi.org/10.1016/j.adro.2020.11.001
Newaz, A. I., Sikder, A. K., Rahman, M. A., & Uluagac, A. S. (2021). A survey on security and
privacy issues in modern healthcare systems: Attacks and defenses. ACM Transactions
on Computing for Healthcare, 2(3), 1-44.
https://dl.acm.org/doi/abs/10.1145/3453176
Neyret, A. (2020). Stock market cybercrime. Autorite de Marches
Financiers, 2020-02.
http://www.amf-france.org/sites/institutionnel/files/2020-02/study-stock-market-cybercrime-_-definition-cases-and-perspectives.pdf
Nikander, P. (2008). Working with transcripts and translated data. Qualitative Research in
Psychology, 5(3), 225-231.
https://www.tandfonline.com/doi/abs/10.1080/14780880802314346
Nimmy, K., Sankaran, S., Achuthan, K., & Calyam, P. (2022). Lightweight and privacy-preserving
remote user authentication for smart homes. IEEE Access, 10, 176–190.
https://doi.org/10.1109/ACCESS.2021.3137175
Noble, H., & Smith, J. (2015). Issues of validity and reliability in qualitative research. Evidence-Based
Nursing, 18(2), 34-35.
https://ebn.bmj.com/content/ebnurs/18/2/34.full.pdf
Nolan, S., Hendricks, J., Williamson, M., & Ferguson, S. (2018). Using narrative inquiry to listen
to the voices of adolescent mothers in relation to their use of social networking sites
(SNS). Journal of Advanced Nursing, 74(3), 743-751.
https://onlinelibrary.wiley.com/doi/abs/10.1111/jan.13458
Nordstrom, S. N. (2015). Not so innocent anymore: Making recording devices matter in
qualitative interviews. Qualitative Inquiry, 21(4), 388–401.
https://doi.org/10.1177/1077800414563804
Noumair, D.A. (2018). Burke Litwin Change Model [Clip art]. Springer Link.
https://link.springer.com/referenceworkentry/10.1007/978-3-319-52878-6_34.
Offner, K.L., Sitnikova, E., Joiner, K., & MacIntyre, C. R. (2020). Towards understanding
cybersecurity capability in Australian healthcare organisations: A systematic review of
recent trends, threats and mitigation. Intelligence and National Security, 35(4), 556–585.
https://doi.org/10.1080/02684527.2020.1752459
Ogden, S. E. (2021). Cybersecurity: creating a cybersecurity culture.
https://scholarworks.lib.csusb.edu/etd/1284/
Olivier, B. H. (2017). The use of mixed-methods research to diagnose the organisational
performance of a local government. SA Journal of Industrial Psychology, 43(1), 1–14.
https://doi.org/10.4102/sajip.v43i0.1453
Oliver, P. (2010). The student's guide to research ethics. McGraw-Hill Education.
https://books.google.com/books?hl=en&lr=&id=WIuNij1aGtoC&oi=fnd&pg=PP1&dq=research+ethics+&ots=hLXBUi_BQp&sig=dI9AaNjycNtinYmfdy1w70m2XYM#v=onepage&q=research%20ethics&f=false
Oppong, S. H. (2013). The problem of sampling in qualitative research. Asian Journal of
Management Sciences and Education, 2(2), 202-210.
http://www.ajmse.leena-luna.co.jp/AJMSEPDFs/Vol.2(2)/AJMSE2013(2.2-21).pdf
Pak, A., Adegboye, O. A., Adekunle, A. I., Rahman, K. M., McBryde, E. S., & Eisen, D. P.
(2020). Economic consequences of the COVID-19 outbreak: The need for epidemic
preparedness. Frontiers in Public Health, 8, 241–241.
https://doi.org/10.3389/fpubh.2020.00241
Panetta, J. J., & Schroth, R. A. (2015). Cybersecurity act of 2015 review.
https://www.american.edu/kogod/research/cybergov/articles/upload/kogodkcgc_cybersecurity-act-of-2015-review_panetta-schroth-2016.pdf
Paradis, E., O'Brien, B., Nimmon, L., Bandiera, G., & Martimianakis, M. A. (2016). Design:
Selection of data collection methods. Journal of graduate medical education, 8(2), 263-
264.
https://meridian.allenpress.com/jgme/article/8/2/263/34418/Design-Selection-of-Data-Collection-Methods
Pardee, R. L. (1990). Motivation theories of Maslow, Herzberg, McGregor & McClelland. A
literature review of selected theories dealing with job satisfaction and motivation.
https://eric.ed.gov/?id=ed316767
Park, E., Dwyer, A., Brooks, T., Clark, M., & Alker, J. (2023). Consolidated appropriations act,
2023: Medicaid and CHIP provisions explained.
https://ccf.georgetown.edu/wp-content/uploads/2023/01/Consolidated-Approp-v3a-1.pdf
Patel, H. (2023). The future of cybersecurity with artificial intelligence (AI) and machine
learning (ML).
https://www.preprints.org/manuscript/202301.0115
Patil, A. P., Karkal, G., Wadhwa, J., Sawood, M., & Reddy, K. D. (2020, December). Design and
implementation of a consensus algorithm to build zero trust model. In 2020 IEEE 17th
India Council International Conference (INDICON) (pp. 1-5). IEEE.
https://ieeexplore.ieee.org/abstract/document/9342207/
Patton, M. Q. (2014). Qualitative research & evaluation methods: Integrating theory and
practice. Sage publications.
Paul, C., & Brookes, B. (2015). The rationalization of unethical research: Revisionist accounts of
the Tuskegee syphilis study and the New Zealand “unfortunate experiment.” American
Journal of Public Health (1971), 105(10), e12–e19.
https://doi.org/10.2105/AJPH.2015.302720
Paxton, A. (2021). AP lab maps its cyberattack recovery. CAP Today, 35(8), 1–16.
AP_lab_maps_its_cyberattack_re.pdf
Payne, G., & Williams, M. (2005). Generalization in qualitative research. Sociology (Oxford),
39(2), 295–314.
https://doi.org/10.1177/0038038505050540
Pazzaglia, A. M., Stafford, E. T., & Rodriguez, S. M. (2016). Survey methods for educators:
Selecting samples and administering surveys (Part 2 of 3). REL 2016-160. Regional
Educational Laboratory Northeast & Islands. Retrieved from
https://ies.ed.gov/ncee/edlabs/
Perera, F. D. P. R., & Peiró, M. (2012). Strategic planning in healthcare organizations. Revista
Española de Cardiología (English Edition), 65(8), 749-754.
https://ieeexplore.ieee.org/abstract/document/8947677/
Perera, S., Jin, X., Maurushat, A., & Opoku, D. G. J. (2022). Factors affecting reputational
damage to organisations due to cyberattacks. Informatics (Basel), 9(1), 28–.
https://doi.org/10.3390/informatics9010028
Perry, H., Tsai, E. M., Perusse, K., Herschorn, S. D., & Watson, E. J. (2023, February). Breast
imaging during a cyberattack and global pandemic: What we did to pick up the pieces. In
Seminars in Ultrasound, CT and MRI (Vol. 44, No. 1, pp. 18-22). WB Saunders.
https://doi.org/10.1053/j.sult.2022.10.001
Pilla, R., Oseni, T., & Stranieri, A. (2023). A study into the impact of data breaches of
electronic health records. In Proceedings of the 2023 Australasian Computer Science
Week (pp. 252-254).
https://dl.acm.org/doi/abs/10.1145/3579375.3579415
Pollini, Callari, T. C., Tedeschi, A., Ruscio, D., Save, L., Chiarugi, F., & Guerri, D. (2022).
Leveraging human factors in cybersecurity: An integrated methodological approach.
Cognition, Technology & Work, 24(2), 371–390.
https://doi.org/10.1007/s10111-021-00683-y
Prada-Ramallal, G., Takkouche, B., & Figueiras, A. (2019). Bias in pharmacoepidemiologic
studies using secondary health care databases: A scoping review. BMC Medical Research
Methodology, 19, 1-14.
https://link.springer.com/article/10.1186/s12874-019-0695-y
Pranggono, B., & Arabo, A. (2021). COVID‐19 pandemic cybersecurity issues. Internet
Technology Letters, 4(2).
https://doi.org/10.1002/itl2.247
123
Pruett, M. M. (2013). Instructional coaching: Leadership styles and practices. ProQuest LLC.
789 East Eisenhower Parkway, PO Box 1346, Ann Arbor, MI 48106.
https://eric.ed.gov/?id=ED558700
Raimo, M., De Turi, I., Albergo, F., & Vitolla, F. (2023). The drivers of the digital
transformation in the healthcare industry: An empirical analysis in Italian hospitals.
Technovation, 121, 102558.
https://doi.org/10.1016/j.technovation.2022.102558
Razdan, S., & Sharma, S. (2022). Internet of medical things (IoMT): Overview, emerging
technologies, and case studies. Technical Review - IETE, 39(4), 775–788.
https://doi.org/10.1080/02564602.2021.1927863
Redhead, C. S. (2018). Digital health information and the threat of cyberattack [Library of
Congress public edition]. Congressional Research Service
Regan, E. A. (2022). Changing the research paradigm for digital transformation in healthcare
delivery. Frontiers in Digital Health.
https://drive.google.com/file/d/18AaYjXhlv593VfJNssoTQfI0ZHwPIVHq/view
Ricciardi, W., Pita Barros, P., Bourek, A., Brouwer, W., Kelsey, T., Lehtonen, L.,
Anastasy, C., Barry, M., De Maeseneer, J., Kringos, D., McKee, M., Murauskiene, L.,
Nuti, S., Siciliani, L., & Wild, C. (2019). How to govern the digital transformation of
health services. European Journal of Public Health, (29), 7–12.
https://doi.org/10.1093/eurpub/ckz165
124
Ridge, D., Bullock, L., Causer, H., Fisher, T., Hider, S., Kingstone, T., Gray, L., Riley, R., Smyth,
N., Silverwood, V., Spiers, J., & Southam, J. (2023). “Imposter participants” in online
qualitative research, a new and increasing threat to data integrity? Health Expectations:
an International Journal of Public Participation in Health Care and Health Policy,
26(3), 941–944.
https://doi.org/10.1111/hex.13724
Ridic, G., Gleason, S., & Ridic, O. (2012). Comparisons of health care systems in the United
States, Germany and Canada. Materia Socio-Medica, 24(2), 112.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3633404/
Roberts, P., & Priest, H. (2006). Reliability and validity in research. Nursing Standard, 20(44),
41-46.
https://go.gale.com/ps/i.do?id=GALE%7CA149022548&sid=googleScholar&v=2.1&it=r
&linkaccess=abs&issn=00296570&p=HRCA&sw=w&userGroupName=anon%7E36ba2
2ac&aty=open+web+entry
Robinson, O. C. (2014). Sampling in interview-based qualitative research: A theoretical and
practical guide. Qualitative Research in Psychology, 11(1), 25–41.
https://doi.org/10.1080/14780887.2013.801543
Robinson, S. B., & Firth Leonard, K. (2019). Designing quality survey questions. Sage
Sabillon, S. (2018). A practical model to perform comprehensive cybersecurity audits.
Enfoque UTE : Revista Científica, 9(1), 127–137.
https://doi.org/10.29019/enfoqueute.v9n1.214
125
Samuel, O., Omojo, A. B., Onuja, A. M., Sunday, Y., Tiwari, P., Gupta, D., Hafeez, G., Yahaya,
A. S., Fatoba, O. J., & Shamshirband, S. (2023). IoMT: A COVID-19 healthcare system
driven by federated learning and blockchain. IEEE Journal of Biomedical and Health
Informatics, 27(2), 1–1.
https://doi.org/10.1109/JBHI.2022.3143576
Sanusi, K., & Dickason-Koekemoer, Z. (2022). Cryptocurrency returns, cybercrime and stock
market volatility: GAS and regime switching approaches. International Journal of
Economics and Financial Issues, 12(6), 52–64.
https://doi.org/10.32479/ijefi.13555
Sagarra, S. (2021). Lessons from a cyberattack. EMS World, 50(11), 16–17.
LESSONS_FROM_A_CYBERATTACK.pdf
Scott, I., Sullivan, C., & Staib, A. (2019). Going digital: A checklist in preparing for hospitalwide electronic medical record implementation and digital transformation. Australian
Health Review, 43(3), 302–313.
https://doi.org/10.1071/AH17153
Scott, W. R., & Davis, G. F. (2015). Organizations and organizing: Rational, natural and open
systems perspectives. Routledge.
Seror, A. C. (2002). Internet infrastructures and health care systems: A qualitative
comparative analysis on networks and markets in the British national health service and
Kaiser Permanente. Journal of Medical Internet Research, 4(3), E21–E21.
https://doi.org/10.2196/jmir.4.3.e21
126
Servidio, J. S., & Taylor, R. D. (2015). Safe and Sound: Cybersecurity for Community
Banks. Journal of Taxation & Regulation of Financial Institutions, 28(4).
https://search.ebscohost.com/login.aspx?direct=true&profile=ehost&scope=site&authtyp
e=crawler&jrnl=15473996&AN=102071237&h=YxBU2lKGGFIhpkLyC%2Fsa3dbcU6h
vtbA7sSirQ2RlzJ4XYAogNK%2Bmpe3NAuGDzWQT4wq45Lem9ME9llAJSK35eg%3
D%3D&crl=c
Sen, R. (2018). Challenges in cybersecurity: Current state of affairs. Communications of The
Association for Information Systems, 43(2).
https://aisel.aisnet.org/cais/vol43/iss1/2
Seshaiyer, P., & McNeely, C. L. (2020). Challenges and opportunities from COVID‐19 for
global sustainable development. World Medical and Health Policy, 12(4), 443–453.
https://doi.org/10.1002/wmh3.380
Sethuraman, S. C., & Vijayakumar, V., & Walczak, S. (2020). Cyber attacks on healthcare
devices using unmanned aerial vehicles. Journal of Medical Systems, 44(29).
http://doi.org/10.1007/s10916-019-1489-9
Shahbaznezhad, H., Kolini, F., & Rashidirad, M. (2021). Employees’ behavior in phishing
attacks: What individual, organizational, and technological factors matter? The Journal of
Computer Information Systems, 61(6), 539–550.
https://doi.org/10.1080/08874417.2020.1812134
Shamim, A., Fayyaz, B., & Balakrishnan, V. (2014, August). Layered defense in depth model for
it organizations. In Proceedings of the 2nd International Conference on Innovations in
Engineering and Technology, Bengaluru, India (pp. 21-23).
http://iieng.org/images/proceedings_pdf/8285E0914047.pdf
127
Shang, T., Zhang, J. Y., & Klonoff, D. C. (2021). The FDA pilot accreditation scheme for
conformity: will it pertain to cybersecurity of diabetes devices?. Journal of Diabetes
Science and Technology, 15(3), 535-538.
https://link.springer.com/chapter/10.1007/978-3-031-33902-8_11
Shankar, N., & Mohammed, Z. (2020). Surviving data breaches: A multiple case study
analysis. Journal of Comparative International Management, 23(1), 35-54.
Surviving Data Breaches: A Multiple Case Study An… – Journal of Comparative
International Management – Érudit (erudit.org)
Sharma, S., Parihar, A., & Gahlot, K. (2022). Blockchain-based IoT architecture. Blockchain,
Artificial Intelligence, and the Internet of Things: Possibilities and Opportunities, 187-
205.
Blockchain-Based IoT Architecture | SpringerLink
Shinkman, R. (2021). COVID-19 leads to explosion in cyberattacks, data breaches. HR Dive.
https://www.proquest.com/docview/2490580910?parentSessionId=F3F7to5FXYrHZ%2F
jySCGbemLNE1jHVAvpsfJZpI5firc%3D&pq-origsite=primo&accountid=14749
Shrank, W. H., Rogstad, T. L., & Parekh, N. (2019). Waste in the US health care system:
estimated costs and potential for savings. Jama, 322(15), 1501-1509.
Waste in the US Health Care System: Estimated Costs and Potential for Savings | Health
Care Reform | JAMA | JAMA Network
Siemionow, M. (2019). Ethical considerations. In Face to Face (pp. 93–105). Springer
International Publishing AG.
https://doi.org/10.1007/978-3-030-06055-8_
Sileyew, K. J. (2019). Research design and methodology (pp. 1-12). Rijeka: IntechOpen.
128
Silva, A., López, L. I. B., Caraguay, Á. L. V., & Hernández-álvarez, M. (2019). A survey on
situational awareness of ransomware attacks-detection and prevention parameters.
Remote Sensing (Basel, Switzerland), 11(10), 1168.
https://doi.org/10.3390/rs1110116
Sims, J. M. (2010). A brief review of the belmont report. Dimensions of Critical Care
Nursing, 29(4), 173–174.
https://doi.org/10.1097/DCC.0b013e3181de9ec5
Singh, C., Thakkar, R., & Warraich, J. (2023). IAM identity access management—importance
in maintaining security systems within organizations. European Journal of Engineering
and Technology Research, 8(4), 30-38.
https://www.ej-eng.org/index.php/ejeng/article/view/3074
Slabodkin, G. (2021). FDA wants to require timely updates, patches for legacy devices: cyber
chief. HR Dive.
https://www.proquest.com/docview/2549681487?parentSessionId=kY5Y5%2FXyNunG
A9z3LUf6PFnYg3%2B5%2FqaYkfwDqTxSCeE%3D&pqorigsite=primo&accountid=14749
Smith, K., Jones, A., Johnson, L., & Smith, L. M. (2019). Examination of cybercrime and its
effects on corporate stock value. Journal of Information, Communication & Ethics in
Society (Online), 17(1), 42–60.
https://doi.org/10.1108/JICES-02-2018-0010
Stafford, V. A. (2020). Zero trust architecture. NIST special publication, 800, 207.
https://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.SP.800-207.pdf
Steiner, G. A. (2010). Strategic planning. Simon and Schuster.
129
Stevens, G., De Bosschere, K., & Verdonck, P. (2021). Is healthcare ready for a digital future?.
In HiPEAC vision 2021: High performance embedded architecture and compilation
(pp. 198-205). HiPEAC.
Stevens, G., De Bosschere, K., & Verdonck, P. (2021). Is healthcare ready for a digital future?.
In HiPEAC vision 2021: High performance embedded architecture and compilation
(pp. 1 98-205). HiPEAC.
Stone, K. B. (2012). Lean transformation: Organizational performance factors that influence
firms’ leanness. Journal of Enterprise Transformation, 2(4), 229-249.
https://www.tandfonline.com/doi/abs/10.1080/19488289.2012.664611
Stone, K. B. (2015). Burke-Littwin organizational assessment survey: Reliability and
validity. Organization Development Journal, 33(2).
https://web.p.ebscohost.com/abstract?direct=true&profile=ehost&scope=site&authtype=c
rawler&jrnl=08896402&AN=103722557&h=3pBkgCIMeUazYz3v3ASCjoBrvh86XGhI
6QItlLYOOYKu051sLvqHiKPUYlf0QNjOUChM%2fWMUEIHRICj8HZBK9w%3d%3
d&crl=c&resultNs=AdminWebAuth&resultLocal=ErrCrlNotAuth&crlhashurl=login.asp
x%3fdirect%3dtrue%26profile%3dehost%26scope%3dsite%26authtype%3dcrawler%26j
rnl%3d08896402%26AN%3d103722557
Storace, R. (2020). Anthem reaches $39.5M settlement with 43 states over data breach.
BenefitsPRO.
130
Stowman, A. M. (2022). Anatomy of a cyberattack: Part 2: Managing a clinical pathology
laboratory during 25 days of downtime. American Journal of Clinical Pathology, 157(5),
653-663.
Anatomy of a Cyberattack: Part 2: Managing a Clinical Pathology Laboratory During 25
Days of Downtime | American Journal of Clinical Pathology | Oxford Academic
(oup.com)t
Stoumpos, A. I., Kitsios, F., & Talias, M. A. (2023). Digital transformation in healthcare:
Technology acceptance and its applications. International Journal of Environmental
Research and Public Health, 20(4), 3407.
Strijker, D., Bosworth, G., & Bouter, G. (2020). Research methods in rural studies:
Qualitative, quantitative and mixed methods. Journal of Rural Studies, 78, 262-270.
https://www.sciencedirect.com/science/article/abs/pii/S074301671830740X
Stuckey, H. L. (2013). Three types of interviews: Qualitative research methods in social health.
Journal of Social Health and Diabetes, 1(2), 056–059.
https://doi.org/10.4103/2321-0656.115294
Sumanthkuluru, L. (2021). Securityscorecard offers cybersecurity ratings for enterprises.
GlobalData plc.
Sürücü, L., & Maslakci, A. (2020). Validity and reliability in quantitative research. Business
& Management Studies: An International Journal, 8(3), 2694-2726.
https://www.bmij.org/index.php/1/article/view/1540
Swasey, K. (2020). Insufficient healthcare cybersecurity invites ransomware attacks and sale of
phi on the dark web. Center for Anticipatory Intelligence Student Research Reports.
https://www.usu.edu/cai/files/studentpaper-swasey.pdf
131
Swinhoe, D. (2019). The biggest data breach fines, penalties and settlements so far.
CSO (Online).
Taherdoost, H. (2021). Data collection methods and tools for research; A step-by-step guide
to choose data collection technique for academic and business research projects.
International Journal of Academic Research in Management (IJARM), 10(1), 10-38.
https://hal.science/hal-03741847/
Tarka, M., Blankstein, M., & Schottel, P. (2023). The crippling effects of a cyberattack at an
academic level 1 trauma center: An orthopedic perspective. Injury, 54(4), 1095–1101.
https://doi.org/10.1016/j.injury.2023.02.022
Tikkanen, R., & Abrams, M. K. (2020). US health care from a global perspective, 2019: Higher
spending, worse outcomes? The commonwealth fund. US Health Care from a Global
Perspective, 2019| Commonwealth Fund, 30.
U.S. Health Care from a Global Perspective, 2019 | Commonwealth Fund
Ting-Ting, L. (2006). Nursing and healthcare management and policy: Adopting a personal
digital assistant system: Application of Lewin’s change theory. Journal of Advanced
Nursing, 55(4), 487
https://onlinelibrary.wiley.com/doi/abs/10.1111/j.1365-2648.2006.03935.x
Tiwari, S., & Sharma, N. (2022). Idea, architecture, and applications of 5g enabled IoMT
systems for smart health care system. ECS Transactions, 107(1), 5499–5508.
https://doi.org/10.1149/10701.5499ecst
Theofanidis, D., & Fountouki, A. (2018). Limitations and delimitations in the research
process. Perioperative Nursing-Quarterly Scientific, Online Official Journal of
GORNA, 7(3 September-December 2018), 155-163.
https://www.spnj.gr/en/limitations-and-delimitations-in-the-research-process-p160.html
132
Thompson, E. C. (2018). Cybersecurity incident response: How to contain, eradicate, and
recover from incidents. Apress.
Toor, A., Usman, M., Younas, F., Fong, A. C. M., Khan, S. A., & Fong, S. (2020). Mining
massive e-health data streams for IoMT enabled healthcare systems. Sensors (Basel,
Switzerland), 20(7), 2131.
https://doi.org/10.3390/s20072131
Tortorella, G. L., Saurin, T. A., Fogliatto, F. S., Rosa, V. M., Tonetto, L. M., & Magrabi, F.
(2021). Impacts of healthcare 4.0 digital technologies on the resilience of hospitals.
Technological Forecasting and Social Change, 166, 120666.
https://www.sciencedirect.com/science/article/pii/S0040162521000986?casa_token=AtN
4joecLTgAAAAA:q30eUTRKqOoPHEDLLv_IK_hEsL383ROa8H97V9zctnG0Z_wQW
SfvmE41zzDlK4IdCtERxI16
Toth, F. (2016). Classification of healthcare systems: Can we go further?. Health
Policy, 120(5), 535-543.
https://www.sciencedirect.com/science/article/abs/pii/S0168851016300562
Tsosie, K., S., Claw, K. G., & Garrison, N. A. (2021). Considering “respect for sovereignty”
beyond the belmont report and the common rule: Ethical and legal implications for
American Indian and Alaska native peoples. American Journal of Bioethics, 21(10), 27–
30.
https://doi.org/10.1080/15265161.2021.1968068
Tweneboah-Kodua, S., Atsu, F., & Buchanan, W. (2018). Impact of cyberattacks on stock
performance: A comparative study. Information and Computer Security, 26(5), 637–652.
https://doi.org/10.1108/ICS-05-2018-0
133
Uchendu, B., Nurse, J. R., Bada, M., & Furnell, S. (2021). Developing a cyber security culture:
Current practices and future needs. Computers & Security, 109, 102387.
https://www.sciencedirect.com/science/article/pii/S016740482100211X
Vaddadi, S. A., Vallabhaneni, R., & Whig, P. (2023). Utilizing AI and machine learning in
cybersecurity for sustainable development through enhanced threat detection and
mitigation. International Journal of Sustainable Development Through AI, ML and
IoT, 2(2), 1-8.
https://ijsdai.com/index.php/IJSDAI/article/view/25
Vega, R., Jackson, G. L., Henderson, B., Clancy, C., McPhail, J., Cutrona, S. L., & Bhatnagar,
S. (2019). Diffusion of excellence: accelerating the spread of clinical innovation and best
practices across the nation’s largest health system. The Permanente Journal, 23.
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6836565/
Verhoef, P., Broekhuizen, T., Bart, Y., Bhattacharya, A., Qi Dong, J., Fabian, N., &
Haenlein, M. (2021). Digital transformation: A multidisciplinary reflection and research
agenda. Journal of Business Research, 122, 889–901.
https://doi.org/10.1016/j.jbusres.2019.09.022
Virupakshar, K., Asundi, M., Channal, K., Shettar, P., Patil, S., & Narayan, D. G. (2020).
Distributed denial of service (DDoS) attacks detection system for open stack-based
private cloud. Procedia Computer Science, 167, 2297–2307.
https://doi.org/10.1016/j.procs.2020.03.282
134
VMware Releases 2021 Global Security Insights Report Detailing the Surge in Cyberattacks
Targeting the Anywhere Workforce. (2021). Normans Media Ltd.
https://www-magonlinelibrary-com.libproxy2.usc.edu/doi/abs/10.1016/S1353-
4858%2821%2900060-X
Wade, M. (2021). Digital hostages: Leveraging ransomware attacks in cyberspace.
Business Horizons, 64(6), 787–797.
https://doi.org/10.1016/j.bushor.2021.07.014
Walker, H. J., Armenakis, A. A., & Bernerth, J. B. (2007). Factors influencing organizational
change efforts: An integrative investigation of change content, context, process and
individual differences. Journal of Organizational Change Management, 20(6), 761–773.
https://doi.org/10.1108/09534810710831000
Walliman, N. (2021). Research methods: The basics. Routledge.
Warfield, N. (2021). Why healthcare keeps falling prey to ransomware and other
Cyberattacks. In Threatpost [Blog]. Newstex.
https://www.proquest.com/docview/2547561283?parentSessionId=OudA6m4Zo5IZO5e
ChMqlH4%2BuPtakQwp5013KBem0boQ%3D&pq-origsite=primo&accountid=14749
Westmoreland, H., Bouffard, S., O'Carroll, K., & Rosenberg, H. (2009). Data collection
instruments for evaluating family involvement. Harvard Family Research Project.
https://eric.ed.gov/?id=ED505809
Williams, C. (2007). Research methods. Journal of Business & Economics Research
(JBER), 5(3).
https://clutejournals.com/index.php/JBER/article/view/2532
135
Williams, P., & Woodward, A. J. (2015). Cybersecurity vulnerabilities in medical devices: A
complex environment and multifaceted problem. Medical Devices: Evidence and
Research, 305–316.
https://doi.org/10.2147/MDER.S50048
Wirth, A. (2017). The economics of cybersecurity. Biomedical Instrumentation &
Technology, 51(6), 52-59.
The Economics of Cybersecurity | Biomedical Instrumentation & Technology
(allenpress.com)
Wirth, A. (2018, February 28). Healthcare cyber security: Is that light at the end of the tunnel?
Symantec Enterprise Blogs.
https://symantec-enterprise-blogs.security.com/blogs/feature-stories/healthcare-cybersecurity-light-end-tunnel
Worldofwork.io. (2019). Burke Litwin organizational change framework [Clip art]. World of
Work Project. The Burke-Litwin Organizational Change Framework: A Simple Summary
- The World of Work Project
Wu, J. H., & Adashi, E. Y. (2023). The consolidated appropriations act, 2023: Implications for
the nation’s mental health crisis. American Journal of Psychiatry, 180(12), 878-879.
https://ajp.psychiatryonline.org/doi/full/10.1176/appi.ajp.20230300
Yucel, S. (2018, December). Estimating the benefits, drawbacks and risk of digital
transformation strategy. In 2018 International Conference on Computational Science and
Computational Intelligence (CSCI) (pp. 233-238). IEEE.
https://ieeexplore.ieee.org/abstract/document/8947677/
136
Zarocostas, J. (2021). Health under cyberattack. The Lancet (British Edition), 398(10303), 829–
830.
https://doi.org/10.1016/S0140-6736(21)01968-1
Zhan, X., Nah, F. F. H., & Cheng, M. X. (2018). An assessment of users’ cyber security risk
tolerance in reward-based exchange. In HCI in Business, Government, and
Organizations: 5th International Conference, HCIBGO 2018, Held as Part of HCI
International 2018, Las Vegas, NV, USA, July 15-20, 2018, Proceedings 5 (pp. 431-441).
Springer International Publishing.
https://link.springer.com/chapter/10.1007/978-3-319-91716-0_34
Zhang, H., Xiao, X., Mercaldo, F., Ni, S., Martinelli, F., & Sangaiah, A. K. (2019). Classification
of ransomware families with machine learning based on n-gram of opcodes. Future
137
Appendix A: Screening Survey
This survey will take only a couple of minutes and will be very valuable for completing
our research. The responses you give will stay anonymous. Please read each question carefully
and circle the answer that applies. No information or questionnaire answers are shared with
anyone outside the research committee.
Table A1
Screening Survey
| Question | Open or closed? | Level of measurement (nominal, ordinal, interval, ratio) | Response options (Select one) |
|---|---|---|---|
| 1. I am a certified IT professional with a minimum of 5 years of leadership experience in healthcare IT security. | Closed | Nominal | Yes / No |
| 2. I have experience building out complex IT infrastructures for decentralized healthcare systems. | Closed | Nominal | Yes / No |
| 3. I have experience managing multi-million-dollar IT infrastructure budgets for nonprofit healthcare organizations. | Closed | Nominal | Yes / No |
| 4. I am proficient with industry-standard cybersecurity tools and applications. | Closed | Nominal | Yes / No |
| 5. I am familiar with cyber security risk assessments. | Closed | Nominal | Yes / No |
| 6. I am proficient with National Institute of Standards and Technology (NIST) 8053 framework. | Closed | Nominal | Yes / No |
| 7. I am employed as a full-time employee or consultant for a non-profit healthcare organization. | Closed | Nominal | Yes / No |
Appendix B: Interview Protocol
Introduction to the Interview:
Thank you for agreeing to talk to me today [ ]. My name is Ed Young, and I am a
doctoral student at the Rossier School of Education, and I am conducting research. The purpose
of this study is to examine transformational factors (e.g., leadership, mission & strategy, and
culture) of your organization to understand the security posture of your healthcare organization.
Let me give you an outline of what to expect during the interview process. I will ask you a series of
questions and follow-up questions based on your responses. The interview process will take 45
to 60 minutes; make sure you are available to commit at least 60 minutes of uninterrupted time to
conduct the interview.
Additionally, I would like to record our session and take interview transcripts. The
purpose of the recording will be to confirm my notes and validate your responses. The
confidential recordings are securely stored and not shared with anyone. Lastly, you have no
obligation to answer any questions that make you uncomfortable and can end the interview
anytime. If there are no further questions, do I have your informed consent to conduct the
interview and record our session? Please print and sign your name on the informed consent form
and let us begin.
Conclusion to the Interview:
This concludes our interview. I will now review my notes, transcribe the recording, and
analyze the data. Do I have your permission to contact you if I have a follow-up question? As
stated, the recordings will help transcribe the audio, but the contents will not be shared with
anyone. If you have any questions, please do not hesitate to contact me. Once again, thank you
for agreeing to talk to me.
Table B1
Interview Protocol
| Interview questions | Potential probe | RQ | Key concept |
|---|---|---|---|
| 1. How long have you worked in IT? | What brought you to the healthcare sector? | RQ1 | Rapport building and trying to establish trust. |
| 2. Describe to me how the organization prioritizes capital expenditures for the fiscal year? | What is your role in the capital planning process? | RQ1 | Transformational factors such as strategic planning and organizational culture. |
| 3. How might you describe your role in the strategic planning process? | Tell me more about that? | RQ1 | Transactional factors and transactional factors such as procedures and organizational culture. |
| 4. How does the current IT security strategy align with the strategic goals of the organization? | Can you expound on that? | RQ1/RQ2 | Transformational factors such as mission and vision of the organization. |
| 5. How confident are you about the strategy to improve IT security of the organization? | | RQ1/RQ2 | Transformational and transactional factors such as strategic planning and processes. |
| 6. How might you describe the organization’s capacity to expand the IT infrastructure? | Would you do something different? | RQ2 | Transactional factors such as process, procedures, and capabilities. |
| 7. What barriers, if any, do you believe prevent the organization from committing more resources to enhance cybersecurity? | Can you tell me more about that? | RQ1/RQ2 | Transformational factors such as strategy, organizational culture, and leadership. |
| 8. Can you describe to me what role cost plays in the decision-making process? | Can you walk me through an example? | RQ2 | Transformational factors such as strategy and leadership. |
| 9. How might leadership address the issue of an ineffective IT security strategy? | Are you empowered to provide alternative solutions? | RQ1/RQ2 | Transformational factors such as strategy and leadership. |
| 10. Does the organization prefer to outsource its IT team or have dedicated in-house IT staff? | Why do you think that is? | RQ1/RQ2 | Transformational factors such as strategy. |
| 11. How does the organization perceive the value of improving IT infrastructure? | | RQ1/RQ2 | Transformational factors such as strategy. |
| 12. Can you describe how leadership develops IT security strategies? | Can you walk me through the process? | RQ1/RQ2 | Transformational factors such as strategy. |
| 13. If provided the opportunity, what would you do to bolster the security posture of the organization? | Please expound. | RQ2 | Transformational factors such as strategy and leadership. |
Asset Metadata
Creator: Young, Edward (author)
Core Title: A qualitative study that examines the transformational factors that prevent cybersecurity from being a funding priority in healthcare organizations
School: Rossier School of Education
Degree: Doctor of Education
Degree Program: Organizational Change and Leadership (On Line)
Degree Conferral Date: 2024-05
Publication Date: 03/28/2024
Defense Date: 03/06/2024
Publisher: Los Angeles, California (original), University of Southern California (original), University of Southern California. Libraries (digital)
Tag: Burke-Litwin change model, culture, cybercrime, cybersecurity, leadership, OAI-PMH Harvest, strategy, transformational factors
Format: theses (aat)
Language: English
Contributor: Electronically uploaded by the author (provenance)
Advisor: Datta, Monique (committee chair), Maddox, Anthony (committee member), Pritchard, Marc (committee member)
Creator Email: eddyoung28@yahoo.com, edyoung@usc.edu
Permanent Link (DOI): https://doi.org/10.25549/usctheses-oUC113859108
Unique identifier: UC113859108
Identifier: etd-YoungEdwar-12730.pdf (filename)
Legacy Identifier: etd-YoungEdwar-12730
Document Type: Dissertation
Rights: Young, Edward
Internet Media Type: application/pdf
Type: texts
Source: 20240328-usctheses-batch-1132 (batch), University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)
Access Conditions: The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the author, as the original true and official version of the work, but does not grant the reader permission to use the work if the desired use is covered by copyright. It is the author, as rights holder, who must provide use permission if such use is covered by copyright.
Repository Name: University of Southern California Digital Library
Repository Location: USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Repository Email: cisadmin@lib.usc.edu