The weakest link in healthcare cybersecurity is often not the software but the people who use it
From electronic health records to medical devices, the rapid digitalisation of healthcare has improved efficiency and access to care. At the same time, it has expanded the number of entry points that attackers can exploit. In his doctoral research in information systems science, Pius Ewoh argues that protecting healthcare requires more than technical fixes.
– Humans are often the weakest link in the cybersecurity chain. Staff may lack training or awareness, fall for phishing attempts, or use applications that are not standardised. When these everyday actions meet outdated systems or unclear routines, the risks multiply quickly, Ewoh states.
While Finland’s healthcare system is comparatively advanced in cybersecurity, vulnerabilities remain around legacy systems and third-party applications. Legacy systems are often prone to security breaches because they no longer receive necessary updates, and most third-party applications are not compliant with regulations like GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and other application security standards.
– The analysis of Finnish healthcare and IT professionals’ responses shows that even a highly developed system needs three things to stay resilient: frequent audits and assessments, clearer policies and better communication across the whole system, says Ewoh.
A new framework for strengthening healthcare resilience
To address these challenges, Ewoh has developed a socio-technical cybersecurity framework tailored specifically to healthcare organisations. The framework combines human behaviour monitoring, organisational learning and intelligent incident-response capabilities to identify and prevent vulnerabilities and to respond to cyberattacks in healthcare systems.
Alongside the framework, the dissertation offers practical compliance standards to follow and checklists that help organisations evaluate their policies, routines, and technical systems. These checklists guide hospitals in areas such as security in the design of medical devices, secure data exchange, anonymisation, multi-factor authentication and third-party application management.
– With clear guidance and a structured way to review their practices, healthcare organisations can strengthen their systems to avoid breaches that could disrupt care or compromise sensitive health information, Ewoh concludes.
Dissertation
Ewoh, Pius (2025). Cybersecurity of Healthcare: Socio-technical Analysis and Solutions. Acta Wasaensia 576. Doctoral dissertation. University of Vaasa.
Public defence
The public examination of MBA Pius Ewoh’s doctoral dissertation “Cybersecurity of Healthcare: Socio-technical Analysis and Solutions” will be held on Monday 15 December 2025 at 12 at the University of Vaasa, auditorium Kurtén.
It is also possible to participate in the defence online:
https://uwasa.zoom.us/j/67070899524?pwd=VauraIs1jb7tAlW1f03Wyxzp6aXroG.1
Password: 784681
Professor Reima Suomi (University of Turku) will act as opponent and Professor Tero Vartiainen as custos.
Further information
Pius Ewoh, tel. +358 41 488 8477, pius.ewoh@uwasa.fi
Pius Ewoh was born in Nigeria. He graduated with a Bachelor’s degree in Business Information Systems from the University of East London in 2011 and a Master of Business Administration from Federation University Australia in 2013. He has also completed a Higher National Diploma in Physiology and Pharmacology from the University of Port Harcourt, Nigeria. Ewoh currently works as a doctoral researcher in information systems science at the University of Vaasa.