Digital Healthcare - Cyberattacks in Asian Organizations: An Analysis of Vulnerabilities, Risks, NIST perspectives, and Recommendations

Cyberattacks on healthcare institutions are on an upsurge all over the world. Recently, Asian hospitals have become targets of numerous cyberattacks. While Western countries like the United States have implemented security-related laws, policies, standards, and other protective measures to deal with healthcare cyberattacks, Asian countries are lagging. The Health Insurance Portability and Accountability Act (HIPAA), enacted by the United States federal government, is a classic example of a law that has been in existence for a quarter-century now. Awareness about electronic health records (EHR) and their importance is increasing in Asia. Many hospitals and healthcare systems successfully implement solutions to protect healthcare data, including sensitive patient data. However, protecting healthcare data involves a sophisticated technology and compliance-driven approach due to the high value associated with the data. In this research, an earnest attempt is made to investigate the recent cyberattacks in Asian healthcare institutions. Based on the investigation, five types of cyberattacks are found to dominate Asian healthcare institutions. A detailed analysis of these attacks, their vulnerabilities, and associated risks is performed as a part of this study. In many countries with higher cybersecurity maturity, risk frameworks are successfully employed to manage the risks associated with healthcare data. In this study, the cyberattacks on Asian healthcare institutions are also analyzed through the lens of the National Institute of Standards and Technology (NIST) risk framework. Based on the literature review, a few unique recommendations are included in this research study to be used as risk mitigation measures by Asian healthcare organizations and researchers to manage and improve the growing situation of cyberattacks.


I. INTRODUCTION
The healthcare industry has been rapidly migrating from paper-based systems to electronic health record (EHR) systems to provide efficient and cost-effective services. EHR has brought a lot of improvement in patient care, diagnosis of diseases, accessibility of information, and even in medical practices [1]. Access to healthcare applications and data has become ubiquitous, increasing the cyber-attack surface area. The arrival of the Internet of Things (IoT) technology in healthcare is an example of technological sophistication impacting the attack surface of healthcare IT systems [2]. Security or privacy violations in healthcare information technology might severely affect patients' treatment and overall health conditions. Data security standards need to be improved to bring about better outcomes in the diagnostic and treatment process of individual patients [3].

A. WORLDWIDE HEALTHCARE CYBERATTACKS
Several major healthcare data breaches have been reported in recent times. In 2018, the number of healthcare data breaches was 536, out of the total 2216 data breaches spanning 65 countries, with the impact on the healthcare industry being the maximum [4]. In 2019, the number of worldwide healthcare data breaches was 505, resulting in the exposure of 41.2 million healthcare records [5]. The number of individuals affected by healthcare data breaches was 157.40 million in the last five years [6].
Healthcare data has become the target for hackers due to its demand. Administrative data, electronic health records, and clinical data are the different types of healthcare data. Medical data has a higher value than credit card information in the black market [7]. A systematic literature review on cyber risk in the healthcare sector presented in [8] concludes that the literature lacks research contributions to counter the healthcare sector's cyber risk management challenges and highlights the scientific community's insufficient attention to this topic. Cyberattacks are the most frequent causes of medical data breaches [9]. Healthcare systems collect and preserve patient data in their databases, electronic medical recording (EMR) systems, order communication systems (OCS), and picture archiving and communication systems (PACS) [10]. As data security is an inherent part of cybersecurity, these cybersecurity risks pose a grave danger to patient data, leading to patient information leakage, patient misdiagnosis, and mistreatment [11], [12], [13]. According to the Cybersecurity Survey by Healthcare Information and Management Systems Society (HIMSS), nearly 60 percent of hospital representatives and healthcare IT professionals in the US said that email was the most common point of information compromise [14]. Hackers commonly employ phishing scams and other forms of email fraud.

B. HEALTHCARE CYBERATTACKS IN ASIA
Based on the cyberattack data on Asian healthcare organizations, gleaned from legitimate academic data sources and technology news articles, it is found that five significant categories of cyberattacks dominate these data sources, as given in Table 1 below. In this research, a sincere attempt is made to analyze the vulnerabilities and risks associated with these five types of cyberattacks. The popular National Institute of Standards and Technology (NIST) risk assessment framework and its principles are explored in the light of these attacks [15]. Given the relatively lower levels of maturity associated with information risk management in Asian healthcare organizations, analytical exploration of the risks inherently connected to these cyberattacks becomes an imminent need. The Asia-Pacific region scored low in the Global Cybersecurity Index and Cyber Maturity Index [16]. This research study has chosen the Asian healthcare systems as they are exposed to many cyberattacks due to the lack of security maturity [13]. In 2018, one of the most significant data breaches happened in Singapore, exposing 1.5 million health records of patients [17], [18]. The hackers accessed the sensitive data by compromising a single SingHealth workstation with malware and were then able to obtain privileged account credentials to access the patient database. This incident revealed the lack of anti-malware protection.
The phishing attack is yet another frequently occurring attack in Asian healthcare organizations, wherein an attacker impersonates trusted organizations and individuals to steal sensitive data from victims. The number of phishing URLs detected by the Cyber Security Agency of Singapore (CSA) was 47,500 in 2019 alone [17]. The ransomware called WannaCry/WannaCrypt/WanaCrypt0r 2.0, or Wanna Decryptor, hit nearly all the computers in two hospitals in Jakarta, Indonesia, resulting in the lock-up of IT systems that contained patient records and billing [17], [19].
The Global State of Information Security Survey (GSISS 2016) results show that 65% of Asian organizations' boards do not actively participate in their cyber risk review and the risk management process [20]. In addition, the Asia-specific healthcare cyberattack data extracted from legitimate data sources and academic sources point to a few Asian countries that recently experienced cyberattacks from 2018 to 2020. These countries include Singapore, India, Saudi Arabia, the Philippines, Thailand, Malaysia, and Indonesia [18], [21], [22].

C. ORGANIZATION OF THIS RESEARCH WORK AND CONTRIBUTIONS
This research work is organized into the following sections. Section 2 deals with the categories of cyberattacks in Asian healthcare organizations. Section 3 explains the above cyberattacks in detail, including the root causes and mitigation techniques. The vulnerabilities causing those attacks are described in section 4. Section 5 discusses the risk management practices for healthcare systems from the perspective of the NIST framework. Section 6 gives recommendations to Asian healthcare organizations in vulnerability and cybersecurity risk management. Section 7 concludes this research with possible future directions in this area. Towards improving the cyber security posture in Asian healthcare systems, this work contributes a few novel ideas, as briefly listed here.
• Analysis of five significant cyberattacks in Asian healthcare systems and the connected vulnerabilities.
• An innovative means of computing EVPS (Enriched Vulnerability Priority Score) to help in prioritizing the vulnerabilities.
• NIST best practices and approaches to handle healthcare risks and vulnerabilities.
• Two scientifically validated self-assessment survey instruments (questionnaires) for vulnerability management and risk management, which can be employed in many Asian healthcare IT organizations as a quick self-assessment tool; these are a unique contribution of this research work.
• Five experts connected to the healthcare IT domain have validated the face and content validity of the above instruments.

II. ASIAN HEALTHCARE INSTITUTIONS - HIGH IMPACT CYBERATTACKS
The Asia Pacific healthcare cybersecurity market report has epitomized the impact of cyberattacks on the Asian healthcare industry [23]. As per this report, the intensification of the attacks will spur the growth of the healthcare cybersecurity market in Asia. Weak cyber security infrastructure is one of the major contributors to data breaches in healthcare systems in Asian countries. The Asian region has just started implementing cybersecurity best practices in the healthcare industry. Some of the focus areas are risk assessment, awareness and training, and compliance related to healthcare.

A. ASIA CYBERATTACK REPORTS - STATISTICS AND ANALYSIS
Cybersecurity maturity in healthcare traditionally lags other industries, despite increasing concerns around healthcare cyberattacks and breaches [24]. The WannaCry attack in 2017 is a widely recognized example of the potential consequences of cyberattacks on the healthcare sector. WannaCry was a ransomware attack that affected over 100 countries [25], [19].

A. TROJAN ATTACK
Malware is malicious software installed on someone's device without their knowledge to gain personal information or damage the device, usually for financial gain. Different malware include viruses, spyware, ransomware, and Trojan horses [38]. For example, Trickbot banking trojan is used as a dropper to deploy Ryuk ransomware to cause ransomware attacks in hospitals. There has been a 71% increase in ransomware attacks on the healthcare sector in the USA during October 2020, and Ryuk ransomware was behind 75% of these incidents. A Trojan attack recently hit the Alaska Department of Health and Social Services, and two computers were found to have malicious software that masqueraded as legitimate applications [39]. It is a possibility that the Trojan horse had already created a backdoor through which patients' records were exposed. Trojans generally do not attempt to inject themselves into other files or propagate themselves [40].
Orangeworm is a cybercrime alliance that installs Trojans [41]. Amongst Asia's healthcare organizations, the most significant number of Orangeworm victims are found in India and Saudi Arabia, 7% each [42], [22], as stated in Table 1. In an attack instance, the Orangeworm group infiltrates the victim's network and deploys a backdoor Trojan called Kwampirs, giving the attackers remote access to the compromised computer. When executed, Kwampirs decrypts and extracts a copy of its primary payload. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload to evade hash-based detections. Kwampirs also collects basic information about the compromised computer, including basic network adapter information, system version information, and language settings. One of the largest communities of patients, 1.5 million members (including outpatients) of Singapore's well-known healthcare group (SingHealth) have had their sensitive personal data compromised due to this malware. The hackers accessed the exposed data by compromising a single SingHealth workstation with malware and obtaining privileged account credentials that helped access the entire patient database [18].
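Why exact-hash indicators miss per-host copies of a payload like the one described above, and what a defender can match on instead, shown as an added example (not code from this paper or from any Kwampirs analysis). It splits files at content-defined boundaries and compares chunk hashes, a simplified form of the piecewise-hashing idea behind similarity digests such as ssdeep; the payloads are constructed random bytes and all function names are illustrative.

```python
import hashlib
import random

# 256 fixed pseudo-random 32-bit values for the rolling "gear" hash.
_rng = random.Random(2024)
_GEAR = [_rng.getrandbits(32) for _ in range(256)]

# A boundary is declared when the top 6 bits of the rolling value are zero,
# which happens on average once every 64 bytes.
BOUNDARY_MASK = 0xFC000000


def chunks(data: bytes) -> list:
    """Split data at content-defined boundaries.

    Each byte shifts the rolling value left by one bit, so the value depends
    only on the last 32 bytes. Boundaries therefore follow local content, not
    absolute file offsets, and realign shortly after an insertion.
    """
    out, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + _GEAR[b]) & 0xFFFFFFFF
        if (h & BOUNDARY_MASK) == 0:
            out.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        out.append(data[start:])  # trailing bytes after the last boundary
    return out


def chunk_digests(data: bytes) -> set:
    """SHA-256 digest of every chunk; this is the stored indicator set."""
    return {hashlib.sha256(c).digest() for c in chunks(data)}


def shared_fraction(reference: bytes, sample: bytes) -> float:
    """Fraction of the sample's bytes lying in chunks also seen in reference."""
    if not sample:
        return 0.0
    known = chunk_digests(reference)
    matched = sum(len(c) for c in chunks(sample)
                  if hashlib.sha256(c).digest() in known)
    return matched / len(sample)


def constructed_payload(seed: int, size: int = 8192) -> bytes:
    """Constructed stand-in for a payload: deterministic random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def per_host_copy(payload: bytes, seed: int, length: int = 24) -> bytes:
    """Model the behaviour described in the text: the same payload with a
    random string inserted in the middle, as each written copy would have."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(length))
    mid = len(payload) // 2
    return payload[:mid] + filler + payload[mid:]


def demo() -> dict:
    reference = constructed_payload(seed=1)      # sample held by the analyst
    on_disk = per_host_copy(reference, seed=2)   # copy found on another host
    unrelated = constructed_payload(seed=3)      # unrelated file
    return {
        # A whole-file hash indicator fails on the per-host copy.
        "exact_hash_match": hashlib.sha256(reference).hexdigest()
        == hashlib.sha256(on_disk).hexdigest(),
        # Chunk-level comparison still ties the copy to the reference.
        "variant_similarity": shared_fraction(reference, on_disk),
        "unrelated_similarity": shared_fraction(reference, unrelated),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the chunk or chunks around the insertion point change, so the copy shares nearly all of its bytes with the reference while an unrelated file shares almost none.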

B. PHISHING ATTACKS
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. The recipient is tricked into clicking a malicious link, which can lead to the installation of malware or ransomware, leading to loss of sensitive information. [43] observes that, in the context of phishing emails, employee compliance intention and compliance behavior might not be strongly linked, and hence, hospitals must remain vigilant with vulnerabilities that cannot be easily managed. Anti-phishing tools are generally deployed to prevent phishing attacks [44]. Employees should be actively encouraged to question the authenticity of any email that deviates from its standard format. They should carefully consider the sender and context and report the email to the organization's security team. All staff should be educated regarding the potential dangers of malicious email attachments. Specifically, staff should never 'verify' any details from an email, click on hyperlinks, or open attachments that may be malicious [45].
There were 9,430 cybercrime cases reported in 2019 in Singapore alone, and phishing attacks dominate the critical findings released from the Singapore Cyber Landscape 2019 report [35]. The healthcare sector has been the worst hit in Singapore, with the number of phishing attacks multiplying by almost 200 times from January to April 2020 [46], as given in Table 1. According to the Australian Cyber Security Center (ACSC), in 2020, cybercriminals compromised email servers of health sector entities in Australia. This was done to distribute COVID-19 related phishing emails to deploy malicious software, including ransomware [47]. According to the Symantec Internet Security Threat Report (ISTR) 2018 study, Malaysia ranks third for phishing attacks in Asia.

C. RANSOMWARE
Ransomware is a unique subset of malware that limits or blocks users' access by locking the system and data unless a ransom is paid [48]. Outdated  The deployment of any ransomware decryptor and anti-threat toolkit helps to prevent this ransomware attack. The contribution of [53] is an automatic, intelligent, and real-time system to detect, classify, and mitigate ransomware in integrated clinical environments (ICE). The recommendations in [54] for the above-mentioned WannaCry vulnerability CVE-2017-0143 are to (a) apply appropriate patches provided by Microsoft to vulnerable systems immediately after performing vulnerability scanning; (b) disable version 1 of Server Message Block (SMBv1) on all systems and utilize SMBv2 or SMBv3 after appropriate testing; and (c) run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

D. ADVANCED PERSISTENT THREAT (APT)
An advanced persistent threat (APT) attack is a high-scale attack deployed over a longer duration. It is a selective attack that obtains unauthorized access to information and communication systems to exfiltrate confidential data [30]. The objective of an APT attack is to steal data and sabotage organizational infrastructures or surveillance systems for a long time. The eight stages of an APT attack [55] are: (i) Initial Recon, (ii) Initial Compromise, (iii) Establish Foothold, (iv) Escalate Privileges, (v) Internal Recon, (vi) Move Laterally, (vii) Maintain Presence, and (viii) Complete Mission.
The geopolitical landscape and the COVID-19 pandemic were exploited by advanced persistent threat (APT) groups to advance their motives in Southeast Asia in 2020 [56]. In August 2019, an Indian healthcare website was attacked by a Chinese APT group (APT22), and 68 lakh records were stolen [32], as stated in Table 1. APT22 has a nexus to China and has been operational since early 2014, carrying out intrusions and attack activity against public and private sector entities [57]. The pie chart in Figure 1 shows that the APT critical vulnerabilities have the most significant share of the pie, indicating that mitigation of APT vulnerabilities is a very high priority for the Asian healthcare sector. [58] aims to facilitate the detection and analysis of Advanced Persistent Threats (APTs) and anomalous activities on healthcare organizations and expand the sector awareness on cyber threats and risks.

E. MALWARE - CREDENTIAL COMPROMISE
Malware (Malicious Software) is a common form of cyberattack which executes unauthorized actions on the victim's system. This includes spyware, ransomware, trojan etc. A classic example of a typical malware attack (credential compromise) is briefed in this section. Credential compromise is the first step during any major cyber-attack. [59] discusses the leaked 100 email accounts via paste sites, underground forums, and virtual machines infected with malware.
[60] presents the study of how miscreants obtain stolen credentials and bypass risk-based authentication schemes to hijack a victim's account. In 2018, 1.5 million members of Singapore's largest healthcare group have had their personal data compromised [17]. The hackers have accessed the sensitive data by compromising a single SingHealth workstation with malware and were then able to obtain privileged account credentials with which they accessed the patient database.

F. ONTOLOGY OF VULNERABILITY MANAGEMENT AND ITS RELEVANCE
An anatomy of any cyber-attack will always point to three components: the vulnerability, the threat, and the exploit. Of the three components involved in the attack, vulnerability plays a key role either in facilitating or blocking an attack depending on whether the vulnerability was successfully exploited or not. It is important to understand the ontological aspects of vulnerability before scrutinizing the vulnerabilities that are connected with the cyber-attacks explained above. Ontology is knowledge represented in a formal and structured form. [61] introduced the concept of ontology for vulnerability management (OVM) in their acclaimed work. The standardized language and vocabulary connected with vulnerability management are well integrated in the definition of OVM. For example, Common Vulnerabilities and Exposures (CVE), invented by researchers at MITRE, is part of the OVM design. OVM supports researchers who attempt to analyze and recommend innovative solutions to vulnerabilities. Ontology for Vulnerability Management (OVM) helps to capture the relationships between IT products, vulnerabilities, attackers, security metrics, and countermeasures. This system introduces the design and reasoning within the ontology with examples in vulnerability analysis and assessment. OVM integrates common standards such as CVE (Common Vulnerabilities and Exposures), Common Vulnerability Scoring System (CVSS), CWE (Common Weakness Enumeration), CPE (Common Platform Enumeration), and CAPEC (Common Attack Pattern Enumeration and Classification) into its model.
OVM lays a solid foundation for this research to further the cause of vulnerability management. OVM defines the key concepts in vulnerability management and captures their inherent nature and relationship with each other. CVSS and its relevance are mentioned in OVM for Information Security Automation Program (ISAP). This research has used many foundational aspects of OVM, the most important being the National Vulnerability Database (NVD). CVSS scores and NVD are extensively used in this research, both for analysis and recommendations. Failure Mode and Effect Analysis (FMEA) is another theoretical construct applicable to vulnerability management. Healthcare FMEA includes testing to ensure that the system functions effectively and new vulnerabilities have not been introduced in any aspect of the healthcare information systems [62]. Crown jewel analysis (CJA) refers to identifying those cyber assets that are most critical to an organization's business goals [63], which helps healthcare organizations prioritize cyber assets and apply limited resources effectively for cyber resiliency. OVM, FMEA, and CJA form a solid ontological and theoretical research foundation for vulnerability analysis and research.

IV. ASIAN HEALTHCARE SYSTEMS - MAIN VULNERABILITIES
This section describes the different types of vulnerabilities that lead to cyberattacks on the Asian healthcare systems, identified in the earlier sections. In addition, a minor analysis of the cloud-related healthcare vulnerabilities is also included.

A. Vulnerabilities causing five types of Cyberattacks
A vulnerability that has the potential to be exploited by a threat triggers a risk. Measurement of organizations' preparedness to deal with vulnerabilities depends on the strength of its security program and the policies that govern vulnerability management [64]. National Vulnerability Database (NVD) data enables automation of vulnerability management, security measurement, and compliance [65]. Each vulnerability is categorized into the following types: critical, high, medium, and low. Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed computer security flaws. Some critical vulnerabilities that were exploited in the cyberattacks in the Asian healthcare systems were extracted from the NVD database. The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat. In addition, scores are calculated based on the ease of the exploit and the impact of the exploit.
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. A vulnerability scanner enables organizations to monitor their networks, systems, and applications for security vulnerabilities [66]. Most security teams utilize vulnerability scanners to bring to light security vulnerabilities in their computer systems, networks, applications, and procedures. There are cloud-based, host-based, network-based, and database-based vulnerability scanners. W3AF, OpenSCAP, OpenVAS, and Nmap are some of the open-source vulnerability scanners.
As mentioned earlier, Table 2 lists some of the vulnerabilities with critical and high severity for the cyberattacks in Asian healthcare systems. CVSS scores range from 0 to 10, with ten being the most severe. Some of the high and critical vulnerabilities that have the potential to trigger one of the five attacks, along with their CVE scores, are included in Table 2. These vulnerabilities are extracted from the National Vulnerability Database (NVD). Table 2 is intended for all cybersecurity practitioners and researchers connected to Asian healthcare IT systems.

Table 2. Asian healthcare organizations - Vulnerability Heat map
It is essential to understand the vulnerabilities and severity for each of the five attacks discussed in Sections 1 and 2. A vulnerability heat map is included in Table 2 to summarize the distribution of vulnerability counts across severities and pertains to three years (Jan 2018 - Jan 2021). These vulnerability counts were extracted from the National Vulnerability Database (NVD) [65] and are presented here to underscore the importance of mitigating these vulnerabilities by the Asian healthcare organizations.
The pie chart in Figure 1 is a drill-down of the vulnerability counts from the heat map (Table 2) extracted from NVD as mentioned earlier. It depicts only the critical vulnerabilities across all five types of cyberattacks. The APT attack has the maximum number of critical vulnerabilities, thereby accentuating the need to prioritize its mitigation. A pie chart is chosen because of the need to underscore the proportion of these attacks in terms of critical vulnerabilities in Asian healthcare systems.
With the above discussion on vulnerabilities, it is amply clear that there is a need for an immediate focus on the vulnerability and risk management practice in Asian healthcare systems to detect, prioritize, and mitigate the risks created by the vulnerabilities across the five categories of attacks. NIST also covers the CIA triad (Confidentiality, Integrity, and Availability) and IoT standards. The following section introduces the NIST risk management framework, its suitability, and applicability to Asian healthcare systems.

V. NIST AND RISK MANAGEMENT FOR ASIAN HEALTHCARE SYSTEMS
This section introduces NIST cyber security framework and analyses its suitability to Asian healthcare systems. NIST's vulnerability management, risk management, and security controls are also analyzed, keeping in view the Asian cyberattacks. This analysis helps to understand the suitability of NIST in Asian healthcare systems.

A. NIST - An introduction
The NIST-CSF (National Institute of Standards and Technology - Cyber Security Framework) is organized into five core functions: identify, protect, detect, respond, and recover to address risk management decisions, threats, and vulnerabilities. The NIST CSF provides a standard structure that is flexible and adaptable for managing cybersecurity risk. NIST risk management framework is currently adopted by many healthcare organizations worldwide as a baseline [72]. Gaps between NIST CSF and other risk frameworks are analyzed. An Information Security Maturity Model (ISMM) is proposed to fill in the gaps and measure NIST CSF implementation progress [73].
Based on the five main functions of NIST, healthcare organizations typically identify physical and software assets, their interconnections, and defined roles and responsibilities along with the identification of current risks and exposure. NIST framework aids in controlling access to digital and physical assets, provides awareness and training to personnel, and includes a recovery plan. NIST Framework can shift the cybersecurity landscape internationally, especially in places that largely favor a voluntary approach to enhancing cybersecurity, including the United Kingdom, Asian countries, and the European Union [74].

B. Suitability of NIST to Asian Healthcare institutions
NIST framework ensures effective information security risk management using its core elements, implementation tiers, and a profile that aligns with business requirements, financial capabilities, and risk tolerance.

C. Vulnerability Management in NIST
Vulnerability management is a process of identifying vulnerabilities and mitigating them. The vulnerability scanning process, which is the first step, includes detecting and classifying system weaknesses in networks, communications equipment, and computers [79]. In addition to identifying security holes, the vulnerability scans also provide countermeasures for any threat or attack [80]. Penetration testing (Pentest) is a key part of the vulnerability assessment process used to assess an IT system's ability to withstand intentional attempts to circumvent system security. It is an authorized simulated cyberattack on a computer system performed to evaluate the security of the system [81]. Its objective is to test the IT system from a threat-source viewpoint and identify potential failures in the IT system protection schemes. IT system component areas can include applications, ports, websites, services, networks, and systems external customers or users access.
[82] elaborates the testing and assessment of healthcare data security using the Nmap (network mapper) tool in Asian hospitals.
NIST framework categorizes vulnerabilities using a tier-based approach. The organization level (tier 1), business process level (tier 2), and information system level (tier 3) are the three tiers. Vulnerabilities related to organizational governance and external dependencies like electrical power, supply chain, and telecommunications are identified at Tier 1. However, most vulnerability identification occurs at Tiers 2 and 3. At Tier 2, process and architecture-related vulnerabilities, including Malware and APTs, are more likely to be identified. At Tier 3, information system vulnerabilities are the primary focus. These vulnerabilities are commonly found in the hardware, software, and firmware components of information systems or in the environments in which the systems operate as per NIST SP800-39 [83]. Phishing, Ransomware, APT, Trojans, and Malware - Credential Compromise attacks dealt with in this research work will fall under tiers 2 and 3. NVD provides vulnerability scores based on CVSS; this score gives only the severity of the vulnerabilities. Severity describes the impact of the vulnerability but does not directly help in prioritizing it. Given the lesser maturity of the cybersecurity domain in Asian healthcare organizations, a faster and innovative approach to prioritize vulnerabilities will be a welcome approach. This unique proposed approach is described in the next section.

D. Enriched Vulnerability Priority Score (EVPS)
A vulnerability priority score is commonly a rolled-up representation of the priority of a vulnerability. This score helps the cybersecurity team to prioritize the fix for a vulnerability. To prioritize vulnerabilities, one would consider a few more, less common aspects related to the vulnerabilities as follows: (i) if a vulnerability has caused any suspicious security event earlier within the organization, (ii) if the hospital or healthcare system has already encountered the same vulnerability, (iii) if any healthcare system in the country has encountered this vulnerability. The popular CVSS scores are enriched based on the answers (weightage) to questions Q1 through Q5, leading to the Enriched Vulnerability Priority Score (EVPS).
Some vulnerability examples connected to the Asian healthcare cyberattack types discussed earlier in this paper are provided in Table 3. The questions given below help the cybersecurity technical staff to understand these features and build a near-accurate score. Q1 and Q4 answers are no, and hence they both get a score of 0. For questions Q2 and Q3, the score is 0.25 each since the response is yes for both. Since the age of the vulnerability is more than a year, Q5 gets a score of 0.5. Hence the total score = base score of 8.1 + 1.0 = 9.1.
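The enrichment worked through above, as an added example (not the authors' implementation) that also ranks several findings to show EVPS order diverging from plain CVSS order. The Q2, Q3 and Q5 increments are the ones in the text; the Q1 and Q4 increments, the zero increment for vulnerabilities a year old or less, the cap at 10.0 and all finding identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Increment added to the CVSS base score for a "yes" answer.
# Q2 and Q3 (0.25 each) are taken from the worked example in the text.
# Q1 and Q4 are ASSUMED to carry the same 0.25; the text only shows them
# answered "no" (score 0).
YES_WEIGHT = {"Q1": 0.25, "Q2": 0.25, "Q3": 0.25, "Q4": 0.25}

# Q5 is the age question: 0.5 when the vulnerability is older than a year
# (from the text). A younger vulnerability is ASSUMED to add nothing.
AGE_WEIGHT_OVER_ONE_YEAR = 0.5
ONE_YEAR_DAYS = 365

# ASSUMPTION: the enriched score stays on the 0-10 CVSS scale.
MAX_SCORE = 10.0


@dataclass
class Finding:
    vuln_id: str       # constructed placeholder identifier
    cvss_base: float   # CVSS base score as published in NVD
    answers: dict      # {"Q1": bool, "Q2": bool, "Q3": bool, "Q4": bool}
    age_days: int      # days since the vulnerability was published


def evps(finding: Finding) -> float:
    """Return the enriched priority score for one finding."""
    if not 0.0 <= finding.cvss_base <= 10.0:
        raise ValueError(f"{finding.vuln_id}: CVSS base score out of range")
    if set(finding.answers) != set(YES_WEIGHT):
        raise ValueError(f"{finding.vuln_id}: answers must cover Q1..Q4")
    bonus = sum(YES_WEIGHT[q] for q, yes in finding.answers.items() if yes)
    if finding.age_days > ONE_YEAR_DAYS:
        bonus += AGE_WEIGHT_OVER_ONE_YEAR
    return round(min(MAX_SCORE, finding.cvss_base + bonus), 1)


def prioritise(findings: list) -> list:
    """Order findings by EVPS, highest first; ties fall back to CVSS."""
    return sorted(findings, key=lambda f: (-evps(f), -f.cvss_base, f.vuln_id))


def _answers(*yes: str) -> dict:
    """Build a full Q1..Q4 answer sheet with the named questions set to yes."""
    return {q: q in yes for q in YES_WEIGHT}


# Constructed findings. FINDING-A mirrors the worked example in the text:
# base 8.1, Q2 and Q3 answered yes, more than a year old.
SAMPLE = [
    Finding("FINDING-A", 8.1, _answers("Q2", "Q3"), age_days=500),
    Finding("FINDING-B", 8.8, _answers(), age_days=90),
    Finding("FINDING-C", 9.8, _answers("Q1", "Q2", "Q3", "Q4"), age_days=400),
    Finding("FINDING-D", 7.5, _answers(), age_days=30),
]


if __name__ == "__main__":
    by_cvss = sorted(SAMPLE, key=lambda f: -f.cvss_base)
    print("CVSS order:", [f.vuln_id for f in by_cvss])
    print("EVPS order:", [(f.vuln_id, evps(f)) for f in prioritise(SAMPLE)])
```

FINDING-A moves ahead of FINDING-B once local history and age are counted, even though its CVSS base score is lower.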
Given the depiction of the cyberattack situation in Asian healthcare organizations in the earlier sections, every organization must have a quick self-assessment process to understand its vulnerabilities. Therefore, the authors have developed a scientifically validated self-assessment questionnaire (SAQ) that vulnerability management practitioners can employ towards this goal.

E. Asian healthcare Cyberattacks - Vulnerability and threat pair
The threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the current controls to determine the likelihood of a future adverse event. The vulnerability and threat pair concept is introduced in the vulnerability identification section of NIST SP800-30 [84]. Vulnerability identification is the first step from the vulnerability sources. Open Web Application Security Project (OWASP) lists the top ten vulnerabilities from an application perspective [85]. Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerability is exploited, such an attack can facilitate severe data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts. OWASP's secure medical device deployment standard serves as a comprehensive guide to the secure deployment of medical devices within a healthcare facility [86]. NIST refers to the NVD database [65] to list the possible vulnerabilities along with their severities. The next section provides the classification of the top five Asian healthcare cyberattacks into NIST tiers, as per the NIST framework.
It presents a combination between Fault Tree Analysis (FTA) and Event Tree Analysis (ETA). FTA explores the causes of system-level failures. ETA is an inductive failure analysis performed to determine the consequences of a single failure for the overall system risk or reliability. ETA and FTA describe the relationships between the undesirable event, its causes, and implications for a systematic hazard representation. A threat-vulnerability pair is a matrix that matches all the threats in a threat listing with the current or hypothetical vulnerabilities that could be exploited by the threats [88].
Figure 2 provides the Bowtie diagram for the threat-vulnerability pair for the five types of cyberattacks experienced by the Asian IT healthcare organizations.

F. NIST Orientation - Security controls and risk management
In an information security scenario, a risk may be defined as the potential for loss or damage when a threat exploits a vulnerability. From a quantitative perspective, the likelihood and impact are the main components of a risk equation [83]. Risk mitigation in healthcare systems involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the cybersecurity risk management journal [89]. Different risk mitigation options are risk acceptance, risk avoidance, risk reduction, and risk transference. Risk mitigation strategy [84] helps organizations choose appropriate mitigation options and implement the proper security controls to mitigate the risks. Healthcare data, considered valuable in the Hacker's market, will attract serious violations leading to security incidents, including data breaches. Therefore, it is worth assessing the security risks associated with the five cyberattacks for Asian healthcare organizations.
NISTIR-8228, which provides considerations for managing IoT cybersecurity and privacy risks, also helps assess the cyber risks of medical devices connected to the internet, i.e., the internet of medical things (IoMT) for healthcare systems [90]. NIST

Malware: System and/or email server is not protected; Spying system or data access; Tier-3 (software/Firmware)

G. Asian Healthcare Cyberattacks - Analysis through the NIST lens
The Asian cyberattacks mentioned earlier are analyzed through the vulnerability and risk management sections of NIST SP800-30 [84] and NIST SP800-39 [83]. For each cyberattack, the recommendations from NIST have been briefly explored and presented here to the research community and the practitioners.

1) Phishing attack
In general, awareness training given to the IT staff and employees on phishing attacks orients them on the possibilities of phishing attacks through social media. [94] describes the effect of a mandatory training program for employees that repeatedly clicked on simulated phishing emails. The preventive management security control of NIST SP800-30 explains the importance of conducting security awareness and technical training to ensure that the end users know their responsibilities in protecting the information systems [84]. Given the phishing attack data on Asian healthcare institutions provided in Section 3.2, it is of paramount importance that the impacted healthcare IT systems in Asian countries plan on implementing phishing awareness training with the help of many modern training platforms.

2) Ransomware
As per the HIMSS Healthcare survey conducted in 2018, ransomware contributed 11% of the total healthcare cyberattacks [14]. As discussed in the earlier section, ransomware attacks cause the data to be encrypted by the attackers leading to high ransom demands. Table 1 provides the details on two instances of a Ransomware attack in Asia. Cryptographic keys must be securely managed, and the data needs to be protected using encryption to prevent this attack. Cryptographic key management includes key generation, distribution, storage, and maintenance. Hence, the Cryptographic Key Management concepts from the supporting technical control of NIST risk mitigation [84] are very relevant and applicable to the Asian healthcare IT organizations.

3) Malware - Credential Compromise
The SingHealth attack described in the earlier section was a malware-driven attack [17], [18]. NIST special publication SP800-39 [83] gives the evaluation procedures for responding to such an attack. It also provides details about detecting such an attack and protecting the data. For example, to detect a potential insertion of malware into the hardware, firmware, or software, the following three methods are suggested: (i) providing users with clean laptops; (ii) removing hard drives from laptops and letting them operate from CDs or DVDs; or (iii) having laptops or endpoints go through a detailed assessment before being allowed to connect to organizational networks. A combination of detecting and protective measures can be selected based on the budgetary constraints, consistency with investment management strategies, and privacy protection.

4) Advanced Persistent Threat (APT)
The APT attack is found to have the maximum number of critical vulnerabilities, as explained in the Vulnerability heat map for Asian healthcare organizations (Table 2). The web defacement attack described in Table 1 was a well-orchestrated APT attack. Implementing NIST controls assumes a lot of significance in the context of the Asia cyberattack scenario. The preventive technical control methods of NIST SP800-39 [83], including authentication, authorization, access control mechanisms, and protected communication using encrypted methods, help to prevent APT attacks.
[95] describes a study on cyber threat prediction based on intrusion detection events for APT attack detection. NIST SP 800-66R1 explains the information security terms used in the HIPAA Security Rule [75], which are quite helpful to understand attacks like APT. As a part of risk response to APT attacks, organizational information systems provide a failover mode that helps to ensure that failed components trigger appropriate backup components with similar capability.

5) Trojans
The NIST Computer Security Incident Handling Guide SP800-61R2 gives details on the ports to be checked for trojan horses [96]. It also includes trojan analysis, evidence gathering procedures, and mitigation techniques. The incident response life cycle with its four steps (preparation; detection & analysis; containment, eradication & recovery; and the post-incident recovery procedures) is elucidated in detail to handle the trojan and similar malware attacks. The preparation step provides introductory advice on preparing to manage incidents and on preventing incidents. The detection and analysis step details the trojan detection mechanisms and incident prioritization. Containment provides time for developing a tailored remediation strategy. The eradication and recovery step is necessary to eliminate components of the incident, such as deleting the trojan and disabling breached user accounts, and to identify and mitigate all vulnerabilities that were exploited. Finally, the post-incident activity includes learning and improving that evolves to reflect new threats, improved technology, and lessons learned.

VI. RECOMMENDATIONS FOR HEALTHCARE INFORMATION SECURITY PRACTICE
A good amount of analysis was presented in Sections 3 and 4 on the vulnerabilities and risks associated with Asia's five types of healthcare cyberattacks introduced in Section 2. The analysis was done to bring more awareness and cybersecurity discipline to the cybersecurity practitioners and researchers in the Asian healthcare IT domain. However, it will be a tough climb for organizations to go through the cybersecurity maturity ladder. One of the most daunting challenges will be in procuring the budget that drives all the needed changes that bring up maturity. In 2021, 59% of businesses state that their cybersecurity budget is below its needs [3], [17]. A useful set of self-assessment questionnaires (SAQ), both from a vulnerability and risk management perspective, gleaned from the principles discussed in earlier sections is presented here. These questionnaires can be employed in many of the Asian healthcare IT organizations as a quick self-assessment tool to understand cybersecurity maturity from a vulnerability and risk perspective. This section introduces two self-assessment questionnaires that were field-tested with five experts in the Healthcare IT domain: the vulnerability Self-Assessment Questionnaire (VSAQ) and the risk Self-Assessment Questionnaire (RSAQ).

A. Field testing of Questionnaires - Content and Face Validity
Field testing involves administering an early version of a survey to a sample of the target audience. A field test typically consists of two components: face validity and content validity [97]. Face validity refers to researchers' subjective assessments of the presentation and relevance of the measuring instrument, i.e., whether the items in the instrument (questionnaire) appear to be relevant, reasonable, and unambiguous. The face validity for these two questionnaires was established by validating for comprehensiveness and completeness of the content. All five field test participants also ensured that the questionnaires (instrument) can be easily filled in by them [98]. Content validity is defined as "the degree to which items in an instrument reflect the content universe to which the instrument will be generalized" [99]. The CVR (content validity ratio) is a linear transformation of a proportional level of agreement on how many "experts" within a panel rate an item (question) "essential". The following steps were followed to establish content validity.
1. An exhaustive literature review was done to extract the questions for VSAQ and RSAQ questionnaires.
2. Five experts from the IT healthcare domain assessed each question using a three-point scale with three options: not necessary, useful but not essential, and essential.

$$\mathrm{CVR} = \frac{n_e - N/2}{N/2}$$

$n_e$ is the total number of panel members who voted "essential" for any given question in the questionnaire, and $N$ is the total number of panel members. The final evaluation to retain the question based on the CVR depends on the number of panel members.
5. Items that are not significant at the critical level were eliminated, i.e., even if one member of a panel has voted a question as 'not essential', the question is eliminated based on the CVR calculations.
The CVR for each item (question) was calculated; an item was approved only when CVR = 1 (i.e., when all panel members indicate the item as "essential") and rejected when CVR < 1. A few questions were considered 'not essential' by at least one of the panel members. The CVR value for such questions was computed as 0.6, and hence these questions were removed from the group.
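The screening rule described above, worked through in Python as an added example (not code from the paper). The panel ratings are constructed sample data, and the function names are assumptions chosen for this illustration.

```python
from collections import Counter
from fractions import Fraction

# The three-point scale used by the expert panel.
SCALE = ("not necessary", "useful but not essential", "essential")

def content_validity_ratio(ratings):
    """CVR = (n_e - N/2) / (N/2) for one question, as an exact fraction."""
    if not ratings:
        raise ValueError("at least one panel rating is required")
    unknown = set(ratings) - set(SCALE)
    if unknown:
        raise ValueError(f"ratings outside the three-point scale: {sorted(unknown)}")
    n = len(ratings)
    n_e = Counter(ratings)["essential"]
    return Fraction(2 * n_e - n, n)   # algebraically equal to (n_e - N/2) / (N/2)

def screen_questions(panel_ratings, panel_size):
    """Return (retained, removed) dicts of qid -> CVR; only CVR == 1 is retained."""
    retained, removed = {}, {}
    for qid, ratings in panel_ratings.items():
        if len(ratings) != panel_size:
            raise ValueError(f"{qid}: expected {panel_size} ratings, got {len(ratings)}")
        cvr = content_validity_ratio(ratings)
        (retained if cvr == 1 else removed)[qid] = cvr
    return retained, removed

# Constructed ratings from a five-member panel (not the study's data).
E, U, X = "essential", "useful but not essential", "not necessary"
SAMPLE = {
    "Q-A": [E, E, E, E, E],   # unanimous: CVR = 1, retained
    "Q-B": [E, E, E, E, U],   # one dissenting vote: CVR = 3/5 = 0.6, removed
    "Q-C": [E, E, U, X, X],   # minority "essential": CVR = -1/5, removed
}

if __name__ == "__main__":
    kept, dropped = screen_questions(SAMPLE, panel_size=5)
    print("retained:", sorted(kept))
    for qid, cvr in dropped.items():
        print(f"removed {qid}: CVR = {float(cvr):.1f}")
```

With five panel members a single non-"essential" vote already gives CVR = 0.6, which is why the CVR = 1 rule removes any question that is not rated "essential" unanimously.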

B. Vulnerability Self-Assessment Questionnaire (VSAQ):
While many reputed organizations can help assess the cybersecurity maturity of Asian healthcare IT organizations, organizational and budgetary constraints will slow down and delay assessments. Ideally, researchers in the cybersecurity domain must collaborate with healthcare IT organizations to improve maturity. Table 5 depicts the vulnerability self-assessment questionnaire that may be utilized by any Asian healthcare IT organization for the purpose of self-assessing their vulnerability management practice. The columns in this table are explained here. "Type" can be one of two values: vulnerability culture, or vulnerability process and technology. Culture refers to the level of awareness about vulnerability management and its practices. Process and technology refer to the maturity of operations and technology in the vulnerability space within the organization. A value of 0 or 10 is assigned to "Base Score" depending on whether the answer to the question is a No or a Yes, respectively. "Asia attack-based weightage" is defined based on the relevance of the question to one of the five types of cyberattacks that are at the core of this research study. The weights given to the questions belong to three categories: Medium (10), High (15), Critical (20). The base score column in the above table has assumed a Yes or a No for all the questions. For example, the answer is assumed to be a "No" for Q1 and Q4 under vulnerability management culture, and hence these questions get the value of 0 for the base-score (B). The questions are closed-ended questions with a Boolean approach (yes or no answers). This is a quantitative approach to building questionnaires [101].

1) Maturity Score computation for Vulnerability Management Culture (VMC):
Based on the weightage and base scores, the Vulnerability management Culture (VMC) total score is calculated. An example is provided below.
Vulnerability management Culture (VMC) Total score = Sum of (Asian attack-based weightage (W) * Base-score (B)). Based on the Total score column values, for Q1 through Q7, in Table 5, VMC's total maturity score is 800. The maximum possible score is 1050 (assuming an answer of Yes for all the questions in the VMC section). The three maturity levels for vulnerability management culture (VMC) and the scores are defined below.
0-450 = Low maturity level; 500-950 = Medium maturity level; 1000-1400 = High maturity level.
Based on the example values in Table 5, the VMC maturity is medium (score of 800).

2) Maturity Score computation for Vulnerability Process and Technology (VPT):
Based on the weightage and base scores, the Vulnerability process and Technology total score is calculated. An example is provided below.
Vulnerability process and Technology (VPT) Total score = Sum of (Asian attack-based weightage (W) * Base score (B)). Based on the Total score column values in Table 5, for Q8 through Q19, VPT's Total maturity score is 900. The maximum possible score is 1600 (assuming an answer of Yes for all the questions in the VPT section). The three maturity levels for vulnerability process and technology (VPT), along with the scores, are defined below.
0-800 = Low maturity level; 850-1600 = Medium maturity level; 1650-2400 = High maturity level.
Based on the example values in Table 5, the VPT maturity is medium.
Table 6 shows the Risk self-assessment questionnaire that the Asian healthcare systems could use to conduct a self-assessment about their risk management practice. The columns in this table are explained here. Type can be one of two values: risk culture, or risk process and technology. Culture refers to the level of awareness about risk management and its practice. Process and technology refer to the maturity of processes and technology within the risk space in the organization. A Base score of 0 or 10 is given based on whether the answer to the question is a "No" or a "Yes". Likelihood weightage is defined based on the close relationship of the question to the earlier analysis done on cyberattacks and their vulnerabilities. The weights given to the questions belong to three categories: Medium (10), High (15), Critical (20). The base score column in the above table has assumed either a Yes or a No for all the questions. For example, for Q1 and Q4, the answer is assumed to be a No, and hence these questions get the value of 0 for the base-score (B).

1) Maturity Score computation for Risk Management Culture (RMC):
Based on the weightage and base scores, Risk Management Culture (RMC) total score is calculated. An example is provided below.
Risk management Culture Total score = Sum of (Asian attack-based weightage (W) * Base-score (B)). Based on the Total score column values, for Q1 through Q8, in Table 6, RMC's total score is 500. The maximum possible score is 950 (assuming an answer of Yes for all the questions in the RMC section). The three maturity levels for Risk Management Culture (RMC) and the scores are defined below.
0-350 = Low maturity level; 400-600 = Medium maturity level; 650-950 = High maturity level.
Based on the example values in Table 6, the RMC maturity is medium.

2) Maturity Score computation for Risk Process and Technology (RPT):
Based on the weightage and base scores, the total score of Risk Process and Technology (RPT) is calculated. An example is provided below.
Risk Process and Technology Total score = Sum of (Asian attack-based weightage (W) * Base score (B)). Based on the values in the Total score column in Table 6, RPT's Total score is 1650. The maximum possible score is 2450 (assuming an answer of Yes for all the questions in the RPT section). The three maturity levels for Risk Process and Technology (RPT) and the scores are defined below.
0-950 = Low maturity level; 1000-1700 = Medium maturity level; 1750-2450 = High maturity level.
Based on the example values in Table 6, the RPT maturity is medium.
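The section scoring used for VMC, VPT, RMC and RPT, implemented in Python as an added example (not code from the paper). Because Table 5 is not reproduced here, the per-question weights below are constructed so that they match the stated VMC totals (score 800, maximum 1050, Q1 and Q4 answered No); the `open_gaps` helper goes slightly beyond the text by ranking the "No" answers by the score they cost.

```python
"""Score one SAQ section: total = sum(W * B), then map the total to a maturity band."""
from dataclasses import dataclass

BASE = {True: 10, False: 0}                          # base score B: Yes = 10, No = 0
WEIGHT = {"Medium": 10, "High": 15, "Critical": 20}  # attack-based weightage W

# Maturity bands exactly as printed in the paper: (low, high, level) per section.
BANDS = {
    "VMC": [(0, 450, "Low"), (500, 950, "Medium"), (1000, 1400, "High")],
    "VPT": [(0, 800, "Low"), (850, 1600, "Medium"), (1650, 2400, "High")],
    "RMC": [(0, 350, "Low"), (400, 600, "Medium"), (650, 950, "High")],
    "RPT": [(0, 950, "Low"), (1000, 1700, "Medium"), (1750, 2450, "High")],
}

@dataclass(frozen=True)
class Question:
    qid: str
    weight: str   # key of WEIGHT

def _checked(questions, answers):
    """Yield (question, answer) pairs, rejecting missing or non-Boolean answers."""
    for q in questions:
        if not isinstance(answers.get(q.qid), bool):
            raise ValueError(f"{q.qid}: answer must be True (Yes) or False (No)")
        yield q, answers[q.qid]

def section_score(questions, answers):
    return sum(WEIGHT[q.weight] * BASE[a] for q, a in _checked(questions, answers))

def max_score(questions):
    return sum(WEIGHT[q.weight] * BASE[True] for q in questions)

def maturity_level(section, score):
    # Every term W * B is 0, 100, 150 or 200, so totals are multiples of 50 and
    # can never land between two printed bands (for example between 450 and 500).
    for low, high, level in BANDS[section]:
        if low <= score <= high:
            return level
    raise ValueError(f"score {score} is outside the {section} bands")

def open_gaps(questions, answers):
    """Questions answered No, largest lost score first (a remediation order)."""
    lost = [(q.qid, WEIGHT[q.weight] * BASE[True])
            for q, a in _checked(questions, answers) if not a]
    return sorted(lost, key=lambda item: -item[1])

# Constructed VMC section: weights chosen to match the paper's stated totals,
# not copied from Table 5.
VMC_QUESTIONS = [Question("Q1", "Medium"), Question("Q2", "High"), Question("Q3", "High"),
                 Question("Q4", "High"), Question("Q5", "High"), Question("Q6", "High"),
                 Question("Q7", "Critical")]
VMC_ANSWERS = {q.qid: q.qid not in ("Q1", "Q4") for q in VMC_QUESTIONS}  # Q1, Q4 = No

if __name__ == "__main__":
    score = section_score(VMC_QUESTIONS, VMC_ANSWERS)
    print(score, "of", max_score(VMC_QUESTIONS), "->", maturity_level("VMC", score))
    print("gaps:", open_gaps(VMC_QUESTIONS, VMC_ANSWERS))
```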
The bar charts below (Figures 3 and 4) show the score results for both VSAQ and RSAQ, respectively. This research team strongly recommends using cyber risk management frameworks like ISO, NIST, and HIPAA depending upon the nature and maturity of the organization [71]. [47] has proposed the Vulnerability-Driven National Cyber Security Maturity Model for measuring the readiness levels of national critical infrastructure protection efforts. Healthcare organizations in Asia can adopt a similar approach. Healthcare organizations with lower maturity can adapt the ISO model, and medium maturity organizations can adapt the NIST framework. ISO 27799:2016 gives guidelines for healthcare organizational information security standards and information security management practices, including selecting, implementing, and managing controls. This approach takes into consideration the healthcare organization's information security risk landscape.
[102] created a software platform called Cyber Risk Vulnerability Management (CYRVM) that can be used for cyber risk management using the standard NIST 800-30. This platform uses the combination of vulnerability assessment based on open source vulnerability scanning method and risk analysis based on custom programming.

VII. CONCLUSION AND FUTURE WORK
Five major types of recent cyberattacks in Asian healthcare institutions were identified and presented in this research work. Depiction of a vulnerability heat map and a pie chart captured the vulnerability landscape in Asian healthcare organizations. This work also presented a detailed analysis of these healthcare cyberattacks, their anatomy, associated vulnerabilities, threats, and risks. The National Institute of Standards and Technology (NIST) risk framework is leveraged in this research work to analyze the five cyberattacks on Asian healthcare institutions. NIST mitigation recommendations to these attacks are elucidated. A unique and enriched vulnerability priority score system (EVPS) was recommended to prioritize the vulnerabilities. This work also presented a few special recommendations, including the vulnerability and risk self-assessment questionnaires (scientifically validated with the help of healthcare IT experts) that Asian healthcare organizations can adopt to improve cybersecurity maturity, leading to a better cyber posture against the five types of cyberattacks. In the future, possible extensions to this work will involve studying the cybersecurity healthcare risk practices in specific Asian countries using quantitative processes. Identifying success factors that impact the cybersecurity maturity in Asian healthcare organizations and understanding correlations amongst them will help to improve the cybersecurity posture in these organizations. Studying cybersecurity best practices in Asian healthcare IT organizations in different Asian countries will increase awareness and maturity.