<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd">
<article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article">
 <front>
  <journal-meta>
   <journal-id journal-id-type="publisher-id">
    etsn
   </journal-id>
   <journal-title-group>
    <journal-title>
     E-Health Telecommunication Systems and Networks
    </journal-title>
   </journal-title-group>
   <issn pub-type="epub">
    2167-9517
   </issn>
   <issn publication-format="print">
    2167-9525
   </issn>
   <publisher>
    <publisher-name>
     Scientific Research Publishing
    </publisher-name>
   </publisher>
  </journal-meta>
  <article-meta>
   <article-id pub-id-type="doi">
    10.4236/etsn.2025.142003
   </article-id>
   <article-id pub-id-type="publisher-id">
    etsn-144050
   </article-id>
   <article-categories>
    <subj-group subj-group-type="heading">
     <subject>
      Articles
     </subject>
    </subj-group>
    <subj-group subj-group-type="Discipline-v2">
     <subject>
      Computer Science 
     </subject>
     <subject>
       Communications
     </subject>
    </subj-group>
   </article-categories>
   <title-group>
    CARE Framework for Healthcare Cybersecurity Defense: A Human-Centric Approach
   </title-group>
   <contrib-group>
    <contrib contrib-type="author" xlink:type="simple">
     <name name-style="western">
      <surname>
       Mostafa
      </surname>
      <given-names>
       Rahmany
      </given-names>
     </name>
    </contrib>
    <contrib contrib-type="author" xlink:type="simple">
     <name name-style="western">
      <surname>
       Arunmozhi
      </surname>
      <given-names>
       Selvi
      </given-names>
     </name>
    </contrib>
   </contrib-group> 
   <aff id="affnull">
    <addr-line>
     aDepartment of Data and Cybersecurity, British University College, Ajman, United Arab Emirates
    </addr-line> 
   </aff> 
   <pub-date pub-type="epub">
    <day>
     30
    </day> 
    <month>
     06
    </month>
    <year>
     2025
    </year>
   </pub-date> 
   <volume>
    14
   </volume> 
   <issue>
    02
   </issue>
   <fpage>
    23
   </fpage>
   <lpage>
    30
   </lpage>
   <history>
    <date date-type="received">
     <day>
      8,
     </day>
     <month>
      June
     </month>
     <year>
      2025
     </year>
    </date>
    <date date-type="published">
     <day>
      27,
     </day>
     <month>
      June
     </month>
     <year>
      2025
     </year> 
    </date> 
    <date date-type="accepted">
     <day>
      27,
     </day>
     <month>
      June
     </month>
     <year>
      2025
     </year> 
    </date>
   </history>
   <permissions>
    <copyright-statement>
     © Copyright 2014 by authors and Scientific Research Publishing Inc. 
    </copyright-statement>
    <copyright-year>
     2014
    </copyright-year>
    <license>
     <license-p>
      This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/
     </license-p>
    </license>
   </permissions>
   <abstract>
    The health sector remains a key target for cyberattacks due to the sensitive information and critical services it manages. Technical safety measures alone are insufficient when the human factor, frequently the weakest link in the security chain, is not addressed. This paper develops a new human-centric conceptual model, the 
    <b>CARE</b> model, which proposes a structured route to creating a robust Cyber Defense Capability within healthcare. CARE is an acronym for 
    <b>Culture, Awareness, Responsibility</b>, and 
    <b>Engagement</b>. The framework posits that a secure organization must be part of a broader culture of safety, where security education is role-based and context-aware. Within this model, Security Awareness underpins a non-negotiable, shared Responsibility for cybersecurity across all roles, which in turn fosters active Engagement. The CARE framework aims to instigate a paradigm shift, anchoring resilient healthcare controls not only in technology, but across the entire socio-technical stack of people, processes, and technology.
   </abstract>
   <kwd-group> 
    <kwd>
     Social Engineering
    </kwd> 
    <kwd>
      Insider Threat
    </kwd> 
    <kwd>
      Healthcare
    </kwd> 
    <kwd>
      Human Factor
    </kwd> 
    <kwd>
      CARE Framework
    </kwd> 
    <kwd>
      Security Culture
    </kwd> 
    <kwd>
      Human-Computer Interaction
    </kwd> 
    <kwd>
      Cybersecurity
    </kwd> 
    <kwd>
      Cybersecurity
    </kwd> 
    <kwd>
      Socio-Technical Systems
    </kwd> 
    <kwd>
      Change Management
    </kwd>
   </kwd-group>
  </article-meta>
 </front>
 <body>
  <sec id="s1">
   <title>1. Introduction</title>
   <p>The increasing digitization of the healthcare industry, from Electronic Health Records (EHR) to the Internet of Medical Things (IoMT), has significantly enhanced patient care but has also broadened the attack surface for malicious actors. Healthcare institutions are particularly attractive targets due to the high value of their data, the critical need for 24/7 operational status, and the frequent use of legacy equipment <xref ref-type="bibr" rid="scirp.144050-1">
     [1]
    </xref>. Data breaches can lead to severe consequences, including significant financial penalties, reputational damage, loss of public trust, and, most critically, risks to patient safety <xref ref-type="bibr" rid="scirp.144050-2">
     [2]
    </xref>.</p>
   <p>Traditionally, healthcare risk management has been driven by compliance with regulations like the Health Insurance Portability and Accountability Act (HIPAA), focusing primarily on implementing technology-based controls. However, even with clear technical and administrative guidance from standards bodies, such as the National Institute of Standards and Technology (NIST) <xref ref-type="bibr" rid="scirp.144050-3">
     [3]
    </xref> and the International Organization for Standardization (ISO) <xref ref-type="bibr" rid="scirp.144050-4">
     [4]
    </xref>, the human element remains a persistent and critical vulnerability. The continued success of phishing and social engineering attacks, which remain a top threat action in the healthcare sector <xref ref-type="bibr" rid="scirp.144050-5">
     [5]
    </xref>, highlights a systemic failure to comprehend and effectively address human behavior in high-pressure clinical contexts.</p>
   <p>Although security culture and awareness are common topics in cybersecurity literature, the components are often addressed in isolation. The unique contribution of the CARE framework is its innovative structure, which integrates four pillars into a self-reinforcing sequence tailored for a healthcare audience. It argues that a strong security posture cannot be achieved by focusing on these facets independently. Rather, it is the four-step cycle of Culture, Awareness, Responsibility, and Engagement that enables holistic defenses against human-targeted attacks. This paper presents this detailed, actionable model as a bridge between high-level security theory and the operational realities of healthcare.</p>
  </sec><sec id="s2">
   <title>2. Literature Review</title>
   <sec id="s2_1">
    <title>2.1. The Changing Shape of the Risk Spectrum in Healthcare</title>
    <p>The healthcare risk landscape is exceptionally demanding. For the 15th consecutive year, healthcare has reported the highest average cost per data breach of any industry <xref ref-type="bibr" rid="scirp.144050-1">
      [1]
     </xref>. Personal Health Information (PHI) is of extreme value on the black market, making healthcare data a prime target. Furthermore, the life-or-death nature of healthcare services makes organizations acutely vulnerable to ransomware attacks that can halt operations. The attack surface is both wide and deep, ranging from sophisticated social engineering to vulnerabilities in unpatched medical devices <xref ref-type="bibr" rid="scirp.144050-2">
      [2]
     </xref>. While compliance drivers such as HIPAA provide a baseline for security, mere adherence to a framework is insufficient to protect against a dynamic and aggressive threat landscape.</p>
   </sec>
   <sec id="s2_2">
    <title>2.2. The Human Factors, The Frontliners</title>
    <p>A majority of significant security incidents—approximately 73%—involve a human element, which includes everything from simple errors to social engineering and privilege misuse <xref ref-type="bibr" rid="scirp.144050-6">
      [6]
     </xref>. Many current security training programs are ineffective because they do not account for the diverse roles, work habits, and situational contexts of employees, often leading to apathy rather than fostering a strong “human firewall” <xref ref-type="bibr" rid="scirp.144050-7">
      [7]
     </xref>. This is compounded by issues like alert fatigue, where the sheer volume of system warnings causes clinicians to ignore critical security alerts, a well-documented issue in high-pressure environments that can lead to increased medical errors <xref ref-type="bibr" rid="scirp.144050-8">
      [8]
     </xref>.</p>
   </sec>
   <sec id="s2_3">
    <title>2.3. The Emergence of a Security Culture</title>
    <p>The recognition of the inadequacy of traditional training has led to an emphasis on fostering a “security culture”. A strong security culture, as defined by organizational theorists like Edgar Schein, is one where security is a shared value, actively supported by leadership, and integrated into the organization’s daily operations and priorities <xref ref-type="bibr" rid="scirp.144050-9">
      [9]
     </xref>. When security is viewed as a collective responsibility rather than just an “IT problem”, individuals are more likely to take ownership and adopt secure practices.</p>
   </sec>
  </sec><sec id="s3">
   <title>3. Methodology of Framework Development</title>
   <p>This paper puts forward a conceptual framework and is not an empirical study. Its methodology is based on a systematic integration of three core areas:</p>
   <p>The CARE framework was distilled from a thematic analysis of this synthesized information, designed as a pragmatic, theoretically-grounded model for practical application.</p>
  </sec><sec id="s4">
   <title>4. The Proposed CARE Framework</title>
   <p>The CARE-model is a sociotechnical model for containing cybersecurity in a healthcare organization. It is built on four guiding principles that are interdependent and generate a cycle of continuous enhancement. Below is the CRAE Framework Cycle (<xref ref-type="fig" rid="fig1">
     Figure 1
    </xref>).</p>
   <fig id="fig1" position="float">
    <label>Figure 1</label>
    <caption>
     <title>Figure 1. The CARE framework cycle.</title>
    </caption>
    <graphic mimetype="image" position="float" xlink:type="simple" xlink:href="https://html.scirp.org/file/2370252-rId17.jpeg?20250717105523" />
   </fig>
   <p>This figure is a conceptual diagram illustrating the interdependent and cyclical nature of the framework’s four pillars and is not based on quantitative data.</p>
   <p>To help organizations operationalize the framework, the following maturity model (<xref ref-type="table" rid="table1">
     Table 1
    </xref>) outlines concrete stages of implementation.</p>
   <table-wrap id="table1">
    <label>
     <xref ref-type="table" rid="table1">
      Table 1
     </xref></label>
    <caption>
     <title>
      <xref ref-type="bibr" rid="scirp.144050-"></xref>Table 1. CARE framework maturity model.</title>
    </caption>
    <table class="MsoTableGrid custom-table" border="0" cellspacing="0" cellpadding="0"> 
     <tr> 
      <td class="custom-bottom-td acenter" width="12.70%"><p style="text-align:center">Pillar</p></td> 
      <td class="custom-bottom-td acenter" width="21.82%"><p style="text-align:center">Initial/Ad-Hoc (Level 1)</p></td> 
      <td class="custom-bottom-td acenter" width="21.83%"><p style="text-align:center">Developing (Level 2)</p></td> 
      <td class="custom-bottom-td acenter" width="21.83%"><p style="text-align:center">Mature (Level 3)</p></td> 
      <td class="custom-bottom-td acenter" width="21.83%"><p style="text-align:center">Optimized (Level 4)</p></td> 
     </tr> 
     <tr> 
      <td class="custom-top-td acenter" width="12.70%"><p style="text-align:center">Culture</p></td> 
      <td class="custom-top-td acenter" width="21.82%"><p style="text-align:center">Security is seen as an IT problem. Leadership involvement is minimal and reactive.</p></td> 
      <td class="custom-top-td acenter" width="21.83%"><p style="text-align:center">Leadership begins to message the importance of security. Security is discussed as a compliance requirement.</p></td> 
      <td class="custom-top-td acenter" width="21.83%"><p style="text-align:center">Security is explicitly linked to patient safety in communications. Annual security culture surveys are conducted.</p></td> 
      <td class="custom-top-td acenter" width="21.83%"><p style="text-align:center">Security is a core organizational value. Leadership consistently models secure behaviours. Security is integrated into strategic planning.</p></td> 
     </tr> 
     <tr> 
      <td class="acenter" width="12.70%"><p style="text-align:center">Awareness</p></td> 
      <td class="acenter" width="21.82%"><p style="text-align:center">Generic, annual, check-the-box training. Phishing simulations are rare or non-existent.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Some role-based training is introduced. Phishing simulations are conducted quarterly.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Training is fully role-based and context-aware, using healthcare scenarios. Phishing simulation results are used to tailor training.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Training is continuous, adaptive, and integrated into workflows. Near-misses are used as real-time learning opportunities.</p></td> 
     </tr> 
     <tr> 
      <td class="acenter" width="12.70%"><p style="text-align:center">Responsibility</p></td> 
      <td class="acenter" width="21.82%"><p style="text-align:center">Security responsibility is not defined outside of the IT department.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Security tasks are assigned but not formalized in job descriptions.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Security duties are explicitly included in all job descriptions and performance reviews. A shared responsibility model is officially adopted.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Individuals proactively take ownership of security within their roles. Cross-departmental security champions are established and empowered.</p></td> 
     </tr> 
     <tr> 
      <td class="acenter" width="12.70%"><p style="text-align:center">Engagement</p></td> 
      <td class="acenter" width="21.82%"><p style="text-align:center">Reporting is punitive and discouraged. Staff are passive recipients of policy.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">A formal, non-punitive channel for reporting security concerns is created.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Staff are actively invited to participate in policy review and tool selection. A security recognition program is in place.</p></td> 
      <td class="acenter" width="21.83%"><p style="text-align:center">Staff actively collaborate with IT to co-create security solutions. Security is a regular topic in team meetings, driven by staff.</p></td> 
     </tr> 
    </table>
   </table-wrap>
   <sec id="s4_1">
    <title>4.1. Pillar 1: Culture</title>
    <p>Implanting and implementing the CARE Framework begins with a “security-first” culture. This starts with leadership demonstrating an unwavering commitment to security, ensuring it is a non-negotiable aspect of the organization’s operations. The organizational narrative must clearly link cybersecurity to the core mission of patient safety.</p>
   </sec>
   <sec id="s4_2">
    <title>4.2. Pillar 2: Awareness</title>
    <p>While culture sets the environment, awareness provides the knowledge and skills for safe behavior. The CARE framework advocates for role-based and context-aware training programs. This means tailoring training to the specific threats faced by different roles (e.g., medical staff vs. IT administrators) and using real-world healthcare scenarios that address regulations like HIPAA.</p>
   </sec>
   <sec id="s4_3">
    <title>4.3. Pillar 3: Responsibility</title>
    <p>A common failure is viewing information security as solely the IT department’s responsibility. The CARE model promotes a culture of collective ownership. This shared responsibility model clarifies that while IT manages the infrastructure, every employee is responsible for its secure use. These responsibilities should be formally defined in job descriptions and performance evaluations.</p>
   </sec>
   <sec id="s4_4">
    <title>4.4. Pillar 4: Engagement</title>
    <p>Beyond mere compliance, active engagement is crucial. The framework encourages involving staff in the development of security policies to foster a sense of ownership. It also emphasizes the need for open and non-punitive channels for reporting security issues and mistakes. Simulating incidents with both clinical and administrative staff can provide practical experience in responding to security events.</p>
   </sec>
  </sec><sec id="s5">
   <title>5. Discussion and Implications</title>
   <p>Adopting the CARE framework signifies a shift from a compliance-driven to a culture-driven, continuous security program. A primary implication is enhanced organizational resilience, where the “human firewall” becomes an active network for threat detection and response. By distributing security ownership, the organization reduces its reliance on the central IT team.</p>
   <p>However, implementation requires long-term commitment from leadership, dedicated resources for customized training, and a willingness to redefine roles. Overcoming institutional inertia and moving from a culture of blame to one of transparent, non-punitive error reporting is a significant challenge. It is crucial to remember that the CARE framework complements, rather than replaces, essential technical safeguards.</p>
  </sec><sec id="s6">
   <title>6. Real-World Case Analyses: Applying the CARE Framework</title>
   <p>To demonstrate the framework’s practical application, this section analyses two significant, real-world healthcare breaches through the lens of the CARE pillars.</p>
   <sec id="s6_1">
    <title>6.1. Case Analysis 1: The 2024 Change Healthcare Ransomware Attack</title>
   </sec>
   <sec id="s6_2">
    <title>6.2. Case Analysis 2: The 2020 Universal Health Services (UHS) Ransomware Attack</title>
   </sec>
  </sec><sec id="s7">
   <title>7. Conclusion and Future Researches</title>
   <p>As the healthcare industry remains a top target for cyberattacks, a new approach to security is imperative. The CARE framework offers a strategic, human-centric solution that moves beyond compliance to address the root organizational causes of security breaches. By systematically fostering a positive Culture, building relevant Awareness, defining clear Responsibility, and promoting active Engagement, healthcare organizations can embed a robust security posture into their operational core.</p>
   <p>Future research should focus on validating the CARE framework through case studies and longitudinal studies within healthcare organizations. Developing a standardized maturity model to quantitatively measure the implementation of the framework would be a valuable contribution, along with research to establish a direct causal link between the adoption of the model and a reduction in security incidents and an improvement in the overall safety culture.</p>
  </sec>
 </body><back>
  <ref-list>
   <title>References</title>
   <ref id="scirp.144050-ref1">
    <label>1</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     IBM Security (2025) Cost of a Data Breach Report 2025. Ponemon Institute.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref2">
    <label>2</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Ponemon Institute (2023) Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref3">
    <label>3</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     National Institute of Standards and Technology (2024) The NIST Cybersecurity Framework (CSF) 2.0. NIST CSWP 29.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref4">
    <label>4</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     International Organization for Standardization (2022) ISO/IEC 27001:2022 Information Security, Cybersecurity and Privacy Protection—Information Security Management Systems—Requirements.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref5">
    <label>5</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Z-CERT (2025) Cybersecurity Threat Landscape in Healthcare 2025.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref6">
    <label>6</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Verizon (2025) 2025 Data Breach Investigations Report. Verizon Enterprise Solutions.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref7">
    <label>7</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     SANS Institute (2024) The 2024 SANS Security Awareness Report: The Human Risk.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref8">
    <label>8</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Ancker, J.S., Edwards, A., Nosal, S., Hauser, D., Mauer, E. and Kaushal, R. (2017) Effects of Workload, Work Complexity, and Repeated Alerts on Alert Fatigue in a Clinical Decision Support System. BMC Medical Informatics and Decision Making, 17, Article No. 36. &gt;https://doi.org/10.1186/s12911-017-0430-8
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref9">
    <label>9</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Schein, E.H. (2004) Organizational Culture and Leadership. 3rd Editon, Jossey-Bass.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref10">
    <label>10</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Witty, A. (2024) Testimony before the U.S. Senate Committee on Finance. United Health Group. As Reported by Multiple News Outlets.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref11">
    <label>11</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     United Health Group (2024) United Health Group Reports First Quarter 2024 Results.
    </mixed-citation>
   </ref>
   <ref id="scirp.144050-ref12">
    <label>12</label>
    <mixed-citation publication-type="other" xlink:type="simple">
     Bleeping Computer (2020) UHS Hospitals Hit by Ryuk Ransomware Attack, Systems Shutdown. As Reported by Multiple Cybersecurity News Outlets.
    </mixed-citation>
   </ref>
  </ref-list>
 </back>
</article>