Table of Contents
Fetching ...

A Defender-Attacker-Defender Model for Optimizing the Resilience of Hospital Networks to Cyberattacks

Stephan Helfrich, Emilia Grass

TL;DR

This work addresses protecting networks of hospitals from coordinated cyberattacks by developing a defender-attacker-defender optimization that jointly selects proactive (operational and IT) and reactive responses over a time horizon. It integrates attack graphs with interdependencies between hospital services and IT infrastructure, and formulates resilience as a time-dependent, multi-objective MILP with six components, $R^{ ext{loss}, ext{delay}}$, $R^{ ext{loss}, ext{unmet}}$, $R^{ ext{rec}, ext{delay}}_{oldsymbol{ au}}$, $R^{ ext{rec}, ext{unmet}}_{oldsymbol{ au}}$, $R^{ ext{res}, ext{delay}}$, and $R^{ ext{res}, ext{unmet}}$, aggregated into $R(oldsymbol{ heta})$ using weights $w^{ullet}$. The model advances three stages: the defender’s proactive investments in cooperation, backups, and IT controls under $B^{ ext{def}}$; the attacker’s worst-case attack path constrained by $B^{ ext{att}}$ and exploitability; and the defender’s post-attack reallocation and backup activation. A German case study demonstrates that urban backup cooperation combined with broad IT strengthening yields notable resilience gains, with backups mitigating immediate losses and cooperation enabling faster mid- to long-term recovery, while evenly strengthening IT across hospitals reduces rural concentration of impact. The work highlights scalability as a key challenge and suggests extensions to cascading cyberattacks and multi-player settings for future research, offering practical guidance for budgeted resilience planning in healthcare networks.

Abstract

Considering the increasing frequency of cyberattacks affecting multiple hospitals simultaneously, improving resilience at a network level is essential. Various countermeasures exist to improve resilience against cyberattacks, such as deploying controls that strengthen IT infrastructures to limit their impact, or enabling resource sharing, patient transfers and backup capacities to maintain services of hospitals in response to realized attacks. However, determining the most cost-effective combination among these wide range of countermeasures is a complex challenge, further intensified by constrained budgets and competing priorities between maintaining efficient daily hospital operations and investing in disaster preparedness. To address these challenges, we propose a defender-attacker-defender optimization model that supports decision-makers in identifying effective strategies for improving the resilience of a network of hospitals against cyberattacks. The model explicitly captures interdependence between hospital services and their supporting IT infrastructures. By doing so, cyberattacks can be directly translated into reductions of service capacities, which allows to assess proactive and reactive strategies on both the operational and technical sides within a single framework. Further, time-dependent resilience measures are incorporated as design objectives to account for the mid- to long-term consequences of cyberattacks. The model is validated based on the German hospital network, suggesting that enabling cooperation with backup capacities particularly in urban areas, alongside strengthening of IT infrastructures across all hospitals, are crucial strategies.

A Defender-Attacker-Defender Model for Optimizing the Resilience of Hospital Networks to Cyberattacks

TL;DR

This work addresses protecting networks of hospitals from coordinated cyberattacks by developing a defender-attacker-defender optimization that jointly selects proactive (operational and IT) and reactive responses over a time horizon. It integrates attack graphs with interdependencies between hospital services and IT infrastructure, and formulates resilience as a time-dependent, multi-objective MILP with six components, , , , , , and , aggregated into using weights . The model advances three stages: the defender’s proactive investments in cooperation, backups, and IT controls under ; the attacker’s worst-case attack path constrained by and exploitability; and the defender’s post-attack reallocation and backup activation. A German case study demonstrates that urban backup cooperation combined with broad IT strengthening yields notable resilience gains, with backups mitigating immediate losses and cooperation enabling faster mid- to long-term recovery, while evenly strengthening IT across hospitals reduces rural concentration of impact. The work highlights scalability as a key challenge and suggests extensions to cascading cyberattacks and multi-player settings for future research, offering practical guidance for budgeted resilience planning in healthcare networks.

Abstract

Considering the increasing frequency of cyberattacks affecting multiple hospitals simultaneously, improving resilience at a network level is essential. Various countermeasures exist to improve resilience against cyberattacks, such as deploying controls that strengthen IT infrastructures to limit their impact, or enabling resource sharing, patient transfers and backup capacities to maintain services of hospitals in response to realized attacks. However, determining the most cost-effective combination among these wide range of countermeasures is a complex challenge, further intensified by constrained budgets and competing priorities between maintaining efficient daily hospital operations and investing in disaster preparedness. To address these challenges, we propose a defender-attacker-defender optimization model that supports decision-makers in identifying effective strategies for improving the resilience of a network of hospitals against cyberattacks. The model explicitly captures interdependence between hospital services and their supporting IT infrastructures. By doing so, cyberattacks can be directly translated into reductions of service capacities, which allows to assess proactive and reactive strategies on both the operational and technical sides within a single framework. Further, time-dependent resilience measures are incorporated as design objectives to account for the mid- to long-term consequences of cyberattacks. The model is validated based on the German hospital network, suggesting that enabling cooperation with backup capacities particularly in urban areas, alongside strengthening of IT infrastructures across all hospitals, are crucial strategies.
Paper Structure (16 sections, 41 equations, 6 figures, 5 tables)

This paper contains 16 sections, 41 equations, 6 figures, 5 tables.

Figures (6)

  • Figure 1: Illustration of the defender-attacker-defender framework across the time horizon.
  • Figure 2: (a), (b), (c) Spatial distribution of defender's investments into cooperation, backup service capacities, and controls, respectively. (d) Geographical pattern of the attack scenario's impacts on service capacity of hospitals.
  • Figure 3: Service capacities (y-axis) per time step $t$ (x-axis) that are (a) activated within cooperative agreements, $\sum_{h,h' \in H} \sum_{p \in P} \bar{y}_{t,p,h,h'}$, and (b) activated as backup service capacities in response to the attack, $\sum_{h\in H} \sum_{p \in P} z_{t,p,h}$, along with resilience curves representing, per time step $t$, the amount of (c) delayed procedures, $f^{\text{delay}}_t$, and (d) unmet demand, $f^{\text{unmet}}_t$. Colours indicate the respective share of each procedure type. The red-shaded time interval highlights the downtime duration $\tau^{ub}$ caused by the cyberattack.
  • Figure 4: Impact of the attacker’s and defender’s budget variation on the objectives loss in delay (a), resistance in delay (b), recovery in delay (c), loss in unmet demand (d), resistance in unmet demand (e), and recovery in unmet demand (f).
  • Figure 5: Impact of weight variations between delay and unmet demand on the objectives loss in delay (a), resistance in delay (b), recovery in delay (c), loss in unmet demand (d), resistance in unmet demand (e), and recovery in unmet demand (f).
  • ...and 1 more figures

Theorems & Definitions (1)

  • Definition 3.1