A Defender-Attacker-Defender Model for Optimizing the Resilience of Hospital Networks to Cyberattacks
Stephan Helfrich, Emilia Grass
TL;DR
This work addresses protecting networks of hospitals from coordinated cyberattacks by developing a defender-attacker-defender optimization that jointly selects proactive (operational and IT) and reactive responses over a time horizon. It integrates attack graphs with interdependencies between hospital services and IT infrastructure, and formulates resilience as a time-dependent, multi-objective MILP with six components, $R^{ ext{loss}, ext{delay}}$, $R^{ ext{loss}, ext{unmet}}$, $R^{ ext{rec}, ext{delay}}_{oldsymbol{ au}}$, $R^{ ext{rec}, ext{unmet}}_{oldsymbol{ au}}$, $R^{ ext{res}, ext{delay}}$, and $R^{ ext{res}, ext{unmet}}$, aggregated into $R(oldsymbol{ heta})$ using weights $w^{ullet}$. The model advances three stages: the defender’s proactive investments in cooperation, backups, and IT controls under $B^{ ext{def}}$; the attacker’s worst-case attack path constrained by $B^{ ext{att}}$ and exploitability; and the defender’s post-attack reallocation and backup activation. A German case study demonstrates that urban backup cooperation combined with broad IT strengthening yields notable resilience gains, with backups mitigating immediate losses and cooperation enabling faster mid- to long-term recovery, while evenly strengthening IT across hospitals reduces rural concentration of impact. The work highlights scalability as a key challenge and suggests extensions to cascading cyberattacks and multi-player settings for future research, offering practical guidance for budgeted resilience planning in healthcare networks.
Abstract
Considering the increasing frequency of cyberattacks affecting multiple hospitals simultaneously, improving resilience at a network level is essential. Various countermeasures exist to improve resilience against cyberattacks, such as deploying controls that strengthen IT infrastructures to limit their impact, or enabling resource sharing, patient transfers and backup capacities to maintain services of hospitals in response to realized attacks. However, determining the most cost-effective combination among these wide range of countermeasures is a complex challenge, further intensified by constrained budgets and competing priorities between maintaining efficient daily hospital operations and investing in disaster preparedness. To address these challenges, we propose a defender-attacker-defender optimization model that supports decision-makers in identifying effective strategies for improving the resilience of a network of hospitals against cyberattacks. The model explicitly captures interdependence between hospital services and their supporting IT infrastructures. By doing so, cyberattacks can be directly translated into reductions of service capacities, which allows to assess proactive and reactive strategies on both the operational and technical sides within a single framework. Further, time-dependent resilience measures are incorporated as design objectives to account for the mid- to long-term consequences of cyberattacks. The model is validated based on the German hospital network, suggesting that enabling cooperation with backup capacities particularly in urban areas, alongside strengthening of IT infrastructures across all hospitals, are crucial strategies.
