An Examination of Threats and Countermeasures Relating to Healthcare Cyber Risks. The Case of Kenyatta National Hospital (KNH)
Abstract
The increasing reliance on digital technologies in Kenya’s healthcare sector has heightened the need for robust cybersecurity measures to protect sensitive patient data and ensure operational continuity. This study examined cybersecurity threats and countermeasures at Kenyatta National Hospital (KNH), the country’s largest public referral hospital, to develop a contextually relevant framework for enhancing data protection and institutional resilience. Specifically, the research investigated perceived cyber risks, the influence of the Kenya Cybercrime Act, and ethical data protection practices on the effectiveness of the hospital’s cybersecurity framework. Guided by the Socio-Technical Systems (STS) Theory, the study adopted a descriptive cross-sectional research design, utilizing a quantitative approach. A stratified random sample of 370 KNH staff, including ICT personnel, clinicians, and health records and administrative staff, was surveyed using structured questionnaires, achieving a 98.6% response rate (365 valid responses). Data analysis involved descriptive statistics, correlation, and multiple regression techniques, ensuring robust insights into the relationships among key variables. Findings on cybersecurity threats revealed high perceived risks, particularly from external attacks (M = 4.18, SD = 1.09, Var = 1.19), device vulnerabilities (M = 3.99), and insider threats (M = 3.92). Correlation analysis showed that threats were strongly associated with the Cybercrime Act (r = 0.602, p < 0.01) and moderately with ethical guidelines (r = 0.485, p < 0.01), but not significantly with the cybersecurity framework itself (r = 0.055, p = 0.297). Regression confirmed a significant negative coefficient for threats (B = -0.182, p = 0.007), indicating that heightened threats weaken the framework’s effectiveness.
Analysis of the Kenya Cybercrime Act demonstrated moderate correlations with ethical guidelines (r = 0.539, p < 0.01) and a weaker positive correlation with the cybersecurity framework (r = 0.191, p < 0.01). In regression, the Act had a positive but marginally non-significant coefficient (B = 0.136, p = 0.054; Beta = 0.129), suggesting that while legal provisions support cybersecurity, their influence is not yet robust. For ethical guidelines, results showed a moderate correlation with the cybersecurity framework (r = 0.294, p < 0.01). Regression identified ethical guidelines as the most influential predictor (B = 0.303, p < 0.001; Beta = 0.309), confirming their pivotal role in strengthening KNH’s cybersecurity posture. The overall regression model was statistically significant (F(3,361) = 14.267, p < 0.001) with R = 0.326, R² = 0.106, and Adjusted R² = 0.099, indicating that the three predictors jointly explained about 10.6% of the variance in the hospital’s cybersecurity framework.
The study concludes that ethical data protection guidelines are the strongest determinant of a resilient cybersecurity framework, while rising threats undermine readiness and the Cybercrime Act contributes moderately. It recommends strengthening ethical enforcement, embedding role-based staff training, enhancing legal compliance, and allocating resources to mitigate threats. Future research should simulate incident scenarios and assess patient data literacy across hospitals.
Keywords: Cyber Threats, Cybersecurity, Data Security Framework, Ethical Data Protection, Healthcare, Kenyatta National Hospital, Kenya Cybercrime Act, Socio-Technical Systems Theory
