
IN TODAY'S INCREASINGLY "connected" world, where much of the patient information that we handle is in electronic form, we can't maintain patient privacy without information security. Patient information must be protected at all stages of the information lifecycle: when the information is created, received, transmitted, maintained, and destroyed. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates the protection of electronic health information with physical, technical, and administrative safeguards.1 It also requires covered entities and business associates to implement cybersecurity awareness and training for all members of the workforce, including management.1 In addition, the HIPAA Privacy Rule governs the permitted or required uses and disclosures of protected health information, regardless of the medium.2


Protecting information isn't just a function of the information technology (IT) department; it's the shared responsibility of everyone within an organization. This responsibility extends to end users, such as nurses, physicians, unlicensed assistive personnel, technicians, and other staff, including interns, volunteers, consultants, contractors, and researchers. Technology safeguards alone can't make an organization secure; however, knowledgeable employees can help reduce risks.3 This article discusses what nurses must do to promote cybersecurity and maintain patient confidentiality.


Safeguarding information

We all make decisions every day that significantly influence the security or insecurity of our organization's data; for example, clicking on a malicious link for a "phishing" website, opening a malicious e-mail attachment, divulging sensitive information to a "social engineer," or allowing unauthorized personnel in restricted areas may result in serious adverse consequences. Any compromise of patient information may pose a risk to patient safety.4


People tend to be the weakest link in an organization's information security program, and this is especially true if employees are unaware of the risks that they may introduce. Breaches can happen very quickly given fast network speeds and ready access to data, even via mobile devices or web-based cloud applications.


Accordingly, employees should regularly be taught about good "cyber hygiene," including what to do, what not to do, and why, by participating in mock exercises that simulate phishing and social engineering. Besides simulating cyberattacks, these exercises can help determine the effectiveness of the current cybersecurity awareness and training program, and identify employees who may need more training.


Key points include educating others about cybersecurity awareness to prevent data leakage; thinking before you communicate or disclose via e-mail, social media, or other means; and avoiding sharing your usernames and passwords with anyone or letting someone else use your computer while you're signed in.


Another integral part of the cybersecurity awareness and training program is the concept of "see something, say something." If you receive a suspicious e-mail, phone call, or text message, or if your computer displays unusual behavior, such as a system freeze or crash, sent e-mails you don't recall sending, or installed programs you don't recall installing, notify your organization's IT department immediately. Delaying the report of an incident may result in harm, such as data being breached, corrupted, or encrypted and held for ransom (known as "ransomware").


Cybersecurity awareness programs should be conducted during onboarding and at least annually. Additionally, employees can receive more frequent awareness reminders and tips via screensavers, e-newsletters, intranet messages, and so on. As security incidents occur, awareness and training programs, as well as the information security program as a whole, should be reevaluated to identify any gaps. If gaps are detected, a plan must be developed to address them in both the short and long term.

Figure. HIMSS infographic for Data Privacy Day

Ideally, your cybersecurity awareness and training program should combine the clinician and IT perspectives, including lessons learned from recent and past security incidents. It should also be easy to understand and implement, regardless of staff members' levels of technical sophistication. Whether an organization is starting a new cybersecurity awareness and training program, implementing an existing program, or looking to revamp a program, the Healthcare Information and Management Systems Society (HIMSS) offers materials that can be incorporated.5 See the HIMSS infographic for Data Privacy Day for an example.


In addition to the HIMSS awareness tools, the National Cyber Security Alliance (NCSA) provides free online resources for those who want to learn more about staying safe online.6 The NCSA also offers templates and other materials to help organizations bolster their cybersecurity awareness and training programs with initiatives such as STOP.THINK.CONNECT., National Cyber Security Awareness Month, Data Privacy Day, and RE: Cyber.6


You don't necessarily need to wait for your organization's next cybersecurity awareness and training program to implement good cyber hygiene practices. No matter where you are, your computer and mobile devices should always be physically safeguarded.7 Never leave laptops, tablets, smartphones, or other mobile devices unattended, and don't connect to unsecured public wireless networks.7 Always use complex passwords that are difficult for others to guess but easy for you to remember, change your passwords regularly, and use a unique password for each account.8


Be the gatekeeper

In today's "cyberworld," safe and responsible use of technology helps safeguard patient information. Nurses can achieve this goal by educating themselves about cybersecurity awareness and good cyber hygiene. Working with others involved with patient care, nurses can make their healthcare organizations stronger and more resistant to cyberattacks and compromises by taking these proactive steps.


Learn the lingo

Cybersecurity awareness: an approach to enabling a broad, organization-wide understanding of information security and motivating employees to practice good cyber hygiene to help protect valuable and sensitive information9


Cyber hygiene: the process of ensuring that one is protecting and maintaining systems and devices appropriately and using cybersecurity best practices10


Phishing: a fraudulent e-mail and/or website used to solicit personal or sensitive information under false pretenses11


Social engineering: a method used to convince someone to do something and/or divulge information (for example, click on a malicious link, visit a malicious website, or divulge patient or other sensitive information) that often involves deceit, influence, and/or manipulation12


Ransomware: a type of malicious software (malware) that uses encryption to deny authorized users access to systems or data; a ransom is then demanded for access13


Breach: the impermissible use or disclosure of protected health information that compromises the security or confidentiality of the information14




References

1. U.S. Department of Health and Human Services. HIPAA security rule. [Context Link]


2. U.S. Department of Health and Human Services. HIPAA privacy rule. [Context Link]


3. Healthcare Information and Management Systems Society. HIMSS cybersecurity position statement. [Context Link]


4. Independent Security Evaluators. Hacking hospitals. [Context Link]


5. Healthcare Information and Management Systems Society. Privacy and security awareness initiatives. [Context Link]


6. National Cyber Security Alliance. Get involved. [Context Link]


7. Healthcare Information and Management Systems Society. The healthcare industry's guide to keeping information safe and secure when you are mobile. [Context Link]


8. Healthcare Information and Management Systems Society. 2016 Healthcare organization's guide to keeping passwords safe and secure. [Context Link]


9. (ISC)2 blog. The true meaning of "security awareness training." [Context Link]


10. Center for Internet Security. Cyber hygiene. [Context Link]


11. U.S. Computer Emergency Readiness Team. Report phishing sites. [Context Link]


12. Social engineering. [Context Link]


13. Incidents of ransomware on the rise. [Context Link]


14. U.S. Department of Health and Human Services. Breach notification rule. [Context Link]