1. Stockwell, Serena


It's all part of protecting patients, and vigilance is key.



So much has been written about the need to keep personal, professional, and patient information safe that you might think all nurses by now are following basic cybersecurity precautions, such as not clicking on unfamiliar links or not giving out passwords and other private data. That's a common misperception, according to nursing informatics professionals. "I would push back on the notion that most nurses and health care workers understand the risks and are taking appropriate safeguards," said Mark H. Johnson, MHA, RN-BC, CPHIMS, FHIMSS, a member of the American Nursing Informatics Association board of directors and senior director of Iatric Systems, a health care technology company. "If that were the case, ransomware, for example, wouldn't be such an issue." Ransomware is a type of malicious software that locks or prevents use of computers or certain files unless the user (usually an institution or organization) pays a fee.

Figure. "Only together will we make the health care sector more resilient," said Christopher Wlaschin, then Department of Health and Human Services' chief information security officer, at a security forum hosted by the Healthcare Information and Management Systems Society (HIMSS). Photo © HIMSS Media.

Laura J. Wood, DNP, MS, RN, NEA-BC, senior vice president of patient care services and chief nursing officer at Boston Children's Hospital, considers cybersecurity to be part of nurses' role to maintain patient safety and privacy. It's "a contemporary element of 'first, do no harm,'" she said. "The threats to data security are increasing all over, so we have to continue to strengthen all health care systems (including points of connection between patients, families, providers, and health care delivery system networks) and appreciate there are folks out there who are constantly looking to defeat whatever infrastructure exists."


A report from the Health Care Industry Cybersecurity (HCIC) Task Force, created as part of the Cybersecurity Act of 2015, warned that "our nation must find a way to prevent our patients from being forced to choose between connectivity and security.... Data collected for the good of patients and used to develop new treatments can be used for nefarious purposes.... Most importantly, cybersecurity attacks disrupt patient care." In 2014, when the threat first became evident, the FBI sent a "private industry notification" to health care providers, pointing out that health data is much more valuable to cyber criminals than other data. The alert noted that partial electronic health records (EHRs) could be sold for $50, compared with $1 for a stolen social security or credit card number. The "EHR can then be used to file fraudulent insurance claims, obtain prescription medication, and advance identity theft," the FBI said. "EHR theft is also more difficult to detect, taking almost twice as long as normal identity theft."



Overall, health care cybersecurity is in "critical condition," according to the HCIC Task Force report. The report says this is owing to the employment of too few full-time security personnel by health care organizations, the use of old operating systems and equipment, and an emphasis on overconnectivity rather than secure design and implementation, among other issues. The group noted that "organizational culture shifts" will be needed to prioritize cybersecurity. It needs to be viewed as a public health priority rather than an information technology (IT) challenge.


Wood said that at her institution, the emphasis on data security risk mitigation for nurses and all employees starts with such seemingly simple things as password security. "The hospital also stresses the importance of being vigilant about hidden vulnerabilities to recognize what could be a pathway for malicious viruses, often through attachments and e-mails seemingly sent from people we recognize," she noted. "You need to open each e-mail with a questioning attitude. Nurses play a key role, given they are often coordinating communication with a large, extended care team."


Catchy phrases can provide helpful security reminders. Deborah Chasco, DNP, APRN, CNS, CCRN-E, director of nursing informatics at University Medical Center of El Paso, uses slogans like "Cybersecurity: your best defense is common sense" and "Got an e-mail from a stranger? Caution, danger" with colleagues as a reminder of security threats.



Internet-connected devices are another vulnerability. Earlier this year, the Food and Drug Administration (FDA) released Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health to help ensure the safety of these devices. As this action plan notes, "Medical devices from insulin pumps to implantable cardiac pacemakers are becoming more interconnected, which can lead to safer, more effective technologies. However, like computers and the networks they operate in, these devices can be vulnerable to security breaches, and exploitation of a device vulnerability could threaten the health and safety of patients."


The FDA said it has taken steps to promote an approach that embraces "vigilance, responsiveness, recovery, and resilience" for the life cycle of these devices. For example, the agency has updated the premarket guidance it gives to manufacturers regarding design and development to better protect against risks such as ransomware and remote cyberattacks.


In its report, the HCIC Task Force noted several cybersecurity risks associated with networked medical devices. These include a failure to provide software updates and patches to medical devices and networks and to address vulnerabilities in older devices as well as malware that alters data on the diagnostic device. In addition, the device can be reprogrammed, by malware or unauthorized users, in a way that changes its intended function. Denial-of-service cyberattacks can shut down the devices, and there is always the potential for an unauthorized transfer of patient data or protected health information from the network.


Chasco explained that cybersecurity risks have also increased because many more devices are now in use. "Nursing leaders can assist in identifying ways to secure devices and data via regulatory requirements," she said. "The intention is not to limit evidence-based practice or research to improve patient care, but rather to secure the information in a way that facilitates patient safety and health care improvement."


Johnson cautioned that taking shortcuts can affect the protection of patient privacy. "Nurse managers need to not only set the standard in terms of best practices with passwords and e-mail protocols but also continuously reinforce education and awareness, since inside and outside threats will most likely continue to grow," he said. "Nursing informatics professionals can be a great resource for nurse managers struggling with staff compliance or training."


Best practices for password security differ from institution to institution, and these recommendations have changed in just the past year or two. For this reason, nurses should follow the rules and policies set by their institution's IT specialists, who will also ensure that these practices are compliant with the Health Insurance Portability and Accountability Act.


Wood notes that her institution requires cybersecurity training for new employees. In addition, it sends out test e-mails, routinely and randomly, to all staff. "If you click on something you shouldn't, you have to take mandatory classes," she says. "These are meant to be teachable moments. And I will tell you that many people who have fallen for some of these things have said, 'thank you, I really learned from that,' and then they tell other people how important it is as nurses and health care team members to be alert at all times."

Serena Stockwell



National Cyber Security Alliance


Sponsors the Stay Safe Online campaign, which includes fact sheets and other helpful information.


National Initiative for Cybersecurity Careers and Studies


A U.S. Department of Homeland Security webpage containing a list of cybertechnology definitions.