How to protect yourself, your coworkers, and your patients.
- Healthcare data breaches reached record levels in April 2019, with 44 attacks affecting nearly 687,000 people.
- Security breaches can lead to serious consequences, including complete system or network shutdown and life-and-death situations.
- Much like we encourage patients to practice good personal hygiene to promote health and well-being, healthcare organizations and nurses must practice good cyber hygiene.
Cybersecurity has become a pressing issue in healthcare organizations. Each year, more organizations are targeted by individuals who want to gain access to protected health information (PHI) to file false insurance claims, buy medical equipment, and order prescription drugs. Healthcare data breaches reached record levels in April 2019, with 44 attacks affecting nearly 687,000 people.
Healthcare cybersecurity defends computers, servers, wearables, medical devices, and electronic health records and other sources of PHI from malicious attacks. Nurses who learn about cybersecurity, are aware of threats, remain alert to them, and are familiar with mitigation and incident response can help protect patients and organizations.
Consequences of cyberattacks
Security breaches can lead to serious consequences, including complete system or network shutdown and life-and-death situations. For example, a hacked insulin pump could increase the insulin delivery rate, leading to severe complications or death. An experienced hacker can exploit vulnerable computer networks in minutes, but recovery from cyberattacks can take years, damaging an organization’s reputation, future business, and short- and long-term finances. Patients who are victims of medical identity theft will lose hours of work and productivity while they try to restore and secure their stolen information. Many victims suffer emotionally and financially, and fear of future attacks can result in anxiety and stress. And if the breach was internal (perpetrated by an employee), morale in the workplace could be affected.
Types of attacks
Hackers gain access to devices physically and virtually. Physical access is acquired by stealing portable devices or accessing computers in public areas using stolen credentials.
Virtual access occurs when hackers send phishing and spear-phishing emails via networks to seek out personal information such as usernames and passwords. The emails, many of which appear credible, may contain embedded links that recipients are asked to click on.
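As an added illustration that is not part of the original article, the following Python script applies three checks that a mail filter, or a careful reader, can use to spot the credential-seeking emails described above: link text that displays one address while the link actually leads to another, links that leave the organization, and wording that asks for a username or password. It assumes the organization owns the domain example.org, and both sample messages are constructed for the example; it goes beyond the text by spelling out those signals concretely.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own domain(s); anything else is treated as external.
TRUSTED_DOMAINS = {"example.org"}

# Phrases typical of messages that try to harvest usernames and passwords.
CREDENTIAL_PHRASES = ("password", "username", "verify your account", "login", "sign in")

# Constructed sample messages (not real mail): one phishing-style, one benign.
PHISHING_SAMPLE = """<p>Your mailbox is full. Verify your account within 24 hours or lose access.</p>
<p><a href="http://login.example.org.evil-example.net/reset">https://login.example.org/reset</a></p>"""

BENIGN_SAMPLE = """<p>The updated hand-hygiene policy is posted on the intranet.</p>
<p><a href="https://intranet.example.org/policies">https://intranet.example.org/policies</a></p>"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'example.org' from 'login.example.org' (no public-suffix list offline)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_email(html_body):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        # The visible text looks like a web address but the real destination differs.
        shown = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text, re.I)
        if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text '{text}' hides the real destination {host}")
        if host and registrable_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link leads outside the organization: {host}")
        if parsed.scheme == "http":
            findings.append(f"unencrypted http link: {href}")
    # Strip tags and look for the wording of a credential request.
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    asked = [p for p in CREDENTIAL_PHRASES if p in plain]
    if asked:
        findings.append("asks for credentials: " + ", ".join(asked))
    return findings


def is_suspicious(html_body):
    """Two or more independent signals are enough to route the message for review."""
    return len(analyze_email(html_body)) >= 2


if __name__ == "__main__":
    for label, body in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, "->", analyze_email(body))
```

The phishing sample trips all four checks, while the benign intranet notice trips none; in practice such heuristics feed a mail gateway's scoring rather than blocking on their own, which is why the script reports findings instead of a single verdict.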
Another form of virtual access is a ransomware attack. Hospital operations have been shut down by these attacks, which invade network systems, encrypt data, take control of the system and lock it down, and then demand a ransom to decrypt the data. Paying the ransom doesn’t ensure data restoration.
Much like we encourage patients to practice good personal hygiene to promote health and well-being, healthcare organizations and nurses must practice good cyber hygiene. Think of protecting PHI as primary prevention, conducting risk assessments and performing regular maintenance as secondary prevention, and stabilizing and restoring systems after a cyberattack as tertiary prevention.
In 2018, the National Institute of Standards and Technology (NIST) developed a framework that can be used by any business, including healthcare organizations, to improve security and resistance against cyberattacks. The framework provides structural guidance that organizations can use to develop an individualized cybersecurity risk plan. (See Building a security framework.) Organizations can use the nursing process to design comprehensive reviews that allow nurses to collect the information necessary to complete, implement, evaluate, and revise the NIST framework profile.
Formal and informal risk assessments conducted by a team of nurses and members of the information technology (IT) and health informatics staff should include an inventory of hardware (computers, connected devices, and mobile devices), software (all programs installed on the network and used by everyone), applications, and data storage (onsite, off-site, and cloud storage). The assessment should review how staff are currently trained on cybersecurity awareness and cyber hygiene best practices. In addition, the assessment should look for vulnerabilities at all levels and include interviews with nurses about their cybersecurity awareness, understanding of potential threats, and current knowledge, attitudes, and behaviors related to cybersecurity practices.
Finally, the assessment should include a formal review of the organization’s cybersecurity and cyber hygiene policies and procedures. (See Protection review.)
After the risk assessment is completed, the chief information officer or administrative leadership team should make a determination about the risk for a cyberattack and present recommendations. Based on these recommendations, changes may include removing outdated hardware, patching or removing software programs, writing policies and procedures, improving the current education program, developing a mitigation plan, consistently backing up data, and increasing annual employee training. An organization also may want to consider purchasing cybersecurity insurance. HealthITSecurity.com reported that on average it takes $1.4 million to recover from a cyberattack. Cyber insurance can help organizations cover some of the costs incurred during a breach; however, policies may not cover all expenses, including replacing or repairing equipment damaged during attacks or subsequent litigation.
Helpful training includes recognizing and avoiding phishing scams, practicing good password management, following safe internet practices, and increasing device safety.
Even an initially small breach can eventually involve thousands of patients, making a mitigation plan important. Sometimes a breach can be contained by shutting down a group of computers on one unit, but other times a more complicated response, such as turning away patients and temporarily closing, may be required.
The quicker a problem is reported, the less damage will occur to the organization, so most mitigation plans require staff to immediately report an incident to the IT department. Mitigation plans should be followed exactly, and they require educating staff about the Health Insurance Portability and Accountability Act breach notification rule, 45 CFR §§ 164.400-414, which requires that healthcare organizations notify individuals who are affected by a breach no later than 60 days after the occurrence. In some cases (for example, if more than 500 residents of one state are affected by a breach), organizations are required to notify media outlets and the secretary of the Department of Health and Human Services. Organizations also need to be aware of and follow any state requirements for reporting breaches.
The goal of implementing a cybersecurity plan is to protect PHI. Similar to event drills for bioterrorism, active shooter, or mass casualties, mock cybersecurity exercises let organizations walk through a variety of scenarios and evaluate their preparedness for an attack. During the mock exercise, participants follow the incident response plan to understand their roles in the event of an attack and practice their response. The organization also will be able to determine how well it responds to a crisis and secures information.
A formal evaluation should be conducted immediately after a mock exercise or an actual cyberattack to determine what parts of the plan worked and what parts didn’t. The evaluation may reveal areas of strength and weakness, as well as lessons learned. Ultimately, the organization should incorporate changes to ensure it’s always prepared and remains aware of and follows security best practices.
Cyberattacks are increasing in frequency and severity. Being aware of the most common attacks will improve nurses’ abilities to recognize, avoid, and respond to them. And a framework that guides developing a cybersecurity risk plan specific to nursing will give nurses a better understanding of how to protect themselves, their coworkers, the organization, and their patients.
Marti Jordan is a visiting assistant professor at the University of Southern Mississippi School of Leadership and Advanced Nursing Practice in Hattiesburg, Mississippi.
Cohen JK. Healthcare data breaches reach record high in April. Modern Healthcare. May 10, 2019. modernhealthcare.com/cybersecurity/healthcare-data-breaches-reach-record-high-april
Davis J. What is cyber insurance for healthcare organizations? HealthITSecurity.com. February 5, 2019. healthitsecurity.com/features/what-is-cyber-insurance-for-healthcare-organizations
Gupta BB, Tewari A, Jain AK, Agrawal DP. Fighting against phishing attacks: State of the art and future challenges. Neural Comput Appl. 2017;28(12):3629-54.
Kruse CS, Frederick B, Jacobson T, Monticone DK. Cybersecurity in healthcare: A systematic review of modern threats and trends. Technol Health Care. 2017;25(1):1-10.
Lötter A, Futcher LA. A framework to assist email users in the identification of phishing attacks. Information & Computer Security. 2015;23(4):370-81.
National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1. April 16, 2018. nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Spence N, Bhardwaj N, Paul DP, Coustasse A. Ransomware in healthcare facilities: A harbinger of the future? Perspect Health Inf Manag. 2018;Summer:1-22. perspectives.ahima.org/ransomwareinhealthcarefacilities
Stafford T. Tackling healthcare cybersecurity with risk identity, assessment [webinar]. Xtelligent Healthcare Media. vimeo.com/359520062
U.S. Department of Health and Human Services. Health information privacy: Breach notification rule. July 26, 2013. hhs.gov/hipaa/for-professionals/breach-notification/index.html