NCM 32 (LAB) A1 LESSON 1 NOTES
(Notes From Video Source)
I. What is Nursing Informatics?
Nursing Informatics
➢ It takes nursing science and
analytical and information sciences
and and combines them all together
➢ It puts together a framework for how
we support patient care at the
bedside and how we can support
nurses and in their daily work
➢ Nursing informaticists are weaved
into healthcare systems and a variety
of different roles
Some Examples:
➢ Electronic medical records
○ involved at looking at how
the documentation supports
nursing practice at the
bedside how it aligns with
policy what the implications
are for workflow reporting
➢ Virtual Care
II. Nursing Informatics Jobs
➢ Clinical Informaticist
➢ Nursing Informaticist
➢ Healthcare Informaticist
➢ ETC
III. Impact on Patient Outcomes
IV. Certification
Lesson 1: Understanding Health
Informatics
I. Concepts, Components, & and lab results over an
Frameworks
Health Information System (HIS)
➢ A system designed to manage
healthcare data.
➢ This includes systems that collect,
store, manage and transmit a
patient’s electronic medical record
(EMR), a hospital’s operational
management or a system supporting
healthcare policy decisions.
Prepared by: Rigo Gray Marshall K. Kirit
➢ It also includes those systems that
handle data related to the activities
of providers and health
organizations.
➢ As an integrated effort, these may be
leveraged to improve patient
outcomes, inform research, and
influence policy-making and
decision-making.
➢ Because health information systems
commonly access, process, or
maintain large volumes of sensitive
data, security is a primary concern.
Examples of HIS:
➢ Electronic Medical Record (EMR)
and Electronic Health Record (EHR)
○ It replaces the paper version
of a patient’s medical history.
○ It includes more health data,
test results, and treatments.
It also is designed to share
data with other electronic
health records so other
healthcare providers can
access a patient’s healthcare
data.
➢ Practice Management Software
○ It helps healthcare providers
manage daily operations such
as scheduling and billing
➢ Master Patient Index (MPI)
○ It connects separate patient
records across databases.
➢ Patient Portals
○ It allows patients to access
their personal health data
such as appointment
information, medications
internet connection
➢ Remote Patient Monitoring (RPM)
○ It allows medical sensors to
send patient data to
healthcare professionals
➢ Clinical Decision Support (CDS)
○ It analyzes data from various
clinical and administrative
systems to help healthcare
providers make clinical
decisions.
 NCM 32 (LAB) A1 LESSON 1 NOTES

needed for the planning,

Understanding Health Information implementation, and evaluation of
Systems public health practice. Such
surveillance can:
I. Concepts, Components, and ○ serve as an early warning
Frameworks system for impending public
health emergencies;
A. Concepts ○ document the impact of an
Health Information Systems intervention, or track
➢ any system that captures, stores, progress towards specific
manages or transmits information goals; and
related to the health of individuals or ○ monitor and clarify the
the activities of organizations that epidemiology of health
work within the health sector problems, to allow priorities
➢ incorporates things such as to be set and to inform public
○ district level routine health policy and strategies.
information systems,
○ disease surveillance systems, Laboratory Information Systems (LIS)
and ➢ computer software that processes,
○ also includes laboratory stores and manages data from all
information systems, stages of medical processes and
○ hospital patient tests.
administration systems ➢ A laboratory information system
(PAS) and (LIS) is a computer system that
○ human resource helps to manage many aspects of a
management information medical laboratory, including
systems (HRMIS). inputting, processing, and storing
the information and data of a lab.
Routine Health Information Systems For example, when Larry went to the
(RHIS) medical laboratory to get his blood
➢ comprise data collected at regular drawn and analyzed, the LIS helped
intervals at public, private, and to manage all the information that
community-level health facilities and related to his visit. This information
institutions. The data give a picture included:
of health status, health services, and ○ The date of his visit
health resources. ○ His primary care physician
➢ Most of the data are gathered by ○ Pertinent patient information
healthcare providers as they go and demographics
about their work, by supervisors, ○ The type of sample that was
and through routine health facility drawn
surveys. The sources of those data ○ Physician test orders
are generally individual health ○ Who got billed for his visit
records, records of services ○ When the test results were
delivered, and records of health sent to his physician
resources.
Patient Administration System (often
Surveillance Systems Public health abbreviated to PAS)
surveillance ➢ developed out of the automation of
➢ the continuous, systematic administrative paperwork in
collection, analysis and healthcare organizations,
interpretation of health-related data particularly hospitals, and are one of

Prepared by: Rigo Gray Marshall K. Kirit

NCM 32 (LAB) A1 LESSON 1 NOTES

the core components of a hospital's

IT infrastructure. The PAS records
the patient's demographics (e.g.
name, home address, date of birth)
and details all patient contact with
the hospital, both outpatient and
inpatient.

Health Information Systems

➢ An integrated effort to collect,
process, report and use health
information and knowledge.
➢ Decision-making at:
○ all levels of a health system
requires reliable health
statistics that are
disaggregated by sex, age and
socioeconomic
characteristics.
➢ policy level, decisions
informed by evidence
contribute to more efficient
resource allocation
1. Health Information Systems
➢ delivery level, information
Resources
about the quality and
➢ These include the legislative,
effectiveness of services can
regulatory and planning frameworks
contribute to better outcomes
required for a fully functioning
health information system, and the
★ Overall, a well-functioning HIS is an
resources that are required for such
integrated effort to collect, process,
a system to be functional. Such
report and use health information
resources involve personnel,
and knowledge to influence policy
financing, logistics support,
and decision making, programme
information and communications
action, individual and public health
technology (ICT), and coordinating
outcomes, and research.
mechanisms within and between the
★ Sound decision-making at all levels
six components
of a health system requires reliable
health statistics that are
2. Indicators
disaggregated by sex, age and
➢ A core set of indicators and related
socioeconomic characteristics.
targets is the basis for a health
★ At a policy level, decisions informed
information system plan and
by evidence contribute to more
strategy. Indicators need to
efficient resource allocation and, at
encompass determinants of health;
the delivery level, information about
health system inputs, outputs and
the quality and effectiveness of
outcomes; and health status
services can contribute to better
outcomes.
3. Data Sources
➢ These can be divided into two main
B. Components and Framework
categories;

Prepared by: Rigo Gray Marshall K. Kirit

NCM 32 (LAB) A1 LESSON 1 NOTES

○ (1) population-based ➢ Decreased physical exertion

approaches (censuses, civil
registration and population
surveys)
○ (2) institution-based data
(individual records, service
records and resource
records).
➢ A number of data-collection
approaches and sources do not fit
into either of the above main
categories but can provide important
information that may not be
available elsewhere. These include
occasional health surveys, research,
and information produced by
community based organizations.
4. Data Management
➢ This covers all aspects of data
handling from collection, storage,
quality-assurance and flow, to
processing, compilation and
analysis.
5. Information Products
➢ Data must be transformed into
information that will become the
basis for evidence and knowledge to
shape health action.
6. Dissemination and Use
➢ The value of health information is
enhanced by making it readily
accessible to decision-makers and by
providing incentives for, or
otherwise facilitating, information
use.
II. Emerging Trends and
Applications
What is the importance of technology in
nursing practice?
Technology in Nursing has many benefits:
➢ Faster Communication
➢ Efficient Charting
➢ Increased Patient Safety
➢ Faster Lab Results and Improved
Scheduling
➢ Increased productivity
Digital and mobile technologies are
bringing huge benefits to the healthcare
sector. By embracing these new
technologies, healthcare organizations can
improve patient health outcomes, be
cost-effective, and provide timely care.
Patients will also be able to better manage
and control their health and medical
information.
This shows that technology can help
ensure a brighter, healthier future for
everyone.
A. Medical Apps
➢ Necessity of daily life and may be the
most popular mHealth device
➢ Example: diabetic patients using
mobile apps to enter their glucose
readings, diet and exercise data that
is sent remotely to their physician
for review and a message is sent
back to the patient with feedback
B. Wearable Healthcare
Technology (Healthcare IoMT)
➢ One of the hottest technology trends
in healthcare is the IoT
➢ Medical companies develop new
products:
○ Smart contact lenses\smart
medical apparel
○ Neurological devices
○ Monitoring skin patches
➢ Uses of IoMT:
○ Asset Tracking
○ Drug management: “Digital
Pill”
○ Smart Biosensors - monitor
vital signs and other health
conditions
➢ Example:
○ FitBit - to track fitness
activities, blood pressure,
sleep patterns and calories

Prepared by: Rigo Gray Marshall K. Kirit

NCM 32 (LAB) A1 LESSON 1 NOTES
C. Big Data and Artificial
Intelligence
➢ In Big Data
○ tying in patient data to health
insurance providers to
encourage patients to take
ownership of their healthcare
needs
➢ Uses of AI in healthcare include
○ Supporting clinical
decision-making
○ Identifying patient health
risk factors in advance
○ Support diagnostics
D. Privacy and Data Security
➢ Data from clinical and non-clinical
sources will need to be protected as
it is being shared across platforms to
unlock new opportunities in health
service innovation
➢ Blockchain may be implemented for
privacy and security
○ Currently the hottest trend
that is widely expected to
revolutionize data security
across industry sectors
○ The fundamental building
block that facilitates the use
of AI and Big Data solutions
in healthcare
E. VR and 3D Printing
➢ 3D printing of tissues could bring a
revolution in transplantation
➢ Augmented and virtual reality
○ integrate deeper into medical
education
○ Enhance the learning
experience (anatomy,
surgical procedures)
F. Medical Robots
➢ Assists surgeons
➢ Made up of cameras and articulated
robotic arms
➢ Specialized video cameras peer into
the area of the body being operated
upon
Prepared by: Rigo Gray Marshall K. Kirit
➢ The surgeon has to control the robot,
software minimizes the minute
errors that any surgeon can make
➢ Benefits:
○ Greater precision
○ Shorter hospitalization
○ Smaller incisions
○ Reduced pain and discomfort
III. Privacy, Security, and Ethical Use
of ICT
A. Computer Security Risks
➢ any event or action that could
cause a loss of or damage to
computer hardware,
software, data, information,
or processing capability.
A cybercrime is an online or Internet-based
illegal act
Computer Security Risks
1. Hacker
➢ Any skilled computer expert
that uses their technical
knowledge to overcome a
problem
2. Cracker
➢ One who breaks into or
otherwise violates the system
integrity of remote machines
with malicious intent
3. Script kiddie
➢ A person who uses existing
computer scripts or code to
hack into computers, lacking
the expertise to write their
own.
4. Corporate espionage
➢ The improper or unlawful
theft of trade secrets or other
knowledge proprietary to a
competitor for the purpose of
achieving a competitive
advantage in the marketplace
5. Cyberextortion
➢ A form of online crime which
occurs when a person uses
the Internet to demand
NCM 32 (LAB) A1 LESSON 1 NOTES

money or other goods or ➢ A malicious program that

behavior (such as sex), from hides within or looks like a
another person by legitimate program
threatening to inflict harm to
his person, his reputation, or 4. Rootkit
his property. ➢ Program that hides in a
6. Cyberterrorism computer and allows
➢ Any "premeditated, someone from a remote
politically motivated attack location to take full control
against information,
computer systems, computer An infected computer has one or more of
programs, and data which the following symptoms:
results in violence against ➢ Operating system runs much slower
noncombatant targets by than usual
sub-national groups or ➢ Available memory is less than
clandestine agents." expected
➢ Files become corrupted
➢ Screen displays unusual message or
image
➢ Music or unusual sound plays
randomly
➢ Existing programs and files
disappear
➢ Programs or files do not work
properly
➢ Unknown programs or files
mysteriously appear
B. Internet and Network Attacks ➢ System properties change
➢ Information transmitted over ➢ Operating system does not start up
networks has a higher degree ➢ Operating system shuts down
of security risk than unexpectedly
information kept on an
organization’s premises A firewall is hardware and/or software that
➢ An online security service is a protects a network’s resources from
Web site that evaluates your intrusion.
computer to check for
Internet and e-mail Intrusion Detection Software
vulnerabilities. ➢ Analyzes all network traffic
➢ Assesses system vulnerabilities
1. Computer Virus ➢ Identifies any unauthorized
➢ Affects a computer negatively intrusions
by altering the way the ➢ Notifies network administrations of
computer works. suspicious behavior patterns or
security breaches
2. Worm Honeypot
➢ Copies itself repeatedly, ➢ Vulnerable computer that is set up to
using up resources and entice an intruder to break into it
possibly shutting down the
computer or network C. Unauthorized Access and Use

3. Trojan Horse Unauthorized Access

Prepared by: Rigo Gray Marshall K. Kirit

 NCM 32 (LAB) A1 LESSON 1 NOTES
➢ The use of the computer or network
without permission
Unauthorized Use
➢ The use of a computer or its data for
unapproved or possibly illegal
activities
A possessed object is any item that you must
carry to gain access to a computer or
computer facility
➢ Often are used in combination with a
personal identification number
(PIN)
A biometric device authenticates a person’s
identity by translating a personal
characteristic into a digital code that is
compared with a digital code in a computer.
D. Hardware Theft and Vandalism
Hardware Theft
➢ Act of stealing computer equipment
Hardware Vandalism
➢ Act of defacing or destroying
computer equipment
E. Software Theft
➢ Steals software media
➢ Internationally erases programs
➢ Illegally copies a program
➢ Illegally registers and/or activates a
program
F. Information Theft
➢ Information theft occurs when
someone steals personal or
confidential information
➢ Encryption is a process of
converting readable data into
unreadable characters to prevent
unauthorized access
G. System Failure
➢ A system failure is the prolonged
malfunction of a computer
➢ A variety of factors can lead to
system failure, including:
○ Aging hardware –Natural
disasters
Prepared by: Rigo Gray Marshall K. Kirit
○ Electrical power problems
➢ Noise, undervoltages, and
overvoltages
○ Errors in computer programs
Two ways to protect from system failures
caused by electrical power variations
include surge protectors and
uninterruptible power supplies (UPS)
H. Health Concerns of Computer
Use
➢ The widespread use of computers
has led to health concerns
○ Repetitive strain injury (RSI)
○ Carpal tunnel syndrome
(CTS)
○ Computer vision syndrome
(CVS)
Hand Exercises
➢ Spread fingers a[art for several
seconds while keeping wrists
straight
➢ Gently push back fingers and then
thumb
➢ Dangle arms loosely at slides and
then shake arms and hands
Techniques to Ease Eye Strain
➢ Every 10 to 15 minutes, take an eye
break
○ Look into the distance and
focus on an object for 20 to
30 seconds
○ Roll your eyes in a complete
circle
○ Close your eyes and rest
them for at least one minute
➢ Blink your eyes every five seconds
➢ Place your display device about an
arm’s length away from your eyes
with the top of the screen at eye level
or below
➢ Use larger fonts
➢ If you wear glasses, ask your doctor
about computer glasses
➢ Adjust the lighting
 NCM 32 (LAB) A1 LESSON 1 NOTES
Ergonomics is an applied science devoted to
incorporating comfort, efficiency, and safety
into the design of items in the workplace.
Computer addiction
➢ Occurs when the computer
consumes someone’s entire social
life
➢ Symptoms of users include:
○ Craves computer time
○ Overjoy hen at the computer
○ Unable to stop computer
activity
○ Irritable when not at the
computer
○ Neglects family and friends
○ Problems at work or school
I. Ethics and Society
➢ Computer ethics are the moral
guidelines that govern the use of
computers and information systems
➢ Information accuracy is a concern
○ Not all information on the
Web is correct
Intellectual property rights
➢ The rights to which creators are
entitled for their work
○ A copyright protects any
tangible form of expression
➢ An IT code of conduct is a written
guideline that helps determine
whether a specific computer action is
ethical or unethical
IT Code of Conduct
1. Computers may not be used to harm
other people
2. Employees may not interfere ith
others’ computer work
3. Employees may not meddle in
others’ computer flies
4. Computers may not be used to steal
5. Computers may not be used to bear
false witness
6. Employees may not copy or use
software illegally
7. Employees may not use others;
computer resources without
authorization
Prepared by: Rigo Gray Marshall K. Kirit
8. Employees may not use others’
intellectual property as their own
9. Employees shall consider the social
impact of programs and systems
they design
10. Employees always should use
computers in a way that
demonstrates consideration and
respect for fellow humans
Green computing involves reducing the
electricity and environmental waste while
using a computer.
Green Computer Suggestions
1. Use computers and devices that
comply with the ENERGY STAR
program
2. Do not leave the computer running
overnight
3. Turn off the monitor, printer, and
other devices when not in use
4. Use LCD monitors instead CRT
monitors
5. Use paperless methods to
communicate
6. Recycle paper
7. Buy recycled paper
8. Recycle toner cartridges
9. Recycle old computer, printer, and
other devices
10. Telecommunicate to save gas
11. Use video conferencing and VoIP for
meetings
➢ Information privacy refers to the
right of individuals and companies
to deny or restrict the collection and
use of information about them
➢ Huge databases store data online
➢ It is important to safeguard your
information
How to Safeguard Personal Information
1. Fill in only necessary information on
rebate, warranty, and registration
forms
2. Do not preprint your telephone
number or Social Security number
on personal checks
NCM 32 (LAB) A1 LESSON 1 NOTES
3. Have an unlisted or unpublished
telephone number
4. If Called ID is available in your area,
find out how to block your number
from displaying on the receiver’s
system
5. Do not write your telephone number
or charge credit receipts
6. Ask merchants not to write credit
card numbers, telephone numbers,
Social Security numbers, and
driver’s license numbers on the back
of your personal checks
7. Purchase goods with cash, rather
than credit or checks
8. Avoid shopping club and buyer cards
9. If merchants ask personal questions,
find out why they want to know
before releasing information
10. Inform merchants that you do not
ant them to distribute your personal
information
11. Request, in writing, to be removed
from mailing lists
12. Obtain your credit report once a year
from each of the three major credit
reporting agencies (Equifax,
Experan, and TranUnion) and
correct any errors
13. Request a free copy of your medical
records once a year from the Medical
Information Bureau
14. Limit the amount of information you
provide to websites. Fill in only
required information
15. Install a cookie manager to filter
cookies
16. Clear your history file when you are
finished browsing
17. Set up a free email address for
merchant forms
18. Turn off file and printer sharing on
your internet connection
19. Install personal firewall
20. Sign up for free email filtering
through your Internet access
provider or use an anti-spam
program such as Brightmail
21. Do not reply to spam for any reason
22. Surf the web anonymously oth a
program such as Freedom
Prepared by: Rigo Gray Marshall K. Kirit
WebSecure or through an
anonymous Website such as
Anonymizer.com
➢ A cookie is a small text file that a
Web server stores on your computer
➢ Web sites use cookies for a variety of
reasons:
○ Allow for personalization
○ Store users’ passwords
○ Assist with online shopping
○ Track how often users visit a
site
○ Target advertisements
How do Cookies Work?
1. When you type the Web address of a
Website in a browser window, the
browser program searches your hard
disk for a cookie associated with the
website.
2. If the browser finds a cookie, it sends
information in the cookie file to the
website.
3. If the website does not receive cookie
information, and is expecting it, the
site creates an identification number
for you in its database and sends
that number to your browser. The
browser in turn creates a cookie file
based on that number and stores the
cookie file on your hard disk. The
website now can update information
in the cookie file whenever you
access the site.
➢ Spam is an unsolicited e-mail
message or newsgroup posting
➢ Phishing is a scam in which a
perpetrator sends an official looking
e-mail message that attempts to
obtain your personal and financial
information
➢ Pharming is a scam where a
perpetrator attempts to obtain your
personal and financial information
via spoofing
—--------------------------------------------------
Other Supplemental Resources
 NCM 32 (LAB) A1 LESSON 1 NOTES
I. Knowing the benefits of electronic
health information systems for
clinicians (3-minute YouTube video)
II. Digital Citizenship (45-minute
YouTube video)
III. What cyber criminals want from
your healthcare organization
Introduction
Cybercriminals target the medical industry
for a gold mine of personal and financial
data.
➢ As 21st century health records have
moved from paper to digital and as
the healthcare infrastructure
handling smart medical devices and
network-connected systems has
become increasingly complex,
cybercriminals have taken note.
Unfortunately, while the personally
identifiable information (PII) stored
on endpoints is valuable to patients,
physicians, and healthcare
providers, it’s also highly sought
after by cybercriminals.
➢ Unlike stolen credit cards, electronic
patient records contain PII that
never expires, which can be
repeatedly used for malicious intent.
With stolen PII, criminals can falsify
insurance claims and tax returns,
obtain fraudulent credit cards, open
bank accounts to write bad checks,
and obtain government-issued
passports to create new identities.
The opportunities are endless.
➢ Every day, the medical sector is
exposed to cyberthreats like Trojans,
ransomware, insider threats, and
other forms of malware—with the
most disruptive coming from
information stealing Trojans and
ransomware attacks. Threat
detections have increased from
about 14,000 healthcare-facing
endpoint detections in Q2 2019 to
Prepared by: Rigo Gray Marshall K. Kirit
more than 20,000 in Q3, a growth
rate of 45 percent.1
➢ In 2020, healthcare organizations
remained a target. In April, the
international law enforcement
agency Interpol warned that, amidst
the broader global pandemic,
hackers were targeting healthcare
systems with ransomware. The
agency’s warning came just days
after Microsoft told several dozen
hospitals that their gateway and VPN
appliances were vulnerable to
attacks.
➢ For healthcare organizations to
effectively implement security
measures unique to their
environment, they must first
understand why cybercriminals are
trying to breach their networks. This
paper identifies the top four
healthcare targets for cybercriminals
and the impact of their compromise
on medical staff, patients, and daily
operations.
Top 4 Healthcare Targets for
Cybercriminals
1. Patient PII
2. Operations, systems and files for
ransom
3. Technology providers, vendors and
suppliers
4. Broad attack surface
A. Patient PII
➢ While some healthcare organizations
have opted to house pertinent
patient and medical data they keep
on record in the cloud, many choose
to store theirs locally. Per patient,
they store a wide range of PII that’s
valuable to a criminal to orchestrate
identity theft, such as name, date of
birth, home address, email address,
and Social Security number (SSN).
➢ Then there’s the wealth of electronic
protected health information (ePHI)
that the medical sector stores on
each patient, including health
 NCM 32 (LAB) A1 LESSON 1 NOTES
records, images from medical exams,
blood tests and other test results, as
well as diagnosis and treatment
information. Combined with stolen
PII, when bad actors gain access to
patient records, they have, in
essence, a goldmine to commit
insurance fraud.
➢ Cybercriminals can sell information
deemed valuable either individually
or as a data set, which underground
criminals refer to as “fullz”—a selling
jargon that means the full identity
package of a person. Patient data is
highly sought after by
cybercriminals. In fact, healthcare
records fetch a high price with
individual records commanding
$1,000 on the dark web.
➢ That’s a lot of financial profit for
cybercriminals, and, unfortunately,
stolen records come at a steep cost
for the medical sector. Healthcare
organizations have the highest
industry costs associated with data
breaches at $6.45 million—65
percent higher than the global
average of all industries. Healthcare
costs rank well above other
industries because the sector
experiences an average total cost per
stolen record of $429, which is
significantly higher than less
regulated industries.
Impact of PII theft on patients and staff
➢ A cybercriminal owning a single data
set on a patient or a staff member
working in a healthcare organization
can fully take over their identities by
posing as them when dealing with
governments and private
institutions, whether that’s for tax
purposes or taking out a loan.
➢ They can also mix up or combine
certain data to create a new identity
profile. These new profiles are called
“synthetic identities,” which is the
fastest growing financial crime.
Prepared by: Rigo Gray Marshall K. Kirit
B. Operations, systems, and files for
ransom
➢ The healthcare sector is an essential
critical infrastructure entity that
must remain operational
around-the-clock to serve the local
community and surrounding region.
This makes ransomware attacks
especially dangerous to the
healthcare industry with the risk of
causing significant financial,
reputational, health, and safety
harm. Ransomware attacks usually
deny access to the healthcare
organization’s systems and files until
a ransom is paid. And in the event it
isn’t paid, some attackers may
threaten to sell the “captured” PII on
the black market.
➢ Ransomware accounts for most
healthcare malware attacks. And
when they hit, they cripple
operations. Life Saving surgeries
must be postponed, appointments
canceled, and medical tests halted.
It’s safe to say that the consequences
of ransomware for the healthcare
industry far outweigh any other
organization, as essential devices,
systems, and files are locked out.
Impact of ransomware on healthcare
➢ Even with lives on the line,
cybercriminals are not showing any
signs of mercy with their
ransomware attacks on the medical
sector. According to analysis by
Coveware, not only did the average
ransomware demand rise 184
percent to $36,295, but the
healthcare industry accounted for
13.6 percent of ransomware targets.5
In addition to the cost of paying the
ransom (if the organization makes
that decision), impacted
organizations must notify patients of
the data breach and inform them
that their information may have
been exposed.
NCM 32 (LAB) A1 LESSON 1 NOTES
➢ And, what better way to
demonstrate the impact
ransomware has on healthcare
operations than to share some
examples that occurred in 2019 and
2020?
○ All three DCH Health System
hospitals in Alabama were
temporarily closed to new
patients following a targeted
ransomware attack.
○ The Cancer Center of Hawaii
temporarily suspended
cancer radiation treatments
at two centers due to a
ransomware attack.
○ Wood Ranch Medical went
out of business after a
ransomware attack caused
the health provider to lose all
access to their patients’
medical records.
○ Campbell County Health
suspended new inpatient
admissions and canceled
some surgeries following a
ransomware attack.
○ Seneca Nation Health System
as well as Olean Medical
Group lost access to their
computer and EHR systems
following a ransomware
attack on both of the
healthcare organizations.
○ Brookside ENT & Hearing
Services in Michigan closed
the medical practice after a
successful ransomware
attack deleted every medical
record, bill, and
appointment, including the
backups.
○ University of Arkansas for
Medical Sciences shut down
its information network after
detecting a “malware virus.”
○ Hammersmith Medicines
Research rebuffed a with
ransomware attack in real
time, but the threat actors
managed to swipe and
Prepared by: Rigo Gray Marshall K. Kirit
publish patient records
online.
C. Technology Providers, Vendors, and
Third-party Suppliers
➢ Weak security of third-party vendors
in the supply chain was revealed as a
new threat vector after
cybercriminals breached Target
through one of their refrigeration
contractors. Unfortunately,
healthcare organizations are not
immune to supply chain attacks.
Such attacks happen against medical
centers through unsecured medical
technology applications, vendors,
and other suppliers.
➢ In some cases, threat actors target
third parties as a means to an end,
looking for a less secure, easier entry
into healthcare networks. For
example, cybercriminals might first
compromise a third-party and lay
dormant on their network, pouncing
at the first opportunity to grab login
credentials to the healthcare
network.
➢ In well-coordinated attacks,
criminals lodge social engineering
attacks against healthcare personnel
pretending to be an authorized
vendor with the intent to redirect
huge sums of money from vendor
accounts to their own.
➢ On the other hand, cybercriminals
also target vendors directly, knowing
that they, too, store patient
information. This is especially true
of medtech companies that provide
medical management apps that
patients download on their mobile
devices or access on their home
computers. While the security of
medical management apps is
managed by third parties, the apps
must interface and communicate
the overall security
infrastructure of their associated
healthcare organization. In addition,
the presence of advertising or
 NCM 32 (LAB) A1 LESSON 1 NOTES
analytics trackers increases
processing time, which could
increase the app’s vulnerability to
breach.
Impact of vendor compromise on healthcare
➢ In scenarios where healthcare
technology providers, vendors, and
third-party suppliers are breached
for patient data, the healthcare
organizations, themselves, are not
liable to pay any post-breach costs.
Sadly, the result is still the theft and
sale of data about patients in
underground markets on the dark
web with the risk of identity theft
and account takeovers becoming
high.
➢ In addition, medical organizations,
already on tight budgets, might need
to come up with additional funds to
pay the real vendors if criminals
stole from vendor accounts. Finally,
patients connecting to compromised
medical technology platforms from
home can endanger their home
networks and infect additional
devices.
D. Broad Attack Surface
➢ The infrastructure of
network-connected devices inside
healthcare organizations is
incredibly complex. In addition to
multiple users with access to patient
healthcare information (PHI),
healthcare organizations use a wide
variety of devices in their IT
ecosystems, such as central servers,
desktops, mobile devices, MRI
machines, radiology equipment,
PACs medical imaging files, and
other equipment. Often, these
systems are running old operating
systems and legacy software. And
these devices can all connect to the
same network and central databases
with little knowledge of device
security.
➢ With a combination of legacy
systems and new, innovative
Prepared by: Rigo Gray Marshall K. Kirit
medtech systems, the healthcare
sector has a unique cybersecurity
challenge. Digital expansion of PHI
and a variety of healthcare devices
create a broad attack surface with
potential gaps in security controls
and processes that create
opportunities for cyber criminals to
target the PHI stored on these
devices.
➢ At the heart of the issue: many of
these systems were not designed
with security in mind. As noted by
Yarmela Pavlovic, legal expert who
advises digital health and mobile
health tech companies, “… there are
a lot of companies grappling with
legacy products and trying to
implement cybersecurity controls
based on more modern technology
for products where those concerns
were not part of the original design
and development.”
Impact of broad attack surface on
healthcare organizations and patients
➢ Medical IoT devices offer new ways
to monitor patients and equipment
while improving care,
responsiveness, and lowering costs.
But this broadens the attack surface
with unknown security protections.
Connected medical devices—from
WiFi enabled infusion pumps to
smart MRI machines—increase the
attack surface of devices sharing
information and create security
concerns, including device
tampering, PII risks, and potential
regulatory violations.
➢ For example, in July 2019 it was
discovered that MiniMed Insulin
Pumps had a cybersecurity
vulnerability that could allow a
hacker to wirelessly connect to other
devices within range and change the
pump’s settings. As a result, the FDA
issued a Class 1 recall (the most
serious type of recall) on several
product models that had been in
 NCM 32 (LAB) A1 LESSON 1 NOTES

distribution to healthcare patients 3. Republic Act - 8792 (E-Commerce Act of

since 1999. 2000
➢ Cybercriminals will, no doubt, 4. Republic Act - 11293 (Philippine
continue to focus their targets on a Innovation Act)
large number of endpoints that are 5. Republic Act - 10844 (Department of
less secure than traditional Information And Communications
enterprises who are comparatively Technology Act of 2015)
more invested in security that boast
the same numbers. They find it a lot
easier and more lucrative at the V. Blockchain in Healthcare (2-minute
same time. YouTube video)

Conclusion

When it comes to making a buck out

of stolen information, cybercriminals have
always targeted vulnerable systems and
people, whether it’s local government
bodies, schools, nonprofits, or individuals
who are not technically savvy.
Cybercriminals don’t discriminate. And
unfortunately, the healthcare sector remains
a highly attractive target.

It is important for healthcare

executive boards and IT professionals to be
reminded that they have a fiduciary
responsibility to ensure that patient and
staff PII, including financial information,
are protected; healthcare ecosystems run as
normal; and operational hours are
continuous. Fortunately, there are several
tactics they can take to fulfill these.
Because cybercriminals have
adopted a multivector offensive
technique—a mixture of malware, social
engineering, and hacking— implementing a
multi-vector defensive stance to protect
endpoints is the next logical step. This is
done by combining good security hygiene
practices and technologies that provide
layered protection and detection.

IV. IT-related Laws in the Philippines

1. Republic Act - 10173 (Data Privacy Act of

2012)
2. Republic Act - 10175 (Cybercrime
Prevention Act of 2012)

Prepared by: Rigo Gray Marshall K. Kirit