TECH NOTES

Cybersecurity awareness:
Downloaded from http://journals.lww.com/nursing by BhDMf5ePHKav1zEoum1tQfN4a+kJLhEZgbsIHo4XMi0hCywCX

Protecting data and patients

1AWnYQp/IlQrHD3i3D0OdRyi7TvSFl4Cf3VC1y0abggQZXdgGj2MwlZLeI= on 01/29/2024

By Lee Kim, JD, BS, CIPP/US, CISSP, FHIMSS

IN TODAY’S INCREASINGLY addition, the HIPAA Privacy Rule Safeguarding information

“connected” world, where much governs the permitted or required We all make decisions every day
of the patient information that we uses and disclosures of protected that significantly influence the se-
handle is in electronic form, we health information, regardless of curity or insecurity of our organi-
can’t maintain patient privacy with- the medium.2 zation’s data; for example, clicking
out information security. Patient Protecting information isn’t just a on a malicious link for a “phish-
information must be protected at function of the information technol- ing” website, opening a malicious
all stages of the information life- ogy (IT) department, it’s the shared e-mail attachment, divulging sensi-
cycle: when the information is responsibility of everyone within an tive information to a “social engi-
created, received, transmitted, organization. This responsibility ex- neer,” or allowing unauthorized
maintained, and destroyed. The tends to end users, such as nurses, personnel in restricted areas may
Health Insurance Portability and physicians, unlicensed assistive per- result in serious adverse conse-
Accountability Act (HIPAA) Secu- sonnel, technicians, and other staff, quences. Any compromise of pa-
rity Rule mandates the protection including interns, volunteers, con- tient information may pose a risk
of electronic health information sultants, contractors, and research- to patient safety.4
with physical, technical, and ad- ers. Technology safeguards alone People tend to be the weakest
ministrative safeguards.1 It also can’t make an organization secure; link in an organization’s informa-
requires covered entities and however, knowledgeable employees tion security program, and this is
business associates to implement can help reduce risks.3 This article especially true if employees are
cybersecurity awareness and train- discusses what nurses must do to unaware of the risks that they may
ing for all members of the work- promote cybersecurity and maintain introduce. Breaches can happen
force, including management.1 In patient confidentiality. very quickly given fast network
speeds and ready access to data,
even via mobile devices or web-
Learn the lingo based cloud applications.
Accordingly, employees should
Cybersecurity awareness: an approach to enabling a broad, organization-wide
understanding of information security and motivating employees to practice
regularly be taught about good
good cyber hygiene to help protect valuable and sensitive information9 “cyber hygiene,” including what to
do, what not to do, and why, by
Cyber hygiene: the process of ensuring that one is protecting and maintaining participating in mock exercises
systems and devices appropriately and using cybersecurity best practices10
that simulate phishing and social
Phishing: a fraudulent e-mail and/or website used to solicit personal or engineering. Besides simulating
sensitive information under false pretenses11 cyberattacks, these exercises can
Social engineering: A method used to convince someone to do something help determine the effectiveness of
and/or divulge information (for example, click on a malicious link, visit a the current cybersecurity aware-
malicious website, or divulge patient or other sensitive information) that ness and training program, and
often involves deceit, influence, and/or manipulation12 identify employees who may need
Ransomware: a type of malicious software (malware) that uses encryption to
more training.
deny authorized users access to systems or data; a ransom is then demanded Key points include educating
for access13 others about cybersecurity aware-
ness to prevent data leakage; think-
Breach: the impermissible use or disclosure of protected health information
ing before you communicate or
that compromises the security or confidentiality of the information.14
disclose via e-mail, social media,

www.Nursing2017.com June l Nursing2017 l 65

Copyright © 2017 Wolters Kluwer Health, Inc. All rights reserved.

 TECH NOTES
Downloaded from http://journals.lww.com/nursing by BhDMf5ePHKav1zEoum1tQfN4a+kJLhEZgbsIHo4XMi0hCywCX
or other means; and avoiding shar-
ing your usernames and passwords
with anyone or letting someone else
1AWnYQp/IlQrHD3i3D0OdRyi7TvSFl4Cf3VC1y0abggQZXdgGj2MwlZLeI= on 01/29/2024
use your computer while you’re
signed in.
Another integral part of the
cybersecurity awareness and train-
ing program is the concept of “see
something, say something.” If an
employee receives a suspicious
e-mail, phone call, or text message,
or a computer displays unusual
behavior, such as a system freeze
or crash, the presence of sent
e-mails you don’t recall sending, or
the presence of installed programs
HIMSS infographic for Data Privacy Day
66 l Nursing2017 l Volume 47, Number 6
Copyright © 2017 Wolters Kluwer Health, Inc. All rights reserved.
you don’t recall installing, be sure
to notify your organization’s IT de-
partment immediately. Delaying
the report of an incident may re-
sult in harm, such as data being
breached, corrupted, or encrypted
and held for ransom (known as
“ransomware”).
Cybersecurity awareness programs
should be conducted during on-
boarding and at least annually. Ad-
ditionally, employees can receive more
frequent awareness reminders and
tips via screensavers, e-newsletters,
intranet messages, and so on. As se-
curity incidents occur, awareness and
training programs, as well as
the information security program
as a whole, should be reevaluated
to identify any gaps. If gaps are
detected, a plan must be developed
to address them in both the short
and long term.
Ideally, your cybersecurity
awareness and training program
should provide a hybrid perspec-
tive from both the clinician and IT
perspectives, including lessons
learned from recent and past secu-
rity incidents. It should also be
easy to understand and implement,
regardless of staff members’ levels
www.Nursing2017.com
Downloaded from http://journals.lww.com/nursing by BhDMf5ePHKav1zEoum1tQfN4a+kJLhEZgbsIHo4XMi0hCywCX
of technical sophistication. Wheth-
er an organization is starting a new
cybersecurity awareness and train-
1AWnYQp/IlQrHD3i3D0OdRyi7TvSFl4Cf3VC1y0abggQZXdgGj2MwlZLeI= on 01/29/2024
ing program, implementing an
existing program, or looking to
revamp a program, the Healthcare
Information and Management
Systems Society (HIMSS) offers
materials that can be incorporated.5
See HIMSS infographic for Data
Privacy Day for an example.
In addition to the HIMSS
awareness tools, the National
Cyber Security Alliance (NCSA)
provides free online resources
for those who want to learn more
about staying safe online.6 The
NCSA also offers templates and
other materials to help organiza-
tions bolster their cybersecurity
awareness and training programs
with initiatives such as STOP.THINK.
CONNECT ., National Cyber Security
Awareness Month, Data Privacy
Day, and RE: Cyber.6
You don’t necessarily need to
wait for your organization’s next cy-
bersecurity awareness and training
program to implement good cyber
hygiene practices. No matter where
you are, your computer and mobile
devices should always be physically
safeguarded.7 Never leave laptops,
tablets, smart phones, or mobile de-
vices unattended, and don’t connect
to unsecured public wireless net-
works.7 Always use complex pass-
words that are difficult for others to
guess but easy for you to remember,
regularly change your passwords,
and use a unique password for each
account.8
Be the gatekeeper
In today’s “cyberworld,” safe and
responsible use of technology
helps safeguard patient informa-
tion. Nurses can achieve this goal
by educating themselves about
cybersecurity awareness and good
www.Nursing2017.com
Copyright © 2017 Wolters Kluwer Health, Inc. All rights reserved.
cyber hygiene. Working with
others involved with patient care,
nurses can make their healthcare
organizations stronger and more
resistant to cyberattacks and com-
promises by taking these proactive
steps. ■
REFERENCES
1. U.S. Department of Health and Human Services.
HIPAA security rule. https://www.hhs.gov/hipaa/
for-professionals/security/index.html.
2. U.S. Department of Health and Human Services.
HIPAA privacy rule. https://www.hhs.gov/hipaa/
for-professionals/privacy/index.html.
3. Healthcare Information and Management
Systems Society. HIMSS cybersecurity position
statement. www.himss.org/sites/himssorg/files/
Tab%2001%20Cybersecurity%20Position%20
Statement%20UPDATED.pdf.
4. Independent Security Evaluators. Hacking
hospitals. www.securityevaluators.com/hospitalhack.
5. Healthcare Information and Management
Systems Society. Privacy and security awareness
initiatives. www.himss.org/library/healthcare-
privacy-security/initiatives.
6. National Cyber Security Alliance. Get involved.
https://staysafeonline.org/get-involved.
7. Healthcare Information and Management Systems
Society. The healthcare industry’s guide to keeping
information safe and secure when you are mobile.
www.himss.org/ncsam/keeping-information-safe-
and-secure-when-mobile.
8. Healthcare Information and Management
Systems Society. 2016 Healthcare organization’s
guide to keeping passwords safe and secure.
www.himss.org/library/healthcare-privacy-security/
passwords-secure-safe.
9. (ISC)2 blog. The true meaning of “security
awareness training.” http://blog.isc2.org/isc2_
blog/2010/12/the-true-meaning-of-security-
awareness-training.html.
10. Center for Internet Security. Cyber hygiene.
www.cisecurity.org/cyber-pledge.
11. U.S. Computer Emergency Readiness Team.
Report phishing sites. https://www.us-cert.gov/
report-phishing.
12. FBI.gov. Social engineering. https://www.fbi.
gov/audio-repository/ftw-podcast-social-
engineering-101416.mp3/view.
13. FBI.gov. Incidents of ransomware on the rise.
https://www.fbi.gov/news/stories/incidents-of-
ransomware-on-the-rise.
14. U.S. Department of Health and Human
Services. Breach notification rule. https://www.
hhs.gov/hipaa/for-professionals/breach-
notification.
Lee Kim is the Director of Privacy and Security for
HIMSS North America.
The author has disclosed no financial relationships
related to this article. “CE Connection.”
DOI-10.1097/01.NURSE.0000516242.05454.b4
June l Nursing2017 l 67