In today's increasingly “connected” world, we can't achieve patient privacy without information security. Much of the patient information that we handle is in electronic form. Moreover, patient information must be protected at all stages of the information lifecycle: when the information is created, received, transmitted, maintained, and destroyed. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that electronic protected health information be protected with administrative, physical, and technical safeguards.1 It also requires covered entities and business associates to implement cybersecurity awareness and training for all members of the workforce, including management.1 Further, the HIPAA Privacy Rule governs the permitted and required uses and disclosures of protected health information, regardless of the medium.2
Why is cybersecurity awareness and training so important? Protecting information isn't just a function of the information technology (IT) department; it's the shared responsibility of everyone within an organization. This responsibility extends to end users, such as nurses, unlicensed assistive personnel, and other staff (interns, volunteers, consultants, contractors, researchers, and so on). Technology safeguards alone can't make an organization secure; however, knowledgeable employees can help reduce risks.3
We all make decisions every day that significantly influence the security or insecurity of our organization's data. For example, clicking on a link to a “phishing” website, opening a malicious e-mail attachment, divulging sensitive information to a “social engineer,” or allowing unauthorized personnel into restricted areas may result in serious, adverse consequences. (See Table 1.) Any compromise of patient information may also pose a risk to patient safety.4 People tend to be the weakest link in an organization's information security program, and this is especially true if employees are unaware of the risks that they may introduce. Breaches can happen very quickly given fast network speeds and ready access to data, including from mobile devices and web-based cloud applications.
Accordingly, employees should regularly be taught good “cyber hygiene,” including what to do, what not to do, and the reasons why, through mock exercises that simulate phishing and social engineering. Beyond giving staff practice at recognizing an attack, the results of these exercises help measure the effectiveness of the current cybersecurity awareness and training program and identify employees who may need additional training.
Key points include educating others about cybersecurity awareness to prevent data leakage; thinking before you communicate or disclose via e-mail, social media, or other means; and avoiding sharing your usernames and passwords with anyone else (or letting anyone else use your computer while you're signed in).
Another integral part of the cybersecurity awareness and training program is the concept of “see something, say something.” If you receive a suspicious e-mail, phone call, or text message, or a computer is behaving unusually, notify your organization's IT department immediately. Delaying the report of an incident may result in harm, such as data being breached, corrupted, or encrypted and held for ransom (known as “ransomware”).
Cybersecurity awareness programs should be conducted during onboarding and at least annually. Additionally, employees can receive more frequent awareness reminders and tips via screensavers, e-newsletters, intranet messages, and so on. As security incidents occur, awareness and training programs, as well as the information security program as a whole, should be reevaluated to determine if there are any gaps. If gaps are detected, a plan must be developed to address them in both the short and long term.
Ideally, your cybersecurity awareness and training program should combine the clinician's and the IT department's perspectives, including lessons learned from recent and past security incidents. It should also be easy to understand and implement, regardless of staff members' levels of technical sophistication. Whether you're starting your own cybersecurity awareness and training program, implementing your organization's program, or looking to revamp a program, the Healthcare Information and Management Systems Society (HIMSS) offers materials that you can incorporate.5 See Figure 1 for an example.
In addition to the HIMSS awareness tools, the National Cyber Security Alliance (NCSA) provides free online resources for those who want to learn more about staying safe online.6 The NCSA also offers templates and other materials to help organizations bolster their cybersecurity awareness and training programs with initiatives such as STOP.THINK.CONNECT., National Cyber Security Awareness Month, Data Privacy Day, and RE: Cyber.6
You don't need to wait for your organization's next cybersecurity awareness and training session to practice good cyber hygiene. No matter where you are, your computer and mobile devices should always be physically safeguarded.7 Never leave laptops, tablets, smart phones, or other mobile devices unattended, and don't connect to unsecured public wireless networks.7 Always use complex passwords that are difficult for others to guess but easy for you to remember, change your passwords regularly (and immediately if you suspect one has been exposed), and use a unique password for each account so that one compromised password can't unlock your other accounts.8
Be the gatekeeper
As a nurse manager, you lead by example every day, playing a critical role in managing and overseeing patient care, including preserving patient safety. In today's “cyberworld,” safe and responsible use of technology aids in safeguarding patient information. You can help achieve this goal by educating your staff about cybersecurity awareness and good cyber hygiene. Together, we can make our healthcare organizations stronger and more resilient to cyberattacks and compromises by taking these proactive steps.
1. U.S. Department of Health and Human Services. HIPAA security rule. https://www.hhs.gov
2. U.S. Department of Health and Human Services. HIPAA privacy rule. https://www.hhs.gov
3. Healthcare Information and Management Systems Society. HIMSS cybersecurity position statement. http://www.himss.org
5. Healthcare Information and Management Systems Society. Privacy and security awareness initiatives. http://www.himss.org
6. National Cyber Security Alliance. Get involved. https://staysafeonline.org/get-involved
7. Healthcare Information and Management Systems Society. The healthcare industry's guide to keeping information safe and secure when you are mobile. http://www.himss.org
8. Healthcare Information and Management Systems Society. 2016 healthcare organization's guide to keeping passwords safe and secure. http://www.himss.org
9. (ISC)2 blog. The true meaning of “security awareness training.” http://blog.isc2.org/isc2_blog/2010/12/the-true-meaning-of-security-awareness-training.html
11. U.S. Computer Emergency Readiness Team. Report phishing sites. https://www.us-cert.gov
12. FBI.gov. Social engineering. https://www.fbi.gov
13. FBI.gov. Incidents of ransomware on the rise. https://www.fbi.gov
14. U.S. Department of Health and Human Services. Breach notification rule. https://www.hhs.gov