The topic of cybersecurity, including cyber-attacks and major breaches, appears frequently in the news, but, you may ask: why does it matter to me?1 If my organization hasn't experienced a cyber-attack, why should I be concerned? The answers to these questions are simple. We need to care about cybersecurity because it's necessary to deliver appropriate, high-quality care to our patients.
Negative impacts to patient privacy and safety, business and clinical operations, and potential litigation may arise if an organization's cybersecurity program is lax, nonexistent, or inconsistently enforced.2 Just think of all of the computers in your organization, all of the medical devices that are connected to your computer network, and everything else that's computer-driven or computer-enabled in some way. If any of these systems or devices are compromised, you and your staff members' ability to do your work will likely suffer. Time is much better spent taking care of patients and managing that care, rather than fighting with technology.
Cybersecurity is everyone's concern and all of us can be part of the solution.3 You don't have to work as a cybersecurity or information technology (IT) professional to make a difference. As an end user in your organization, you can make sound security decisions to positively influence and improve the security posture in your organization by practicing good cyber hygiene. You can also help educate your staff members. By doing these things, you and your team can be your organization's first line of defense.
Know what not to do
End-user security is very important. Surprisingly, the top threat for many healthcare organizations isn't the black hat (malicious) hacker, but rather its end users.4 Unfortunately, convenience often means that proper security takes a backseat. Knowing what not to do is as important as knowing what to do. Here are some real-world examples of what not to do.
Posting usernames and passwords on a sticky note under your keyboard, on your monitor, on your computer, in an insecure location where someone else can find them, or in a file or other electronic document. Leaving usernames and passwords somewhere on your computer, such as in a file, is never a good idea. Although it may be convenient for you, it's also very convenient for a cyber-attacker to use your credentials.5 After a cyber-attacker has infiltrated your system, he or she will usually conduct a postexploitation review of your system to determine what else may be found; looking for credentials is part of that list.6 Remember that security through obscurity doesn't work. Some productivity software offers the ability to encrypt, but please bear in mind that it can be fairly trivial to crack or bypass these passwords.
Reusing the same or similar password, or using a weak or default password. Password reuse, weak passwords, and default passwords are also certainly never a wise idea.7 You may be tempted to use the same or similar password for all of your accounts, but remember that the main purpose of passwords is to keep others out while letting authorized users into the system. Once a cyber-attacker has determined what your password is for one system, he or she may use password cracking tools to “brute force” your password on other systems.8
As an example, let's say your hospital has an online patient portal. You happen to have the same password for that online patient portal as your computer system at work. In addition, you can remotely access your computer system when you aren't at work in order to work after hours or off-site. A frequently used technique by cyber-attackers is to try to reuse credentials. The cyber-attacker will attempt to log into your computer system remotely using the same credentials as the web application. In other words, the cyber-attacker relies on careless mistakes that users or administrators make. Cyber-attackers also know that the average end user reuses his or her password.
Weak passwords include those using words that you can find in the dictionary.9 The wordlists cyber-attackers frequently use contain these words. You may be surprised at how prevalent wordlists are; type into your favorite search engine “password wordlist” and you'll find many, and you'll get even more results without using the quotation marks. It's common for wordlists to include stolen passwords from previous breaches of online systems.
In addition, adding special characters (such as $, #, !) to your password, which may be a dictionary word, may not necessarily strengthen it because password cracking programs and tables account for such variations in complexity. As an example, “p@ssw0rd!” may not be a very strong password.10 So, it's best to use arbitrary letters, numbers, and symbols in passwords, but not something weak such as “1qaz2wsx”(sequential strokes on a keyboard). Instead, a strong password is something arbitrary, such as “C$@p^9L2z[y!”w%.”11
Also beware of using a password based on things that are easily discoverable about you and/or your organization, such as via social media profiles and your organization's website. Sometimes, cyber-attackers may guess your password as a result of their efforts in the information gathering phase. For example, the cyber-attacker may visit your bio page on your corporate website and your personal and professional social media pages. This is why you may frequently hear the sage advice to be careful about what you post on social media. Passwords may be reset using answers to security questions, or may be guessed or cracked based on information gathered about you and used against you and your organization. For example, your organization's website may be “scraped” to derive a customized wordlist, which may enable the cyber-attacker to either guess or crack your password.12
Default passwords are quite trivial because the cyber-attacker needs to only look up the manual for the software or search an online message board to determine the default password. Just type “default password” into your favorite search engine and you may be astounded by the amount of information you'll find.
Downloading unauthorized software, web browser plug-ins, or web extensions or add-ons from the Internet. Downloading and using software/tools from the Internet may be tempting, but there are dangers in doing so without preapproval from your IT department.13 A lot of malicious software (malware) is present on the Internet. Malware may be hidden in the software/tools that you download and your antivirus program may not necessarily detect it. Cyber-attackers can embed malicious computer instructions in the software/tools in such a way that antivirus software and other security programs may be evaded.14 Even if security solutions detect malicious activity after a few minutes, a cyber-attacker may have already infiltrated your system and stolen the keys to the kingdom, such as your password and sensitive patient information, or he or she may revisit your system several times. This is why it's very important to always check with your IT department first before downloading software/tools from the Internet and report anything unusual happening with your computer, such as frequent application or system crashes, unusual slowness, and low memory warnings, that may be a sign of a malware infection and/or your system being hacked.
Opening e-mails or unusual attachments that you aren't expecting. E-mails are a soft spot because a cyber-attacker may send a phishing e-mail requesting confidential information, such as your username and password, or convince you to click on a malicious link or attachment. Clicking on a malicious link or attachment in an e-mail may lead to a malware infection on your computer and other computers connected to yours. Cyber-attackers can easily embed malware in something seemingly innocuous, such as a document, spreadsheet, image, photo, video, or PDF file. Once you open the attachment, the malware executes on your machine, infecting your computer and other computers on your organization's network. Cyber-attackers may then execute arbitrary commands on these compromised machines and potentially even add accounts with administrator-level access so that such access can be maintained.15
Delaying the installation of updates approved by your IT administrator. Updating your system in a timely manner whenever your IT department pushes through software, operating systems, firmware, and device driver updates is essential. When the WannaCry ransomware attacked healthcare organizations worldwide, many healthcare organizations proactively patched their systems as soon as the patch was issued. But even in the wake of “normal” situations where there isn't an international cyber-attack occurring, software updates are important to implement as soon as possible. Although it may seem that software updates come through at inconvenient moments during the workday, they're pushed out for good reason. A cyber-attacker has a longer window of opportunity if you delay the updating of your system. If more facilities and end users regularly update their systems, fewer healthcare organizations will be hacked.16
Leaving protected health information or personally identifiable information in a presentation, publication, or other public-facing document. Sensitive patient information or other information in plain view opens the door to a breach situation. Whether it's hospital scheduling information, radiology, pharmacy, electronic health records, or otherwise, the consequences for the organization and staff may be significant. A patient, visitor, employee, or contractor who doesn't have authorized access can gain access to sensitive data and systems. This may be a reportable breach under the HIPAA Breach Notification Rule or applicable state and/or federal law, or other laws and regulations in your jurisdiction.17
If you're publishing a paper or giving a presentation with personally identifiable information and/or protected health information, make sure that this information is blacked out or otherwise deleted and can't be reconstituted.18 Ensuring the privacy of individual patients is essential and we need to be very careful when using any patient or individual data in public-facing documents. Looking at your work product with a fresh set of eyes is always a good practice, especially if you use a snapshot of actual patient information or data.
Other problematic behaviors include:
- leaving your computer system unlocked while you aren't in the room. (This can open the door for an unauthorized individual to access your system and potentially retrieve sensitive information.)19
- failing to clear your web browser's cache. (Cookies, browsing history, and other data may be accessed by an unauthorized individual. For example, a patient may be filling out an intake form on a tablet, but other patients' protected health information may be accessible if the cache hasn't been cleared.)20
- backing up your data to an online service that hasn't been approved by your IT department.21
What happens if my organization experiences a breach?
Experiencing a breach or a cyber-attack may be inevitable. Cyber-attackers are evolving their skill, sophistication, and knowledge. They take the lessons learned and refine their techniques based on successful cyber-attacks or information that's been developed as a proof of concept.22 This is why we frequently hear about “blocking and tackling.” Some cyber-attacks can be prevented (blocked); however, with constantly evolving hacking techniques, we can't prevent everything. Accordingly, we need to tackle any incidents that aren't blocked as quickly as possible. Otherwise, a small breach can turn into a very large breach involving thousands of patient records.23
Without a doubt, breaches and cyber-attacks can cripple an organization. The consequences are multidimensional in nature; reputational, legal, financial, operational, and clinical concerns may all compound.24 In the healthcare sector, we've seen the impact of ransomware. Patients have been turned away, computers have been shut off, and clinical and business operations have been disrupted.25 In fact, many phishing e-mails contain malicious links or attachments infected with ransomware.26 But e-mail isn't the only way ransomware is spread; simply accessing a legitimate website infected with ransomware may lead to infection.27
Keep in mind that even though ransomware is quite prevalent and its impact on healthcare organizations is significant, there are many other types of cyber-attacks and compromises that can disrupt a healthcare organization and its ability to provide and coordinate high-quality patient care. These include denial of service attacks in which legitimate users have problems accessing a system or service.28 Other examples include credential stealing malware, which steals usernames and passwords from infected machines.29 Cyber-attackers may also do things such as taking screenshots of what's being displayed on a compromised machine.
With this in mind, the following are best-practice tips in case of a suspected or actual security incident. (See Tools and Resources.)
See something, say something. Report the incident immediately to your IT department and your supervisor. In all likelihood, the problem you're experiencing won't go away by itself. The longer you wait, the more damage there may be to your organization, your staff members' ability to do their work, and your team's ability to provide and coordinate patient care. Your organization's legal team, whether it's in-house or outside counsel, should also be immediately involved. Depending on your organization's policies, your communication team may also be involved throughout this process, both in terms of internal and external communication.
Document what happened. Who? What? Where? When? Why? Document what's happened and always follow your organization's policies. The more facts and quality information you have to give to those in your organization who are involved in incident response, the better. This information will enable them to assess what's happening, prioritize the incident, determine the root cause (if possible), and remediate and/or resolve the situation.
Get the right people involved. Was this a privacy incident, such as unauthorized disclosure, or was it a security incident, such as a phishing e-mail or ransomware attack? Be sure to get in touch with the appropriate points of contact. It may end up that both your privacy and security teams have to work together to assess what's happening and resolve it.
Follow guidance and instructions, with no workarounds. This goes without saying, but it's very important to follow guidance and instructions from your IT staff and other personnel, as appropriate. If you really need to access a restricted resource or system, or need to do something else that runs contrary to guidance and instructions, communicate with your IT staff about what you need to do. Don't attempt a workaround on your own; this may end up making matters worse.
Encourage information sharing. Often, staff members can be hesitant and reticent when a breach or other security incident, such as a lost laptop or accidental posting of protected information, has occurred. A weak point of many organizations is the lack of a culture of information sharing. If there's an opportunity to do so, make sure to communicate with your organization's leadership about why information sharing is important. After all, what's the best outcome: waiting to respond to an incident or breach after 1 day or waiting to respond to an incident after 1 month or more? Obviously, the consequences of not responding to a security incident will quickly grow if the problem isn't addressed in a timely manner.
We all must do our part to keep our systems and data secure, and our patients safe. In today's online and connected world, “protect the data, protect the patient” is a mantra that we need to keep in mind and enforce. We can collectively improve the state of healthcare cybersecurity for our sector and our patients by enhancing our cybersecurity knowledge and know-how. Let's all take a step forward and commit to cybersecurity defense through empowerment of ourselves, our teams, and our entire organization by making sound security decisions, practicing good cyber hygiene, and educating and informing others to do the same.
Tools and resources
We can all improve the state of cybersecurity within our organizations by enhancing our cybersecurity literacy and our “cyber IQ.” The more we can educate others about good cyber hygiene, how cyber-attackers think, and how to defend against cyber-attacks, the better off we'll be in both the short and long term.
Consider the following resources from the Healthcare Information and Management Systems Society:
INSTRUCTIONS Cybersecurity matters
- Read the article. The test for this CE activity is to be taken online at http://nursing.ceconnection.com.
- You'll need to create (it's free!) and login to your personal CE Planner account before taking online tests. Your planner will keep track of all your Lippincott Professional Development online CE activities for you.
- There's only one correct answer for each question. A passing score for this test is 13 correct answers. If you pass, you can print your certificate of earned contact hours and access the answer key. If you fail, you have the option of taking the test again at no additional cost.
- For questions, contact Lippincott Professional Development: 1-800-787-8985.
- Registration deadline is February 29, 2020.
Lippincott Professional Development will award 1.0 contact hour for this continuing nursing education activity.
Lippincott Professional Development is accredited as a provider of continuing nursing education by the American Nurses Credentialing Center's Commission on Accreditation.
This activity is also provider approved by the California Board of Registered Nursing, Provider Number CEP 11749 for 1.0 contact hour, and the District of Columbia, Georgia, and Florida CE Broker #50-1223.
Payment: The registration fee for this test is $12.95.
1. National Cyber Security Alliance. Health information privacy—why should we care? https://staysafeonline.org
2. American Bar Association. Data breach response—basic principles under U.S. state and federal law. https://www.americanbar.org
/content/dam/aba/publications/litigation_committees/intellectual/core-knowledge-re-data-breach-re-aba-litigation-section-2015.authcheckdam.pdf. (See also Miliard M. Commentary: why information security is a patient safety issue. http://www.healthcareitnews.com
3. Centers for Medicare and Medicaid Services. Everyone is responsible for the privacy and security of health information. https://www.cms.gov
4. Kam R. The biggest threat to data security? Humans, of course. https://iapp.org
5. Open Web Application Security Project. Password plaintext storage. https://www.owasp.org
7. Daileda C. Basically everyone reuses their passwords. http://mashable.com/2017/02/28/passwords-reuse-study-keeper-security.
8. Open Web Application Security Project. Brute force attack. https://www.owasp.org
9. Titcomb J. Do you have one of the most common passwords? They're ridiculously easy to guess. http://www.telegraph.co.uk
10. Thorsheim P. Password^12—automatic wordlists mangling rules generation. https://www.youtube.com
12. Malcolm H. Social media gives clues to security questions. https://www.usatoday.com
13. U.S. Federal Bureau of Investigation. Ransomware on the rise: FBI and partners working to combat this cyber threat. https://www.fbi.gov
15. Sjouwerman S. Scam of the week: secure document phishing attacks trap employees. https://blog.knowbe4.com
16. Siwicki B. WannaCry and now EternalBlue threats prove cybersecurity review is a must. http://www.healthcareitnews.com
17. U.S. Department of Health and Human Services. Breach notification rule. https://www.hhs.gov
18. Gaskell A. Can de-identified health data be re-identified? https://www.huffingtonpost.com
19. Beasty C. Unattended computers are security risks. http://www.destinationcrm.com
20. Open Web Application Security Project. Session hijacking attack. https://www.owasp.org
21. HIMSS Cloud Computing Work Group. Using the cloud for data backup. http://www.himss.org
/using-cloud-data-backup. (See also Musthaler L. Five ways shadow IT in the cloud hurts your enterprise. https://www.networkworld.com
22. PC Magazine. Definition of: PoC exploit. https://www.pcmag.com
/encyclopedia/term/58148/poc-exploit. (See also Finkle J, Hosenball M. Exclusive: more well-known U.S. retailers victims of cyber attacks—sources. https://www.reuters.com
23. Nadeau M. How to survive the worsening cyber threat landscape. https://www.csoonline.com
24. U.S. Federal Trade Commission. Data breach response: a guide for business. https://www.ftc.gov
25. Haynes J. Wannacry and ransomware impact on patient care could “cause fatalities.” https://eandt.theiet.org
26. Korolov M. 93% of phishing emails are now ransomware. https://www.csoonline.com
28. U.S. Computer Emergency Readiness Team. Understanding denial-of-service attacks. https://www.us-cert.gov
29. Rankin B. Password-stealing malware remains key tool for cybercriminals. https://www.lastline.com