Nurses and cyber security: what you need to know

In 2015, hospitals and healthcare systems were the number one victims of cyber attacks. No industry is immune, but hospitals and healthcare systems seem to have become a favorite target of hackers out to profit from insufficiently secure networks, so much so that IBM called 2015 the "year of the healthcare security breach." Almost 100 million healthcare records were compromised last year.

Although numbers of cyber attacks on hospitals and health systems are not publicly available, at least three major attacks have taken place so far this year. An attack on MedStar forced the US capital region’s largest healthcare system to shut down much of its computer network earlier this spring, and hospitals in Kentucky and Los Angeles have also fallen victim to recent ransomware attacks. In March, the Los Angeles Times reported that two more Southern California hospitals were compromised by hackers.

This crisis is expected to worsen, because hackers are getting more sophisticated and many businesses have failed to adopt the security measures needed to thwart such attacks. The US and Canadian governments have issued an alert to hospitals, businesses, and individuals about ransomware attacks, including information on how users can prevent and mitigate such attacks.

Humans are the weakest link, and human error is to blame for most cyber attacks on hospitals and healthcare systems. What nurses (and other employees) do or fail to do in their interactions with those systems can compromise security and facilitate malicious, and extremely expensive, attacks on the system. Online attacks are estimated to cost $150 billion annually, but it’s hard to put a price on the loss of public trust in the healthcare institution’s shattered reputation.

Medscape spoke with Satish M. Mahajan, PhD, MStat, MEng, RN, about the increasing problem of cyber attacks, and what nurses need to know both in preventing and responding to attacks on their hospitals and healthcare computer networks. Dr Mahajan is uniquely qualified to address the issues of cyber security and nurses. In an unusual career move, after majoring in engineering, Dr Mahajan went to nursing school, earning a PhD in nursing from the University of California. Working as a critical care nurse provided an invaluable perspective on how nurses interact with computer systems in the course of care, and the ways in which nurses might inadvertently open the doors of those systems and invite hackers in. Dr Mahajan now combines his IT and nursing backgrounds, often applying his skills to educating hospital employees about their role in preventing cyber attacks.

Hospitals are primarily concerned with safety, security, and the protection of patients’ health data. They tend to be prudent and cautious, but this can make them slow to respond and adapt to a rapidly changing situation. Some hospitals may also be using outdated technology, or have failed to fully update their systems because of the expense. Hackers know these things, and take advantage of them. From a hacker’s perspective, when trying to find vulnerabilities to exploit for financial gain, why not choose a target that is inefficient or moves slowly?

Another factor in the rise in hospital attacks is the level of penetration in terms of information retrieval. Hackers can gain temporary financial advantage with credit card fraud, but stealing health records exposes a lot more information about people: Social Security numbers, addresses, telephone numbers, demographic details, personal health disabilities, insurance information, and more. This information is at the core of a person’s identity, and hence we call it "medical identity theft." This situation provides a pipeline of financial incentives rather than a one-time small benefit for hackers.

Yet another factor is the nature of the services that hospitals offer—the primary goal of these services is to provide help related to health issues. Most services are characterized by openness, social interaction, urgency, and intensity. So the doors must be kept open, and staff must have access to patient records to prevent errors and delays in treatment.

Hospitals also rely on their reputations as being safe environments, and their mission of taking care of people when they are in vulnerable positions. They can’t simply shut down and wait it out when a cyber attack occurs. For these reasons, hospitals are more likely to pay a ransom rather than risk delays that could compromise patient care and result in death and lawsuits.

Ransomware is a software virus that infiltrates systems and demands that owners pay a ransom in some form, such as the online currency Bitcoin, before the hackers will restore the system’s functionality and unlock access to its data. Earlier this year, the Washington, DC-based MedStar Health was victim to a ransomware attack, although they declined to pay the ransom and restored their computer systems themselves.

Malware is software that tries to update some parts of the computer operating system or core applications and their settings. This could range from disabling the system completely to crippling it so that certain applications do not work as intended. The malware itself could advertise to fix your system at a price, or at least result in user annoyance and lost productivity.

A Trojan attack occurs when users try to download something benign and known to them—such as a newer version of their favorite browser—but fail to recognize that the download site is malicious and has malware included in the browser installer. When the users install the new version on their systems, the malware gets installed on their systems as well.

Dr Mahajan: Most hacking involves exploitation of vulnerabilities, of which there are many. Hackers are on the lookout for these vulnerabilities. One type of attack is when the user (employee) goes and seeks some information on the Internet: The user goes to a specific website and downloads something from that website that harbors what we call a "malicious payload," which is then installed on the user’s machine. From there, it spreads.

Sophisticated hackers often take another route. They are looking for the public systems on the periphery of the organization—Web or communications servers that are open to the public. They scan the network ports on those systems. If they find an open port, they write a program to push something through that port into the gateway server. From there, it is executed and malicious code is spread to the internal network.

When the goal is identity theft, one method of acquiring information is through social engineering. For example, the hacker might strike up a casual conversation with a hospital staff member, either on the phone or in person, to find out an entry point (such as an email address) into hospital operations or patient details. Hospital staff members are more vulnerable to such scenarios because patients come and go on a daily basis, phone calls seeking information are frequent, and staff are used to talking to strangers. In a hurry, they might answer a question before it occurs to them to verify who they are speaking to. It is important for staff to be able to distinguish between a genuine situation related to a patient enquiry and an attempt to get exploitable information that may permit entry into hospital operations.

Dr Mahajan: Most, but not all, clinical and patient care devices are Internet-connected these days. Server-side (where devices are connected at the other end) security and use of encrypted communications are important product design considerations. The onus of fortifying against vulnerabilities largely rests with the vendors of such devices.

Devices are typically located (or supposed to be located) on the secure parts of the healthcare network. Biomedical departments are generally responsible for installation, configuration, and maintenance of such devices, and they should give careful consideration to the security aspect of patient care devices—they should discuss with and follow recommendations from the vendors when deploying the devices in operations. The healthcare workers have very little control over these vulnerabilities, but they need to cooperate in installation, simulation, and testing of the devices to do their part in mitigating device security breaches.

Dr Mahajan: Nurses need more education about cyberattacks and security—including how attacks take place and how to prevent them. At our hospital, we hold mandatory information systems, security, and privacy training for every employee in the organization who interacts with the hospital systems. We use video clips with practical scenarios to teach staff about how to react or not react in certain situations, especially in handling emails and during telephone conversations. We teach staff to not click on or open an email when they don’t recognize the sender. If they do receive an email from an unknown person, they should not open any attachments to the email or follow any links within the message.

One thing that many hospitals and healthcare systems have done is to separate their networks into layers of increasing privacy and security. A fortified, secure network (the inner core) is devoted to patient data and patient care systems, such as the EHR. The next level is a general organizational network, on which staff can use email, and conduct other hospital business. The third, least secure network is for public or guest access.

Dr Mahajan: Incorporate everything you learn in security training into your daily workflow. Lock computer systems when they are not in use. Be aware of who is using which systems around your workspace. Avoid visiting unknown websites from the hospital network. Train junior and other colleagues in the safe use of digital resources in on-the-job situations. Notify your supervisor and involve the facility’s information security officer immediately if there is even a suspicion of misuse of network resources or evidence of a malware attack.

Healthcare workers should not download such applications as Dropbox, TeamViewer, and the like and install them on the machines in their organizations. Frequently, end users do not have privileges to install such applications anyway and instead are required to call the IT helpdesk with justification for their use. IT analysts typically assess the threat and harm possibilities, as well as test such applications in an isolated environment, before making them available to the end users.

Strong passwords are typically a combination of both upper- and lowercase letters, numbers, and special symbols. Each of these letters is represented by a separate code inside the computer operating system. As we use more categories of letters, the number of repetitive permutations that needs to be used for unlocking the user login increases exponentially. This reduces the possibility of unlocking the account even if hackers use automated programs to try various combinations of letters.
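
The arithmetic behind the paragraph above, as an added example that is not part of the original article: it counts how many candidates an automated guessing program must cover for a password, given the character categories it uses and its length. It goes slightly beyond the text by also showing the effect of length; the sample passwords and the guess rate of one billion per second are constructed assumptions.

```python
import math
import string

# Character classes named in the paragraph and the symbols each contributes.
CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26 symbols
    "uppercase": string.ascii_uppercase,  # 26 symbols
    "digits": string.digits,              # 10 symbols
    "symbols": string.punctuation,        # 32 symbols
}

def classes_used(password):
    """Names of the character classes that appear at least once."""
    return [name for name, chars in CLASSES.items()
            if any(ch in chars for ch in password)]

def alphabet_size(password):
    """Symbols an exhaustive search must try in each position."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def search_space(password):
    """Candidates of this length over this alphabet: size ** length."""
    return alphabet_size(password) ** len(password)

def bits(password):
    """Search space as a power of two; 0.0 for empty or unclassified input."""
    space = search_space(password)
    return math.log2(space) if space > 1 else 0.0

def days_to_exhaust(password, guesses_per_second=1e9):
    """Worst-case days for blind guessing at an assumed rate."""
    return search_space(password) / guesses_per_second / 86400

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the article.
    for pw in ["sunshine", "Sunshine", "Sunsh1ne", "Sun$h1ne", "sunshineyellow"]:
        print(f"{pw:16} alphabet={alphabet_size(pw):3} "
              f"bits={bits(pw):5.1f} days={days_to_exhaust(pw):,.2f}")
```

These figures are an upper bound for blind guessing only: a dictionary word with predictable substitutions falls far sooner, and the 14-letter lowercase sample has a larger search space than the 8-character sample that uses all four categories.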

Dr Mahajan: The most important thing is to immediately suspend (stop, but not shut down, and not continue to use or allow others to use) the potentially infected computer and contact your supervisor, IT helpdesk, and information security officer for further instructions. The websites opened by the users should not be closed (although IT analysts can look into the history of websites and pages visited). If this ability is disabled on the computers, the information security officer may interview the end user in detail; truthful information helps in determining the root cause of the problem.

Dr Mahajan: Typically, most healthcare organizations have spare backup computers for patient care areas so that care operations continue in case of emergencies. If the extent or severity of failure is so large that backup computers are not sufficient or useful, the care team is advised to go to paper documentation. Generally speaking, there are procedures for various failures that are part of standard operating procedure in emergencies, and equipment or network failure is part of these.

Another, and a better, approach is to view all employees—including nurses, doctors, and all others who work in the system—as partners in the organization’s mission. Making everyone aware of what has happened allows you to have multiple eyes looking at the same problem. Everyone will be on the alert, and if employees know what to watch for and how to report something out of the ordinary, then you might be able to catch these incidents faster and respond more effectively.

Dr Mahajan: Having a nursing background is really helpful to work in the health information technology domain, because you are very familiar with the processes, workflow, and activities that take place in hospital and healthcare environments. It is, however, not sufficient to tackle the issues related to information technology or cyber security that occur in these environments.

A certification or a bachelor’s degree in information technology is really helpful. This education provides basic understanding of the hardware, software, and application systems that are commonly deployed in healthcare organizations. Understanding of cybersecurity requires additional concentration in coursework related to network and operating system security. There is a great need for individuals who understand both clinical and technical languages, which are commonly spoken in day-to-day operations in healthcare organizations.