The U.S. Department of Health and Human Services posts information about healthcare cyberattacks and health information breaches affecting 500 or more people on its website.
A recent search showed the Office for Civil Rights was investigating 548 such breaches in the last 24 months. These included health information breaches at hospitals, cancer centers, hospice facilities, group practices and more.
Perhaps as concerning as the rate at which these healthcare cyberattacks occur is the lack of cybersecurity training at U.S. healthcare facilities. A quarter of U.S. healthcare employees have never received on-the-job training, according to a report released in August by the cybersecurity company Kaspersky. The firm surveyed 1,004 U.S. and 754 Canadian healthcare employees in a variety of roles for the report.
Nearly 20% of U.S. healthcare employees don’t believe there’s a need for workplace cybersecurity training, according to the Kapersky report. Only 34% of those responding from the U.S. were aware of their employers’ workplace cybersecurity policies and had only read them once.
While 100% of surgeons in the U.S. and Canada were most likely to be aware of cybersecurity measures in place at their organizations to protect information technology devices, such as computers, laptops, tablets and mobile phones, the report said only 61% of nurses were aware of those measures.
“On a positive note, we asked if you receive an email at work from someone that you aren’t familiar with asking for protected health information or systems information like passwords or log ins, what would you do?” said Rob Cataldo, vice president of enterprise sales at Kaspersky. “In response, 77% of nurses said they would report the email to their employer’s information technology team; 16% said they would not do anything and 1% said they would only provide protected health information. So that’s concerning, but it’s only 1%.”
Healthcare cyberattacks, including healthcare information breaches, not only expose patients’ personal information to groups that might use it illegally, but they also cost an average of $408 per patient to recover each healthcare record and up to $1.75 million in advertising to help reverse damage to the facility’s reputation, according to the report.
Why is cybersecurity training important?
Here’s one scenario in which a nurse might inadvertently cause a facility-wide breach. A nurse at work in the hospital is checking general administrative emails and finds one that looks just like the ones she gets from the hospital’s human resources department.
The email asks the nurse to click on a link, log in and verify information that might include personally identifiable information for that nurse, such as social security number, date of birth or employer ID. The nurse clicks on the link, thinking it’s from the HR department, but the link doesn’t go to HR.
“This can happen many times over to many employees and, next thing you know, they find out the site they were being directed to was actually being hosted by an outside cybercriminal who was harvesting information to use to create fake identifications and to start stealing information from those employees,” Cataldo said.
Cybercrime is becoming more complicated and cybercriminals are more targeted with their techniques to steal anything from valuable information or data to money, according to Cataldo.
This includes using malware, or malicious software, designed to gain access to a computer, often without the owner or user knowing it has happened, according to Norton, a maker of antivirus software.
Employees are often at the frontline of breaches, unknowingly sharing information or responding to emails from cybercriminals. In healthcare organizations and facilities, those employees might be healthcare professionals. Cybersecurity awareness training stresses the importance of protecting patient data and patient safety, Cataldo said.
“With the number of connected devices growing, many of these devices have protected healthcare information on them,” he said. “It means that all of those systems are becoming highly vulnerable to hacking or to malware.”
Cybercriminals can hack into and control lifesaving devices that are IT-connected, such as some insulin pumps. It’s vital that employers secure those systems and train employees on best practices for preventing hackers from accessing them, Cataldo said.
What should training include?
Training for nurses and other healthcare providers should highlight and emphasize the importance of understanding cybersecurity and the impact of healthcare cyberattacks and best practices for following the right protocols inside the organization, according to Cataldo.
“Cybersecurity training can be tailored for specific industries, like healthcare, or even for specific employees, such as nurses,” he said.
Training for nurses might include best practices for using strong passwords or a password manager that will create sophisticated passwords automatically. Then, the nurse needs to remember only one password to unlock all the credentials for logins needed to access clinical and other applications.
Cybersecurity training should encompass awareness of email phishing techniques and can include simulated phishing attacks, which are referred to as ethical hacking. In these cases, attacks are set up internally just to see how employees might react, according to Cataldo.
Today’s hackers can design emails that mimic internal and other legitimate emails, which can lead to healthcare cyberattacks. Cybersecurity training might go so far as to cover hazards such as someone impersonating an IT employee.
“That can be over computer or over phone or even in person,” he said. “Then, the training generally will cover security policy and protocols to follow if and when something suspicious is encountered.”
Healthcare employers need to make sure their nurses get training in the employer’s cybersecurity IT policy and in how the organization protects IT devices, according to Cataldo.
Simple things nurses can do
To avoid unknowingly contributing to healthcare cyberattacks, nurses should practice with cybersecurity in mind, specifically when it comes to spam and phishing attacks.
“Those continue to be the most successful methods for breaching an organization,” Cataldo said. “So, healthcare employees can play a major role in mitigating those types of threats just by practicing sound email behaviors and practices.”
Cataldo encourages nurses to make sure their mobile devices are secured as more and more healthcare organizations move to mobile devices to conduct business.
“A lot of tablets will now have clinical applications on them, so it’s vitally important that those devices remain protected,” he said. “If they see that a device is not secured or are unaware of whether that device is secured, it’s very prudent for a nurse to ask their IT department whether there is security on that device. It’s definitely a situation where you’d rather be safe than sorry.”
Nurses should create unique passwords or use a password manager to help thwart possible healthcare cyberattacks.
When creating passwords, nurses and others should realize what they think is personal, such as the name of a pet, might be information that’s easily accessible by cybercriminals who troll social media pages. “It happens more often than people think,” Cataldo said.
Cataldo advises healthcare employees to hold their employer, IT or information security teams accountable for having a clearly defined and well-communicated security policy in place.
“Also, hold those same teams accountable for investing in strong security awareness training and security tools for all systems and devices so the protection of patient data and safety becomes a hallmark for that employer’s brand,” he said.
Take these courses to learn more about protecting patient information:
HIPAA and Confidentiality: Practice May Change, But Principles Endure
(1 contact hr)
In this course, you will learn about parts of HIPAA, especially as they concern nursing and other health professionals and the protection of healthcare information. Because you play a key role in the production of healthcare information, you play a key role in its protection.
Legal Landscape of Electronic Prior Authorization (ePA) and Its Effect on Patients and Prescribers
(1 contact hr)
The goal of this presentation is to discuss ePA mandates, points of access to ePA, the role of plans, and the effect of ePA solutions on patient care and outcomes. Upon completion of the webinar, participants will be able to explain the electronic prescription drug prior authorization process and recall named standards, identify states that have legislation surrounding electronic submission of PA requests, identify access points to ePA solutions and the effect of ePA legislation on prior authorization process, and more.
Interoperability: Better Care Through Better Information Sharing
(1 contact hr)
Interoperability is the ability of different information systems and devices that can exchange data and interpret that shared data. This continuing education module provides nurses with an overview of interoperability in the context of health information technology with a focus on how interoperability affects healthcare delivery.