Health Information Technology Security
by Dawn Pisturino
Abstract
Due to threats of cybercrime and malware
infestations, healthcare organizations all across the world are now forced to
upgrade and monitor their cybersecurity systems on a constant basis for the
sake of protected patient health information, financial stability, and
uninterrupted operations. Money that
would normally be spent on patient care is being diverted to IT professionals,
who are hired to keep cybersecurity systems intact.
Health Information Technology Security
Protecting patient health information,
as mandated by law, has become a priority for healthcare facilities all around
the world. From doctors’ offices to
medical devices to ransomware, the healthcare industry is under attack by cyber
threats that compromise the health, safety, and privacy of patients everywhere.
Nurses are at the forefront in efforts
to secure patient and employee information, promote responsible use of computer
technology, and report possible threats and violations in a timely manner.
Cybersecurity is Crucial
Almost every day, a news story comes out
that a corporation, nonprofit organization, or government agency has been
hacked. The healthcare industry is no
different, and the attacks are becoming more frequent and more serious. This is such an important issue at the
hospital where I work that it seemed pertinent to write a paper on it.  Our IT department frequently makes us aware
of e-mail threats, blocks blog sites, mandates automatic logoffs and timed
reboots, requires frequent password changes, and regularly reminds us to turn
off our computers, log off when finished, and to not share passwords. Cybersecurity is crucial to protecting
patient health information and network systems.
All Healthcare Organizations are at Risk
Smaller healthcare clinics and doctors’
offices must follow the same mandates as larger organizations when it comes to
protecting patient health information.
Healthcare personnel divulging protected information to unauthorized
people and hackers using stolen information in identity theft scams are huge
concerns that must be addressed (Taitsman, Grimm, &
Agrawal, 2013). Not only must these
smaller organizations take appropriate measures to secure patient health
information, but personnel must strictly follow policies and protocols. Simple safeguards, such as screening phone
calls, logging off computers, shredding documents, background checks for
employees, automatic logouts, and activity audits, protect and safeguard
patients and organizations alike (Taitsman, Grimm, & Agrawal, 2013). Insurance companies, too, must safeguard
patients against fraudulent claims.
Consumers must be educated in ways to protect their own healthcare
information (Taitsman, Grimm, & Agrawal, 2013).
Nurses all across the healthcare
spectrum are increasingly required to use computer technology, and they must
honor patient privacy, confidentiality, and consent while doing so. Use of the Internet opens the doorway to
viruses, worms, adware, spyware, and other forms of malware (Damrongsak & Brown, 2008).
Something as simple as using a shared address book can infect an entire
system. Logging off the computer when
the nurse has finished and frequently backing up data can prevent unauthorized
intrusions and corrupted data (Damrongsak & Brown, 2008). Most medical facilities use an intranet, or
closed system, in addition to the Internet, that restricts data to a smaller
group of people. Firewalls, encryption,
and the use of virtual private networks provide additional security (Damrongsak
& Brown, 2008).
Large government agencies, such as the Veterans
Administration, have increased efforts to stave off cyber-attacks, which
compromise patient health information and medical devices. IT specialists have removed medical devices
from the VA hospital’s main network systems and connected them to virtual local
area networks (VLANs) (Rhea, 2010).
Without access to the Internet, these devices can be used without fear
of attack. In the past, the main focus
has been on identity theft.  But with the rise of
international terrorism, there is a growing fear that medical devices may be
hacked and used to intentionally harm patients (Rhea, 2010). Healthcare IT systems have already been
crippled by hackers looking to profit from cybercrime. In 2009, healthcare facilities around the
world found medical devices infected with the Conficker virus (Rhea, 2010). Downtime caused by malware is expensive and
inconvenient. Hospitals are forced to
spend money on security that normally would have gone to patient care (Rhea,
2010). FDA regulations are also a
hindrance to quick development of security patches (Rhea, 2010).
According to author W.S. Chee (2007), a
member of the Department of Diagnostic Imaging at K.K. Women’s and Children’s
Hospital in Singapore, medical devices connected to a hospital’s network system
can lead to critical threats and infestations of malware in these devices. Hospitals need to act proactively to prevent
intrusions and respond immediately if a system becomes infected (Chee, 2007). Equipment vendors play a huge role because
they supply the security measures which protect medical devices (Chee, 2007). But they can be slow in providing updates and
patches. The FDA, furthermore,
determines when and how changes can be made to biomedical equipment
systems. This places the burden on
hospitals to protect themselves (Chee, 2007).
Thomas Klein (2014), managing editor of Electronic Medical Device Technology,
asserts that intentional sabotage of medical devices is only a matter of
time. According to researchers,
vulnerabilities have been found in infusion pumps, x-ray machines, cardiac
defibrillators, and other devices (Klein, 2014). Since these devices are frequently connected
to the Internet, they are vulnerable to malware. If the network systems are not fully
protected, the devices are subject to malicious attack. The use of USB ports opens a doorway to
security breaches and malware (Klein, 2014).  The risk is so great the FDA
became involved and now requires that manufacturers consider cybersecurity risks
when developing new products (Klein, 2014).
The expansion of healthcare information
technology improves profitability while exposing healthcare facilities to
greater risks (Elliot, 2005). Facilities
must create and enforce policies that secure patient health information across
all forms of networks and technology.
One solution for managing remote devices is the use of on-demand
security services that cease to work once the remote device is no longer in use
(Elliot, 2005). The problem, then, is
security on the other end, where patient health information can be leaked or
accessed by the user. This is called
post-delivery security (Elliot, 2005).
Solutions include user malware protection, restrictions on use of data,
and audits on computer use. Developing
and enforcing security policies that protect patient health information,
especially information transmitted to remote devices, is essential to avoiding
security breaches and corrupted data (Elliot, 2005).
The latest, and most serious, threat
comes in the form of professional IT criminals who use ransomware to extort
money from hospitals (Conn, 2016). One
such threat, Locky, acts through ordinary-looking e-mail (Conn, 2016).  When the e-mail is opened, a virus activates software that
encrypts the hospital’s IT system. Then,
a window pops up with a ransom demand.
Samas, another threat, uploads encryption ransomware through a
hospital’s Web server (Conn, 2016). A
more sophisticated ransomware, CryptoLocker, demands bitcoin as payment because
it is nearly impossible to trace (Conn, 2016).
Once paid, the criminals unlock the data in an infected system. But, should hospitals pay in the first
place? Cybersecurity has become a
booming business, with medical facilities now being forced to employ security
services. There is a major concern that
medical devices will be the next systems to be hit by cybercriminals (Conn,
2016).
Topic Availability
This topic, as it
relates to Nursing Informatics, is too important to ignore. I used seven resources from scholarly and
peer-reviewed publications for this paper.
I pulled my resources primarily from CINAHL and ProQuest. I found enough materials to give me a broad
overview of the topic, but I was disappointed that more current articles could
not be found. Technology changes so
rapidly that even a few months can make a difference in security
innovations. I used both the basic and
advanced search features and the key words “medical device malware security.”
Information Availability
This information is
available in scholarly and peer-reviewed journals and other publications. Although the information was geared toward
professionals, some publications include short articles that educate the
general public about cybersecurity and protecting patient health information. Nurses benefit from all of these resources
because many do not understand the extent of the threat.
Personal Views
The information I read
shocked me (cyberterrorism), confirmed what I see our IT specialists changing
at my hospital, and disturbed me (ransomware cybercrime).  The general public does not seem to be aware
of these threats. As a nurse who uses
computer technology every day, I was not aware of the seriousness of this
problem. It never occurred to me that a
glucometer or infusion pump could be infected with a virus or that an
unscrupulous person would deliberately sabotage somebody’s pacemaker. When I mention this to other nurses, they are
equally dismayed by the possibilities.  They always ask,
“Why would somebody maliciously hack into a medical device?” For people who devote their lives to saving
people, the idea is unthinkable.
The changing landscape in healthcare
makes it crucial that ALL medical personnel understand the seriousness of the
threats. As technology becomes more
sophisticated, so do the means by which cybercriminals hack into and infect
network systems. Information is
compromised, and patient health and well-being are put at risk.
Conclusion
In conclusion, whether
it’s a small private practice or a large healthcare system, the increased use
of technology poses significant threats to protected patient health
information, medical devices, and cybersecurity systems.
Users all across the healthcare spectrum have a duty to behave
responsibly when accessing patient records, divulging information, searching
the Internet, managing e-mail and faxes, and interacting with colleagues.  Nurses should provide feedback and input
about vulnerabilities in security policies and protocols for the protection of
themselves and their patients. They must
educate themselves about current threats so they can adapt their practice to
avoid unintentional security breaches.
Nurses can also educate their patients in the use of computer
technology, accessing patient portals, and protecting patient health
information.
Technology will continue to be a driving
force in healthcare. Along with the
downside comes the possibility of lower costs to facilities and patients,
improved outcomes, more accurate measurements, increased research, and greater
opportunities for nurses to expand their involvement and role in improving
healthcare and healthcare informatics.
Requiring nursing students to study nursing informatics increases their
awareness of the problems and benefits of technology.  Hopefully, our physicians and administrators
are being trained in this area, as well.
Health information technology specialists are enjoying a surge in
employment opportunities as healthcare systems realize the importance of their
specialty.  Technology is expensive, but the threats of
cybercrime and cyber-attacks are more damaging.
References
Chee, W.S. A. (2007). IT security in biomedical imaging informatics: The hidden
vulnerability. Journal of Mechanics in Medicine and Biology, 7(1), 101-106.
Conn, J. (2016, April). Ransomware scare: Will hospitals pay for protection. Modern
Healthcare, 46(15), 8-8.
Damrongsak, M., & Brown, K.C. (2008). Data security in occupational health. AAOHN
org/docview/219399232?accountid=63787.
Elliot, M. (2005, September). Securing the healthcare border. Health Management
Technology, 26(9), 32-35.
Klein, T. (2014, September). How to protect medical devices against malware.
Operating Theatre Journal, 14-14.
Rhea, S. (2010, December). Cyberbattle: Providers work to protect devices, patients.
Modern Healthcare, 40(50), 33-34.
Taitsman, J. K., Grimm, C. M., & Agrawal, S. (2013, March). Protecting patient
privacy and data security. The New England Journal of Medicine, 368, 977-979.
doi: 10.1056/NEJMp1215258. Retrieved from http://www.NEJM.org.
Dawn Pisturino
Nursing 340, Thomas Edison State University, New Jersey
Copyright 2016 Dawn Pisturino. All Rights Reserved.
(The references would not format properly.)