Nurses and Cyber Security: What You Need to Know

Laura A. Stokowski, RN, MS; Satish M. Mahajan, PhD, MStat, MEng, RN

Disclosures

June 16, 2016

Defending the System

Medscape: What role should be played by staff members, including nurses, in thwarting cyber attacks?

Dr Mahajan: Nurses need more education about cyberattacks and security—including how attacks take place and how to prevent them. At our hospital, we hold mandatory information systems, security, and privacy training for every employee in the organization who interacts with the hospital systems. We use video clips with practical scenarios to teach staff about how to react or not react in certain situations, especially in handling emails and during telephone conversations. We teach staff to not click on or open an email when they don't recognize the sender. If they do receive an email from an unknown person, they should not open any attachments to the email or follow any links within the message.

One thing that many hospitals and healthcare systems have done is to separate their networks into layers of increasing privacy and security. A fortified, secure network (the inner core) is devoted to patient data and patient care systems, such as the EHR. The next level is a general organizational network, on which staff can use email, and conduct other hospital business. The third, least secure network is for public or guest access.

Medscape: Other than being careful about email links and attachments, and more cautious when answering questions on the phone, what can nurses and other staff do to prevent cyber attacks?

Dr Mahajan: Incorporate everything you learn in security training into your daily workflow. Lock computer systems when they are not in use. Be aware of who is using which systems around your workspace. Avoid visiting unknown websites from the hospital network. Train junior and other colleagues in the safe use of digital resources in on-the-job situations. Notify your supervisor and involve the facility's information security officer immediately if there is even a suspicion of misuse of network resources or evidence of a malware attack.

Staff should be aware of their facility's network layers of security and know which system they are on when they use email, visit PubMed or a government health website, or use work computers for personal business, or which layer patients are on when they are doing surveys or other activities on the facility's computers.

Healthcare workers should not download such applications as Dropbox, TeamViewer, and the like and install them on the machines in their organizations. Frequently, end users do not have privileges to install such applications anyway and instead are required to call the IT helpdesk with justification for their use. IT analysts typically assess the threat and harm possibilities, as well as test such applications in an isolated environment, before making them available to the end users.

Many applications are also driven through browser interfaces these days; their scope is determined by the browser settings, which are preestablished by the IT department after careful consideration and are unchangeable by the end users. Request to use such applications should be similarly routed through IT helpdesks.

Medscape: What is the role of passwords in permitting hackers to infiltrate a system? How important is it to have a strong password?

Dr Mahajan: Once hackers have information about computers that contain potentially valuable information, the next step is to try to log into it with a user account. A password is needed for this step, and it is very important to have a strong password to foil such attempts.

Strong passwords are typically a combination of both upper- and lowercase letters, numbers, and special symbols. Each of these letters is represented by a separate code inside the computer operating system. As we use more categories of letters, the number of repetitive permutations that needs to be used for unlocking the user login increases exponentially. This reduces the possibility of unlocking the account even if hackers use automated programs to try various combinations of letters.

Comments

3090D553-9492-4563-8681-AD288FA52ACE
Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.
Post as:

processing....