Nurses and Cyber Security: What You Need to Know

Laura A. Stokowski, RN, MS; Satish M. Mahajan, PhD, MStat, MEng, RN


June 16, 2016

If You Are Attacked

Medscape: What should users do if they think that they have clicked on or opened something they shouldn't have? Should they delete it? What should they do if they see unusual messages (such as those demanding ransom payment) popping up on their screens?

Dr Mahajan: The most important thing is to immediately suspend (stop, but not shut down, and not continue to use or allow others to use) the potentially infected computer and contact your supervisor, IT helpdesk, and information security officer for further instructions. The websites opened by the users should not be closed (although IT analysts can look into the history of websites and pages visited). If this ability is disabled on the computers, the information security officer may interview the end user in detail; truthful information helps in determining the root cause of the problem.

Users should not delete the attached files and not click any buttons on the dialogue boxes that have popped up. The action of deleting the file may not actually destroy the contents of the malware. Similarly, clicking additional buttons on the spurious dialogue boxes may further enable the malware.

Medscape: What happens to the workflow when hospital systems go down?

Dr Mahajan: Typically, most healthcare organizations have spare backup computers for patient care areas so that care operations continue in case of emergencies. If the extent or severity of failure is so large that backup computers are not sufficient or useful, the care team is advised to go to paper documentation. Generally speaking, there are procedures for various failures that are part of standard operating procedure in emergencies, and equipment or network failure is part of these.

Medscape: Some have suggested that cyber attacks occur more often than reported in the media. Are hospitals reluctant to advertise the fact that they have been hacked?

Dr Mahajan: Hospitals might approach this in two different ways. Some organizations might think that it's best not to let anyone know and do the fixes themselves. Let the information technology and security departments deal with this and fortify the systems and their boundaries.

Another, and a better, approach is to view all employees—including nurses, doctors, and all others who work in the system—as partners in the organization's mission. Making everyone aware of what has happened allows you to have multiple eyes looking at the same problem. Everyone will be on the alert, and if employees know what to watch for and how to report something out of the ordinary, then you might be able to catch these incidents faster and respond more effectively.

Cyber attacks can involve more than the medical records of patients. Employees must realize that patients are not the only vulnerable group. The personal information of staff members is also at risk.

Nurses and Cyber Security

Medscape: What do you recommend for nurses who want to work in information technology or cyber security? What kind of degree should they seek, and what types of job opportunities are available to nurses with this education?

Dr Mahajan: Having a nursing background is really helpful to work in the health information technology domain, because you are very familiar with the processes, workflow, and activities that take place in hospital and healthcare environments. It is, however, not sufficient to tackle the issues related to information technology or cyber security that occur in these environments.

A certification or a bachelor's degree in information technology is really helpful. This education provides basic understanding of the hardware, software, and application systems that are commonly deployed in healthcare organizations. Understanding of cybersecurity requires additional concentration in coursework related to network and operating system security. There is a great need for individuals who understand both clinical and technical languages, which are commonly spoken in day-to-day operations in healthcare organizations.

