Nursing and the Importance of Cyber Security

In 2015, hospitals and healthcare systems were the number one victims of cyber attacks. No industry is immune, but hospitals and healthcare systems seem to have become a favorite target of hackers out to profit from insufficiently secure networks, so much so that IBM called 2015 the "year of the healthcare security breach." Almost 100 million healthcare records were compromised last year.

Protected health information has a high resale value on the black market. Electronic health records (EHRs) contain not only personal health and medical information, but also Social Security numbers, employment details, and banking and financial information.

Although numbers of cyber attacks on hospitals and health systems are not publicly available, at least three major attacks have taken place so far this year. An attack on MedStar forced the US capital region's largest healthcare system to shut down much of its computer network earlier this spring, and hospitals in Kentucky and Los Angeles have also fallen victim to recent ransomware attacks. In March, the Los Angeles Times reported that two more Southern California hospitals were compromised by hackers.

This crisis is expected to worsen, because hackers are getting more sophisticated and many businesses have failed to adopt the security measures needed to thwart such attacks. The US and Canadian governments have issued an alert to hospitals, businesses, and individuals about ransomware attacks, including information on how users can prevent and mitigate such attacks.

Humans are the weakest link, and human error is to blame for most cyber attacks on hospitals and healthcare systems. What nurses (and other employees) do or fail to do in their interactions with those systems can compromise security and facilitate malicious, and extremely expensive, attacks on the system. Online attacks are estimated to cost $150 billion annually, but it's hard to put a price on the loss of public trust in the healthcare institution's shattered reputation.

Medscape spoke with Satish M. Mahajan, PhD, MStat, MEng, RN, about the increasing problem of cyber attacks, and what nurses need to know both in preventing and responding to attacks on their hospitals and healthcare computer networks. Dr Mahajan is uniquely qualified to address the issues of cyber security and nurses. In an unusual career move, after majoring in engineering, Dr Mahajan went to nursing school, earning a PhD in nursing from the University of California. Working as a critical care nurse provided an invaluable perspective on how nurses interact with computer systems in the course of care, and the ways in which nurses might inadvertently open the doors of those systems and invite hackers in. Dr Mahajan now combines his IT and nursing backgrounds, often applying his skills to educating hospital employees about their role in preventing cyber attacks.

Why Healthcare?

Medscape: Why do hackers target hospitals and nurses? Are hospitals and nurses too trusting, or are they just not tech savvy? Are there other factors that make healthcare a tempting target?

Dr Mahajan: It doesn't have anything to do with the staff who work in hospitals, per se. It has more to do with the motivation of the hackers. The main motivation for hacking a hospital or health system is for ransom and monetary benefit, and to a much lesser extent, for publicity or revenge.

Hospitals are primarily concerned with safety, security, and the protection of patients' health data. They tend to be prudent and cautious, but this can make them slow to respond and adapt to a rapidly changing situation. Some hospitals may also be using outdated technology, or have failed to fully update their systems because of the expense. Hackers know these things, and take advantage of them. From a hacker's perspective, when trying to find vulnerabilities to exploit for financial gain, why not choose a target that is inefficient or moves slowly?

Another factor in the rise in hospital attacks is the level of penetration in terms of information retrieval. Hackers can gain temporary financial advantage with credit card fraud, but stealing health records exposes a lot more information about people: Social Security numbers, addresses, telephone numbers, demographic details, personal health disabilities, insurance information, and more. This information is at the core of a person's identity, and hence we call it "medical identity theft." This situation provides a pipeline of financial incentives rather than a one-time small benefit for hackers.

Yet another factor is the nature of the services that hospitals offer—the primary goal of these services is to provide help related to health issues. Most services are characterized by openness, social interaction, urgency, and intensity. So the doors must be kept open, and staff must have access to patient records to prevent errors and delays in treatment.

Hospitals also rely on their reputations as being safe environments, and their mission of taking care of people when they are in vulnerable positions. They can't simply shut down and wait it out when a cyber attack occurs. For these reasons, hospitals are more likely to pay a ransom rather than risk delays that could compromise patient care and result in death and lawsuits.

