Dawn Pisturino's Blog

My Writing Journey

Health Information Technology Security

on June 10, 2022

Abstract       

Due to threats of cybercrime and malware infestations, healthcare organizations all across the world are now forced to upgrade and monitor their cybersecurity systems on a constant basis for the sake of protected patient health information, financial stability, and uninterrupted operations.  Money that would normally be spent on patient care is being diverted to IT professionals, who are hired to keep cybersecurity systems intact.

Health Information Technology Security       

Protecting patient health information, as mandated by law, has become a priority for healthcare facilities all around the world.  From doctors’ offices to medical devices to ransomware, the healthcare industry is under attack by cyber threats that compromise the health, safety, and privacy of patients everywhere.       

Nurses are at the forefront in efforts to secure patient and employee information, promote responsible use of computer technology, and report possible threats and violations in a timely manner.

Cybersecurity is Crucial       

Almost every day, a news story comes out that a corporation, nonprofit organization, or government agency has been hacked.  The healthcare industry is no different, and the attacks are becoming more frequent and more serious.  This is such an important issue at the hospital where I work, it seemed pertinent to write a paper on it.  Our IT department frequently makes us aware of e-mail threats, blocks blog sites, mandates automatic logoffs and timed reboots, requires frequent password changes, and regularly reminds us to turn off our computers, log off when finished, and to not share passwords.  Cybersecurity is crucial to protecting patient health information and network systems.

All Healthcare Organizations are at Risk       

Smaller healthcare clinics and doctors’ offices must follow the same mandates as larger organizations when it comes to protecting patient health information.  Healthcare personnel divulging protected information to unauthorized people and hackers using stolen information in identity theft scams are huge concerns that must be addressed (Taitsman, Grimm, & Agrawal, 2013).  Not only must these smaller organizations take appropriate measures to secure patient health information, but personnel must strictly follow policies and protocols.  Simple safeguards, such as screening phone calls, logging off computers, shredding documents, background checks for employees, automatic logouts, and activity audits, protect and safeguard patients and organizations alike (Taitsman, Grimm, & Agrawal, 2013).  Insurance companies, too, must safeguard patients against fraudulent claims.  Consumers must be educated in ways to protect their own healthcare information (Taitsman, Grimm, & Agrawal, 2013).       

Nurses all across the healthcare spectrum are increasingly required to use computer technology, and they must honor patient privacy, confidentiality, and consent while doing so.  Use of the Internet opens the doorway to viruses, worms, adware, spyware, and other forms of malware (Damrongsak & Brown, 2008).  Something as simple as using a shared address book can infect an entire system.  Logging off the computer when the nurse has finished and frequently backing up data can prevent unauthorized intrusions and corrupted data (Damrongsak & Brown, 2008).  Most medical facilities use an intranet, or closed system, in addition to the Internet, that restricts data to a smaller group of people.  Firewalls, encryption, and the use of virtual private networks provide additional security (Damrongsak & Brown, 2008).       

Large government agencies, such as the Veterans Administration, have increased efforts to stave off cyber-attacks, which compromise patient health information and medical devices.  IT specialists have removed medical devices from the VA hospital’s main network systems and connected them to virtual-local area networks (VLANs) (Rhea, 2010).  Without access to the Internet, these devices can be used without fear of attack.  In the past, the main focus has been on identity theft.  But with the rise of international terrorism, there is a growing fear that medical devices may be hacked and used to intentionally harm patients (Rhea, 2010).  Healthcare IT systems have already been crippled by hackers looking to profit from cybercrime.  In 2009, healthcare facilities around the world found medical devices infected with the Conficker virus (Rhea, 2010).  Downtime caused by malware is expensive and inconvenient.  Hospitals are forced to spend money on security that normally would have gone to patient care (Rhea, 2010).  FDA regulations are also a hindrance to quick development of security patches (Rhea, 2010).       

According to author W.S. Chee (2007), a member of the Department of Diagnostic Imaging at K.K. Women’s and Children’s Hospital in Singapore, medical devices connected to a hospital’s network system can lead to critical threats and infestations of malware in these devices.  Hospitals need to act proactively to prevent intrusions and respond immediately if a system becomes infected (Chee, 2007).  Equipment vendors play a huge role because they supply the security measures which protect medical devices (Chee, 2007).  But they can be slow in providing updates and patches.  The FDA, furthermore, determines when and how changes can be made to biomedical equipment systems.  This places the burden on hospitals to protect themselves (Chee, 2007).       

Thomas Klein (2014), managing editor of Electronic Medical Device Technology, asserts that intentional sabotage of medical devices is only a matter of time.  According to researchers, vulnerabilities have been found in infusion pumps, x-ray machines, cardiac defibrillators, and other devices (Klein, 2014).  Since these devices are frequently connected to the Internet, they are vulnerable to malware.  If the network systems are not fully protected, the devices are subject to malicious attack.  The use of USB ports opens a doorway to security breaches and malware (Klein, 2014).  The risk is so great the FDA became involved and now requires that manufacturers consider cybersecurity risks when developing new products (Klein, 2014).       

The expansion of healthcare information technology improves profitability while exposing healthcare facilities to greater risks (Elliot, 2005).  Facilities must create and enforce policies that secure patient health information across all forms of networks and technology.  One solution for managing remote devices is the use of on-demand security services that cease to work once the remote device is no longer in use (Elliot, 2005).  The problem, then, is security on the other end, where patient health information can be leaked or accessed by the user.  This is called post-delivery security (Elliot, 2005).  Solutions include user malware protection, restrictions on use of data, and audits on computer use.  Developing and enforcing security policies that protect patient health information, especially information transmitted to remote devices, is tantamount to avoiding security breaches and corrupted data (Elliot, 2005).       

The latest, and most serious, threat comes in the form of professional IT criminals who use ransomware to extort money from hospitals (Conn, 2016).  One such threat, Locky, acts through ordinary-looking e-mail (Conn, 2016).  When opened, a virus activates software that encrypts the hospital’s IT system.  Then, a window pops up with a ransom demand.  Samas, another threat, uploads encryption ransomware through a hospital’s Web server (Conn, 2016).  A more sophisticated ransomware, CryptoLocker, demands bitcoin as payment because it is nearly impossible to trace (Conn, 2016).  Once paid, the criminals unlock the data in an infected system.  But, should hospitals pay in the first place?  Cybersecurity has become a booming business, with medical facilities now being forced to employ their services.  There is a major concern that medical devices will be the next systems to be hit by cybercriminals (Conn, 2016).

Topic Availability

This topic, as it relates to Nursing Informatics, is too important to ignore.  I used seven resources from scholarly and peer-reviewed publications for this paper.  I pulled my resources primarily from CINAHL and ProQuest.  I found enough materials to give me a broad overview of the topic, but I was disappointed that more current articles could not be found.  Technology changes so rapidly that even a few months can make a difference in security innovations.  I used both the basic and advanced search features and the key words “medical device malware security.”

Information Availability 

This information is available in scholarly and peer-reviewed journals and other publications.  Although the information was geared toward professionals, some publications include short articles that educate the general public about cybersecurity and protecting patient health information.  Nurses benefit from all of these resources because many do not understand the extent of the threat.

Personal Views 

The information I read shocked me (cyberterrorism), confirmed what I see our IT specialists changing at my hospital, and disturbed me (ransomware cybercrime.)  The general public does not seem to be aware of these threats.  As a nurse who uses computer technology every day, I was not aware of the seriousness of this problem.  It never occurred to me that a glucometer or infusion pump could be infected with a virus or that an unscrupulous person would deliberately sabotage somebody’s pacemaker.  When I mention this to other nurses, they are equally dismayed by the possibilities.  They always ask, “Why would somebody maliciously hack into a medical device?”  For people who devote their lives to saving people, the idea is unthinkable.       

The changing landscape in healthcare makes it crucial that ALL medical personnel understand the seriousness of the threats.  As technology becomes more sophisticated, so do the means by which cybercriminals hack into and infect network systems.  Information is compromised, and patient health and well-being are put at risk.

Conclusion

In conclusion, whether it’s a small private practice or a large healthcare system, the increased use of technology poses significant threats to protected patient health information, medical devices, and cybersecurity systems.  Users all across the healthcare spectrum have a duty to behave responsibly when accessing patient records, divulging information, searching the Internet, managing e-mail and faxes, and interacting with colleagues.  Nurses should provide feedback and input about vulnerabilities in security policies and protocols for the protection of themselves and their patients.  They must educate themselves about current threats so they can adapt their practice to avoid unintentional security breaches.  Nurses can also educate their patients in the use of computer technology, accessing patient portals, and protecting patient health information.        

Technology will continue to be a driving force in healthcare.  Along with the downside comes the possibility of lower costs to facilities and patients, improved outcomes, more accurate measurements, increased research, and greater opportunities for nurses to expand their involvement and role in improving healthcare and healthcare informatics.  Requiring nursing students to study nursing informatics increases their awareness of the problems and benefits of  technology.  Hopefully, our physicians and administrators are being trained in this area, as well.  Health information technology specialists are enjoying a surge in employment opportunities as healthcare systems realize the importance of their specialty.  Technology is expensive, but the threats of cybercrime and cyber-attacks are more damaging.  

References

Chee, W.S. A. (2007). IT security in biomedical imaging informatics: The hidden vulnerability. Journal of Mechanics in Medicine and Biology, 7(1), 101-106.

Conn, J. (2016, April). Ransomware scare: Will hospitals pay for protection. Modern Healthcare, 46(15), 8-8.

Damrongsak, M., & Brown, K.C. (2008). Data security in occupational health. AAOHN

 Journal, 56(10), 417-421. Retrieved from 

http://search.proquest.com.resources.njstatelib.org/docview/219399232?accountid=63787.

Elliot, M. (2005, September). Securing the healthcare border. Health Management Technology,

 26(9), 32-35.

Klein, T. (2014, September). How to protect medical devices against malware. Operating Theatre Journal, 14-14.

Rhea, S. (2010, December). Cyberbattle: Providers work to protect devices, patients. Modern

 Healthcare, 40(50), 33-34.

Taitsman, J. K., Grimm, C. M., Agrawal, S. (2013, March). Protecting Patient privacy and data security. The New England Journal of Medicine, 368, 977-979. doi: 10.1056/NEJMp1215258. Retrieved from http://www.NEJM.org.

~

PowerPoint presentation shared at Flagstaff Medical Center in 2016. See it here on Dropbox:

https://www.dropbox.com/s/4o62z11sbzmg5tz/NUR-340%20Power%20Point%20Presentation%20Pisturino%20%281%29.pptx?dl=0

~

Dawn Pisturino
Thomas Edison State University

August 31, 2016; June 10, 2022
Copyright 2016-2022 Dawn Pisturino. All Rights Reserved.

(The references would not format properly.)


8 responses to “Health Information Technology Security

  1. utahan15 says:

    run the scan
    if too scary
    call gary~!

    Liked by 1 person

  2. This is a very important topic. I hope everyone takes it more seriously!!!

    Liked by 2 people

  3. muunyayo says:

    Reblogged this on muunyayo and commented:
    This is the type of insights that are needed in my industry (network security)…insights from the “end-user”, if you will…

    Liked by 2 people

  4. […] Health Information Technology Security […]

    Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: