In the age of electronic health records (EHR), cloud storage, and smartphones, it is also a prime time for hacking. Nurses need to protect the security and privacy of their patients’ personal and health care-related information, so it is important to educate yourself about cybersecurity best practices. So, how do you go about it?
We connected with Casey Crane, a cybersecurity journalist at SectigoStore.com, who has written for a variety of cybersecurity industry publications, including Hashed Out at The SSL Store, HackerNoon, Experfy and Infosec Insights. Crane answered our questions about cybersecurity and what you absolutely need to know.
What are the best ways for nurses to protect their patients’ information?
One of the best ways that nurses can protect their patients’ personal and health care-related information is to inform themselves about cybersecurity best practices. If your organization doesn’t offer cyber awareness training, request that they do so. This type of training can help you understand cyber threats like malicious websites, phishing emails, and other tactics that cybercriminals use to carry out attacks.
Here are a few other good cybersecurity best practices that you can use right away:
Always use unique passwords for your accounts.
One of the biggest mistakes that people across all industries make is using the same password for multiple accounts. A poll from Google and Harris shows that 52% of users reuse passwords across multiple accounts, and another 13% indicate that they use the same passwords across all accounts.
This means that all of your accounts should have unique passwords. This prevents hackers from using the same password to access multiple accounts in the event that one of your accounts becomes compromised.
Never plug personal devices (or unauthorized devices) into workstations or work devices.
If a device has previously been plugged into another device infected with malicious software, then you could inadvertently infect your workstation with the same malware. This gives hackers direct access to your network.
Don’t click on attachments or links in emails without first inspecting the messages.
Check to see if the sender’s name and email match, and if any links are legitimate. If the name and email don’t match, or if the link is from some unknown web address, that should send up a red flag. For example:
- If you normally get emails from your boss (email@example.com) but suddenly receive an email from an email address like firstname.lastname@example.org or email@example.com, that would be suspicious.
- If there’s a link embedded in the email, hover your mouse over the link (without clicking on it!) and it should display the true web address where the link would take you.
- If you receive an email from a suspicious address that contains a PDF, Excel file, or Word doc, don’t click on it. It’s possible that the file may contain malware.
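The three inspection steps above (does the sender's display name match the address it really came from, does a link's visible text match where it actually points, and does a message from an unrecognized sender carry a PDF or Office attachment) can be run as code over a raw message. The script below is an added example and is not part of the interview or of any product mentioned on the page; it uses only the Python standard library, and the contact directory, names, addresses, domains, link and attachment are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for an organization's official contact directory:
# display name -> the domain that person's mail really comes from.
KNOWN_SENDERS = {"jane boss": "hospital.example"}

# File types the tips single out; they are flagged when the sender check fails.
RISKY_EXTENSIONS = (".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    return (urlparse(url).hostname or "").lower()


def sender_mismatch(msg, directory=KNOWN_SENDERS):
    """Return a reason if the display name and the real address disagree, else None."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    expected = directory.get(name.strip().lower())
    if expected is None:
        return f"sender {name!r} <{addr}> is not in the directory"
    if domain != expected:
        return f"{name!r} normally mails from {expected}; this message is from {domain}"
    return None


def deceptive_links(html_body):
    """Links whose visible text is a URL on a different host than the real href."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(text, href) for href, text in parser.links
            if text.startswith(("http://", "https://")) and hostname(text) != hostname(href)]


def risky_attachments(msg):
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)]


def inspect(raw):
    """Run the three checks over a raw message and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html_body = body.get_content() if body is not None else ""
    findings = {
        "sender": sender_mismatch(msg),
        "links": deceptive_links(html_body),
        "attachments": risky_attachments(msg),
    }
    # The tip only concerns attachments from suspicious senders, so a sender
    # that passes the directory check does not have its attachments flagged.
    if findings["sender"] is None:
        findings["attachments"] = []
    return findings


def build_message(sender, html, attachment_name=None):
    """Build a constructed test message (not real mail) and return it as raw text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "nurse@hospital.example"
    msg["Subject"] = "Password reset required"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg.as_string()


# Constructed lure: the visible link text names the real portal, the href does not.
PHISH_HTML = ("<p>Your password has been compromised. Reset it here:\n"
              '<a href="http://hospital-reset.example/login">'
              "https://portal.hospital.example/reset</a></p>")

if __name__ == "__main__":
    raw = build_message("Jane Boss <jane.boss@mail-hospital-login.example>",
                        PHISH_HTML, "Invoice.pdf")
    print(inspect(raw))
```

The sender check is deliberately directory-driven rather than heuristic: the tip's advice is to compare what you see against what your organization already knows, and a lookup table of known names and their real domains is the smallest version of that. The link check catches only the case the tip describes (visible text that is itself a URL for a different host); plain-language link text such as "click here" cannot be judged without hovering, which is why the tip tells you to do so.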
If you receive an unusual or urgent request, call to confirm.
A common tactic that cybercriminals use to get you to do something or to provide information is to create an urgent situation. If you get an email or phone call from someone asking (or demanding) that you send them sensitive information, tell them you’re going to call them back to confirm. Use the contact information that’s provided through your organization’s official contact directory—never respond using an email address or phone number provided by the person who reached out to you!
Be aware of what’s going on around you.
Not all data breaches occur because of cyber attacks—sometimes, they come in the form of physical security breaches. Is there someone hanging around the nurses’ station that you don’t recognize or who doesn’t belong there? Ask them if they need help. This proactive approach can help to prevent cybercriminals from gaining physical access to records and other data by accessing computers at those stations or stealing portable devices from the area.
Much like how you sanitize your hands and wear protective gear to keep yourself and your patients healthy, having strong “cyber hygiene” is what keeps your organization (and your patients’ data) safe and secure.
Why do nurses need to protect their own email accounts, social media accounts, or their phones? Why do hackers start there?
Your personal email and social media accounts are a goldmine of data for cybercriminals. They can use information that they learn about you through those channels to guess your work account passwords. It also serves as fodder for social engineering tactics.
Nowadays, people tend to use their mobile devices and apps for banking, sending emails, and for handling other sensitive data. If a cybercriminal gets a hold of your cell phone or another mobile device that you use to access those accounts, then they have control of those accounts.
What are the most common tricks that hackers use?
Cybercriminals use the tactics that demonstrate the best outcomes with the least amount of effort. Needless to say, it’s a lot easier to trick someone into handing over their credentials than it is to hack through their organization’s network security defenses.
That’s why phishing is among the most common tactics used by cybercriminals. Phishing relies on the use of social engineering tactics, which often involves them pretending to be a colleague, manager, or another authority figure. Cybercriminals use strong social skills and charm to disarm you while also evoking a sense of urgency, fear, or curiosity that compels you to act. Their ultimate goal is to trick you into doing something you’d normally never do.
For example, you’d never just give a stranger your employee credentials or a patient’s health records or personal information. But if you receive a fraudulent email from someone pretending to be your organization’s IT team saying that your password has been compromised and that you need to reset it via a link they provide, you may be doing precisely that without even knowing it.
Cybercriminals use phishing emails to get users to download malicious software or to click on malicious links. Continuing with the previous example, if you enter your username and password in a password reset form on a fraudulent website that looks like your organization’s site, then you’re giving them the ability to log in to your accounts and access any systems your account touches.
What kind of information are hackers trying to get? What do they do with it?
Hackers love all types of data. They can choose to use it themselves to carry out crimes or sell it to other cybercriminals through a market known as the dark web for profit. Some of the types of data they look for include:
- Personally identifiable information (PII) such as names, phone numbers, addresses, social security numbers, etc.
- Financial information such as credit or debit card information, bank account numbers, etc.
- Protected health information (PHI) such as health records and insurance-related information
- Proprietary data and intellectual property
- Usernames, passwords, and other account credentials
User credentials and passwords are particularly valuable to cybercriminals. If they have your username and password, then they have the virtual keys to the kingdom. Hackers can use this information to access your organization’s network, databases, patient files, or any other systems that your account touches.
What would readers be most surprised about regarding cybersecurity?
Unless an organization chooses to eliminate everything digital within their environments, there’s no way to prevent every cyber attack. Hackers are always going to find vulnerabilities and weaknesses to exploit. But what you can do is follow cybersecurity best practices to make yourself and your organization tougher targets.
Firewalls, antivirus software, and other technologies can protect your organization from some threats but not all. You and your fellow health care providers are what constitute the “human firewall” of your organization.
Is there anything else that is important for our readers to know?
- Cybercriminals are capitalizing on the COVID-19 pandemic to carry out phishing scams and other cyber attacks.
- Data from Black Book Market Research shows that “Over 93% of healthcare organizations have experienced a data breach since Q3 2016 and 57% have had more than five data breaches during the same timeframe.”
- Researchers at Vanderbilt University believe that there may be a link between ransomware attacks and data breaches and an increase in heart-related deaths among patients at hospitals hit by those attacks. According to Brian Krebs, a cybersecurity expert and author: “Hospitals that have been hit by a data breach or ransomware attack can expect to see an increase in the death rate among heart patients in the following months or years because of cybersecurity remediation efforts.”
- You can complete cyber awareness training on your own. The U.S. Department of Defense offers free cyber awareness training online in the form of its DoD Cyber Awareness Challenge.