By Alexandra Paslidis, BS, MS; Thompson Boyd, MD, FHIMSS, FACHE, FABQAURP, CPHIMS, CHFP, CHCQM, CSBI; and Nick Paslidis, MD, PhD, MHCM, FACP, FABQAURP
When a patient codes, the main concern of medical personnel is the well-being of the patient in trouble, not making sure the computer is appropriately locked so personnel can leave and help. In a fast-paced environment where professionals are regularly faced with life-and-death decisions, it is easy to understand how cybersecurity could fall through the cracks of daily concerns. As technology advances and innovation is brought to the medical field, devices and technology must be protected. Locks on a building are irrelevant if an employee leaves a window open; similarly, cybersecurity protocol is irrelevant if medical personnel are not trained to ensure protection of the network. Like the continuous battle surrounding antibiotics and antibiotic-resistant pathogens, the fight between cybersecurity measures and hackers is also ongoing.
Once a hacker infiltrates a hospital network, they have free rein to cause severe damage to the institution by interfering with the three tenets of information security as set forth in U.S. law (44 U.S.C. § 3542, 2011): confidentiality, integrity, and availability of protected health information (PHI), which we can refer to in short as the “cybersecurity triad” (Table 1). Confidentiality interference allows unauthorized parties to access PHI (e.g., medical records, addresses, and family members). Integrity interference is any manipulation of PHI, such as a change of medication dose or deletion of patient notes. Availability interference is a denial of service (DOS) attack, often portrayed in the news, where a hacker makes PHI unavailable to users. Any interference can disrupt medical care and cause irreparable harm to a patient, medical personnel, or the institution’s functionality and reputation. Medical personnel can work to uphold cybersecurity by understanding phishing attacks, networking vulnerabilities, and standard cybersecurity procedures
Table 1: CYBERSECURITY TRIAD
CONFIDENTIALITY: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
INTEGRITY: Guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity.
AVAILABILITY: Ensuring timely and reliable access to and use of information.
Vigilance against potential phishing attacks is a simple but effective way to remain secure. Phishing occurs when a malicious party sends a communication that is disguised as coming from a benign party, but that will introduce malware or otherwise compromise a system if the user opens the message. Spear-phishing is a more focused attack; an example may be an email sent to a hospital worker that purports to seek information on COVID-19 statistics. The hacker may craft the email to mimic a reputable source; for example, the email may appear to come from “The US Department of Health and Human Services” and include a realistic title and graphics. Even if the user was not expecting such a communication, these legitimate-appearing elements may be enough to overcome the user’s hesitation. Once a user clicks the link to input the requested statistics, any number of malicious downloads may begin, and the cybersecurity triad is affected. This was the case in several Massachusetts hospitals in November 2020, when three CEOs were sent emails from supposedly “trusted” sources (Jercich, 2020). Thankfully there was no lasting harm to the users, but many may not be so lucky. Once a link is clicked or an attachment opened, a virus may be automatically downloaded (sometimes invisibly to the user). From there, malicious code may send the virus to email lists, transmit information to another party, or spread into the network. A user who accesses their personal emails on a hospital’s internal network (connected to an institution’s internet) is a golden opportunity for a hacker to gain access to that network—that is, if the user opens the untrusted email or link.
Therein lies the key to preventing phishing attacks; a user must open an email, click a link, or download an attachment in order for the malicious code to enter a computer. Updating a computer system with the latest security software and maintaining constant vigilance is a surefire way to prevent phishing attacks. Looking closely at email senders’ names may also help determine the validity of an email. Rather than firstname.lastname@example.org, for example, a hacker may substitute email@example.com. When in doubt, err on the side of caution and notify IT personnel without opening or forwarding the email to anyone.
Understanding basic networking vulnerabilities is another way to protect the cybersecurity triad within the medical field. Computer networking vulnerabilities mainly occur when a user is careless with their wireless internet connections. As stated previously in the example of opening a personal email on a hospital device, connecting a hospital computer to an unprotected internet server can introduce malware or viruses onto that computer, and once the computer is reconnected to the hospital network, the virus can spread. Inserting unknown or suspicious USB drives or CDs into a hospital computer may also defeat hospital network security measures. As with phishing emails, a download may be programmed to begin automatically when the USB drive or CD is inserted into the user’s computer. An example of this is from 2016, when the American Dental Association unintentionally sent out malware-infected USB drives to users; the drives were infected during production (Alder, 2016). Solutions to network vulnerabilities such as this are similar to phishing solutions. Remain vigilant and look at everything with a critical eye. Protect your network from external threats by not plugging anything unknown into any work asset. When in doubt, discuss potential threats with security personnel. To protect any asset from an external network, invest in a VPN to mask your internet connection.
Lastly, familiarity with some general cybersecurity procedures may help protect medical personnel and their work assets. One such procedure is to regularly change passwords and keep the passwords unique using additional characters. A “unique” password is one that is not easily guessed by human or computer (i.e., avoid family names and birthdays and alternate words with symbols). Programs can be written to guess passwords if given a definite character/number limit; Bigboss123! is not a safe password. A much better and more difficult password to guess, while still keeping the same theme, would be B1gB0$$95, where numbers and symbols are embedded into the password. Another simple protocol to follow is to lock any and all assets while not in use. Hackers are often thought of as solely an external threat, but internal threats exist as well. A disgruntled coworker or patient with access to a device they are not authorized to use can present another interference with the cybersecurity triad.
In any setting, PHI is sensitive information that should be protected. With the increasing digitization of medical care and data storage, it is imperative to remain vigilant regarding the cybersecurity triad. Cyber awareness training should be implemented on multiple levels within a medical setting, though the information security officer should focus on administrative protection and risk analyses. When a security risk analysis reveals a vulnerability, it must be dealt with as soon as possible. Often by the time a vulnerability is found, a breach has already occurred, and the longer the threat has been present, the more costly the remedy will be. A system grows more vulnerable the longer it goes without security updates and patches. By remaining compliant with national security protocol such as that recommended by the U.S. Department of Health and Human Services (2020), there is a lower chance of a high-impact hack.
As technology expands, so do the threats to interfere with the protection measures surrounding it. Preventive medicine proactively keeps a body healthy and strong to ward off potential diseases. Cybersecurity exists to protect a facility from threats as well.
Alexandra N. Paslidis, BS, MMS, is a second-year master’s student at Embry Riddle Aeronautical University, specializing in cyberintelligence and security. She has a master’s in medical sciences and just completed an internship at Raytheon Missiles and Defense. Thompson Boyd III, MD, CHCQM, CPHIMS, FABQAURP, is a full-time consultant who was previously medical director of Informatics/Physician Liaison at Hahnemann University Hospital in Philadelphia, Pennsylvania. Boyd also serves on the ABQAURP Board of Directors. Nick J. Paslidis, MD, PhD, MHCM, FACP, FABQAURP, CHCQM, is a senior medical director for Molina Healthcare regarding Medicare and Medicaid Managed Care Services (since 2012), along with maintaining a continuous part-time private practice for over 32 years. He also is currently serving as chairman of the board at ABQAURP.
Abomhara, M., & Køien, G. M. (2015). Cyber security and the internet of things: Vulnerabilities, threats, intruders and attacks. Journal of Cyber Security and Mobility, 4(1), 65–88. https://doi.org/10.13052/jcsm2245-1439.414
Alder, S. (2016, April 29). American Dental Association mails malware-infected USB drives to members. HIPAA Journal. https://www.hipaajournal.com/american-dental-association-mails-malware-infected-usb-drives-to-members-3410/
IBM Corporation. (2021). Cost of a data breach report 2021. https://www.ibm.com/security/data-breach
Jang-Jaccard, J., & Nepal, S. (2014, August). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, 80(5), 973–993. https://doi.org/10.1016/j.jcss.2014.02.005
Jercich, K. (2020, November 5). Hospitals said to tighten email security in response to CEO spear phishing attempts. Healthcare IT News. https://www.healthcareitnews.com/news/hospitals-said-tighten-email-security-response-ceo-spear-phishing-attempts
U.S. Department of Health & Human Services. (2020, September 23). The Security Rule. https://www.hhs.gov/hipaa/for-professionals/security/index.html
Williams, E. J., Hinds, J., & Joinson, A. N. (2018). Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies, 120, 1–13. https://doi.org/10.1016/j.ijhcs.2018.06.004
Ponemon Institute: https://www.ponemon.org/
U.S. Department of Health & Human Services, The Office of the National Coordinator for Health Information Technology: https://www.healthit.gov/