How nurses can immunize your organization against cyberattacks

May 15, 2018 |  Security, Nursing, Big Data, Patient Safety, Healthcare IT


Every day, nurses collect and analyze information to ensure that patients are getting the right care at the right time. That same preventative approach is critical to improving cybersecurity at the point of care.

Healthcare is a fast-paced environment which faces the dual challenge of sharing health information in a timely manner so that patient safety is not compromised, while securing these same records from snooping and tampering.

Additionally, patient information is valuable — both to you as a healthcare provider, and to criminals. Ransomware exploits that fact, and uses the threat of losing that information to get payment for returning the data to its original state.

Just as nurses are critical members of the patient care team, they are also key contributors to the strategy of prevention, education, and recovery that every hospital can use to minimize damage from cyber attacks.

Think about what someone could do with stolen medical information; as just one example, consider what a hacker could do with all of the information on a patient’s medical insurance card. Aside from using the patient’s identity outside the hospital, hackers could use the information to get free healthcare and even set up a fake medical billing company to file claims.

On top of the personal risk of identity theft, stolen patient data also increases the risk of drug diversion, the act of obtaining prescription drugs for illegal purposes. This costs health insurers about $72.5 billion per year, according to a report by Pharmacy Times. The report also notes several instances where providers diverted prescription drugs for their own illegal use and describes strategies for addressing the insider threat.

Setting up a ‘human firewall’ against ransomware

Just as a literal firewall prevents fires from spreading through a building, a computer firewall works to prevent hackers from gaining access. Unfortunately, human users have the ability to let the hackers in, opening the door to them, as it were. This is where nurses and front-line providers can become the “human firewall” for their organizations.

On a system-wide level, ransomware has become a favored tactic for hackers who want to make quick money by locking an organization’s data and demanding payment to unlock it again. Two of the most common delivery methods for ransomware are “phishing emails,” typically an email that looks like it comes from someone you know or do business with, and infected websites that employees innocently visit.

The user may click on a link within an email which takes them to a malicious website. The malicious website typically will be disguised as a legitimate website, and it may prompt them to enter personally identifying information like the username and password they use for accessing work email and other systems. With your username and password, the hackers can now log on to your legitimate account. Another possibility is that the malicious website tries to install software directly to your device that is actually malware, a program that will disrupt your device’s operations, record your personal information, or take control of the device.

Another common phishing email scenario is that the email has an attached file. Frequently it is a Microsoft Word document or PDF masquerading as something else - an invoice, a report, etc. If you download and open the file, it launches the malware. In the case of many variants of ransomware, once the malware gets into the first computer, it links to open file shares on the network and infects more machines, encrypting data as it goes.

Before long, an entire hospital or provider network can have its computer systems shut down. Then, the organization has a choice: pay the ransom, or work to recover from the ransomware. MEDITECH encourages each organization to make an informed decision for themselves. We have shared this page which provides a detailed analysis on the subject of paying the ransom or not.

Avoiding the ‘hook’ of spear phishing

Aside from ransomware, another common hacking strategy is spear phishing. As the name implies, it’s related to phishing, the practice of sending emails that attempt to collect personally identifiable information from recipients.

What makes spear phishing more difficult to detect is that the emails are designed to look like they come from a known or trusted sender. In some cases, it’s very difficult to tell the difference between a spear phishing email and the real thing. The “from address” in the email may actually say the person’s name, but the actual email address may be wrong. The web links may go to a similarly named website. For example, in one prominent case the links went to we11ness.com instead of wellness.com. It’s a common strategy to use similar looking characters to trick people into going to the fake website.
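The two warning signs described above, a display name that does not match the real address and a domain that imitates a trusted one with look-alike characters, can both be checked automatically on incoming mail. The following Python is an added example, not code from the article or from MEDITECH; the trusted-domain list, the staff directory and the sample From: headers are all constructed for illustration.

```python
"""Added example: flag look-alike sender domains and display-name mismatches
in e-mail From: headers. Not part of the original article; the trusted
domain list, directory and sample headers are constructed for illustration.
"""
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical allow-list of domains the organization actually uses.
TRUSTED_DOMAINS = {"wellness.com", "hospital.example"}

# Hypothetical staff directory: display name -> the address it should map to.
DIRECTORY = {"Dr. Jane Smith": "jsmith@hospital.example"}

# Single characters commonly swapped for visual look-alikes (1 for l, 0 for o ...).
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "8": "b"})


def normalize(domain: str) -> str:
    """Collapse a domain to a canonical form so look-alikes compare equal."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")  # two-letter tricks
    return d.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a value of 1 means 'one typo away'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t_norm = normalize(trusted)
        if norm == t_norm or edit_distance(norm, t_norm) <= 1:
            return trusted
    return None


def check_from_header(from_header: str) -> List[str]:
    """Return a list of findings for a From: header value (empty list = nothing suspicious)."""
    findings = []
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    domain = addr.rsplit("@", 1)[1].lower()
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"domain {domain} looks like trusted domain {imitated}")
    expected = DIRECTORY.get(name)
    if expected and expected.lower() != addr.lower():
        findings.append(f"display name '{name}' expected {expected}, got {addr}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one legitimate, one name mismatch, one look-alike domain.
    for header in ('"Dr. Jane Smith" <jsmith@hospital.example>',
                   '"Dr. Jane Smith" <jane.smith@gmail.example>',
                   '"Dr. Jane Smith" <billing@we11ness.com>'):
        print(header, "->", check_from_header(header) or "ok")
```

The normalization step is what catches the we11ness.com case: both the sender's domain and each trusted domain are mapped through the same confusable table before comparison, and a small edit distance then catches single-character typosquats that the table does not cover. Findings like these are a reason to verify out of band, not proof of an attack; legitimate mail from a personal address will also trip the display-name check.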

Hackers are also using social media to spread viruses by hijacking someone’s account and sharing links to malicious websites with their friends list. Usually they just look like a link being shared from someone you know, which might not seem strange. However, the hacker is banking on you just assuming that the link is safe.

Reducing risk through system-wide tech solutions

As we’re surrounded more and more with tech, the potential for critical data to be stolen or compromised has grown with it. It seems like we hear about another cyberattack every week that leaves us feeling powerless.

One of the most effective technologies to prevent cyber attacks is multi-factor authentication (or MFA), meaning a system that requires more than a username and password to access. After logging in with your username and password, many sites and apps are starting to ask you to provide a “second factor” of authentication.

From an IT perspective, the best MFA uses two of these three elements: something you know [a username and password], something you are [a human being with a fingerprint], and something you have [a badge or other device].

In order to make this as convenient as possible in the healthcare industry, many hospitals use an ID badge as the second factor. Now, someone would have to know your password and steal your badge in order to log on to the system. This higher level of security allows your IT staff to consider other security projects such as Single Sign On (SSO). With SSO, you can sign on and access devices in different physical locations or switch between prescription, lab order, and financial systems without being prompted for your username and password.

Once these security measures are incorporated into a nurse’s workflow, they become as natural as hourly bed checks. Most importantly, these preventative steps protect patient information, adhere to HIPAA guidelines, and ensure that hackers can’t get to critical data or disrupt the hospital’s operations.

Backing up prevention with strong recovery systems

Generally speaking, there are very few reasons why you should be asked to click a link and provide confidential information. If you get an email that looks like it’s from someone at your organization, but you’re a bit skeptical, do not reply to the email.

Instead, you should send them a separate email or give them a call to confirm that they’re actually looking for that information. Be aware that sometimes the hacker has control of that person’s email account.

There have been occasions where the hacker was actively responding to the person’s emails, too. So if you get a suspicious email, replying and asking if it’s a legitimate request or website may not be the best way to prevent a cyber attack. Someone would ask “is this a legitimate web page?” and the hacker would respond with “Yes.”

In the case of Facebook messages, one way to defeat potential attacks is by checking to see if the message you’ve received with a URL also includes a preview. If it doesn’t, that’s a major sign that the link may not be safe. In that case, you’ll want to reach your friend or contact through another method to have them check to see if their account has been hacked. It may seem strange, but it’s a quick step that will help you avoid a lot of hassle.

If the email you’ve received is from your bank, credit card company, or an online retail store, you can simply navigate directly to their website in a browser and log into your account to see if they actually have sent any messages for you. When in doubt, contact the organization by phone, email, or through their website.

Even with the best prevention plans, though, an organization can still fall victim to hackers — spotting suspicious activity and being extra careful with your online activity still may not stop 100 percent of cyber attacks.

Here’s where having a clear recovery program is critical. The best-prepared organizations have layers of backups in place — whether on separate cloud-based servers or a remote physical location where electronic records are kept. In addition, they build recovery right into the nurse’s daily workflow and regular training.

By having these strategies in place, hospitals that get hit with cyberattacks can quickly shut down the system, locate infected files and hardware, rid the system of malicious code, and get back to full functionality with a minimum of downtime.


Written by Justin Armstrong, Security Architect, MEDITECH

Justin Armstrong is responsible for the security of MEDITECH applications and platforms, including coordinating critical updates to MEDITECH software and communicating with customers when questions arise about MEDITECH’s security stance. Justin stays up to date on evolving security standards and regulations, best practices, threats, and software vulnerabilities by remaining active in the security community inside and outside of MEDITECH. He is a Certified Information Systems Security Professional (CISSP) and a proud member of the FBI’s InfraGard program as well as (ISC)2, ISSA, the Cyber Health Working Group (CHWG), OWASP, EHRA Privacy and Security Workgroup, and the NH-ISAC. Justin earned a Bachelor of Science in Physics and a Bachelor of Arts in Mathematics from the University of Massachusetts at Amherst. He obtained his Masters in Information Security Leadership at Brandeis University.