Cyber-security: A nurse leader’s nightmare

Cyber-security: A nurse leader’s nightmare

By Cynthia Plonien, DNP, RN, CENP

As strategically planned, the healthcare industry has implemented electronic records. Consequentially, the healthcare industry has become dependent on e-information for business operations and the provision of patient care. The dependency on e-records and e-communication places healthcare organizations at high risk for cyber-crime. Escalating the risk is the interface of healthcare data necessary for patient care. Electronic information flows to and from multiple providers, insurers, health plans, pharmaceuticals, and business associates.

In a benchmark study, published by the Ponemon Institute in 2013, 94 percent of hospitals reported experiencing data breeches.²By 2015, the Ponemon Institute related that breaches in security were rapidly shifting from accidental, to intentional with criminal attacks up 125 percent.³Permera Blue Cross, licensed by Blue Cross Blue Shield, described a cyber-attack occurring in 2014 that affected 11 million customers, giving access to Social Security numbers, bank accounts, contact information, and claims data.⁴ Cyber-attacks and espionage are certainly not limited to U.S. borders. One of the largest U.S. hospital groups, Community Health Systems Inc., became the victim of a cyber-attack originating in China, affecting 4.5 million patients—including theft of personal data and Social Security numbers.⁵

Economic and fiscal consequences are alarming. Rick Kam, founder of ID Experts, estimates the annual impact of data breaches to the U.S. healthcare to be $6.97 billion.⁶ Causes for a data breach falls into four categories: Loss of equipment—46 percent, employee errors—42 percent, criminal attacks—33 percent, and technology glitches—31percent.⁶

Patients are especially vulnerable to cyber-attacks that interfere with medical devices, altering or falsifying critical information.¹Shared traffic between connected medical devices and application software brings a security risk previously unrealized, i.e. transmission of radiology services, online health monitoring, programmable pace makers, IV pumps, insulin pumps, surveillance cameras, etc.—all can be hacked.⁷ Organizations, it seems, are ill-prepared to deal with the barrage of cyber-threat and cyber-attack connected directly to patient care. In response to the dramatic increase in cyber-intrusions on medical devices, the FBI Cyber Division issued a notice in 2014 to the healthcare industry. Their warning addressed the exploitation of medical devices by cyber-criminals as well as their concern related to the lack of preparation by healthcare organizations to combat cyber criminals.⁸ Subsequently, a year later, in a review of cyber risk management practice in healthcare, the Health Information Trust Alliance found that "the industries approach is reactive, inefficient, and labor intensive."⁹

As nurse leaders, it is imperative that we are keenly aware, in tune, and proactive to cyber-security threats. Organization are at risk for legal, regulatory, and financial costs. Patients risk the exposure of protected health information, their health, and wellness. Compliance with both internal and external regulations is helpful, but it does not equate to cyber-security. Cyber-safety is not a job that is left solely to IT Departments. It requires a collaborative team effort among many players within organizations. Active involvement in mitigating risks and avoiding consequences of cyber-crime is not a leadership option; it is a leader responsibility. Working with IT departments and Risk Management to enforce best practices and controls is a good starting point. However, creating an environment of awareness and accountability among all staff and leaders is vital. Technology’s purpose in healthcare is to improve quality of care, timeliness, and lower costs. Our challenge is to end the nightmare of cyber-threats and to create an atmosphere of cyber-security by managing information for the best benefit of healthcare organizations and for patients depending on us for high-quality care.

1. Nigran, D. (2014). When 'hacktivists' target your hospital. New England Journal of Medicine. Jul 31;371(5):393-5. doi: 10.1056/NEJMp1407326.
2. Ponemon Institute. (2013). Cost of data breach study: global analysis. May, 2013. http://www.ponemon.org/blog/2013-cost-of-data-breach-global-analysis
3. Ponemon Institute. (2015). Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare, According to New Ponemon Study. May, 2015. http://www.ponemon.org/news-2/66.
4. Huddleston, T (2015). Premera Blue Cross Reveals Cyberattack that Affected 11 Million Customers. Fortune, March 17, 2015, http://fortune.com/2015/03/17/premera-blue-cross-hacking-breach/.
5. Finkle, J. & Humer. (2014). Community Health Says Data Stolen in Cyber Attack from China. Reuters, August 18, 2014, http://www.reuters.com/article/2014/08/18/us-community-health-cybersecurity-idUSKBN0GI16N20140818.
6. McCann, E. (2012) Healthcare data breaches on the rise, with a potential $7B price tag. Healthcare IT News. Dec. 2012. http://www.healthcareitnews.com/news/healthcare-data-breaches-trend-upward-come-potential-7b-price-tag.
7. Filkins, B. (2014). Health care cyber threat report. SANS Institute. Feb. 2014. https://www.sans.org/reading-room/whitepapers/analyst/health-care-cyberthreat-report-widespread-compromises-detected-compliance-nightmare-horizon-34735.
8. FBI Cyber Division. (2014). Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain. April, 2014. http://www.aha.org/content/14/140408--fbipin-healthsyscyberintrud.pdf.
9. Drovak, K. (2015). Health providers lack awareness of cyberthreats. March, 2015. FierceHealthIT. (p.1) http://www.fiercehealthit.com/story/hitrust-providers-lack-awareness-cyberthreats/2015-03-06.