Part 3 of three-part series on technology security tips for nurses.
In this final installment of our three-part series, “Everyday technology security tips for nurses,” we address one of the most universal issues nurses face—personal use of technological equipment belonging to one’s employer. Even when there are strict rules prohibiting such use, it still happens.
There used to be prohibitions against using one’s work phone for personal calls. Today, not so much. But, situations do arise where employees have to check personal email—perhaps at their desks or on the computer in the lounge. Or maybe one of your kids will text you on your work cellphone to let you know he or she is home from school.
You’re thinking: “So, what’s the big deal? What could possibly go wrong?” Well, we’ll start by saying that every business involves the use of some kind of technology that employees need to do their jobs—whether cars, stethoscopes, computers, or MRI scanners—and this equipment is generally provided by the business. While some personal use of business equipment is justified and should be expected by employers, problems arise when that personal use is excessive or inappropriate.
OK, so who’s going to take an MRI machine home with them for little Jimmy’s science project? But consider this scenario: On the way home from work in the company car, you stop at the store to pick up some groceries. If nothing happens while doing so, no problem. But what if another automobile collides with your company car while you are in the store? Now you may have a problem. And what about that on-call phone or work computer you have in that company car? Nothing can go wrong when you use that equipment, right? Wrong.
Let’s start with the shared-device issue. While shared computers and other digital devices are found in other industries, shared devices in healthcare—from pagers to on-call cellphones to computers—are ubiquitous. This sharing allows organizations to operate smoothly as people move from role to role, from shift to shift, and even from location to location. But remember: The information you store, that email you send, and that application you download “belong” to everyone who uses that device. Don’t put anything on it or do anything from it that you don’t want others to see or know about.
Personal use of corporate assets
That game you play on your home computer is great! Very relaxing. And your boss has said you can use the company computer for personal use on breaks and at lunch. What could go wrong if you install that game on your computer at work or just go to the internet site and play? Whoops! Now you’ve brought in a virus. Or worse, there are conflicts between your game installed on the company’s computer and the hospital’s electronic health record (EHR) system, and the system doesn’t work right anymore. Who ya gonna call? More to the point, what are you going to say when you have to call IT and tell them that you put personal software on the company machine?
Besides annoying IT personnel, the restrictions they place on use of company equipment because of your regrettable action could trigger other problems, including the following:
- Morale problems: If personal use of company equipment is suddenly curtailed—blocking dating sites, as hospital administrators asked one of us [David Finn] to do—or if only some employees are allowed to use certain equipment, other workers may become frustrated, and attitudes may deteriorate.
- Excessive maintenance, such as having to reimage the computer: Reimaging a computer requires deletion of data on the hard drive and restoration of the machine to factory settings. This step is usually warranted when an operating system (OS) is damaged or corrupted, the computer won’t start up, or it is simply not working right. Reimaging usually fixes all problems caused by software issues. The procedure varies, depending on manufacturer, but usually takes anywhere between three hours and a full day.
- Lost productivity: Less is accomplished when employees use work time and company equipment for personal tasks or if a shared machine is “down.”
Acceptable use means you
Before you use your employer’s equipment to do any personal tasks, read your organization’s “acceptable use” policy, which outlines, as the name suggests, permissible uses of company equipment—including computers and other technology devices. The purpose of the policy is to protect you—the employee or workforce member—and the company. Inappropriate use of technology systems can expose your employer to risks that include, but are not limited to, virus attacks and other compromises of the network—even legal issues that affect both you and your employer. Remember, your company-issued computer is connected to a lot of other equipment the company owns, such as printers, fax machines, networking gear, and other computers—even clinical devices such as IV pumps. What if malware introduced to the system via a visit you made to an inappropriate website maliciously compromised an IV drip servicing one of your patients?
Here’s an instructive story ripped from the headlines. (If this happened at your company, it might be good news for your organization’s security staff but not so good for you if you were the one who stored—even accidentally—personal information on your employer’s equipment.) A recent court decision—and, yes, the case involved employees of a major academic medical center—ruled that employee information stolen during a breach wasn’t protected. The employees were not entitled to damages or protection because they had no reasonable expectation their data would be safe. Your patient’s information is protected, but not your personal information stored on company equipment through non-patient processes.
If your company doesn’t have an acceptable use policy, it should, for everyone’s sake, to protect the organization’s technology assets—particularly data—as well as personal information of employees. Click here to view an example of a comprehensive acceptable use policy for SANS Institute, a private, for-profit U.S. company. Founded in 1989, SANS, which stands for SysAdmin, Audit, Network, and Security, specializes in providing cybersecurity training.
Moving past education and training to awareness
An underlying purpose of this series has been to encourage you to think differently about technology data—how we use it and how others might use that data if it’s unprotected. We value the new smartphone we just bought because we paid good money for it. It is easy to forget, therefore, that our name and address—already in its phone book—can be used against us. But the internet allows the gathering of “harmless” bits of information that, when aggregated from several sources, can be turned into a wealth of information that allows those pesky bad guys to steal not only our bank accounts and credit card balances but our very identities.
Avoid being the victim of identify theft because it’s a real struggle to resolve. Be aware of bad links in emails from unknown sources. Avoid sites you’ve never heard of or uploading files to sites that don’t provide appropriate security. Once you are aware of traps to avoid, you can start making better decisions about what to do and what not to do—with your personal information, patient information (which has special protection under the law), devices you own, and devices provided by your employer to perform work duties.
If you’re reading this at work
If you’re viewing this on a device owned by your employer, let’s recap a few critical facts. Generally, employers have the right to monitor employee use of the internet— including visits to social networking sites, personal email, and instant messaging—on company-owned computers.
According to statista.com, 81 percent of the U.S. population uses social media in 2017, up 3 percent from 2016 and up 8 percent from 2015. Many employees, contractors, and workforce members post content and make comments on social media sites about their employers, employment status, and workplace issues. Your employer can legally monitor your work computer and activities performed while on the job, and many do. Employers who are concerned about lost productivity, excessive bandwidth usage, viral invasions, dissemination of proprietary or protected information, and liability for sexual and other forms of harassment that take place via email or on the web, see monitoring as an important deterrent for curbing inappropriate internet and computer usage.
As one might expect—and as affirmed by U.S. federal law (Electronic Communications Privacy Act, also known as ECPA)—an employer-provided computer system is the property of the employer. That means employers who provide employees with a computer system and internet access are free to monitor almost everything those employees do when using a company computer. Whether it’s a desktop, laptop, tablet, or smartphone provided for work purposes, expect that your employer is able to monitor it.
And that information you thought you deleted from the company device? That’s probably there, too—and available for your employer to monitor. Even when they appear to be erased, emails and other documents are often permanently backed up to locations only system administrators have access to. So, that nasty email you wrote to your boss but never sent? It may still be there. Think before you type!
When devices are shared, someone else may do the dastardly deed, and you might get the credit. Remember, whether at home or at work, sign out of accounts and devices when you are done using them. If you don’t, the next person to use it may appear to be you. You may be unaware of what they’re doing, but it will look like you did it.
We started this series by saying that “nurses—like CISOs—are becoming more and more the first line of defense against those who wage war on healthcare, its patients, and its employees.” Remember that security is an individual responsibility that operates on the collective level. If you practice security, you increase security for those around you.
Real threats—things that can actually harm you—often give warning signs. When a building burns down, usually very few lives are lost. Why? Because people know what to do when they smell smoke. Most folks know their own environment very well. The cyber world is certainly hard to see and even harder to smell, but the correct response to danger shouldn’t be terror—or worse, ignoring it. The way to prepare for the unexpected is to be aware of the unexpected and to practice for it.
We leave you with an anecdote that sums up some of what we have shared. Today, a web browser is found on almost every device in a hospital. Without it, our jobs would be much more difficult. That was not always the case.
In the mid-1990s, computers with web browsers began to appear in many places around hospitals. The systems they had access to were not integrated, and, for the most part, the computers were dumb terminals. The internet had just begun to develop, and many of the sites were inappropriate even for adults. Hospital administrators were concerned that employees were wasting time and visiting these sites on company time. It’s hard to believe this was among hospitals’ major concerns, but it was. No one had heard of something called “ransomware” in the mid-1990s. So how did administrators deal with the problem? They removed browsers from the terminals and put one computer in the library for all to share.
A young nurse administrator in one hospital, however, recognized the value of a web browser and the internet when appropriately used. She convinced others in the administration to develop and enforce a policy for use of the hospital’s internet-connected technology. It wasn’t long before a review of network traffic revealed that a PC in the residents’ quarters was being used to access inappropriate websites. A review of schedules revealed the wrongdoer, whose termination was well-publicized. The IT department then “wiped” the machine, assuring that generic passwords could no longer be used to access any technology in the organization.
The moral of the story is that the pen (written policies) is still mightier than the sword (technology). Good practices and policies that are appropriately implemented and enforced trump evildoers every time. Don’t be that resident who misuses technology. Be that nurse who positively influences policy and helps put healthcare technology where it belongs—in caregivers’ hands to improve patient care.
Liz Johnson, MS, RN-BC, FAAN, chief information officer, Tenet Healthcare, and board chair of the College of Healthcare Information Management Executives (CHIME), says it perfectly:
“As nurses we are the driving force in caring for, protecting, and communicating to patients. This is an awesome responsibility that provides great pride and joy for our profession, but it is also a responsibility that has now taken on a new dimension as we have moved into a digital world. Throughout this series of articles, David and Ken have provided ‘real life’ tips and tricks for success. Now it is on us.
“Today, as a result of vision, creativity, and innovation focused on patient-centered care, technology enables caregivers to put the patient at the center of everything they do. Whether clinical information is generated at the patient bedside or from within the patient’s home, increasing amounts of data are being captured and shared electronically, greatly enhancing patient safety and clinical outcomes. Regardless of who owns the technology, nurses can once again set the example for following best practice in leading the charge in helping to ensure a safe and secure environment for electronic patient information, no matter where that information is generated, where it travels, and where it is stored.”
David S. Finn, CISA, CISM, CRISC, is health information technology officer for Symantec, a global leader in cybersecurity, and board member of CHIME, The College of Healthcare Information Management Executives. He previously served as chief information officer, vice president of information services, and privacy and security officer for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. Co-author of the recently published The Journey Never Ends: Technology’s Role in Perfecting Health Care Outcomes, Finn has more than 30 years’ experience in planning, managing, and controlling information technology and business processes.
Kenneth W. Dion, PhD, MSN/MBA, RN, founder of Decision Critical Inc., is treasurer of the board of directors of the Honor Society of Nursing, Sigma Theta Tau International. He is past president of the board of trustees of the Foundation of the National Student Nurses' Association and past chair of the board of directors of Sigma Theta Tau International Foundation for Nursing.
Part 1 of series on technology security tips for nurses: Security tips for using personal technology
Part 2 of series on technology security tips for nurses: Security tips for using personal technology at your employer’s site