Part 1 of three-part series on technology security tips for nurses. (Republished from 2017.)
What do a nurse and a chief information security officer (CISO) have in common? (No, this isn’t a new geek joke—or a nurse joke.) As healthcare increasingly has become a target of hackers, cybercriminals, and even nation-states, nurses—like CISOs—are becoming more and more the first line of defense against those who wage war on healthcare, its patients, and its employees.
Since Florence Nightingale and the Crimean War, nurses have been on the front lines of every conflict, regardless of side. Just as nurses have been on the front lines of fighting disease and illness, they are now combatting cybercriminals trying to rob our patients of privacy, personal information, and identities. More than ever, nurses are required to perform a task—provide information security—that falls well outside their job description and for which they receive little training. While the combat role may not be new, the battle is.
Pamela F. Cipriano, PhD, RN, NEA-BC, FAAN, president of the American Nurses Association, observes: “In a world of unbridled electronic communication, the nurse’s responsibility to safeguard privacy and confidentiality of data and information soars. Being vigilant and following best practices along with institutional policies are important to protect our patients, ourselves, and our systems.”
Imagine the internet and everything connected to it as the vector for a new pathogen. You would not just rush into a room where an unknown pathogen has been and start touching and cross-contaminating items. If you did, it might be only once! No, you would approach that room like a forensic pathologist—gowned, gloved, and fully protected. After isolating and decontaminating what could be an infected room, you would begin searching for every source from which the pathogen may have been transmitted.
Before connecting an oxygen line to an outlet in a possibly pathogenic room, you would make sure that both the conduit and the source are free of the suspected pathogen so as not to re-contaminate the room. This is a great way to visualize why—in your battle to protect your patient’s information, your organization’s assets, and, most of all, your own digital life—you need to think of every digital device in a hospital as a potential source of infection.
In this three-part series, we’ll help train and arm you to engage safely in cyberspace, the digital world of computer networks. Whether you are using your own device to connect to your employer’s resources (or someone else’s resources) or using devices that belong to or are managed by someone else—and there are differences—you should pursue safety for all concerned. In Part 1 of the series, we address best practices that should be applied in almost every situation.
General best practices
Let’s start by focusing on state nurse practice acts. Because nurse responsibilities vary from state to state, check with your state’s guidelines to ensure compliance with information security requirements. You should also review Nursing: Scope and Standards of Practice, published by the American Nurses Association.
Observes Cipriano: “Nurses’ ethical practice commands the safeguarding of a patient’s right to privacy and confidentiality including their data and information. By being vigilant and using best practices to secure devices and the flow of information, nurses protect patients and maintain their trust.”
Remember, the internet is an ecosystem much like the one we live in but maybe even more connected. For example, you can visit a restaurant you know well and get a cold from a dirty glass. Chances of getting sick are even greater at restaurants you don’t know much about. Next thing you know, you’ve passed the germs on to others. Substitute “website” for “restaurant” in the above scenarios, and you get the picture for what happens when you visit unreliable digital destinations. So, the next time a glass of water comes your way, look at it carefully and, to reduce the likelihood of contracting an illness, ask for a straw.
In many countries, it seems as if almost everyone has at least one connected mobile device, but, to avoid generalities, let’s look at the U.S. population. According to Pew Research, 45 percent of us own anywhere from two to four connected devices, and 31 percent have five or more. That smartphone in your pocket or purse, or that tablet or laptop that you take almost everywhere, contains a lot of very significant information about you, your family, and your friends, including contact information, photos, locations, and more. You need to protect yourself and your loved ones. Here are a few things you should do so you have peace of mind while enjoying the conveniences of personal technology:
1) As in patient care, clean is good. Keep a clean machine. That means you have current—the most up-to-date available—security software installed and running on any device that connects to the internet. Also, make sure you have the most up-to-date web browser, operating system (iOS, Android, Windows, etc.) and even apps (applications). All of these collect and share data. Unfortunately, vulnerabilities or new threats to these systems are found almost daily. Make sure you check for updates and upgrades, especially those that mention security fixes.
2) If you’re like most of us, you download apps for specific purposes, such as planning a vacation. When you no longer need an app or you’ve lost interest in it, get rid of it. It doesn’t need to go into a “sharps” container, but you should delete it. It is a good security practice to delete all apps you no longer need or use.
3) Under HIPAA rules (that’s a U.S.-relevant acronym for Health Insurance Portability and Accountability Act), you are required to protect your patient’s information. (Something similar may apply in your geographic region.) But who is protecting your information—and your family’s information—when you’re not a patient? Well, the bad news is, it is up to each of us to protect ourselves. The good news is, it doesn’t have to be that difficult. Here are four things you should be doing—the kids and your friends, too—to protect personal information:
- Secure your devices. Use strong passwords, passcodes, or identity tools such as biometric identification (a fingerprint, for example) to lock your devices. Securing your device is one of the best ways to protect your information should your device be lost or stolen, and to keep out prying eyes.
  When it comes to passwords, sharing is not caring. Just as with systems at work, don’t share your password with anyone, including family members. If you must, share it only to accomplish a particular task and then change that password as soon as you can. We’re not saying you shouldn’t trust people, but trust is not a security control. Someone who has your password may accidentally leave the device you are trying to protect on and connected, or may share your password unintentionally. Also, if you are like most people, you reuse passwords; in doing so, you may be giving that person access to systems or information they don’t even know they can reach. And since almost all activity on any account is tracked, anything that happens on that account—good or bad—will be attributed to you.
- Change the way you think about your information. Personal information is like money in today’s world; we must value and protect it. Information about you—the games you play, what you search for online, and where you shop and live—has value, just like money. Be thoughtful about who gets that information and how it’s collected through apps and websites. Think Facebook, Twitter, and all shopping sites. What do you store? What do you share? Pictures are geotagged, so those great pics from the kid’s school party tell the bad guys you’re at school with the kids.
- Don’t take Facebook and Twitter for granted. Remember, only you are protecting your data, so you must own your online presence. Use the security and privacy settings on websites and apps to manage who sees your posts and what is shared about you. And check those settings regularly. Sites change defaults, and sometimes we don’t know it!
- Do you feel as though you’re being ignored? You probably aren’t. Some stores, as well as other locations, “look” for devices that have Wi-Fi or Bluetooth turned on so they can track your movements when you are within range. Disable both when not in use. If you have “location services” turned on—even if you are not using a mapping app—someone can find you. If you must keep Wi-Fi or Bluetooth on (your cellular data service is probably always on anyway) but don’t need mapping or location services for apps such as Waze, Uber, or Maps, turn off location services.
Connect with care
In this age of “meaningful use” and “patient engagement,” many of us are connecting for care—to give or receive it. If you are using your personal device for any work-related activities (or personal, for that matter), you need to connect with care.
Make sure you understand the risk involved with using Wi-Fi “hot spots.” Public wireless networks and hot spots are not secure, which means that anyone can potentially see what you are doing on your laptop or smartphone. Limit what you do on public Wi-Fi, and avoid logging in to accounts such as banking or shopping sites. If you need a more secure connection, consider using a virtual private network (VPN) or personal (mobile) hot spot.
When you are connected to public networks, you may see unexpected text messages, calls, and voicemails from unknown sources. Don’t respond! Fraudulent communications are on the rise. Just as with email, mobile requests for personal data or to take immediate action are almost always scams.
Although one is more likely to think of phones and laptops when considering security, don’t forget other connected things. Fitness-tracking apps and devices, smart watches, children’s toys, even home-based devices such as Echo or Alexa, may be collecting information about you—where you are going and what you are looking at or doing online. We now call this the internet of things, and, like the networking advice we’ve provided above, if you aren’t using it, turn it off. “Always on” is bad for people, and technology that is always on can be dangerous to people, too.
In the next installment, we’ll provide everyday tips for using personal technology at your employer’s site. Be sure to check it out, but only after you’ve followed up on the tips provided in this article and have made a decision to make them habits.
Strong passwords strengthen security: 7 tips for creating and using them
We’ve heard it all before, but most of us still don’t take time to create strong passwords or use necessary precautions to protect them. Here are seven tips—five mandatory and two to consider—to protect your data and add to your peace of mind.
- Never share your password. I do mean never, although I can imagine a situation where doing so could be the most expeditious way to solve a patient care issue. If you absolutely must share a password, change it as soon as possible afterwards.
- Writing a password down and “hiding” it in an obvious place are the same as sharing it. I still find many passwords under keyboards and on the back of monitors. Those handy, pullout writing surfaces are also very popular.
- No well-managed site or business asks for your password. Be wary of emails, sites, or even callers who request your password—for any reason.
- Don’t reuse passwords. Yes, we all have multiple accounts, but the bad guys know that, too. So, if you share that Facebook login, and it also happens to work for your bank account, don’t blame me.
- Use passwords that are easy to remember but hard to guess. When possible, use a mnemonic device that works for you but is unlikely to work for someone else. For example, create a phrase or sentence such as “I got my RN in 2004 from Texas Woman’s,” and then use the initial of each word to create a password, like this: IgmRNin2004fTW. To extend a password’s usefulness to multiple sites, make variants by adding or deleting a couple of unique characters for each one. For some sites, you may want to use the entire phrase.
- Use at least eight characters. Combine a mix of upper-case, lower-case, and special characters, such as -, %, $, #, !, or ?.
- Don’t use dictionary words. If a password you’d like to use is in the dictionary, there is a chance someone will find it by running password-cracking software against, well, the dictionary.
- Consider using strong authentication or multifactor authentication. To prevent unauthorized users from accessing your account via a device not belonging to you, many companies or websites now offer users the option of verifying their identity. The typical method is to send a code via text or other message format to a mobile device registered to you. You then type in that code to verify that the person seeking access is really you. In most cases, you will not be required to use this procedure when logging in from a known device, such as your own computer, tablet, or phone.
- Consider using a password manager. These programs or web services let you create a different, very strong password for each of your sites. But you only have to remember that one password to access the program or secure site that stores your other passwords. Logons for sites you’ve selected can even populate the logon automatically when you “land” on those pages.
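The rules in the list above (at least eight characters, a mix of upper-case, lower-case, and special characters, no dictionary words, no reuse across sites) can be turned into a small checker, and a password manager’s core job (a different random password per site) can be shown alongside it. The code below is an added illustration, not part of the original article or of any product it names; the function names and the tiny word list standing in for a real dictionary are this example’s own constructions.

```python
import re
import secrets
import string

# Constructed stand-in for a real word list (e.g. /usr/share/dict/words);
# a real check would load thousands of words.
DICTIONARY = {
    "password", "welcome", "nurse", "hospital", "florence",
    "texas", "summer", "sunshine",
}

# The article lists -, %, $, #, !, ? as examples; any punctuation counts here.
SPECIALS = set("-%$#!?") | set(string.punctuation)

# Alphabet used when generating manager-style random passwords.
ALPHABET = string.ascii_letters + string.digits + "-%$#!?"


def check_password(pw, dictionary=DICTIONARY, min_length=8):
    """Return the list of rules a password fails; an empty list means it passes.

    Rules follow the article: minimum length, character-class mix, and
    not a dictionary word (also catching the common 'Word123!' pattern).
    """
    failures = []
    if len(pw) < min_length:
        failures.append("too short (< %d characters)" % min_length)
    if not any(c.isupper() for c in pw):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        failures.append("no lower-case letter")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    # Strip leading/trailing digits and punctuation so "Password123!" is
    # still recognised as the dictionary word "password".
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    if pw.lower() in dictionary or core in dictionary:
        failures.append("dictionary word")
    return failures


def generate_password(length=16, rng=secrets):
    """Generate a random password (what a password manager does for each site)
    and keep drawing until it satisfies check_password."""
    while True:
        pw = "".join(rng.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw


def find_reused(site_passwords):
    """Given {site: password}, return {password: [sites]} for every password
    used on more than one site (the 'don't reuse passwords' rule)."""
    by_pw = {}
    for site, pw in site_passwords.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


if __name__ == "__main__":
    # The article's own mnemonic example, with and without a special character.
    for candidate in ("IgmRNin2004fTW", "IgmRNin2004fTW!", "Password123!", "nurse"):
        print(candidate, "->", check_password(candidate) or "passes")
    # Constructed per-site passwords to illustrate the reuse check.
    accounts = {"facebook": "Summer2017!", "bank": "Summer2017!",
                "email": generate_password()}
    print("reused:", find_reused(accounts))
```

Run against the article’s own mnemonic, the checker reports that “IgmRNin2004fTW” meets every rule except the special-character one, and that adding a single punctuation mark satisfies it; “Password123!” is caught as a dictionary word despite its mix of character classes.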
David S. Finn, CISA, CISM, CRISC, is health information technology officer for Symantec, a global leader in cybersecurity, and board member of CHIME, The College of Healthcare Information Management Executives. He previously served as chief information officer, vice president of information services, and privacy and security officer for Texas Children’s Hospital, one of the largest pediatric integrated delivery systems in the United States. Co-author of the recently published The Journey Never Ends: Technology’s Role in Perfecting Health Care Outcomes, Finn has more than 30 years’ experience in planning, managing, and controlling information technology and business processes.
Kenneth W. Dion, PhD, MSN/MBA, RN, is assistant dean for business development and strategic relationships at Johns Hopkins School of Nursing in Baltimore, Maryland, USA. The founder of Decision Critical Inc., Dion serves as treasurer of the board of directors of Sigma Theta Tau International Honor Society of Nursing (Sigma). He is past president of the board of trustees of the Foundation of the National Student Nurses' Association and past chair of the board of directors of Sigma Foundation for Nursing.
Part 2 of series on technology security tips for nurses: Security tips for using personal technology at your employer’s site
Part 3 of series on technology security tips for nurses: Security tips for using your employer’s technology
Editor's note: This article has been reposted because of technical problems with the RNL website when the article was first published on 30 March 2017.