Cybersecurity and Privacy

International Computer Security Day and You

Computer security at home

International Computer Security Day is just around the corner, recognized each year on November 30th. In 1988, the Association for Computer Security launched the first Computer Security Day to raise awareness concerning computer security issues. The essence of this day is to spur everyone to pay attention to their own online privacy and security. In the case of nurses, patient data privacy and security should also be an area of concern.

The increased use of digital and mobile technologies in healthcare are introducing many benefits to both providers and clients. However, they also introduce potential serious risks for invasion by hackers and cyber criminals. It is important that all health organizations embrace security strategies that safeguard protected health information (ePHI). All health professionals must follow the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) in all encounters with protected health information (PIH) of clients and families. This is not only morally or ethically required but also has legal sanctions and repercussions if not followed. Hefty fines can be enforced with willful neglect of the HIPAA directives and compliance is mandatory for all health care organizations and professionals and their business associates who are involved with client PIH. All health care organizations are required to follow stringent rules to achieve HIPAA compliance. 

The HIPAA Security Rule stipulates that security must be applied in three contexts within healthcare: physical, technical and administrative (Figure 1).

Figure 1: The Focus of the HIPPA Security Rule

It is also responsible for all health professionals to ensure that their clients are aware of the need to keep their own and their family’s electronic personal health information (ePHI) secure. Data as common as medical insurance number can be dangerous in the wrong hands. Clients may not be aware of the need for security and privacy – it is part of a health professional’s role to provide education about this.  

Protecting client ePHI is not just about meeting regulation standards. It is also a key part of establishing well-informed value-based, client-centered care by establishing client trust. “When patients trust you and health information technology (health IT) enough to share their health information, you will have a more complete picture of patients’ overall health and together, you and your patient can make more-informed decisions.  

To help cultivate patients’ trust, you should: 

  • “Maintain accurate information in patients’ records.
  • Make sure patients have a way to request electronic access to their medical record and know how to do so.
  • Carefully handle patients’ health information to protect their privacy.
  • Ensure patients’ health information is accessible to authorized representatives when needed” (Office of the National Coordinator for Health Information Technology, 2015, p. 8-9).  

ePHI Protection by Clients 

Health professionals must also be mindful of how data is exchanged with clients when interacting via patient portals, email, or text messaging. It is also important to teach clients how to ensure that they keep their own data private and secure on their own devices.  

Clients should be warned that data breaches could occur via their own mobile devices due to: 

  • Stolen Devices
  • Unsecured Devices
  • Insecure Apps
  • Weak Passwords
  • Malware or Viruses
  • Sharing Devices with Friends and Family
  • Unsecure Wi-Fi 

Clients need to know the basics of securing their mobile devices and how to avoid hackers, viruses, and malware infections. Health professionals can guide clients to consider locking their devices, using strong passwords, and encrypting their devices.  

Encryption of ePHI 

“Unfortunately, the things that health care organizations do to innovate and to drive patient experience, care delivery, and performance improvements are the very things that tend to create cyber risk. Health care’s large volume of high-value data, growing demand for interconnected IT environments, and cybersecurity program immaturity make it an attractive target. IOT-enabled medical devices (implantables, wearables, pacemakers) are also exposed to data security issues—over the last 10 years, there have been numerous incidents revealing the security vulnerabilities of connected devices. Yet, despite increasing attention and investment, many organizations remain unprepared for cyberattacks and other crises” (Deloitte Development2019, p. 25).  

Health care or medical data encryption is mandatory since it provides data security where electronic medical records (EHR) data are disguised so that unauthorized users may not read or make sense of them. This is a fundamental requirement of all data within health records but especially for personal health information (PHI) to protect against malicious attacks and data breaches. All computers and mobile devices used in health care must have data encryption. This includes email and other communication software used to communicate or exchange information. This is law, yet many health organizations, especially smaller practices fall short.  

It can be challenging to stay on top of HIPAA compliance at work due to the sheer busyness of the workplace. When a team is caring for a stream of clients all day long, situations come up when HIPAA may be in jeopardy. Try your hand at the following game to test your knowledge about how health professionals should react within several potentially risky workplace scenarios. 

Take some time to test your knowledge about HIPAA compliance by playing the game from the Office of the Chief Privacy Officer (OCPO) called Privacy & Security Challenge. The first screen you will see is a system check – click on the “Continue” button at the bottom to begin the game. As you move through the three levels notice all the potential situations a health professional could face within day to day practice. 

When finished the game, consider the following:  

  • How did you score on the three levels of the game? Were you surprised by your score? 
  • What aspects of privacy and security did you find easy to address? 
  • Which compliance scenarios were a challenge for you to address? Why? 
  • Did these scenarios seem like situations that you might experience in your practice? How? 

GAME:   Office of the Chief Privacy Officer (OCPO). (2019). Privacy & Security Challenge (Training Game). The Office of the National Coordinator for Health Information Technology (ONC).  https://www.healthit.gov/sites/default/files/cybersecure/sysPreCheck.htm

Nurses need to be aware of and practice privacy and security measures consistently and extensively in every practice encounter. Observing the principles of privacy and security not only meet national law and guidelines, but also protects our clients and organizations from serious data breaches.

The views and opinions expressed in this blog or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.

Online Journal of Nursing Informatics

Powered by the HIMSS Foundation and the HIMSS Nursing Informatics Community, the Online Journal of Nursing Informatics is a free, international, peer reviewed publication that is published three times a year and supports all functional areas of nursing informatics.

Read the Latest Edition

Deloitte Development (2019). 2019 Global health care outlook: Shaping the futurehttps://www2.deloitte.com/content/dam/Deloitte/global/Documents/Life-Sciences-Health-Care/gx-lshc-hc-outlook-2019.pdf 
Office for Civil Rights (OCR). (2017). HIPAA for Professionals. Washington, DC: U.S. Department of Health and Human Services (HHS). Retrieved from https://www.hhs.gov/hipaa/for-professionals/index.html 
Office of the Chief Privacy Officer (OCPO). (2019). Privacy & Security Challenge (Training Game). The Office of the National Coordinator for Health Information Technology (ONC).  https://www.healthit.gov/sites/default/files/cybersecure/sysPreCheck.htm
The Office of the National Coordinator for Health Information Technology. (2015). Guide to Privacy and Security of Electronic Health Information. U.S. Department of Health and Human Services. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf