Autumn is here once again, and with it comes Cybersecurity Awareness month. Since cybersecurity is a critical focus for all nurses and other health professionals using technologies in healthcare, this month provides an important reminder for us all. A key aspect of this awareness is to ensure that we support patients using telehealth, mHealth, eHealth and healthcare portals to protect themselves as they use these technologies.
This year, the theme for Cybersecurity Awareness month is “See Yourself in Cyber” which emphasizes the importance of individual people and how they protect themselves as they engage with various technologies. At the most basic level, fundamental precautions can protect people in their day-to-day cyber activities. These include the following guidelines from the US Cybersecurity and Infrastructure Security Agency (CISA):
Encryption of health care or medical data is mandatory because it provides data security: health data are disguised so that unauthorized users cannot read or make sense of them. This is a fundamental requirement for all data within health records, but especially for personal health information (PHI), to protect against malicious attacks and data breaches. All computers and mobile devices used in health care must have data encryption. This includes email and other communication software used to communicate or exchange information.
Most health care organizations have policies in place that require stringent privacy and security measures, including a requirement for encryption of all hardware and devices. “Encryption is vital to protect your patient’s data. You need to make sure that you adequately map out where PHI enters your environment, what happens once PHI enters (and where it is stored) and exits your environment or organization” (Security Metrics, 2015, p.8).
It is important that patients become aware of this need as well, especially if the devices they are using to access their PHI or engage in virtual care are not protected by encryption, firewalls, and antivirus software. Healthcare professionals can help patients to be aware of this and advise them to “Encrypt your data. If you have sensitive data on your mobile device, make sure it’s encrypted. Patient data will then remain secure, even if malware steals it” (Security Metrics, n.d., p.5). It is a responsibility of all health professionals to ensure that their patients are aware of this need to keep their own and their family’s PHI secure. Patients may not be aware of the need for security and privacy – it is part of a health professional’s role to provide education about this.
Although each device is different, nurses can encourage patients to take advantage of built-in encryption features on their phones or tablets. “Most phones have encryption settings you can enable in the security menu. To check if your iOS device is encrypted, go to the settings menu, and then click on “Touch ID & Passcode.” It will prompt you to enter your lock screen code. Then scroll to the bottom of the page where it should say “Data Protection is enabled.”
To encrypt an Android, you must first be sure your device is 80% charged, and unroot your phone before continuing. Once these things are done, go to “Security” and choose “Encrypt Phone.” If you don’t charge your device, unroot it or interrupt the encryption process, you may lose all your data. Encryption can take an hour or more” (Panda Security, 2019, p. 2).
Tablets like an Apple iPad can be easily encrypted as well – for an iPad it is as simple as setting up a passcode on the device. Once the passcode is established, the built-in encryption settings are activated. The longer the passcode (six digits or more), the more powerful the encryption.
Health professionals can also advise patients about security strategies they can use to protect the data they store in apps on their devices. A major aspect of mobile data security is using apps that are secure and that have built-in protections for the information stored in them. Many people use health apps that they can download from the Apple or Google Stores to monitor their own health particulars and to track health behaviors or data progressions such as weight loss or fertility-related data. People also often use wearable devices such as fitness trackers to monitor and track their physical activity, which may include GPS-related data such as location and routes used for running and walking.
Other apps may be used to monitor more physiological data such as pacemaker activity, heart rate, blood pressure, and so on. All in all, apps must meet standards to be recommended to patients. Health professionals can suggest which apps are the best choices: those that keep patient data secure, that afford the best experience for the patient through expert design, and that are API-connected so that data can be shared with health providers if patients so choose. Mobile apps used within practice need stringent measures built in to ensure personal health information (PHI) protection using APIs, encryption, and data capture solutions.
Using mobile and wearable apps can significantly boost communication and understanding between health professionals and patients. When apps are designed according to national standards, they can be very efficient modes for sharing data on a regular basis to support goals, track progress, and keep an eye on conditions that require monitoring.
However, because of the diverse digital technologies now used in healthcare, attacks are escalating, and they can be extremely dangerous. The risk goes beyond a data breach, which is itself very serious: some attackers are very malicious in their intent, and the results of breaching systems that are not encrypted and secured could be dangerous to the patient.
The Office of the National Coordinator for Health Information Technology (ONC, n.d., p. 2) provided the following suggestions to patients when using mobile devices for health:
Nurses can be instrumental in helping patients to adopt these safe practices to promote cybersecurity of their own PHI data and prevent data breaches and intrusions. Keeping cybersecurity awareness strong within all health information interactions for both the patient and the provider is important, and a fundamental aspect of using technology in healthcare, every day and month of the year.
Powered by the HIMSS Foundation and the HIMSS Nursing Informatics Community, the Online Journal of Nursing Informatics is a free, international, peer reviewed publication that is published three times a year and supports all functional areas of nursing informatics.
Cybersecurity and Infrastructure Security Agency (CISA). (2022). Cybersecurity Awareness month (with toolkit). https://www.cisa.gov/cybersecurity-awareness-month
Office of the National Coordinator for Health Information Technology (ONC). (n.d.). Health IT: How to Keep Your Health Information Private and Secure. https://www.healthit.gov/sites/default/files/how_to_keep_your_health_information_private_and_secure.pdf
Panda Security. (2019, March 5). 8 Mobile Security Tips to Keep Your Device Safe. https://www.pandasecurity.com/en/mediacenter/panda-security/mobile-security-tips/
Security Metrics. (2015). Medical Data Encryption 101: Safely encrypt your protected health information. White Paper. https://www.securitymetrics.com/static/resources/orange/medical-data-encryption-101-white-paper.pdf
Security Metrics. (n.d.). 5 Tips for HIPAA compliant mobile devices. White Paper. https://www.securitymetrics.com/static/resources/orange/HIPAA_Compliant_Mobile_Devices_White_paper.pdf