According to McBride & Tietze (2019) there are three areas that precipitate security threats, and they are human, software, and hardware. Software and hardware threats are relatively predictable and include a wide range of issues (McBride & Tietze, 2019). The human threat is the least predictable. Human threats include the obvious malicious attacks but also include third-party partners with lax security protocols (McBride & Tietze, 2019). In my practice, I can make sure that software and hardware threats are minimal. I can achieve this by keeping software and hardware up-to-date, educating on malware, and ensuring devices are properly secured. In terms of the human threat, I can work to ensure third-party providers are thoroughly vetted and maintain the same (or better) security standards as my practice. Currently, we use Samsung devices for the majority of our field staff, which require passcodes to enter the device and additional passcodes to enter our EHR and secure text messaging system. Our email is encrypted and we are notified of any external emails in the title of the email. Our protocol for lost or stolen devices is to complete a formal write-up along with a police report. Some field staff also have laptops that require two-step authentication to enter our encrypted desktop. Our security team routinely sends reminders about phishing emails, including what they look like and how to report them. Field staff are reminded to update software weekly on Wednesdays, as our EHR sends out patches on Tuesday nights. These are a few current items we use to mitigate HIT security threats.
McBride, S., & Tietze, M. (2019). Nursing informatics for the advanced practice nurse: Patient safety, quality, outcomes, and interprofessionalism (2nd ed.). Springer Publishing Company.
Very interesting hearing that your facility uses such high-end and expensive technology, and hearing about the procedure for if those devices go missing. My hospital has Spectralinks for communication, which is the hospital version of a Nokia. Though it is very interesting to hear about our similarities in the two-step authentication process if accessing things at home. Surprisingly, my hospital just implemented that two-step authentication within the past year. I also agree with your idea of thorough vetting to improve security standards against human threats. Though I think sometimes there are some people who look great on paper but don’t have honest intentions, which is where your software security comes into play with dual authentication. I think that a technology that might impact the plans to mitigate the software updates might be the increasing spyware and hacking with identity theft. Though it is awesome to hear that you have software updates weekly to ensure your systems have the best security. Since I don’t have any background with devices like the Samsung, have you noticed anything through use that might be more helpful and practical in your use regarding patient safety and information safety? Thanks so much for sharing!
Hello Jenn, I agree with how you mentioned you would keep software up to date to prevent security threats from occurring in your practice. I believe a key aspect to keeping security threats at bay is ensuring your software is up to date and installing any malware security programs on devices. My plans differ from yours in that I aim to provide staff training on how to properly prevent inputting incorrect patient information. Another alternative I would think to add to your current plan is installing security software to prevent any cyber-attacks on your programming. Many organizations adopt security software that can alert staff of a possible security threat. Do you believe the two-step authentication poses a barrier for staff that are working from home or may not have access to a second method of authentication? Many of my co-workers find the two-step authentication exhausting when needing to log in quickly. Do you believe there may be a better alternative to a two-step authentication for staff? I think an alternative of the future would be finger touch authentication. Similar to what smartphones have (iPhone), staff may be able to log in using their fingerprint.
Thanks for sharing, Jenn. Our protocols are mainly the same in that our tech team updates our EHR weekly and we have monthly downtime for upgrades and to back up the system. The facility where I am employed also has two-step authentication passwords for emails. I agree with your tactics to keep your facility safe from cyber malware and trojans, including using phishing reminders and keeping passwords secure. Also, I would like to add changing the password every ninety days, not sharing the password, and logging off of the computer when we are not actively using it; that way no one can just walk up and use your computer or obtain information from it if or when you walk away from it. Good job with data security.
You had a very well thought out discussion. It seems as though your place of employment tries very hard to anticipate the security threats on HIT systems. As far as the third-party vendor, it looks like they are also very reliable in encrypting and securing information to make sure there is no breach in security. It is much more involved than the system that my employer has, as we do not use a third-party system. We just scan for phishing emails and have our passcodes to be able to access the charting system. However, the passcodes and pins have to be changed every 4 months, so it does add some level of security. For employees that do not perform anything on the administrative level, we do not have access to or get any sort of laptop or phone to use off the premises of the clinics. This becomes very bothersome at times due to the fact that if we have certain emails or education that we want to view or work on outside of work hours, we are unable. Yet this does lock down security more because we would never have any lost or stolen items that we are responsible for due to not having anything in the first place, and never having outside access to any servers or patient information. I feel as though your place of work has the highest level of security that it can, and is continually improving measures to keep the EHR and patient information protected. I don’t really have any suggestions to improve it further that would have much more of a beneficial effect, as if it becomes too tight it could inhibit workflow. I might offer that any laptops that go home with employees also have a tracking device so that they could never really get lost, but that could also be overstepping employee privacy in a way. While my job is much more simplified in its security measures, I think it is fairly secure and doesn’t have to be as complex given the nature of our clinics.
However, should anything ever get hacked or breached, there are only two people (the facility administrator and assistant administrator) that eyes would be on, as they have the overall access, making it much easier to find where a problem would occur as there are far fewer places to look. Even our physicians can only access and log into the system at each clinic. While this is not ideal for them because they have to drive to each individual location, it does force them to see patients face to face several times throughout the week, which I feel promotes a better patient care relationship.
Anyways, great work!
I share the same ideas you currently use in protecting patients from threats. The threat of hardware and software may be predictable, but some cases are not predictable, as prediction relies on prior knowledge of possible attacks and failure or inability to mitigate.
Human threats are not very predictable and may be more puzzling to handle. Updating software at the workplace as well as on personal devices and installing efficient malware aids in securing devices (Abdullahi et al., 2021). Interaction with third parties requires high-level security mitigation. The application of different levels of security, including passcodes and secure text messaging on verification of persons, further ensures better security. Data encryption and reporting procedures to track and disable stolen devices also ensure better security for portable devices. Phishing and spamming are common in emails, especially corporate ones, and constant warnings and reminders not to open all emails and to report suspicious emails also help in preventing attacks (Shrivastava et al., 2021). Cloud technology makes data and information security more interesting.
Abdullahi, I., Dehling, T., Kluge, F., Geck, J., Sunyaev, A., & Eskofier, B. (2021). Security engineering of patient-centered health care information systems in peer-to-peer environments: Systematic review. Journal of Medical Internet Research, 23(11), e24460. https://doi.org/10.2196/24460
Shrivastava, U., Song, J., Han, B. T., & Dietzman, D. (2021). Do data security measures, privacy regulations, and communication standards impact the interoperability of patient health information? A cross-country investigation. International Journal of Medical Informatics, 148, 104401. https://doi.org/10.1016/j.ijmedinf.2021.104401
I agree that thoroughly vetting third-party security systems prior to engaging them in your patient care EHR is necessary. My facility also does this to avoid phishing and cyber trojans from infiltrating the EHR. When you discuss filing police reports with lost or stolen devices, that differs from my current healthcare system security. Instead of filing police reports, we simply report the device as stolen and the cybersecurity team at the hospital does a sweep of current active devices to reboot the system and prevent bugs from spreading. We also have a system in place for two-factor authentication to ensure that people engaging in electronic patient care are actual healthcare members. Your discussion post offered many similar suggestions to what I would propose to the hospital. However, I would like to note that you mention keeping systems up-to-date, but that requires frequent upgrades to security systems, system reboots, as well as changes to everyday charting in the EHR. I believe the need to continue to upgrade systems leaves HIT vulnerable for malware and other unwanted cyber threats to leak in. Instead of encouraging hardware to remain up-to-date, you could suggest third-party security tests that are scheduled throughout the year. Instead of choosing to update a system, reinforce what is already present with HIT. By offering frequent security sweeps using a reliable system, we can reduce the number of security threats without providing the opportunity for threats to enter the EHR either by human or software route. One example of an emerging technology system that could be employed for security sweeps on pre-existing software might be Aura, introduced to the market in 2019 (Datanyze, n.d.).
Datanyze. (n.d.). Aura company profile: Management and employees list. Datanyze. Retrieved April 12, 2022, from https://www.datanyze.com/companies/aura/472889248
Security threats can be alarming for any organization. For healthcare entities, this is especially true due to the nature of the information collected and stored. The advent of EMR/EHR systems is a double-edged sword. Data can be stored and accessed by medical professionals more easily, and patients are given more autonomy over their health data, but the data can also be vulnerable to hackers and data breaches (McBride & Tietze, 2018). These threats can often be mitigated by proper security training, procedures, and protocols. Significant security measures need to be in place to protect health information as well as to help prevent erroneous orders and fraud (Vinaykumar et al., 2019). The EMR system is not the only vulnerable technology within healthcare entities.
According to McBride and Tietze (2018), additional technologies can be targeted through things like trojans, malware, viruses, etc. These threats are typically sent via email from outside untrusted sources that might look like they come from within the company. Once access has been gained, unauthorized users can take over the computer, gain access to protected information, and even steal passwords. Our company has an automatic scan of any email with an attachment that delays the recipient from opening a potentially harmful attachment. At times, this can be cumbersome, but a slight delay is better than a system-wide breach.
Factors that contribute to security threats are vast and evolving rapidly. Some are easy to troubleshoot and safeguard against: limiting access to computers with EMR accessibility, password protection, and two-factor authentication are some of the easier implementations against security threats (Chen et al., 2020). These can be done at the organization level with input from shareholders, IT, and end-users. Other threats are harder to protect against and not as easy to find. Making sure only clinical personnel can access HIT is an important and often late consideration (McBride & Tietze, 2018). This can separate the protected data from those who shouldn’t have it. This has been a growing concern in hospitals near and around LA due to the celebrities that might be brought in. During my clinical rotations in nursing school, we all had to sign additional NDA forms and be restricted to patients on our floors only to combat the release of protected health information.
Our practice utilizes block-chain EMRs for ease of use. This is a universal practice for our EMR system and helps to pull data in from participating partners. Our organization helps to safeguard against some threats by adding layers to the data that can be accessed (Vinaykumar et al., 2019). One of these layers is consent: each patient needs to authorize us to view their outside health information. Another is a read-only feature for outside reconciled information, and a third is the safe storage of any consolidated health information.
Chen, C. L., Huang, P. T., Deng, Y. Y., Chen, H. C., & Wang, Y. C. (2020). A secure electronic medical record authorization system for smart device application in cloud computing environments. Human-centric Computing and Information Sciences, 10(1), 1-31.
McBride, S., & Tietze, M. (2018). Nursing informatics for the advanced practice nurse (2nd ed.). New York: Springer Publishing Company. ISBN: 9780826140456
Vinaykumar, S., Zhang, C., & Shahriar, H. (2019). Security and privacy of electronic medical records. SAIS 2019 Proceedings, 29, 1-6.