Cybercrime has become an increasing concern for consumers in the United States and internationally. In recent years, cybercrimes in the healthcare industry have drastically increased in type, impact, and frequency. These attacks have negatively impacted patient privacy, the ability of providers to deliver care, and the security of healthcare organizations. Nurses are uniquely positioned to help protect against and report cybercrimes because they are one of the largest employed populations in the healthcare industry and they are on the front line of patient care and healthcare technology use. This article discusses the main concerns of cybersecurity in healthcare, the nurse's role in preventing and managing cyberthreats, and recommendations for nurses, educators, and regulators.
Cybersecurity involves protecting information by preventing, detecting, and responding to cyberattacks (Cybersecurity and Infrastructure Security Agency, 2009). Despite highly advanced technical safeguards such as audit logging, authentication, authorization, and data privacy measures such as encryption, human error can still cause security breaches; thus, cybersecurity remains a high priority (McDermott, Kamerer, & Birk, 2019). Mistakes by healthcare personnel, which often result from a lack of knowledge and education regarding cybersecurity, can be reduced through education and proper training (Wanyonyi, Rodrigues, Abeka, & Ogara, 2017). In 2017, nurses comprised the largest percentage of healthcare workers in the nation, with more than 2.9 million nurses working in hospitals (Carlson, 2017). For this reason, nurses must be properly trained to recognize, assess, and report cybersecurity threats within their organization as part of the informatics and healthcare technologies curriculum. The widespread use of electronic health records (EHRs), healthcare information system networks, wireless and cloud information transactions, and technology-based equipment presents challenges for nurses managing technology in their daily job functions. As frontline users, nurses also play a vital role in securing protected health information (PHI) and the information of multiple stakeholders, including patients, colleagues, healthcare organizations, and nurses themselves.
Healthcare cybercrime has become increasingly widespread. Cyberattacks are an international threat to patient care and safety and cross all healthcare settings. In a study by Luna, Rhine, Myhra, Sullivan, and Kruse (2016), 94% of healthcare agencies reported internal and external cyberattacks on patient data. The security of EHRs and the maintenance of personal health information privacy are critical priorities for all healthcare agencies (Jilka, Callahan, Sevdalis, Mayer, & Darzi, 2015). Cyberthreats may come from internal sources, such as disgruntled employees or employees who lack proper cybersecurity training, or from external attackers, also known as hackers. Both internal and external cyberthreats are of concern to anyone who has access to an EHR, especially nurses, who access information repeatedly during their workday and may be unaware of how their actions affect the safety of patient information.
The repercussions of these attacks can become a financial and personal nightmare for patients and families. In 2013, it was estimated that Americans spent $12 billion to deal with the consequences of their compromised medical files (Luna et al., 2016). Consequences of compromised patient health information include theft, fraud, and abuse. Of note, a medical record is far more valuable than a social security number alone on the black market because it bundles a large amount of additional information that can also be exploited, including social security numbers, personal identifiers, health information, and insurance and payment details (Luna et al., 2016; McDermott et al., 2019).
In 2015, healthcare agencies were victimized more than 187 times, compromising the PHI of 84 million patients (McCarthy, 2015). Cybercriminals can cripple a healthcare organization by hacking into systems, deploying malware and ransomware, and stealing data. Compromised EHRs may cause serious harm to patients by interrupting treatment, which can lead to injury or death. Identity theft and data tampering may also impose astronomical personal costs on patients and healthcare personnel in the form of credit fraud, legal fees, and overdraft charges, as well as the emotional toll and stress of dealing with these repercussions.
Given the prevalence of healthcare technology and informatics use in nursing practice, the American Association of Colleges of Nursing (AACN) recognized the need to integrate informatics curriculum into nursing degree programs. The AACN Essentials of Master's Education in Nursing (AACN, 2011) and the Essentials of Baccalaureate Education for Professional Nursing Practice (AACN, 2008) direct curricula for nursing degree programs related to informatics and healthcare technologies. These Essentials recognize technology as critical to the delivery of patient care by nurses and require programs to address these concepts in their curricula. The AACN further recognizes "that the master's-prepared nurse uses patient-care technologies to deliver and enhance care and uses communication technologies to integrate and coordinate care" (AACN, 2011, p. 5). As frontline workers, nurses are accountable for using technology effectively, safely, and efficiently. This accountability should include competency in maintaining the security of sensitive data related to patient information and the care nurses provide.
In 2012, the National Council of State Boards of Nursing (NCSBN) developed guidelines for social media use (Spector & Kappel, 2012) in recognition of the rapidly changing "user-generated" technology environment that may affect patient care and PHI. The NCSBN expects prelicensure nurses to apply concepts of information technology to nursing practice and included this as an element of the management of care category in the 2016 NCLEX test blueprint. This category may include security plans, safe use of equipment, and reporting of incidents, errors, or variances (NCSBN, 2015). The NCSBN also recognized emerging nursing informatics issues as key elements in the transition to practice for new nurses entering the profession in a dedicated Transition to Practice module (NCSBN, n.d.). While these are important first steps in response to the rapidly changing technologies used by nurses, regulatory boards have not addressed threats to the security of EHRs: the learning objectives do not include any concept related to cybersecurity in relation to EHRs, PHI, or nursing informatics.
In addition, despite the need to integrate this content into nursing degree programs, efforts to properly educate nurses on their role in cybersecurity have faltered. The rate of healthcare security breaches rises each year, and healthcare accounts for 21% of all cybersecurity breaches worldwide (Heald, 2016). Quality and Safety Education for Nurses (QSEN) calls for nurses to meet a minimal competency in informatics to safely and effectively provide patient care. The competency relates to nurses' involvement in the design, implementation, use, and evaluation of healthcare technology in patient care (Hunt, 2012). However, it does not specify where maintaining security intersects with the concepts of informatics in nursing roles or education. Both novice and experienced nurses struggle with learning how to use the technology and have little knowledge of how their use of it may affect patient safety.
This article summarizes areas of cybersecurity that directly relate to the role of the nurse and provides recommendations for curricular inclusion of measures to prevent or respond to a cyberattack and mitigate the harm to patients and healthcare organizations. In addition, recommendations are provided for regulatory boards to consider including cybersecurity training as continuing education (CE) for license application and renewal.
PubMed (Medline), Cumulative Index of Nursing and Allied Health Literature (CINAHL), and ProQuest databases were used to conduct literature searches related to cybersecurity threats in healthcare and cybersecurity education in nursing programs with various inclusion and exclusion criteria. Search criteria were limited to blinded, peer-reviewed scholarly articles published in English after 2010.
Key terms used in the search were (a) electronic health record security, (b) cybersecurity in healthcare, (c) security informatics, (d) electronic medical record security, (e) nursing cybersecurity, (f) nursing education informatics, (g) nursing cyber security human factors, and (h) private health information security. The search yielded an initial sample of 70 articles. Each article was screened by the authors for threats to cybersecurity that were specific to EHR and nursing. Because little research has been conducted on this subject, we also included informational articles and position papers. Twenty-five papers were reviewed by the research team to determine the top threats to cybersecurity in healthcare and the literature-based recommendations to address or prevent cyberthreats related to nursing education and professional role. From these findings, the most common cyberthreats and recommendations for nurses to prevent or address them were identified. Next, a review was conducted of each state’s board of nursing to identify states requiring CE related to informatics or cybersecurity considerations in nursing practice.
The growing number of security threats in healthcare, particularly against EHRs, has led to concerns regarding the security of personal and financial information (Seckman, 2018). Achieving information security is an essential topic in nursing informatics (Banerjee, Rao, Tamakuwala, & Koru, 2018). However, most of the literature on cybersecurity in the healthcare market lacks nursing-specific practice considerations. The articles reviewed revealed trends and deficiencies across healthcare systems and were analyzed to identify their correlation to professional standards and practice implications for nurses. Much emphasis has been placed on using EHR systems, integrating medical records and data collection into the nursing procedures of delivering care, and managing informatics as part of the nursing role. However, outside of hospital-based education, little education exists for nurses on the need to protect EHR systems and patient PHI from cyberthreats.
The U.S. Department of Health and Human Services (HHS) defines a cyberthreat as something that causes, or has the potential to cause, unauthorized disclosure, unavailability, alteration, or destruction of an asset (HHS, 2018, 2019). Cyberthreats include the compromise of patient information, the inability to access information systems vital to the job functions of nurses and other providers, and the destruction of system or patient information. Top areas for cybercrime within healthcare were identified as (a) physical threats, (b) portable devices, (c) internal users, (d) technical threats, and (e) administrative threats (McDermott et al., 2019). Although many technological safety features are available to prevent and safeguard against cyberattacks or threats, the human factor remained one of the most prevalent areas of concern in the literature, including the role of the healthcare worker, especially the nurse, in maintaining EHR safety (McDermott et al., 2019).
Physical threats occur when nonelectronic records are lost, accidentally discarded, or stolen. Actions such as leaving a workstation unsecured or improperly filing or disposing of documents may be unintentional; however, they present serious concerns regarding the safety and protection of a patient’s PHI.
According to Blanke and McGrady (2016), portable device breaches accounted for the highest number of reported incidents, and such devices remain especially vulnerable to cyberattack. Lost, stolen, or unattended devices such as cell phones, laptops, and other mobile equipment contribute to this type of cyberthreat (Namoglu & Ulgen, 2013).
Because it is difficult to control the decisions and actions of employees, EHR internal users remain one of the weakest links in safeguarding patient PHI (Parikh, 2018). Healthcare workers who intentionally delete, change, or misuse data, as well as those who intentionally violate computer safety protocols within the organization, contribute to insider cyberattacks (HHS, 2019).
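The control that catches the insider misuse described above is review of the EHR access audit log, which the technical safeguards discussed earlier already produce. The following Python is an added example, not code from the article or from any EHR vendor; the log lines, the field layout, the ten-minute window, the five-chart threshold, and the assumption that an ADMIN role may legitimately open charts on any unit are all constructed for illustration. It flags two patterns a nursing informatics reviewer would want surfaced: a chart opened on a unit the user is not assigned to, and a burst of distinct charts opened by one user in a short window (snooping or bulk export).

```python
"""Review constructed EHR access audit-log lines for two insider-misuse
patterns: off-unit chart access and bursts of distinct chart access.
Added example; log lines, fields and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). Fields:
# timestamp, user, user_unit, action, patient_id, patient_unit
AUDIT_LOG = """\
2024-03-01T08:02:10 rn_smith ICU VIEW P1001 ICU
2024-03-01T08:05:44 rn_smith ICU EDIT P1001 ICU
2024-03-01T08:20:01 rn_jones MED VIEW P2001 MED
2024-03-01T12:31:00 rn_jones MED VIEW P1002 ICU
2024-03-01T22:10:05 clerk_lee ADMIN VIEW P3001 ED
2024-03-01T22:10:20 clerk_lee ADMIN VIEW P3002 ED
2024-03-01T22:10:41 clerk_lee ADMIN VIEW P3003 ED
2024-03-01T22:11:03 clerk_lee ADMIN VIEW P3004 ED
2024-03-01T22:11:30 clerk_lee ADMIN VIEW P3005 ED
2024-03-01T22:12:15 clerk_lee ADMIN VIEW P3006 ED
"""

BURST_THRESHOLD = 5                  # distinct charts within BURST_WINDOW (assumed)
BURST_WINDOW = timedelta(minutes=10)  # assumed review window
CROSS_UNIT_UNITS = {"ADMIN"}          # assumed roles allowed to open charts on any unit


def parse_log(text):
    """Parse the whitespace-separated log into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, unit, action, patient, patient_unit = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "unit": unit,
                       "action": action, "patient": patient, "patient_unit": patient_unit})
    return sorted(events, key=lambda e: e["ts"])


def off_unit_access(events):
    """Chart opened on a unit the user is not assigned to. A nurse normally
    has no treatment relationship with such a patient, so it needs review."""
    return [e for e in events
            if e["unit"] != e["patient_unit"] and e["unit"] not in CROSS_UNIT_UNITS]


def burst_access(events):
    """Sliding window per user: flag >= BURST_THRESHOLD distinct charts within
    BURST_WINDOW. Returns {user: max distinct charts seen in any window}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        window = []
        for e in evs:
            window.append(e)
            # drop events older than the window relative to the newest event
            window = [w for w in window if e["ts"] - w["ts"] <= BURST_WINDOW]
            distinct = len({w["patient"] for w in window})
            if distinct >= BURST_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged


def review(text):
    """Run both checks and return findings for a reviewer."""
    events = parse_log(text)
    return {"off_unit": [(e["user"], e["patient"], e["patient_unit"])
                         for e in off_unit_access(events)],
            "bursts": burst_access(events)}


if __name__ == "__main__":
    print(review(AUDIT_LOG))
```

Note that the role exemption applies only to the off-unit rule: the ADMIN user is not reported for opening emergency department charts, but is still reported for opening six distinct charts in two minutes, because an exemption for one check should never silence the others.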
Technical threats aim to extract a patient's secure health information, often by tricking the user into providing passwords or other personal information (HHS, 2019). They include social engineering techniques such as phishing and spoofing, as well as malware such as ransomware, and they frequently result in identity theft. Phishing uses a fraudulent message, typically an e-mail, that appears to come from a trusted source to entice the user to click a link, open an attachment, or enter credentials; spoofing refers to forging a sender address or creating a fake website that appears legitimate so that the user enters personal information such as passwords.
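The phishing and spoofing indicators described above can be checked mechanically before a user acts on a message. The following Python is an added example, not code from the article or from any mail product; the organization's domains (hospital.example, ehr.hospital.example), the homoglyph table, and the sample message are all constructed. It reports a link whose domain is a lookalike of a trusted domain, a link that embeds a trusted name inside an untrusted domain, and a From: header whose display name claims the organization while the sending domain does not belong to it.

```python
"""Flag phishing and spoofing indicators in an e-mail: lookalike link
domains, trusted names embedded in untrusted domains, and a display name
that claims the organization while the sender domain does not.
Added example; the domains and the message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domains of the organization (placeholders).
TRUSTED_DOMAINS = {"hospital.example", "ehr.hospital.example"}


def registered_domain(host):
    """Approximate the registrable domain as the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


TRUSTED_REGISTERED = {registered_domain(d) for d in TRUSTED_DOMAINS}
TRUSTED_NAMES = {d.split(".")[0] for d in TRUSTED_DOMAINS}  # "hospital", "ehr"

# Characters attackers substitute to build lookalikes such as hospita1.example
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_host(host):
    """Undo common homoglyph substitutions so lookalikes compare equal."""
    host = host.lower().translate(HOMOGLYPHS)
    return host.replace("rn", "m").replace("vv", "w")


def classify_host(host):
    host = host.lower()
    if registered_domain(host) in TRUSTED_REGISTERED:
        return "trusted"
    if registered_domain(normalize_host(host)) in TRUSTED_REGISTERED:
        return "lookalike domain"
    if set(host.split(".")) & TRUSTED_NAMES:
        return "trusted name inside untrusted domain"
    return "external"


def classify_link(url):
    return classify_host(urlparse(url).hostname or "")


def classify_sender(from_header):
    """Spoofing check: the display name claims a trusted name, or the address
    domain is a lookalike, while the real sending domain is not trusted."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1]
    verdict = classify_host(domain)
    if verdict == "trusted":
        return "trusted sender"
    claimed = set(re.findall(r"[a-z]+", name.lower())) & TRUSTED_NAMES
    if claimed:
        return f"suspicious: display name claims '{', '.join(sorted(claimed))}' but sender domain is {domain}"
    if verdict != "external":
        return f"suspicious: sender domain is a {verdict} ({domain})"
    return "external sender"


URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed phishing message (not a real e-mail).
SAMPLE_MESSAGE = """\
From: "Hospital IT Help Desk" <helpdesk@hospita1-support.test>
To: nurse@hospital.example
Subject: Password expiring today

Your EHR password expires today. Sign in at https://ehr.hospita1.example/login
to keep access. Our policy is at https://hospital.example/policy
"""


def scan_message(raw):
    """Return the sender verdict and every non-trusted link with its verdict."""
    msg = message_from_string(raw)
    links = [(u, classify_link(u)) for u in URL_RE.findall(msg.get_payload())]
    return {"sender": classify_sender(msg.get("From", "")),
            "links": [(u, v) for u, v in links if v != "trusted"]}


if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))
```

The two-label approximation of the registrable domain and the small homoglyph table are deliberate simplifications; a production filter would use a public suffix list and a fuller confusables table, but the shape of the check, compare the claimed identity against the real domain after normalization, is the same.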
Administrative threats are breakdowns in the protocols, policies, and procedures governing the daily operation of an EHR. Security policy breaches and improper staff training leave healthcare agencies open to cyberattack.
As EHR use has proliferated in the United States, additional education on the prevention of cyberthreats has become imperative at the hospital level and, in turn, arguably at the academic and regulatory levels. While nurses are not expected to understand the code bases or system implementation aspects of cybersecurity, they are able to prevent and respond appropriately to cyberattacks as part of their role and professional responsibilities. Table 1 provides recommendations for nurses to safeguard patient PHI through increased cybersecurity awareness, organized by the categories of threats identified in the literature.