Cybersecurity and Privacy

Supporting Cybersecurity Awareness in October and all Year Long!

Autumn is here once again, and with it comes Cybersecurity Awareness month. Since cybersecurity is a critical focus for all nurses and other health professionals using technologies in healthcare, this month provides an important reminder for us all. A key aspect of this awareness is to ensure that we support patients using telehealth, mHealth, eHealth and healthcare portals to protect themselves as they use these technologies.

This year, the theme for Cybersecurity Awareness month is “See Yourself in Cyber” which emphasizes the importance of individual people and how they protect themselves as they engage with various technologies. At the most basic level, fundamental precautions can protect people in their day-to-day cyber activities. These include the following guidelines from the US Cybersecurity and Infrastructure Security Agency (CISA):

  • Think Before You Click: Recognize and Report Phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
  • Update Your Software: Don't delay -- If you see a software update notification, act promptly. Better yet, turn on automatic updates.
  • Use Strong Passwords: Use passwords that are long, unique, and randomly generated. Use password managers to generate and remember different, complex passwords for each of your accounts. A password manager will encrypt passwords, securing them for you!
  • Enable Multi-Factor Authentication: You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked (CISA, 2022, p.1).

These directives are a great start for helping people protect themselves in their routine technology use, but when technology is used in healthcare, cybersecurity must be optimal. The use of digital technologies in healthcare demands careful attention to the foundational principles of privacy, confidentiality, data ownership and rights, and to the processes that protect these principles within a technological environment.

The Importance of Encryption

Encryption of health care or medical data is mandatory because it provides data security: health data are rendered unreadable so that unauthorized users cannot read or make sense of them. This is a fundamental requirement for all data within health records, and especially for personal health information (PHI), to protect against malicious attacks and data breaches. All computers and mobile devices used in health care must have data encryption. This includes email and any other communication software used to exchange information.

Most health care organizations have stringent privacy and security measures in place, including a requirement that all hardware and devices be encrypted. “Encryption is vital to protect your patient’s data. You need to make sure that you adequately map out where PHI enters your environment, what happens once PHI enters (and where it is stored) and exits your environment or organization” (Security Metrics, 2015, p.8).

It is important that patients become aware of this need as well, especially if the devices they are using to access their PHI or engage in virtual care are not protected by encryption, firewalls, and antivirus software. Healthcare professionals can help patients to be aware of this and advise them to “Encrypt your data. If you have sensitive data on your mobile device, make sure it’s encrypted. Patient data will then remain secure, even if malware steals it” (Security Metrics, n.d., p.5). It is a responsibility of all health professionals to ensure that their patients are aware of this need to keep their own and their family’s PHI secure. Patients may not be aware of the need for security and privacy – it is part of a health professional’s role to provide education about this.

Although each device is different, nurses can encourage patients to take advantage of built-in encryption features on their phones or tablets. “Most phones have encryption settings you can enable in the security menu. To check if your iOS device is encrypted, go to the settings menu, and then click on “Touch ID & Passcode.” It will prompt you to enter your lock screen code. Then scroll to the bottom of the page where it should say “Data Protection is enabled.”

To encrypt an Android, you must first be sure your device is 80% charged, and unroot your phone before continuing. Once these things are done, go to “Security” and choose “Encrypt Phone.” If you don’t charge your device, unroot it or interrupt the encryption process, you may lose all your data. Encryption can take an hour or more” (Panda Security, 2019, p. 2).

Tablets like an Apple iPad can be easily encrypted as well – for an iPad it is as simple as setting up a passcode on the device. Once the passcode is established, the built-in encryption settings are activated. The longer the passcode (six digits or more), the stronger the protection it provides.

Supporting Mobile Data Security

Health professionals can also advise patients about security strategies they can use to protect the data they enter into apps on their devices. A major aspect of mobile data security is using apps that are secure and that have built-in protections for the information stored in them. Many people use health apps downloaded from the Apple or Google stores to monitor their own health particulars, track health behaviors, or follow data progressions such as weight loss or fertility-related data. People also often use wearable devices such as fitness trackers to monitor and track their physical activity, which may include GPS-related data such as location and the routes used for running and walking.

Other apps may be used to monitor more physiological data such as pacemaker activity, heart rate, blood pressure, and so on. All in all, apps must meet standards before they are recommended to patients. Health professionals can suggest which apps are the best choices: those that keep data secure, afford the best experience for the patient through expert design, and are API-connected so that data can be shared with health providers if the patient so chooses. Mobile apps used within practice need stringent measures built in to ensure personal health information (PHI) protection through APIs, encryption, and data capture solutions.

Using mobile and wearable apps can significantly boost communication and understanding between health professionals and patients. When apps are designed according to national standards, they can be very efficient modes for sharing data on a regular basis, supporting goals, tracking progress, and keeping an eye on conditions that require monitoring.

However, with the diverse digital technology now being used in healthcare, attacks are escalating, and they can be extremely dangerous. This goes beyond a data breach, serious as that is: there are real people who may be very malicious in their intent, and the results of breaching systems that are not encrypted and secured could be dangerous to the patient.

The Office of the National Coordinator for Health Information Technology (ONC) (n.d., p. 2) provided the following suggestions to patients using mobile devices for health:

  • Research mobile apps – software programs that perform one or more specific functions – before you download and install any of them. Be sure to use known app websites or trusted sources.
  • Read the terms of service and the privacy notice of the mobile app to verify that the app will perform only the functions you approve.
  • Consider installing or using encryption software for your device. Encryption software is now widely available and increasingly affordable.
  • Install and activate remote wiping and/or remote disabling on your mobile devices. The remote wipe feature allows you to permanently delete data stored on a lost or stolen mobile device. Remote disabling enables you to lock data stored on a lost or stolen mobile device and unlock the data if the device is recovered.

Nurses can be instrumental in helping patients to adopt these safe practices to promote cybersecurity of their own PHI data and prevent data breaches and intrusions. Keeping cybersecurity awareness strong within all health information interactions for both the patient and the provider is important, and a fundamental aspect of using technology in healthcare, every day and month of the year.

Online Journal of Nursing Informatics

Powered by the HIMSS Foundation and the HIMSS Nursing Informatics Community, the Online Journal of Nursing Informatics is a free, international, peer reviewed publication that is published three times a year and supports all functional areas of nursing informatics.

Cybersecurity and Infrastructure Security Agency (CISA). (2022). Cybersecurity Awareness Month (with toolkit). https://www.cisa.gov/cybersecurity-awareness-month

Office of the National Coordinator for Health Information Technology (ONC). (n.d.). Health IT: How to Keep Your Health Information Private and Secure. https://www.healthit.gov/sites/default/files/how_to_keep_your_health_information_private_and_secure.pdf

Panda Security. (2019, March 5). 8 Mobile Security Tips to Keep Your Device Safe. https://www.pandasecurity.com/en/mediacenter/panda-security/mobile-security-tips/

Security Metrics. (2015). Medical Data Encryption 101: Safely encrypt your protected health information. White Paper. https://www.securitymetrics.com/static/resources/orange/medical-data-encryption-101-white-paper.pdf

Security Metrics. (n.d.). 5 Tips for HIPAA compliant mobile devices. White Paper. https://www.securitymetrics.com/static/resources/orange/HIPAA_Compliant_Mobile_Devices_White_paper.pdf