In addition to complying with federal HIPAA and HITECH guidelines regarding the privacy of patient information, healthcare systems need to be vigilant in the way that they secure information and manage network security. Mowry and Oakes (n.d.) discuss the vulnerability of electronic health records to data breaches. They suggest that as many as 77 persons could view a patient’s record during a hospital stay. It is critical for information technology (IT) policies and procedures to ensure appropriate access by clinicians and to protect private information from inappropriate access. However, authentication procedures can be cumbersome and time consuming, thus reducing clinician performance efficiency.

Physicians spend on average 7 minutes per patient encounter, with nearly 2 minutes of that time being devoted to managing logins and application navigation. Likewise, an average major healthcare provider must deal with more than 150 applications—most requiring different user names and passwords—making it difficult for caregivers to navigate and receive contextual information. Healthcare organizations must strike the right balance, in terms of simplifying access to core clinical datasets while maximizing the time providers can interact with patients without jeopardizing data integrity and security (Mowry & Oakes, n.d., para. 7).

This chapter explores use of information and processes for securing information in a health system computer network.

Securing Network Information

Typically, a healthcare organization has computers linked together to facilitate communication and operations within and outside the facility. This is commonly referred to as a network . The linking of computers together and to the outside world creates the possibility of a breach of network security and exposes the information to unauthorized use. With the advent of smart devices, managing all of these risks has become a nightmare for some institutions’ security processes. In the past, stationary devices or computers resided within healthcare facilities. Today, smart devices travel in and out of healthcare organizations with patients, family members, and other visitors, as well as employees—both staff and healthcare providers alike. According to Sullivan ( 2012 ), “Even as they promise better health and easier care delivery, wireless medical devices (MDs) carry significant security risks. And the situation is only getting trickier as more and more MDs come with commercial operating systems that are both Internet-connected and susceptible to attack” (para. 1).

The three main areas of secure network information are (1) confidentiality , (2) availability, and (3) integrity . An organization must follow a well-defined policy to ensure that private health information remains appropriately confidential. The confidentiality policy should clearly define which data are confidential and how those data should be handled. Employees also need to understand the procedures for releasing confidential information outside the organization or to others within the organization and know which procedures to follow if confidential information is accidentally or intentionally released without authorization. In addition, the organization’s confidentiality policy should contain consideration for elements as basic as the placement of monitors so that information cannot be read by passersby. Shoulder surfing , or watching over someone’s back as that person is working, is still a major way that confidentiality is compromised.

Availability refers to network information being accessible when needed. This area of the policy tends to be much more technical in nature. An accessibility policy covers issues associated with protecting the key hardware elements of the computer network and the procedures to follow in case of a major electric outage or Internet outage. Food and drinks spilled onto keyboards of computer units, dropping or jarring hardware, and electrical surges or static charges are all examples of ways that the hardware elements of a computer network may be damaged. In the case of an electrical outage or a weather-related disaster, the network administrator must have clear plans for data backup, storage, and retrieval. There must also be clear procedures and alternative methods of ensuring that care delivery remains largely uninterrupted.

Another way organizations protect the availability of their networks is to institute an acceptable use policy. Elements covered in such policy could include which types of activities are acceptable on the corporate network. For example, are employees permitted to download music at work? Restricting downloads is a very common way for organizations to prevent viruses and other malicious code from entering their networks. The policy should also clearly define which activities are not acceptable and identify the consequences for violations.

The last area of information security is integrity. Employees need to have confidence that the information they are reading is true. To accomplish this, organizations need clear policies to clarify how data are actually inputted, determine who has the authorization to change such data, and track how and when data are changed. All three of these areas use authorization and authentication to enforce the corporate policies. Access to networks can easily be grouped into areas of authorization (e.g., users can be grouped by job title). For example, anyone with the job title of “floor supervisor” might be authorized to change the hours worked by an employee, whereas an employee with the title of “patient care assistant” cannot make such changes.

Authentication of Users

Authentication of employees is also used by organizations in their security policies. The most common ways to authenticate rely on something the user knows, something the user has, or something the user is ( Figure 12-1 ).

A © Photos.com

C © Gary James Calder/Shutterstock

Figure 12-1 Ways to Authenticate Users

A. An ID badge, B. Examples of weak and strong passwords, C. A finger on a biometric scanner.

Something a user knows is a password . Most organizations today enforce a strong password policy, because free software available on the Internet can break a password from the dictionary very quickly. Strong password policies include using combinations of letters, numbers, and special characters, such as plus signs and ampersands. Some organizations are suggesting the use of passphrases to increase the strength of a password. See Box 12-1 for an overview of best practices to create strong passwords. Policies typically include the enforcement of changing passwords every 30 or 60 days. Passwords should never be written down in an obvious place, such as a sticky note attached to the monitor or under the keyboard.

BOX 12-1 BEST PRACTICES FOR CREATING AND MANAGING PASSWORDS

· Review the specific system guidelines for users—most will have information on password parameters and allowable characters.

· Use a combination of letters, numbers, special characters (!, $, %, &, *) and upper- and lowercase.

· Longer passwords are harder to crack. Consider at least 8 characters if the system allows.

· Choose a password that is based on a phrase: Use portions or abbreviations of the words in the phrase, or use substitutions (e.g., $ for S, 4 for “for”) to create the password. Example phrase: “Lucy in the Sky with Diamonds” was released in 1967; example password: LUit$wdia67.

· Think carefully about the password and create something that is easy for you to remember.

· Change your password frequently, and do so immediately if you believe your system or email has been hacked.

· Consider using a password manager program to help you create strong passwords and store them securely.

Do NOT:

· Share your password with anyone.

· Post your passwords in plain sight.

· Use dictionary words or any personal characteristics (your name, phone number, or birthday).

· Use a string of numbers.

· Use the same password for multiple sites.

Data from Pennsylvania State Information Technology Services. ( 2015 ). Password best practices. Retrieved from http://its.psu.edu/legacy/be-safe/password-best-practices.html

The second area of authentication is something the user has, such as an identification (ID) card. ID cards can be magnetic, similar to a credit card, or have a radio frequency identification (RFID) chip embedded into the card.

The last area of authentication is biometrics . Devices that recognize thumb prints, retina patterns, or facial patterns are available. Depending on the level of security needed, organizations commonly use a combination of these types of authentication.

Threats to Security

The largest benefit of a computer network is the ability to share information. However, organizations need to protect that information and ensure that only authorized individuals have access to the network and the data appropriate to their role. Threats to data security in healthcare organizations are becoming increasingly prevalent. A nationwide survey by the Computing Technology Industry Association (CompTIA) found that human error was responsible for more than half of security breaches . Human error was categorized as failure to follow policies and procedures, general carelessness, lack of experience with websites and applications, and being unaware of new threats ( Greenberg, 2015 ). According to Degaspari ( 2010 ), “Given the volume of electronic patient data involved, it’s perhaps not surprising that breaches are occurring. According to the Department of Health and Human Services’ Office of Civil Rights (OCR), 146 data breaches affecting 500 or more individuals occurred between December 22, 2009, and July 28, 2010. The types of breaches encompass theft, loss, hacking, and improper disposal; and include both electronic data and paper records” (para. 4). The Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data ( Ponemon Institute, 2015 ) reported that “[m]ore than 90 percent of healthcare organizations represented in this study had a data breach, and 40 percent had more than five data breaches over the past two years” (para. 3). Interestingly, the most common type of data breach was related to a criminal attack on the healthcare organization (up 125% in the last 5 years). Key terms related to criminal attacks are brute force attack (software used to guess network passwords) and zero day attack (searching for and exploiting software vulnerabilities). Of the intentional data breaches (as opposed to unintentional), “45 percent of healthcare organizations say the root cause of the data breach was a criminal attack and 12 percent say it was due to a malicious insider” (Ponemon Institute, para. 4). That leaves nearly 43% of data breaches in the unintentional category. The Healthcare Information and Management Systems Society (HIMSS) 2015 survey reported the negligent insider as the most common source of a security breach. Examples of unintentional/negligent breaches include lost or stolen devices, or walking away from a workstation without logging off. If you use a device in your work and it is lost or stolen, or you violate policy by walking away from a workstation without logging off, this may be considered negligence and you may be subject to discipline or even lose your job. An interesting example of an unintentional data breach was reported on the OCR website: A company leased photocopier equipment and returned it without erasing the healthcare data stored on the copier hard drive, resulting in a settlement of over $1.2 million (U.S. Department of Health and Human Services, n.d.). Healthcare organizations need to be proactive in anticipating the potential for and preventing security breaches.

The first line of defense is strictly physical. A locked office door, an operating system that locks down after 5 minutes of inactivity, and regular security training programs are extremely effective in this regard. Proper workspace security discipline is a critical aspect of maintaining security. Employees need to be properly trained to be aware of computer monitor visibility, shoulder surfing, and policy regarding the removal of computer hardware. A major issue facing organizations is removable storage devices ( Figure 12-2 ). CD/DVD burners, jump drives , flash drives , and thumb drives (which use USB port access) are all potential security risks. These devices can be slipped into a pocket and, therefore, are easily removed from the organization. One way to address this physical security risk is to limit the authorization to write files to a device. Organizations are also turning off the CD/DVD burners and USB ports on company desktops.

Figure 12-2 A Removable Storage Device

The most common security threats a corporate network faces are hackers , malicious code ( spyware , adware, ransomware , viruses , worms , Trojan horses ), and malicious insiders . Acceptable use policies help to address these problems. For example, employees may be restricted from downloading files from the Internet. Downloaded files, including email attachments, are the most common way viruses and other malicious codes enter a computer network. Network security policies typically prohibit employees from using personal CDs/DVDs and USB drives, thereby preventing the transfer of malicious code from a personal computer to the network.

Let’s look more closely at some of these common network security threats. We typically think of hackers as outsiders who attempt to break into a network by exploiting software and network vulnerabilities, and indeed these black hat (malicious) hackers (crackers) do exist. However, more organizations are looking to employ ethical hackers (white hat hackers), those who are skilled at looking for and closing network security vulnerabilities ( Caldwell, 2011 ).

Spyware and adware are normally controlled in a corporate network by limiting the functions of the browsers used to surf the Internet. For example, the browser privacy options can control how cookies are used. A cookie is a very small file written to the hard drive of a computer whose user is surfing the Internet. This file contains information about the user. For example, many shopping sites write cookies to the user’s hard drive containing the user’s name and preferences. When that user returns to the site, the site will greet her by name and list products in which she is possibly interested. Weather websites send cookies to users’ hard drives with their ZIP code so that when each user returns to that site, the local weather forecast is immediately displayed. On the negative side, cookies can follow the user’s travels on the Internet. Marketing companies use spying cookies to track popular websites that could provide a return on advertising expenditures. Spying cookies related to marketing typically do not track keystrokes in an attempt to steal user IDs and passwords; instead, they simply track which websites are popular, and these data are used to develop advertising and marketing strategies. Nurse informaticists exploring new healthcare technologies on the Internet may find that ads for these technologies begin to pop up the next few times they are on the Internet. Spyware that does steal user IDs and passwords contains malicious code that is normally hidden in a seemingly innocent file download. This threat to security explains why healthcare organizations typically do not allow employees to download files. The rule of thumb to protect the network and one’s own computer system is to only download files from a reputable site that provides complete contact information. Be aware that malicious code is sometimes hidden in an email link or in a file sent by a trusted contact whose email has been hacked. If you are not expecting a file from an email contact, or if you receive an email with only a link in it—resist the urge to download or click!

A relatively new threat to healthcare organizations is ransomware—malicious code that blocks the organization from using their computer systems until a ransom is paid to the hacker. Consider this recent case of ransomware intrusion:

In February 2016 a hospital in Los Angeles made headlines for giving in to the ransom demand of hackers who used encryption to cripple its internal computer network, including electronic patient records, for three weeks, causing it to lose patients and money. After the hackers initially demanded $3.4 million, the hospital paid them $17,000. In explaining his decision, Allen Stefanek, president of Hollywood Presbyterian Medical Center, said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom.” The money was transferred through Bitcoin, a cryptocurrency that permits anonymity. ( Goldsborough, 2016 , para. 2–3)

In addition to strict policies related to network security, organizations may also use such devices as firewalls (covered in the next section) and intrusion detection devices to protect from hackers. Protect yourself at home by ensuring that you have an updated version of antivirus software, be wary of unusual emails, and develop strong passwords and change them frequently. If your email is hacked, report it to the proper authorities as soon as possible, warn your contacts that you have been hacked, change your password, and check to see that your antivirus software is up to date.

Another huge threat to corporate security is social engineering , or the manipulation of a relationship based on one’s position (or pretend position) in an organization. For example, someone attempting to access a network might pretend to be an employee from the corporate IT office, who simply asks for an employee’s user ID and password. The outsider can then gain access to the corporate network. Once this access has been obtained, all corporate information is at risk. A second example of social engineering is a hacker impersonating a federal government agent. After talking an employee into revealing network information, the hacker has an open door to enter the corporate network. A related type of social engineering is phishing . Phishing is an attempt to steal information by manipulating the recipient of an email or phone call to provide passwords or other private information. Box 12-2 contains an example of a phishing email and tips for identifying phishing scams.

BOX 12-2 IDENTIFYING PHISHING SCAMS

Example of a Phishing Scam Email

Check suspicious emails for grammar and spelling errors, generic greetings (User, Dear, Dearest, etc.), requests for immediate action, or requests for personal information (passwords, bank account numbers). Some phishing emails may appear to come from your bank or other trusted organization. Think carefully about why a seemingly legitimate organization might be asking for information they should already have, or ask yourself why they might need to know what they are asking for. Be aware of your organization’s procedures for reporting phishing scams, and do so immediately.

Data from Pennsylvania State University Office of Information Security. (2016). Stop phishing scams. Retrieved from http://phishing.psu.edu/what-is-phishing

Additional types of social engineering schemes include spear phishing , which is a more specifically targeted scheme where the attacker takes advantage of contact information provided in an organization’s directory and tailors the scam email to a specific person; baiting , where a malware-infected USB flash drive is left in a public area, thus tricking the finder into loading it to identify its owner; and scareware , where the scam email reports that the user has been hacked and tricks them into giving the hacker remote access to the computer to “fix” it (TechTarget, n.d.).

Another example of an important security threat to a corporate network is the malicious insider. This person can be a disgruntled or recently fired employee whose rights of access to the corporate network have not yet been removed. In the case of a recently fired employee, his or her network access should be suspended immediately upon notice of termination. To avoid the potentially hazardous issues created by malicious insiders, healthcare organizations need some type of policy and specific procedures to monitor employee activity to ensure that employees carry out only those duties that are part of their normal job. Separation of privileges is a common security tool; no one employee should be able to complete a task that could cause a critical event without the knowledge of another employee. For example, the employee who processes the checks and prints them should not be the same person who signs those checks. Similarly, the employee who alters pay rates and hours worked should be required to submit a weekly report to a supervisor before the changes take effect. Software that can track and monitor employee activity is also available. This software can log which files an employee accesses, whether changes were made to files, and whether the files were copied. Depending on the number of employees, organizations may also employ a full-time electronic auditor who does nothing but monitor activity logs. More than half of healthcare organizations have hired full-time employees to provide network security ( HIMSS, 2015 ). Additional strategies for securing networks suggested in this most recent HIMSS survey were mock cyberdefense exercises, sharing information between and among healthcare organizations, monitoring vendor intelligence feeds, and subscribing to security alerts and tips from US_CERT (United States Computer Emergency Readiness Team).

Security Tools

A wide range of tools are available to an organization to protect the organizational network and information. These tools can be either a software solution, such as antivirus software , or a hardware tool, such as a proxy server. Such tools are effective only if they are used along with employee awareness training. The 2015 HIMSS Cybersecurity Survey results indicate that an average of 11 different software tools were used by respondents to provide network security, with antivirus technology, firewalls, and data encryption as the most common tools.

For example, email scanning is a commonly used software tool. All incoming email messages are scanned to ensure they do not contain a virus or some other malicious code. This software can find only viruses that are currently known, so it is important that the virus software be set to search for and download updates automatically. Organizations can further protect themselves by training employees to never open an email attachment unless they are expecting the attachment and know the sender. Even IT managers have fallen victim to email viruses that sent infected emails to everyone in their address book. Employees should be taught to protect their organization from new viruses that may not yet be included in their scanning software by never opening an email attachment unless the sender is known and the attachment is expected. Email scanning software and antivirus software should never be turned off, and updates should be installed at least weekly—or, ideally, daily. Software is also available to scan instant messages and to delete automatically any spam email.

Many antivirus and adware software packages are available for fees ranging from free to more than $25 per month (for personal use) to several thousands of dollars per month (to secure an organization’s network). The main factors to consider when purchasing antivirus software are its effectiveness (i.e., the number of viruses it has missed), the ease of installation and use, the effectiveness of the updates, and the help and user support available. Numerous websites compare and contrast the most recent antivirus software packages. Be aware, however, that some of these sites also sell antivirus software, so they may present biased information.

Firewalls are another tool used by organizations to protect their corporate networks when they are attached to the Internet. A firewall can be either hardware, software, or a combination of both that examines all incoming messages or traffic to the network. The firewall can be set up to allow only messages from known senders into the corporate network. It can also be set up to look at outgoing information from the corporate network. If the message contains some type of corporate secret, the firewall may prevent the message from leaving. In essence, firewalls serve as electronic security guards at the gate of the corporate network.

Proxy servers also protect the organizational network. Proxy servers prevent users from directly accessing the Internet. Instead, users must first request passage from the proxy server. The server looks at the request and makes sure the request is from a legitimate user and that the destination of the request is permissible. For example, organizations can block requests to view a website with the word “sex” in the title or the actual uniform resource locator of a known pornography site. The proxy server can also lend the requesting user a mask to use while he or she is surfing the Web. In this way, the corporation protects the identity of its employees. The proxy server keeps track of which employees are using which masks and directs the traffic appropriately.

With hacking becoming more common, healthcare organizations must have some type of protection to avoid this invasion. An intrusion detection system (both hardware and software) allows an organization to monitor who is using the network and which files that user has accessed. Detection systems can be set up to monitor a single computer or an entire network. Corporations must diligently monitor for unauthorized access of their networks. Anytime someone uses a secured network, a digital footprint of all of the user’s travels is left, and this path can be easily tracked by electronic auditing software.

Offsite Use of Portable Devices

Offsite uses of portable devices, such as laptops, tablets, home computing systems, smartphones, smart devices, and portable data storage devices, can help to streamline the delivery of health care. For example, home health nurses may need to access electronic protected health information (EPHI) via a wireless laptop connection during a home visit, or a physician might use a smartphone to get specific patient information related to a prescription refill in response to a patient request. These mobile devices are invaluable to healthcare efficiency and responsiveness to patient need in such cases. At the very least, however, agencies should require data encryption when EPHI is being transmitted over unsecured networks or transported on a mobile device as a way of protecting sensitive information. Hotspots provided by companies, such as coffee shops or restaurants, and by airports are not secured networks. Virtual private networks (VPNs) must be used to ensure that all data transmitted on unsecured networks are encrypted. The user must log into the VPN to reach the organization’s network.

Only data essential for the job should be maintained on the mobile device; other nonclinical information, such as Social Security numbers, should never be carried outside the secure network. Some institutions make use of thin clients, which are basic interface portals that do not keep secure information stored on them. Essentially, users must log in to the network to get the data they need. Use of thin clients may be problematic in patient care situations where the user cannot access the network easily. For example, some rural areas of the United States do not have wireless or cellular data coverage. In these instances, private health information may need to be stored in a clinician’s laptop or tablet. This is comparable to home health nurses carrying paper charts in their cars to make home visits, and it entails the same responsibilities accompanying such use of private information outside the institution’s walls.

What happens if one of these devices is lost or stolen? The agency is ultimately responsible for the integrity of the data contained on these devices and is required by HIPAA regulations ( U.S. Department of Health and Human Services, 2006 ) to have policies in place covering such items as appropriate remote use, removal of devices from their usual physical location, and protection of these devices from loss or theft. Simple rules, such as covering laptops left in a car and locking car doors during transport of mobile devices containing EPHI, can help to deter theft. If a device is lost or stolen, the agency must have clear procedures in place to help ensure that sensitive data are not released or used inappropriately. Software packages that provide for physical tracking of the static and mobile computer inventory including laptops, smartphones, and tablets are being used more widely and can assist in the recovery of lost or stolen devices. In addition, some software that allows for remote data deletion (data wipe) in the event of theft or loss of a mobile device can be invaluable to the agency in preventing the release of EPHI.

If a member of an agency is caught accessing EPHI inappropriately or steals a mobile device, the sanctions should be swift and public. Sanctions may range from a warning or suspension with retraining to termination or prosecution, depending on the severity of the security breach. The sanctions must send a clear message to all that protecting EPHI is serious business.

The U.S. Department of Health and Human Services (n.d.) suggests the following strategies for managing remote access:

· Restricting remote access to computers owned or configured by your organization

· Disallowing administrator privileges on remote access computers

· Placing restrictions in the VPN and remote access policies

· Configuring the VPN to operate in a “sandbox” or virtual environment that isolates the session from other software running on the remote machine

· Educating users about safe computing practices in remote locations (para. 8)

To protect our patients and their data, nurses must consider the impact of wireless mobile devices (see Box 12-3 ). Data can be stolen by an employee very easily through the use of email or file transfers.

Malware , or malicious code that infiltrates a network, can collect easily accessible data. One of the evolving issues is lost or stolen devices that can provide a gateway into a healthcare organization’s network and records. When the device is owned by the employee, other issues arise as to how the device is used and secured.

The increase in cloud computing has also challenged our personal and professional security and privacy. Cloud computing refers to storing and accessing data and computer programs on the Internet, rather than the local hard drive of a computer. Common examples of cloud computing for personal use include Google Drive, Apple iCloud, and Amazon. Cloud computing allows for easy syncing of separate devices to promote sharing and collaboration ( Griffith, 2016 ). According to Jansen and Grance ( 2011 ), cloud computing “promises to have far reaching effects on the systems and networks of federal agencies and other organizations. Many of the features that make cloud computing attractive, however, can also be at odds with traditional security models and controls” (p. vi). Healthcare organizations are moving to the cloud because cloud computing tends to be cheaper and faster, offers more flexibility for work location, provides nearly immediate disaster recovery, supports collaboration, provides security, and offers frequent software updates ( Salesforce UK, 2015 ). However, there are important security concerns related to cloud computing in health care. Guccione ( 2015 ) offers these important considerations for maintaining security in a cloud environment:

BOX 12-3 POKEMON TARGETS HOSPITAL

Informatics nurse specialists must be aware of the uses of portable devices. In 2016, one hospital in the Pittsburgh area was a site of a popular game, and the administration was upset because it creates a privacy issue for people using their hospital as a search site. This hospital actually contacted the game developer to be removed from their game.

Hospitals must always be concerned about privacy and safety issues within their control, but also be on the alert for those outside their control, such as the Pokemon Go game. Pittsburgh’s Action News 4, Marcie Cipriani, reported that Pokemon Go used West Penn Hospital, part of Allegheny Health Network in Pittsburgh, as a real-world location in the game. The game utilizes enhanced reality, which allows players to combine images from the real world with those of the game. The Allegheny Health Network officials stated that the exciting, interactive game created concerns when it brought players inside their hospital. They say hunting Pokemon at the hospital created a patient privacy issue and a safety concern. Administrators warned those who are playing to stay out of their hospitals and contacted the game’s developer, who agreed to remove their hospitals from the app. They have asked their employees to be on the lookout for anyone playing the app while they are walking around the hospital and to contact security if they see Pokemon Go players.

Data from Cipriani, M. (2016, July 30). Pokemon Go targets Allegheny Health System hospitals in Pittsburgh. Pittsburgh’s Action News 4. Retrieved from http://www.wtae.com/news/pokemon-go-players-not-welcome-at-allegheny-health-network-hospitals/40946828

First, a cloud service should be have client-side encryption of data, which both protects files on the local hard drive as well as in the cloud. Second, a secure cloud service should offer multi-factor authentication to add an extra layer of access control for all users. Finally, a secure cloud provider should either provide data loss prevention tools to protect the stored data or allow an organization to extend its DLP protocols to the cloud. In both cases, the organization is alerted immediately the moment a user attempts to send sensitive files to an outside source. (para. 5)

It is clear that healthcare organizations need to be extra vigilant about their data security when using cloud computing. However, as we emphasized several times in this chapter, employee training on security measures may be the most important defense, because “the latest techniques for cyber theft are much less about breaching networks from the outside, such as through the cloud service, than they are exploiting holes inside an organization, particularly from careless employees” ( Guccione, 2015 , para. 9).

Summary

Technology changes so quickly that even the most diligent user will likely encounter a situation that could constitute a threat to his or her network. Organizations must provide their users with the proper training to help them avoid known threats and—more importantly—be able to discern a possible new threat. Consider that 10 years ago wireless networks were the exception to the rule, where today access to wireless networks is almost taken for granted. How will computer networks be accessed 10 years from now? The most important concept to remember from this chapter is that the only completely safe network is one that is turned off. Network accessibility and network availability are necessary evils that pose security risks. The information must be available to be accessed, yet remain secured from hackers, unauthorized users, and any other potential security breaches. As the cloud expands, so do the concerns over security and privacy. In an ideal world, everyone would understand the potential threats to network security and would diligently monitor and implement tools to prevent unauthorized access of their networks, data, and information.

THOUGHT-PROVOKING QUESTIONS

1. Sue is a chronic obstructive pulmonary disorder clinic nurse enrolled in a master’s education program. She is interested in writing a paper on the factors that are associated with poor compliance with medical regimens and associated repeat hospitalization of chronic obstructive pulmonary disorder patients. She downloads patient information from the clinic database to a thumb drive that she later accesses on her home computer. Sue understands rules about privacy of information and believes that because she is a nurse and needs this information for a graduate school assignment, she is entitled to the information. Is Sue correct in her thinking? Describe why she is or is not correct.

2. The nursing education department of a large hospital system has been centralized; as a consequence, the nurse educators are no longer assigned to one hospital but must now travel among all of the hospitals. They use their smartphones to interact and share data and information. What are the first steps you would take to secure these transactions? Describe why each step is necessary.

3. Research cloud computing in relation to health care. What are the major security and privacy challenges? Please choose three and describe them in detail.

References

1. Caldwell, T. (2011). Ethical hackers: Putting on the white hat. Network Security, 2011(7), 10–13. doi:10.1016/S1353-4858(11)70075-7

2. Degaspari, J. (2010). Staying ahead of the curve on data security. Healthcare Informatics, 27(10), 32–36.

3. Goldsborough, R. (2016). Protecting yourself from ransomware. Teacher Librarian, 43(4), 70–71.

4. Griffith, E. (2016). What is cloud computing? PCMag. Retrieved from http://www.pcmag.com/article2/0,2817,2372163,00.asp

5. Greenberg, A. (2015). Human error cited as leading contributor to breaches, study shows. SC Magazine. Retrieved from http://www.scmagazine.com/study-find-carelessness-among-top-human-errors-affecting-security/article/406876

6. Guccione, D. (2015). Is the cloud safe for healthcare? Healthcare Informatics. Retrieved from http://www.healthcare-informatics.com/article/cloud-safe-healthcare

7. Health Information and Management Systems Society (HIMSS). (2015) 2015 HIMSS Cybersecurity Survey. Retrieved from http://www.himss.org/2015-cybersecurity-survey/executive-summary

8. Jansen, W., & Grance, T. (2011). National Institute of Standards and Technology (NIST): Guidelines on security and privacy in public cloud computing. Retrieved from https://cloudsecurityalliance.org/wp-content/uploads/2011/07/NIST-Draft-SP-800-144_cloud-computing.pdf

9. Mowry, M., & Oakes, R. (n.d.). Not too tight, not too loose. Healthcare Informatics, Healthcare IT Leadership, Vision & Strategy. Retrieved from http://www.healthcare-informatics.com/article/not-too-tight-not-too-loose

10. Ponemon Institute. (2015, May). Fifth annual benchmark study on privacy & security of healthcare data. Retrieved from http://media.scmagazine.com/documents/121/healthcare_privacy_security_be_30019.pdf

11. Salesforce UK. (2015). Why move to the cloud? Ten benefits of cloud computing. Retrieved from https://www.salesforce.com/uk/blog/2015/11/why-move-to-the-cloud-10-benefits-of-cloud-computing.html

12. Sullivan, T. (2012). Government health IT: DHS lists top 5 mobile medical device security risks. Retrieved from http://www.govhealthit.com/news/dhs-lists-top-5-mobile-device-security-risks

13. TechTarget (n.d.). Social engineering. Retrieved from http://searchsecurity.techtarget.com/definition/social-engineering

14. U.S. Department of Health and Human Services. (2006). HIPAA security guidance. Retrieved from https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/remoteuse.pdf

15. U.S. Department of Health and Human Services. (n.d.). Implement privacy and security protection measures. Retrieved from http://www.hrsa.gov/healthit/toolbox/healthitimplementation/implementationtopics/ensureprivacysecurity/ensureprivacysecurity_9.html