In the wake of the recent global cyber attack, Eric Perakslis discusses some basic principles of cyber security.
The recent global cyber attack that has struck institutions across many nations, including a large number of hospitals in the UK, is just the latest reminder that cyber defense is a fundamental necessity of the connected age. While the variety and velocity of the risks appears massive, the simplest of solutions can still be the most effective. [1]
Proficient use of cyber security best practices requires an understanding that can be difficult to achieve given the barriers of expertise and jargon. However, medical personnel are well-trained in the basics of infection prevention and control (IPC) and these same principles can be used as a model of cyber security education and practice. Using the outline from the National Institute for Health and Care Excellence (NICE) clinical guideline CG 139 (Healthcare-associated infections: prevention and control in primary and community care, 2017), we can construct a parallel set of cyber security guidelines for healthcare professionals.
Infection prevention and control standard principles (NICE CG 139 1.1)
Everyone involved in providing care should be educated about the standard principles of infection prevention and control.
Cyber security standard principles
All healthcare institutions must have comprehensive and mandatory information asset control (IAP) training that provides a fundamental understanding of the basic principles of data and cyber protections. The training must be administered yearly and require recertification. Cyber threats are evolving and changing quickly. Training must be put in place to keep up.
Hand decontamination (NICE CG 139 1.1.2)
Hands must be decontaminated in all of the following circumstances: immediately before every episode of direct patient contact or care, including aseptic procedures, immediately after every episode of direct patient contact or care, immediately after any exposure to body fluids etc.
Cyber hand decontamination
When you move a computing device between physical and electronic environments, you risk the spread of a computer pathogen. Computing endpoints such as cell phones, laptops, tablets etc must be decontaminated under the following circumstances—immediately after connecting to any unsecured wifi (including the free/open wifi of their own institution), and transferring between the work and home environment etc. At a minimum, the methods of decontamination are to update all antivirus and similar programs and then run full file and system scans.
Use of personal protective equipment (CG139 1.1.3)
Selection of protective equipment must be based on an assessment of the risk of transmission of microorganisms to the patient, and the risk of contamination of the healthcare worker’s clothing and skin by patients’ blood, body fluids, secretions, or excretions.
Cyber protective equipment
While not 100% effective, available computer protections must be rigorously and diligently used. Anti-virus and malware must be kept up to date and run daily. On the server and infrastructure side, technology versions must be up to date and properly managed. Patches and other security fixes must be immediately applied. No competent healthcare professional would use out of date gloves, drugs, or disinfectant and neither can outdated and unsupported computer infrastructure be tolerated.
Safe use and disposal of sharps (CG 139 1.1.4)
Sharps should not be passed directly from hand to hand, and handling should be kept to a minimum.
Cyber sharps
Portable media are the sharps of the computing world and are all potential infection vectors. Safe flash drive and external media use must be well-trained and governed closely. For some sensitive systems, the use of portable media may be completely banned.
Waste disposal (CG 139 1.1.5)
Healthcare waste must be segregated immediately by the person generating the waste into appropriate colour-coded storage or waste disposal bags or containers defined as being compliant with current national legislation and local policies.
Cyber waste disposal
All networks and email will be subject to phishing emails, malware, and other intrusion attempts. Sanitation must be held to a very high standard. Not only should emails with suspicious links be deleted, but such files must be reported and completely purged. Long-term file storage should also be occasionally purged in accordance with local records management policy.
Long-term urinary catheters (CG 139 1.2)
Indwelling urinary catheters should be used only after alternative methods of management have been considered. Patients and carers should be educated about and trained in techniques of hand decontamination, insertion of intermittent catheters where applicable, and catheter management before discharge from hospital.
Cyber urinary catheters
Business-to-business (b2b) connections, patient portals, dedicated research networks are all long-term infection risks. What is going in and out can be difficult or impossible to monitor. These should be limited and only done under the proper circumstances. They are analogous to catheter drainage and maintenance in that any shared areas must be occasionally flushed and purged.
Enteral feeding (CG 139 1.3)
Patients and carers should be educated about and trained in the techniques of hand decontamination, enteral feeding, and the management of the administration system before being discharged from hospital.
Cyber enteral feeding
Information is the lifeblood of health delivery and must flow quickly into healthcare organizations but data in must be scrubbed. Temporary quarantine and pre-release file scans can all be very useful. Sources of data should be scrutinized and must be able to confirm the integrity of the content they are delivering.
Vascular access devices (CG 139 1.4)
An aseptic technique must be used for vascular access device catheter site care and when accessing the system. Before discharge from hospital, patients and their carers should be taught any techniques they may need to use to prevent infection and safely manage a vascular access device
Cyber vascular access devices
Core IT infrastructure, such as server rooms and network control centers, are the cardiovascular system of any computing environment. Major systems upgrades must always be conducted with care. Multiple layers of testing as well as end-to-end penetration and sanitation testing must be done. Backup systems and data should be properly isolated and redundant.
While there are highly complex and technical aspects to cyber security, the best protections still lie in solid understanding and execution of sound basic principles.
Eric D Perakslis is currently senior vice president and Head of the Takeda R&D Data Sciences Institute and Visiting faculty at the Department of Biomedical informatics of Harvard Medical School. Eric’s career spans industry, academia, federal government and multiple NGOs and his current research interests include cyber security, open data/technology, humanitarian crisis management and people-powered rare disease and exceptional drug response research.
Competing interests: None declared.
References:
Langer, S. (2017). Cyber-Security Issues in Healthcare Information Technology. J Digit Imaging , 118-125.