An Athletic Trainer’s Role in Cybersecurity: Best Practices to Protect Patients
Posted May 22, 2019
By Jeremy D. Howard, MS, LAT, ATC
In many settings, patients look to Athletic Trainers (ATs) to support their overall health. This responsibility includes not only injury management and rehabilitation, but also injury prevention and reduction. At first glance, cybersecurity may not seem like an important area for ATs in protecting their patients. However, in “Cybersecurity in healthcare: A systematic review of modern threats and trends,” published February 21, 2017 in the Technology and Health Care journal, authors Clemens Scott Kruse, Benjamin Frederick, Taylor Jacobson and Kyle Monticone point out that the majority of individuals conducting cybercrime against health care organizations are doing so to gather the sensitive personal and financial information kept in electronic medical records (EMRs). Not only does this create privacy law (HIPAA) violations, but it can also cause harm to the patient whose information is stolen.
While the patient may not suffer physical injury due to hacking, this act can cause significant damage to their credit rating, peace of mind and overall life. In his book, “Proceedings of the 13th European Conference on Cyber Warfare and Security The University of Piraeus Greece,” Andrew Liaropoulos argues that the moral of this story is that cybersecurity and information assurance in health care have become a major security challenge of our time. Liaropoulos references the cyberattack that took place on the entire country of Estonia in 2007. Estonia experienced a three-week distributed denial of service attack using both ‘botnets’ and ‘ping floods’ to deny access to emergency health systems, cell phones, banking and communication networks. Please take a moment to contemplate how ATs would conduct business without daily access to EMRs, local emergency services, email, cell phones and financial accounts.
In “Cybersecurity in health care,” published in The New England Journal of Medicine in 2014, Eric Perakslis states that 94 percent of health care institutions have been victimized by cyberattacks. In addition, research reported in “Cyber threats to health information systems: a systematic review,” an article published in 2016 in the Technology and Health Care journal, suggests that there are major concerns about the health care industry’s lagging cybersecurity and information assurance (IA) when compared to other industries. In the aforementioned article, authors Raul Luna, Emily Rhine, Matthew Myhra, Ross Sullivan and Clemens Scott Kruse argue that health care systems are prime targets for cyberattacks.
Don’t let your sports medicine department be the gateway for a cyberattack that takes down the entire institution. Knowing the risks associated with cyberattacks, ATs should work to increase their awareness of cybersecurity best practices. In turn, ATs could be protecting not only their athletic training facilities, but their patients as well. While many aspects of cybersecurity and IA are managed by an institution’s IT department, it is important for the sports medicine department to work collaboratively with IT. The director of sports medicine or head AT should connect with the IT department to discuss the information exchange and cybersecurity requirements of the sports medicine department to ensure protection of the patients. Additionally, the two areas can work together on things like multi-factor authentication, password policies, email security and anti-virus or anti-malware patch updates.
Multi-factor authentication is a strong starting point for discussion. While a single password is one type of authentication, an enhanced protection is created using multi-factor authentication. This includes something you know, something you have, something you are and somewhere you are. To expand on these concepts, something you know is a knowledge-based authentication, such as your password. Something you have is a possession-based authentication. This could be a smart card or institutional identification. Something you are is a physical characteristic-based authentication. This includes biometrics like retinal, face or fingerprint scanners. Finally, somewhere you are is a location-based authentication. Think of this as your access to a specific and protected network. As a department head, it is worth discussing with the IT department the need to add, at a minimum, two-factor authentication to your department’s systems.
Password policies are a component of authentication, but they also have their own specific concepts toward protection from cyberthreats. Some of these need to be done through the IT department and others within your own department through staff-based policy. Regarding IT department-specific discussion topics, most institutions have password requirements. These requirements may include the use of capital letters, lower case letters, special characters, numbers, password length and password expiration time frames. These are vital in increasing the security of protected health information. If your institution does not have these password rules in place, it needs to be a major point of discussion. Policy surrounding passwords at the sports medicine department level should include the following specific concepts with justifications.
- Do not use a shared password. Each staff member should have their own password. If a shared password is hacked, the cybercriminal has access to multiple individuals’ data.
- Do not use passwords that are ‘dictionary’ words. Passwords that use the organization mascot, department name, the word password or even names should not be used. They are far more easily guessed and hacked than randomized passwords. It is worth looking at the top 100 passwords of the year to see examples of bad passwords that place your organization at risk (for example: password1). Consider creating a password ‘blacklist’ to prevent staff from using passwords that create a cyberthreat.
- Do not write down passwords. Often, people with numerous or complex passwords will write them down and display them at their desk. This defeats the purpose and increases the vulnerability of the system.
- Do not use the same password across multiple platforms. The staff should use various passwords for access to EMR systems, email and concussion baseline systems to name a few.
- Do not save account information through the internet access application. Regardless of whether you use Chrome, Internet Explorer, Firefox, Safari or Edge, saving your account information to the application creates a cyberthreat.
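The department-level password rules above (length and character requirements, a blacklist of known-bad passwords, and no mascot, department name or the word “password”) can be enforced automatically at the point a staff member picks a password. The following is an added example, not code from the article or from any institution’s IT department; the blacklist entries, the mascot “eagles” and the department name “sportsmed” are constructed sample values.

```python
"""Password-policy check for a sports medicine department's accounts.

Added example; it is not code from the original article or from any
institution's IT department. The blocklist, mascot and department names are
constructed sample values; a real deployment would load its own lists.
"""
import re

MIN_LENGTH = 12

# Constructed sample blocklist in the spirit of the "top 100 passwords" lists
# the article mentions. A real list would be far longer.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Constructed dictionary words the article says must never appear: the word
# "password", an (assumed) mascot and department name, and the profession.
BANNED_TERMS = ("password", "eagles", "sportsmed", "athletics", "trainer")

# Undo common letter-for-symbol substitutions so "P@ssw0rd1" is still caught.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e"})

def normalise(pw: str) -> str:
    """Lower-case and de-leet a candidate before comparing it to the lists."""
    return pw.lower().translate(LEET)

CLASS_CHECKS = (
    (r"[A-Z]", "no upper-case letter"),
    (r"[a-z]", "no lower-case letter"),
    (r"[0-9]", "no digit"),
    (r"[^A-Za-z0-9]", "no special character"),
)

def check_password(pw: str) -> list:
    """Return the policy violations for pw; an empty list means it is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for pattern, message in CLASS_CHECKS:
        if not re.search(pattern, pw):
            problems.append(message)
    norm = normalise(pw)
    if norm in BLOCKLIST:
        problems.append("on the blocklist")
    for term in BANNED_TERMS:
        if term in norm:
            problems.append(f"contains banned term '{term}'")
    return problems

if __name__ == "__main__":
    for candidate in ("password1", "P@ssw0rd1", "GoEagles2019!", "Tr@il-Kit-27-Gauze"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The de-leet step matters: “P@ssw0rd1” satisfies every character-class rule yet is the same blacklisted password, so a check on the raw string alone would pass it.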
Email security is another area where collaboration is critical between the IT and the sports medicine departments’ staff. The department head should first understand their own information exchange requirements, along with department access requirements. Are the department staff expected to access their emails through the institution’s network? Or are they expected to access the email on an internet with little to no security? If the staff are expected to access the department’s systems from unsecure networks, then adding a virtual private network (VPN) to department laptops could create additional security.
Your email server should not be on Simple Mail Transfer Protocol (SMTP) port 25, as this will not allow any encryption to protect your exchange of patient-specific data. With SMTP out, the use of Post Office Protocol (POP3) port 110, or Internet Message Access Protocol (IMAP) port 143, become the points of discussion. POP3 downloads the emails from the email server to the local computer, which frees up space on the email server but removes the emails from the server. This assumes your email is accessed from one application only. IMAP allows simultaneous access to emails by multiple clients by accessing the email server remotely. IMAP may be preferred over POP3 if your department uses a single email account or if emails must be accessed from multiple systems by one user.
A sports medicine department-specific policy for staff should include not forwarding department email to staff members’ personal emails. This creates a spillage of HIPAA-protected information to a less secure or controlled system, creating another cyberthreat to the patient. To illustrate this threat, let’s look at Gmail, which uses transport layer security (TLS). TLS only protects the message while in transport and assumes the far-side recipient is also using TLS. It does not protect the message on the far-side of receipt. Furthermore, Gmail, like other major email systems, can scan messages and attachments of emails sent to a Gmail account to check for phishing and spam attempts. However, this means that HIPAA-protected information is being viewed by unintended systems, creating a potential threat to the patient.
Anti-Virus and Anti-Malware Patches and Updates
One of the best practices in cybersecurity is using the most current and up-to-date protective programs. If your organization is not using these, you should advocate for their implementation. Sometimes updates and patches to these programs can create unintended second and third order issues based on program interactions. For this reason, it is worth discussing a slight delay in pushing the patches and updates across the network to the sports medicine department’s systems to ensure there are no unintended side effects of the updates. Think of this as quarantining your department’s systems to protect the vital information while testing the updates and patches on less vital systems to ensure there are no unintended negative effects. Likely, the institution already does this to protect other vital areas. You will just need to advocate for your department to be added to the vital group of systems that get the delayed receipt of patches and updates.
According to Luna, Rhine, Myhra, Sullivan and Kruse, increased efforts in department and institutional cybersecurity and IA are necessary in order to protect our patients from the risk of cyberthreats. ATs and administrators can make major changes to help decrease these risks through coordination with local IT departments, along with policy development and enforcement.
Kruse, C.S., Frederick, B., Jacobson, T., & Monticone, K. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Technology and Health Care, 25, 1-10. doi: 10.3233/THC-161263.
Liaropoulos, A. (2014). Cyberconflict and theoretical paradigms: Current trends and future challenges in the literature. Proceedings of the 13th European Conference on Cyber Warfare and Security The University of Piraeus Greece, 133-139.
Perakslis, E.D. (2014). Cybersecurity in health care. The New England Journal of Medicine, 371 (5), 395-397. doi: 10.1056/NEJMp140358.
Luna, R., Rhine, E., Myhra, M., Sullivan, R., & Kruse, C.S. (2016). Cyber threats to health information systems: a systematic review. Technology and Healthcare, 24(1), 1-9. doi: 10.3233/THC-151102.
About the Author
Jeremy Howard is the State Health Promotion Officer for Florida Army National Guard under the Resilience, Risk Reduction, and Suicide Prevention Program. Howard graduated with a Bachelor of Science in Athletic Training from Florida Gulf Coast University (#DunkCity) and from the University of Saint Augustine for Health Sciences’ Master of Health Science in Athletic Training programs. He is currently pursuing an Educational Doctorate in Health Sciences at the same institution. In 2002, Howard enlisted in the Florida Army National Guard and is still currently serving; he is also a veteran of Operation Enduring Freedom-Afghanistan. His professional interests include Concussion/TBI, Injury Prevention Programs and Manual Therapy.