ABSTRACT
INTRODUCTION: Healthcare data have significant value as a potential target for hackers. Phishing is a method of exploitation for malicious reasons using targeted communications (email/messaging). This study reports on an internal evaluation targeting hospital staff and summarises peer-reviewed literature regarding phishing and healthcare. METHODS: An assessment was performed as part of cybersecurity activity during a designated test period using multiple credential harvesting approaches through staff email. We also searched the medical-related literature to identify relevant phishing-related publications. RESULTS: During the 1-month testing period, the organisation received 858 200 emails: 139 400 (16%) marketing, 18 871 (2%) identified as potential threats. Of 143 million internet transactions, around 5 million (3%) were suspected threats. 468 employee email addresses were identified from public data and targeted through phishing using a range of payloads including attachments and malicious links; however, no credentials were recovered or malicious files downloaded. Several hospital employees were, however, identified on social media profiles, including some tricked into accepting false friend requests. DISCUSSION: Healthcare organisations are increasingly moving to digital systems, but healthcare professionals have limited awareness of threats. Increasing emphasis on 'cyberhygiene' and information governance through mandatory training increases understanding of these risks. While no credentials were harvested in this study, since up to 5% of emails/internet traffic are suspicious, the need for robust firewalls, cybersecurity infrastructure, IT policies and, most importantly of all, staff training, is emphasised. CONCLUSION: Hospitals receive a significant volume of potentially malicious emails. While many staff appear to be aware of phishing and respond appropriately, ongoing education is required across the spectrum of cybersecurity, with specific emphasis around 'leakage' of information on social media.
Subject(s)
Awareness , Computer Security/standards , Deception , Delivery of Health Care/standards , Electronic Mail , Hospitals , Humans , Personnel, Hospital/education , Personnel, Hospital/standards , Risk Management , Social MediaABSTRACT
BACKGROUND: The Chief Information Officer (CIO) and Chief Clinical Information Officer (CCIO) are now established senior roles in hospital practice. With increasing emphasis on optimising use of routine health data for secondary purposes and research, additional skills are required as part of the senior information officer team, particularly in academic health care institutions. OBJECTIVE: Here we present the role of the Chief Research Information Officer (CRIO), as an emerging, and important, component of the senior information team. Method: We review recent publications describing the composition of the senior information team, including CIO and CCIO roles, and present evidence for development of the CRIO as a distinct component of the team. RESULTS: The CRIO is emerging as an additional senior role in academic healthcare institutions, whose roles include leadership of the informatics strategy and optimisation of routine data collection systems for research data use. Such individuals should be senior clinicians with experience in informatics, in addition to having established research expertise and knowledge of research processes, governance and academic networks. CONCLUSION: The CRIO is emerging as a distinct senior information leadership role in conjunction with the already established positions of CCIO and CIO, who together, can provide optimal oversight of digital activities across the organisation.
Subject(s)
Hospitals, University/organization & administration , Medical Informatics/organization & administration , Research , Hospital Administrators , HumansABSTRACT
BACKGROUND: Numerous studies have examined specific factors related to success, failure and implications of Electronic patient record (EPR) system implementations, but usually limited to specific aspects. Objective: To review the published peer-reviewed literature and present findings regarding factors important in relation to successful EPR implementations and likely impact on subsequent clinical activity. METHOD: Literature reviewResults: 312 potential articles were identified on initial search of which 117 were relevant and included in the review. Several factors were related to implementation success, such as good leadership and management, infrastructure support, staff training and focus on workflows and usability. In general, EPR implementation is associated with improvements in documentation, and screening performance, and reduced prescribing errors, whereas there are minimal available data in other areas such as effects on clinical patient outcomes. The peer-reviewed literature appears to under-represent a range of technical factors important for EPR implementations, such as data migration from existing systems and impact of organisational readiness. CONCLUSION: The findings presented here represent synthesis of data from peer-reviewed literature in the field and should be of value to provide the evidence-base for organisations considering how best to implement an EPR system.
