Digital literacy part 5: Staying safe online

The fifth article in our series on digital literacy explains how to safeguard confidential information about you, your patients and your organisation so you can enjoy the advantages of being an e-nurse

What is online security, or ‘cybersecurity’?

The internet has many clear advantages over traditional ways of exchanging information but, like them, it can be insecure. Cybersecurity establishes simple rules and measures to prevent intrusion or fraud.  

How important is it?

Without it, privacy and confidentiality can be threatened and data may be stolen.  At its worst, poor online security can make people and organisations vulnerable to a cyberattack.

What is a cyberattack?

Cyberattacks are malicious acts, usually carried out by an anonymous source, that seek to steal from, alter or destroy computer information systems, infrastructures, computer networks or personal computer devices. Hackers target susceptible systems, which is why it is important to protect them. 

Can health services be affected?

In May 2017 a cyberattack known as WannaCry affected more than 200,000 computers in at least 100 countries. The NHS was among the organisations targeted, with the perpetrators threatening to perpetually block access to or even publish victims' data unless a ransom was paid.

According to NHS England, at least 81 of the country’s 236 trusts were either affected by the ransomware or turned off their devices and systems as a precaution. A further 603 primary care and other NHS organisations were infected, including 595 general practices.

Was there an impact on patients and staff?

No organisations reported harm to patients or data being compromised or stolen.

There was, however, considerable disruption, with thousands of operations cancelled. Staff were locked out of devices, which prevented or delayed access to patient information, including sending test results to GPs and transferring or discharging patients from hospital.

The National Audit Office’s investigation, published in October, explains what happened, its impact and the response.

Can attacks like this be prevented?

Arguably, no way of storing and exchanging information, online or otherwise, is entirely free of risk. But NHS Digital says all organisations infected with WannaCry had the same vulnerability and could have taken relatively simple action to protect themselves.

NHS England’s view is that some organisations were affected because of a failure to maintain good cybersecurity practices. Some had failed to patch and update their systems or were relying on old software.

People talk about malware, worms, trojans and phishing. What do these terms mean?

Malware is short for malicious software, and is the generic term for any computer program intended to damage, destroy or steal information from a computer or IT system. Effects include making a computer or system run slowly, locking it, preventing it from starting up, damaging or changing how it operates, stealing, destroying or corrupting information, and sending unauthorised messages.

Malware has various subcategories, including viruses, trojans, worms and spyware. Briefly, trojans perform functions on a computer without the user’s knowledge, worms copy themselves to other computers on a network, slowing things down, and spyware collects information on the user’s activities. Phishing means using bogus emails to try to steal information from you – for example, when an email purporting to be from your bank asks you to provide personal details or your PIN.

Is there anything I can do to help prevent all this?

Yes. While most of the responsibility is organisational, individual users can play an important part in protecting networks and devices. For example, email is one of the main ways viruses are distributed.

Get Safe Online, a public-private partnership supported by the government, provides free resources and information in this area. It advises not to reply to or click on links in emails that look suspicious or are from companies or people you don’t recognise.

It says: ‘Take your time and think twice, because everything may not be as it seems.’

Also be careful about which sites you visit and what information you transfer to your computer using removable media, such as memory sticks.

NHS Digital advises this should be kept to a minimum, and such media should be authorised and scanned with your organisation’s anti-virus application before use. Never try to reconfigure or change your organisation’s system settings or turn off anti-virus software. If you think you’ve received a virus, contact your organisation’s IT department for help as soon as possible.

Can I reduce the risk of unauthorised people seeing confidential information on screen or online?

Yes. One way is by following a ‘clear desk and screen’ approach:

  • Clear your desk at the end of the working day, or when it is left unattended for an hour or more.
  • Clear or lock screens when talking to unauthorised people. Set your auto screensaver so that it activates when there is no activity for a specified time, and set the screen to lock when you’re away for a significant period, with a password required to unlock it.

NHS Digital says these measures secure the work environment by helping to reduce the risk of unauthorised disclosure and of damage and disruption to IT systems, information, facilities and business operations. Its guidance published last May says this reduces the opportunity for a security incident or data breach to occur.

I work in the community and use mobile computing. How can I stay safe online?

Your organisation should have policies setting out how devices such as laptops, tablets and smartphones are used and secured, and how information is handled and transferred. If you use portable equipment, make certain it’s kept with you or locked away when not in use, and never allow others to use it.

Keep devices out of sight when travelling and minimise the amount of data they hold. Back up data in accordance with your organisation’s policies.

Be wary of using Wi-Fi hotspots as they may not always be secure. For work, use a virtual private network (VPN).

Can passwords help?

NHS Digital says: ‘Passwords are the keys that open the doors to your private and your organisation’s information, and should be treated with as much care as you would treat the keys to your home.’

It advises that passwords should be a minimum of eight characters, not contain a dictionary word of more than four characters, contain at least two upper and two lower case letters and two numbers, and contain at least two special characters, such as the ampersand or pound sign.

One tip is to use phrases to make a complex and secure password. For example ‘the number 27 bus stops at my street’ can become ‘N27bs@M$’ by using the first letter of each word.
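The password rule quoted above can be written as a checker. This is an added example, not code from NHS Digital or the original article; the word list is a small constructed sample, and the look-alike substitution step is an assumption that goes beyond the stated rule.

```python
# Constructed sample word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"hospital", "nurse", "password", "street", "summer", "welcome"}

# Assumption beyond the stated rule: undo common look-alike substitutions
# so that "P@ssw0rd" is still recognised as containing "password".
LOOKALIKES = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e"})


def check_password(password, words=SAMPLE_WORDS):
    """Return the list of rules the password breaks (empty list = passes)."""
    failures = []
    if len(password) < 8:
        failures.append("fewer than eight characters")

    counts = {
        "upper-case letters": sum(c.isupper() for c in password),
        "lower-case letters": sum(c.islower() for c in password),
        "numbers": sum(c.isdigit() for c in password),
        # Anything that is not a letter, digit or whitespace counts as special.
        "special characters": sum(
            not c.isalnum() and not c.isspace() for c in password
        ),
    }
    for label, count in counts.items():
        if count < 2:
            failures.append(f"fewer than two {label}")

    lowered = password.lower()
    candidates = (lowered, lowered.translate(LOOKALIKES))
    for word in sorted(words):
        # The rule only bans dictionary words of more than four characters.
        if len(word) > 4 and any(word in text for text in candidates):
            failures.append(f"contains the dictionary word '{word}'")
    return failures


if __name__ == "__main__":
    for sample in ("N27bs@M$", "Summer2017", "P@ssw0rd!!12AB"):
        print(sample, "->", check_password(sample) or "passes")
```

The article's phrase-based example passes every rule, while the third sample meets all the character counts and is rejected only because of the disguised dictionary word.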

Generally, your passwords should be changed regularly and whenever you think they may have been compromised. Never share them with anyone, including your manager, IT department or security staff. And use different passwords for each system, including home and work computers.

For more advice, read NHS Digital’s passwords user guide.

I use social media to talk about my professional activities. What security measures should I take?

You can check your Facebook privacy settings quickly and easily following the simple steps in a leaflet produced by NHS Employers. This will show you what others see when they view your timeline and profile.

For Twitter, the default setting is to keep your tweets public, but you can protect them by going to your security and privacy settings.

You can also control who tags you in any photographs. Consider any location functions that enable others to see exactly where you are, changing settings as appropriate.
