Three tips to help ASCs align cybersecurity and patient safety initiatives into one unified culture and help mitigate negative impacts on the delivery of safe and effective care.
October is Cybersecurity Awareness Month, and it serves as a good reminder that while your daily priority is to provide safe and effective healthcare to patients, a large part of that safety is ensuring their health information remains private and secure.
Healthcare organizations continually face evolving cyber threats that can put patient safety at risk. Ambulatory surgery centers (ASCs) would be mistaken to view these threats as a purely technical issue that solely falls under the responsibility of IT departments or technical solutions. Rather, surgery centers should align cybersecurity and patient safety initiatives into one unified culture. Doing so not only helps your organization protect patients' protected health information (PHI), but also ensures continuity throughout the effective delivery of high-quality care by mitigating disruptions that can have a significant negative impact on clinical outcomes.
See Yourself in Cyber
This year's Cybersecurity Awareness Month campaign theme is "See Yourself in Cyber" and demonstrates that while cybersecurity may often seem like a complex subject, recognizing the role that people play in building cyber resilience can go a long way to reducing risk.
Technology is undoubtedly important, but we've all heard the saying: “You’re only as strong as your weakest link.” That’s why it’s crucial for you to ensure that every person – from your staff to your ASC technology vendors and even you yourself – understands their role in your information security chain.
Here, we’ll look at 3 people-focused practices you can put in place across your facility to strengthen your cybersecurity posture and better protect sensitive patient and financial data.
1. Educate Your Team
You can have top-of-the-line security systems in place at your ASC, but it’s education that can have the most significant impact on reducing one of the biggest cybersecurity risks: human error.
While healthcare-related cyberattacks can be attributed to several factors, a lack of employee training greatly increases the likelihood of human error and introduces vulnerabilities to your security program. If the members of your team don’t understand the importance of strong passwords, know how to identify and report suspicious emails, or recognize social engineering tactics, it presents opportunities that hackers can exploit to access and compromise your PHI and confidential data.
It's important to develop and deliver comprehensive, ongoing security training for every employee and physician at the ASC. Provide ongoing security reminders to your team, frequently audit compliance with security measures, and assess workforce security awareness. Then continue to review and revise your policies and processes to address new threats as they emerge. All of this will help in creating a “security-oriented” culture.
There are many companies that provide security training solutions, including some that provide programs specifically designed for healthcare providers, and include anti-phishing, simulated attacks, and interactive security awareness training.
2. Practice Strict Access Controls
Your organization’s data is only as secure as the people accessing it.
Staff at all levels, regardless of designation or status, are capable of making human errors that may expose your facility’s sensitive information to hackers. Whether maliciously or unintentionally, staff with access to critical systems and data can sometimes end up sharing information that helps cyber criminals breach the network.
To help fight against these types of threats, it’s critical to ensure strict access controls are in place to protect your facility’s physical (e.g., medical records rooms, inventory, servers) and digital (e.g., computer network, system files) resources.
There are many ways that you can tighten your ASC’s access controls, including the practice of strong password requirements, such as creating a long passphrase that incorporates letters, numbers, and special characters, is easy to remember but difficult to crack, multi-factor authentication (MFA), and implementing “least privilege access.”
Least privilege is the concept and practice of restricting user information access to only those staff and technology resources necessary to perform job responsibilities. For example, one of your ASC’s clinical employees should not be able to access coding or billing information.
Decreasing the number of people that have access to confidential information helps to lower the chances of that information being compromised.
3. Know Your Vendor’s Cybersecurity Stance
There are people outside of your surgery center that also have a hand in protecting your patients’ PHI: your technology vendors.
If you use electronic health record (EHR) technology in your surgery center, then your clinical data security is directly impacted by how dedicated your vendors are to cybersecurity. This is not to say that using an ASC EHR is risky – it’s proven that the use of cloud-based electronic health records can increase the security of your PHI – but because health records contain so much information of high monetary and intelligence value to cyber adversaries, the responsibility of protecting this data is shared in part with your ASC EHR vendor.
Make an effort to question ASC EHR vendors about their cybersecurity posture and implement solutions from vendors who demonstrate a commitment to developing a robust cybersecurity program while dedicating the time and resources to securing their applications and client data. Ensure their security program in its entirety has been evaluated by an independent third party. For example, has the vendor completed third-party cybersecurity certifications or attestations? Have they achieved SOC II compliance for ALL elements of the services being provided i.e., both their EHR application software and the data center that hosts the data? Do they have a dedicated cybersecurity team that continually monitors for cyber threats?
These are just a few of the questions that any security-focused ASC EHR vendors should be able to answer, providing you with increased clarity and confidence in how they can protect your confidential and sensitive information.
Creating a Patient-Safety-Focused Culture
Financially motivated cybercriminals allocate a significant amount of time to figuring out how to bypass your cybersecurity procedures and controls. To better defend yourself, make cybersecurity vigilance part of your surgery center’s mindset. Stay updated on cybersecurity incidents in the industry and learn the evolving tactics that hackers are using. Educate your staff and encourage them to speak up about cybersecurity.
Leverage your existing culture of patient care to include a complementary culture of cybersecurity, where staff members view themselves as proactive defenders of patients and their data. Instilling a patient-safety-focused culture of cybersecurity can have a tremendous impact on mitigating cyber risk to the organization and to patients.
About Cybersecurity Awareness Month
Now in its 19th year, Cybersecurity Awareness Month, formally known as National Cybersecurity Awareness Month, is an annual collaborative effort between government and industry that works to increase the understanding of cyber threats and empower the American public to be safer and more secure online.
For more information on Cybersecurity Awareness Month, visit the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).
Throughout October, SIS will be sharing content across various platforms that promotes vital cybersecurity information, tips on how you can keep your ASC safe from bad actors, and more. Be sure to subscribe to our blog and follow our social media accounts to stay in the loop!