Five essential practices to implement at your surgery center to better safeguard patient data and financial information.
October is Cybersecurity Awareness Month! As we embrace this annual occasion, it’s important to recognize the shared responsibility we all hold in maintaining robust cybersecurity. While your primary focus revolves around delivering safe and effective healthcare to patients, there is also an obligation to protect their confidential health and financial data.
To assist you in fortifying the cybersecurity stance at your ambulatory surgery center (ASC) and better safeguarding patient and financial information, we've compiled five essential tips for your consideration.
1. Routinely emphasize the importance of cybersecurity to your team
Cybercriminals allocate a significant amount of time to figuring out how to bypass your cybersecurity procedures and controls. To better defend yourself, make cybersecurity vigilance part of your surgery center’s mindset. To help achieve this, you can:
- Make cybersecurity a common topic of conversation.
- Prioritize cybersecurity awareness training.
- Encourage staff to speak up about cybersecurity.
- Stay updated on industry cybersecurity incidents and learn the evolving tactics that threat actor groups are using.
A culture of patient care is also a culture of cybersecurity awareness. Ensure that your staff members view themselves as proactive defenders of patients and their data and aren’t afraid of taking a deeper look at cybersecurity. This patient-focused thinking can have a tremendous impact on mitigating cyber risk to the organization and to patients.
2. Simulate email phishing attacks to test your staff's cybersecurity knowledge
Technology is ever-evolving. This means that while there have been major advances in security controls, cybercriminals are actively finding new ways to bypass them. In fact, phishing remains the #1 method used by threat actors to gain initial access to an organization.
Anyone, regardless of role or designation, is a potential phishing victim. Whether tricked into opening an email attachment or accidentally clicking on a malicious link, all it takes is a single mistake to give an attacker the access they need to your patient data.
Therefore, it is imperative to know where your surgery center stands in its defense against these threats. Test your organization by launching regularly occurring simulated email phishing tests. These tests can help to:
- Establish a baseline of your staff’s cybersecurity knowledge.
- Uncover the vulnerable areas that need attention.
- Train staff on how to identify and report phishing attempts.
- Encourage them to stay vigilant year-round.
ASC staff are the first and last line of defense at your facility. Training them to be vigilant defenders of information security should be prioritized just as any other training. Don’t stress over creating these resources, though – there are a multitude of companies that can facilitate comprehensive phishing campaigns for your surgery center and discussing with your IT support provider is a great starting point.
3. Stay up to date with your software updates and system patches
Staying up to date with software updates and system patches is a fundamental part of a proactive cybersecurity strategy. Software, including operating systems and applications, can contain vulnerabilities or weaknesses that cybercriminals are able to exploit and gain access to systems. When these vulnerabilities are found, software developers release updates and patches to fix them. If you aren’t keeping your software and systems updated, you leave yourself open to attacks that could have been prevented with patches.
Building the habit of regularly updating and patching systems offers a range of benefits that help protect against cyber threats, enhance functionality, and ensure compatibility with evolving technology, including:
- Strengthened system security, reducing the risk of unauthorized access, data breaches, malware infections, and other cyberattacks.
- Improved system stability and compatibility through applied bug fixes and performance enhancements.
- Reduced vulnerability window and attack surface – the time between the discovery of the number of potential vulnerabilities that can be exploited.
Applying software updates and patches usually only takes a few clicks, so here are still some best practices to keep in mind:
- Enable automatic software updates whenever possible to ensure that software updates are installed as quickly as possible.
- If you have to manually download and apply the update yourself, always visit the vendor site or known client portal directly rather than clicking on advertisements.
- Avoid software updates while using untrusted networks.
System updates and patches play a crucial role in maintaining the security, stability, and performance of software and systems. Staying proactive in applying updates is essential for maintaining a secure and efficient computing environment.
4. Practice strict access controls
Your organization’s data is only as secure as the people accessing it. Staff at all levels, regardless of designation or status, are capable of making human errors that may expose your facility’s sensitive information to hackers. Whether maliciously or unintentionally, staff with access to critical systems and data can sometimes end up sharing information that helps cyber criminals breach the network.
To help fight against these types of threats, it’s critical to ensure strict access controls are in place to protect your facility’s physical (e.g., medical records rooms, inventory, servers) and digital (e.g., computer network, system files) resources.
There are many ways that you can tighten your ASC’s access controls, including:
- The practice of strong password requirements, such as creating a long passphrase that incorporates letters, numbers, and special characters.
- Applying multi-factor authentication (MFA) wherever possible.
- Implementing “least privilege access.”
Least privilege is the concept and practice of restricting user information access to only those staff and technology resources necessary to perform job responsibilities. For example, one of your ASC’s clinical employees should not be able to access coding or billing information.
Decreasing the number of people who have access to confidential information helps to lower the chances of that information being compromised.
5. Ask your IT vendor if they have any resources to support your security training
Cybersecurity is a team effort. Every surgery center has different needs and resources, and seeking external guidance for cybersecurity training may prove to be highly beneficial. Your third-party IT contractor, in particular, can serve as a valuable source of expertise to enhance your cyber preparedness. Consider asking your IT vendor if they can provide assistance in the following areas:
- Designing a disaster recovery plan.
- Assisting with a reliable backup strategy.
- Reporting on threat landscapes.
- Offering security awareness training.
Developing and delivering cybersecurity training internally takes time and engaging your IT vendor can help to streamline this process and offer tailored resources to meet your staff’s specific needs and security demands.
Take advantage of our cybersecurity resources
To help you gain a better understanding of cyber threats and resilience in the ASC industry, we’ve rounded up our cybersecurity resources for public viewing. You can access blog posts, webinars, and podcasts for the entire month of October, and even share the content with your staff to increase your facility’s knowledge and vigilance of the cybersecurity landscape.
About Cybersecurity Awareness Month
Now in its 20th year, Cybersecurity Awareness Month is an annual collaborative effort between government and industry that works to increase the understanding of cyber threats and empower the American public to be safer and more secure online.
For more information on Cybersecurity Awareness Month, visit the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).
Throughout October, SIS will be sharing content across various platforms that promote vital cybersecurity information, tips on how you can help keep your ASC safe, and more. Be sure to subscribe to the SIS Blog and follow our social media accounts to stay in the loop!