Eight actions to take to foster an environment that supports ASC cybersecurity culture and lessens the likelihood of being targeted by malicious individuals.
There has been a significant rise in cybercrime in recent years, including cybercrime targeting healthcare. The threat the healthcare industry faces from cybercriminals is now in the national spotlight due to the hack of Change Healthcare that has caused significant disruption in billing, prescription, and insurance authorization processes affecting many providers that rely on one or more of Change's services.
Cybercrime is expected to surge in the coming years, and unfortunately for the ambulatory surgery center (ASC) industry we serve at SIS, threat levels tend to be significantly higher due, in part, to healthcare data's value on the black market. Two of the main reasons healthcare data has higher value than other types of data are that electronic protected health information, or ePHI, can typically be used by cybercriminals for longer than other personal data, and that healthcare fraud often takes longer to discover, making healthcare data even more attractive for theft.
The Appeal of an ASC: Cybersecurity Takes on Elevated Importance
Due to the value that ePHI holds for cybercriminals, healthcare facilities such as ASCs are at a higher risk of being targeted by bad actors. ASCs are also a prime target for cybercriminals because they tend to be small businesses with smaller cybersecurity budgets and few, if any, on-site cybersecurity experts compared to larger entities, such as hospitals and health systems.
A successful data breach of a surgery center could lead to significant financial damage, decrease productivity, halt business operations altogether for at least some period of time, and significantly harm a center's reputation in its community and among patients, surgeons, and payers.
With a better understanding of why it's so essential for an ASC to implement a security strategy and create an environment that fosters cybersecurity culture, here are eight steps that can help you begin the process.
1. Designate an ASC (cyber)security officer
A key initial or at least early step for strengthening ASC cybersecurity is to establish responsibility for information security within your facility by designating a security officer. This means identifying an individual or group of individuals, depending on available resources, who will own and champion all information security initiatives.
ASC employees are the first line of defense against cybercriminals and cyberattacks. The security officer will take responsibility for ensuring consistent communication and training for employees. This individual (or group) may also work with leadership and IT vendor partners, like SIS, to identify areas of security risk and vulnerabilities and then develop appropriate policies and processes to reduce risk and build cyber resilience for the ASC.
2. Understand your IT environment
You cannot protect what you do not understand. That speaks to the importance of gaining a better understanding of your ASC's IT environment. To do so, take an inventory of all technology assets. This should include hardware, software (applications), and databases. Identify where your healthcare data "crown jewels" — i.e., your ePHI — are stored and who can access them. This is where you will want to direct a significant focus for your ASC cybersecurity controls.
3. Address HIPAA
Speaking of security controls, HIPAA mandates minimum requirements for the protection of ePHI in the form of administrative, physical, and technical safeguards. As healthcare providers, it is essential for ambulatory surgery centers to have those safeguards in place.
The previous step helped you identify your ePHI crown jewels. Understanding HIPAA requirements relative to securing your crown jewels and maintaining compliance is a valuable follow-up step.
Note: One common misconception is that implementing HIPAA requirements will mean your data is secure. This is not the case. To be crystal clear: HIPAA compliance does not equal security.
4. Implement fundamental, yet essential ASC cybersecurity safeguards
Cyberattackers are always looking to exploit vulnerabilities and find new ways to access ePHI. The ever-changing cyber threat landscape requires security professionals to be one step ahead in identifying and addressing potential threats, vulnerabilities, and cyber risks. ASC employees are the first line of defense. They can also be the weakest link and the most targeted and successfully exploited asset by bad actors.
Arguably, the most important and often poorly managed security function within healthcare organizations is access control. Access control determines who is permitted to access specific data, software, and resources — and under what circumstances they are permitted to do so. It is critical to review who in your ambulatory surgery center has access to what data and ensure permissions are granted using the principle of "least privilege." This means your employees only have access to what they need to complete their daily tasks and nothing more.
Another of the most basic but critical ASC cybersecurity processes within any organization is to establish a formalized patch management plan. Keeping your IT systems current with the latest security patches will significantly reduce the number of vulnerabilities across your ASC.
Developing a patch management plan is important even if third-party companies or vendors are managing your systems or applications and are responsible for applying security patches. Your security officer(s) should speak with these partners about their patch management processes.
It is also recommended to have a third party validate your patching program and other implemented security controls through quarterly vulnerability scanning of your environment.
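The access-control and patch-management reviews described in step 4 build directly on the asset inventory from step 2. The following script is an added example (not code from SIS or from the article) showing how a security officer could run both reviews over that inventory: every ePHI-holding asset is treated as a crown jewel, each role gets a baseline of the crown jewels it needs for daily work, and any account that can reach an ePHI asset outside its role's baseline is flagged as a least-privilege exception. A second pass lists assets whose installed version is behind the vendor's current security patch level, with ePHI-holding assets listed first. All asset names, roles, accounts and version numbers are constructed sample data; the role baseline is a hypothetical one an ASC would replace with its own.

```python
"""Least-privilege and patch-status review over an ASC technology inventory.

Added example, not from the article. All assets, roles, accounts and
version numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str               # "application", "database", "workstation", ...
    holds_ephi: bool        # True if the asset stores or processes ePHI
    installed_version: str  # version currently running
    patched_version: str    # latest vendor security patch level (constructed)


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    access: frozenset       # asset names the account can reach


# Hypothetical role baseline: the ePHI assets each role needs for daily tasks.
# Anything beyond this is an exception under the "least privilege" principle.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "scheduler": {"pm-app"},
    "nurse": {"ehr-app"},
    "billing": {"pm-app", "billing-db"},
    "it-admin": {"ehr-app", "pm-app", "billing-db", "ehr-db"},
}

# Constructed inventory (step 2) and account list for the review.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("ehr-app", "application", True, "4.2.0", "4.2.0"),
    Asset("pm-app", "application", True, "2.9.1", "2.10.0"),
    Asset("ehr-db", "database", True, "15.3", "15.4"),
    Asset("billing-db", "database", True, "15.4", "15.4"),
    Asset("lobby-kiosk", "workstation", False, "10.0", "10.1"),
]

SAMPLE_ACCOUNTS: List[Account] = [
    Account("asmith", "scheduler", frozenset({"pm-app", "ehr-app"})),
    Account("bjones", "nurse", frozenset({"ehr-app"})),
    Account("cdoe", "billing", frozenset({"pm-app", "billing-db", "ehr-db"})),
    Account("tempuser", "contractor", frozenset({"ehr-db"})),  # role not in baseline
]


def ephi_assets(inventory: List[Asset]) -> Set[str]:
    """Names of the crown-jewel assets: everything that holds ePHI."""
    return {a.name for a in inventory if a.holds_ephi}


def version_tuple(version: str):
    """Turn a dotted version string into a comparable tuple of integers."""
    return tuple(int(part) for part in version.split("."))


def find_excess_access(accounts: List[Account], inventory: List[Asset],
                       baseline: Dict[str, Set[str]] = ROLE_BASELINE) -> Dict[str, List[str]]:
    """Map each user to the ePHI assets they can reach beyond their role baseline.

    A role missing from the baseline has no approved ePHI access, so every
    ePHI asset such an account can reach is reported.
    """
    crown_jewels = ephi_assets(inventory)
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        allowed = baseline.get(acct.role, set())
        excess = (set(acct.access) & crown_jewels) - allowed
        if excess:
            findings[acct.user] = sorted(excess)
    return findings


def find_unpatched(inventory: List[Asset]) -> List[str]:
    """Assets running a version older than the current patch level, ePHI assets first."""
    behind = [a for a in inventory
              if version_tuple(a.installed_version) < version_tuple(a.patched_version)]
    # Sort so ePHI-holding assets come first, then alphabetically by name.
    behind.sort(key=lambda a: (not a.holds_ephi, a.name))
    return [a.name for a in behind]


if __name__ == "__main__":
    for user, assets in find_excess_access(SAMPLE_ACCOUNTS, SAMPLE_INVENTORY).items():
        print(f"least-privilege exception: {user} can reach {', '.join(assets)}")
    for name in find_unpatched(SAMPLE_INVENTORY):
        print(f"patch outstanding: {name}")
```

Running the script reports three least-privilege exceptions (the scheduler with EHR access, the billing user with direct EHR database access, and the contractor account whose role has no approved ePHI access at all) and three assets behind on patches, with the ePHI-holding application and database listed ahead of the lobby kiosk. The same structure works as the input to a quarterly third-party validation: the inventory and baseline are the evidence of what the ASC believes its environment looks like, and the scan results are compared against them.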
5. Document ASC cybersecurity policies and procedures
No good security program is complete without everyone's favorite step: documentation, specifically of policies and procedures. While it's time-consuming to create these policies and procedures, doing so is essential to the continued effectiveness of your ASC cybersecurity strategy.
Policies and procedures formalize requirements, responsibilities, and accountability relative to your security controls. Once developed, these policies and procedures should be disseminated throughout the ASC with all employees and become a standard part of onboarding. Staff should not only be aware of their existence but also their purpose and content.
6. Educate and train staff on cybersecurity
By completing steps 1 through 5, you should have a better understanding of your IT environment, know some of the most significant potential risks to your environment, have implemented some key security processes, and have documented some critical ASC cybersecurity controls to better protect your environment. That's a lot of change.
Now you need to train others across your ambulatory surgery center on these changes and improvements. Work to ensure your staff understand not only the need for security controls but also how to work effectively and securely with these controls. You will also want to stress why staff must always follow company security policies and procedures and the importance of staff speaking up when they have any concerns at all about cybersecurity, including observing questionable security behavior by fellow staff members. The term "insider threat" is used to describe the potential for an insider — a person who has or had authorized access to or knowledge of an organization's resources — to use this authorized access or understanding to harm that organization through intentional or unintentional acts. Insider threats are frequently cited as one of the most common causes for cybersecurity incidents.
Note: Policies and procedures should undergo regular review and updating, when necessary. Staff training on changes to policies and procedures should immediately follow.
7. Assess your IT partners
Once you've made progress in securing your ASC, it's time to look outward. ASCs must ensure all the work put in isn't undone because a vendor partner doesn't take cybersecurity as seriously. You must ensure the software used in your ASC has a proper security team behind it and that you are partnering with the right vendors. A good way to do this is to evaluate your vendor partners by issuing security risk assessments to identify the policies and controls they have in place to help secure your data. You will want to look for vendors who demonstrate their commitment to protecting client data, such as those that have earned HITRUST certified status for information security.
It is also essential that you partner with healthcare-focused IT vendors whenever possible as they are more likely to understand and alleviate the risks involved with protecting ePHI. You should make sure you have business associate agreements (BAA) in place with any vendors that have access to your ePHI.
8. Stay vigilant with ASC cybersecurity
Even after you have completed the seven essential steps for security that we've discussed above, you have not completed your efforts around security. Your ASC cybersecurity program will require periodic auditing for several reasons. Among them: You must ensure your controls remain effective, that policies and procedures are being followed correctly and consistently, and that new risks are identified and appropriate steps taken to address them.
You have a security program in place — one that should help improve your protection against cybercrime. That's no small feat, but don't celebrate for too long. Get to work on maturing and improving the program. Cybercriminals don't take days off, so you cannot afford to do so either.
Giving ASC Cybersecurity the Attention It Deserves
The idea of creating and enforcing an ASC security program for your facility might seem like a daunting task, but the importance of having one and fostering a culture that supports cybersecurity cannot be overstated. Remember: Cybercriminals are looking for the path of least resistance. If you take the time to build a robust ASC security program, you will be less likely to be targeted by these malicious individuals. The goal is to make their job as difficult as possible, so they look elsewhere.
Want to learn more about ASC cybersecurity? Join us for a special event focused on navigating ASC cyberattacks! We'll walk through a real-life cyberattack simulation with our cybersecurity experts, and you'll gain a deeper understanding of how to manage a cyberattack in a healthcare setting.