Eight actions ASCs can take to foster an environment that supports cybersecurity culture and lessens the likelihood of being targeted by malicious individuals.
In the wake of a pandemic that has affected how the world works and forced many organizations toward more of a remote working environment, there has been a significant rise in cybercrime. This growth can be attributed to the increased time away from traditional security controls often implemented to protect the internal office environment as well as criminals working to exploit potential vulnerabilities that can come with increased staff turnover, heightened fear and anxiety about navigating a COVID-19 world, and financial challenges.
Unfortunately, for the ambulatory surgery center (ASC) industry we serve at SIS, threat levels tend to be significantly higher due to healthcare data's value on the black market. One of the main reasons healthcare data has higher value than other types of data is because electronic protected health information, or ePHI, has a longer shelf life than other personal data, thus making it even more ideal for identity theft.
Due to the value that ePHI holds for cybercriminals, healthcare facilities such as ASCs are at a higher risk of being targeted by bad actors. ASCs are also a prime target for cybercriminals because they tend to be small businesses with smaller cybersecurity budgets and few, if any, on-site cybersecurity experts compared to larger entities (e.g., hospitals, health systems).
A successful data breach of a surgery center could lead to significant financial damage, will undoubtedly decrease productivity, is likely to halt business operations altogether for at least some period, and can significantly harm your reputation in the community and among patients, surgeons, and payers.
Now that you have a better understanding of why it's so essential to implement a security strategy and create an environment that fosters cybersecurity culture, I will share eight steps that can help you begin the process.
1. Designate an ASC security officer. The first step is to establish responsibility for information security within your facility by designating a security officer. This means identifying an individual or group of individuals, depending on available resources, to own and champion all information security initiatives. Your employees are the first line of defense against cybercriminals and cyberattacks, so the security officer will take responsibility for ensuring consistent communication and training for employees. This individual(s) may also work with leadership and IT vendor partners, like SIS, in identifying areas of security risk and developing appropriate security policies and processes to reduce risk and build cyber resilience for ther ASC.
2. Understand your IT environment. You cannot protect what you do not understand. This next step is geared toward gaining a better understanding of your IT environment. To do so, take an inventory of all technology assets, including hardware, software (applications), and databases. Identify where your "crown jewels" are kept — i.e., your ePHI — and who has access to it. This is where the focus of your security controls should be.
3. Address HIPAA. Speaking of security controls, HIPAA mandates minimum requirements for the protection of ePHI in the form of administrative, physical, and technical safeguards and as a healthcare provider, it is essential for ambulatory surgery centers to have those safeguards in place. The previous step helped you identify your ePHI "crown jewels." Understanding HIPAA requirements relative to securing your crown jewels and maintaining compliance is step 3.
One common misconception is that implementing HIPAA requirements will mean your data is secure. This is not the case. To be crystal clear: HIPAA compliance does not equal security.
4. Implement basic, yet essential safeguards. New vulnerabilities are identified on an almost daily basis, and cyberattackers are always looking for new ways to gain access to ePHI. This ever-changing threat landscape requires security professionals to be one step ahead in identifying and addressing potential threats, vulnerabilities, and cyber risks. ASC employees are the first line of defense. They can also be the weakest link and the most targeted and successfully exploited asset by bad actors. Arguably, the most important and often poorly managed security function is access control. It is critical to review who in your ambulatory surgery center has access to what data and ensure permissions are granted using the principle of least privilege. This means your employees only have access to what they need to complete their daily tasks and nothing more.
Another of the most fundamental security processes within any organization is to establish a formalized patch management plan. Keeping your IT systems current with the latest security patches will significantly reduce the number of vulnerabilities across your ASC. This step is important even if third-party companies or vendors are managing your systems or applications and are responsible for applying security patches. It is also recommended to have a third party validate your patching program and other implemented security controls through quarterly vulnerability scanning of your environment.
5. Document Policies & Procedures. No good security program is complete without everyone's favorite step: documenting policies and procedures. While it's time-consuming to create security policies and procedures, doing so is essential to the continued effectiveness of your ASC's information security strategy. Policies and procedures formalize requirements, responsibilities, and accountability relative to your security controls. Once developed, these policies and procedures should be disseminated throughout the ASC with all employees. Staff should not only be aware of their existence but also their purpose and content.
6. Educate and train staff. By completing steps 1 through 5, you should have a better understanding of your IT environment, know some of the most significant risks to your environment, have implemented some key security processes, and have documented some critical security controls to better protect your environment. That's a lot of change. Now you need to train others across your ambulatory surgery center on these changes. Work to ensure they understand not only the need for security controls but also how to work effectively and securely with these controls and why they must always follow company security policies and procedures. Note: Policies and procedures should undergo regular review and updating, when necessary. Staff training on changes to policies and procedures should follow.
6. Assess your IT partners. Once you’ve made some good progress in securing your ASC, it's time to look outward. ASCs need to ensure all the work put in isn't turned upside down because you have partnered with a vendor that doesn't take security as seriously as you do. You must ensure the software used in your ASC has a proper security team behind it and that you are partnering with the right vendors. The best way to do this is to evaluate your vendor partners by issuing security risk assessments to identify the policies and controls they have in place designed to help secure your data.
It is essential that you partner with healthcare-focused IT vendors whenever possible as they are more likely to understand and alleviate the risks involved with protecting ePHI. You also need to make sure you have business associate agreements (BAA) in place with any vendors that have access to your ePHI.
7. Stay Vigilant. While you may have completed seven essential steps for ASC security, you have not completed your efforts around security. Your security program will require periodic auditing for several reason. Among them: You must ensure your controls remain effective, that policies and procedures are being followed correctly and consistently, and that new risks are identified and appropriate steps taken to address those risks.
You have a security program in place. That's no small feat, but don't celebrate for too long. Get to work on maturing and improving the program. Cybercriminals don't take days off, so you cannot afford to do so either.
Giving ASC Security the Attention It Deserves
The idea of creating and enforcing an ASC security program for your facility might seem like a daunting task, but the importance of having one and fostering a culture that supports cybersecurity cannot be overstated. Remember: Cybercriminals are looking for the path of least resistance. If you take the time to build a robust ASC security program, you will be less likely to be targeted by these malicious individuals. The goal is to make their job as difficult as possible, so they look elsewhere.
About Cybersecurity Awareness Month
Now in its 19th year, Cybersecurity Awareness Month, formally known as National Cybersecurity Awareness Month, is an annual collaborative effort between government and industry that works to increase the understanding of cyber threats and empower the American public to be safer and more secure online.
For more information on Cybersecurity Awareness Month, visit the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).
Throughout October, SIS will be sharing content across various platforms that promotes vital cybersecurity information, tips on how you can keep your ASC safe from bad actors, and more. Be sure to subscribe to our blog and follow our social media accounts to stay in the loop!