An excerpt from a recent episode of "ASC Podcast with John Goehle."
Earlier this month, Surgical Information Systems’ Chief Information Security Officer Dr. Paul Alcock, DIT, CISSP, CCSP, CISM, CCISO, GCIH, was invited to be a guest on the "ASC Podcast with John Goehle" to discuss ASC cybersecurity in conjunction with Cybersecurity Awareness Month. During his conversation with John Goehle, Dr. Alcock explored the importance of cybersecurity for ASCs, how to appreciate the significance of the topic, and how ASCs and the ASC industry can better manage cybersecurity risks.
The following is an excerpt from the conversation between John Goehle and Dr. Alcock, slightly edited for clarity. To hear the segment in its entirety, visit the "ASC Podcast with John Goehle."
John Goehle (JG): What are some of the major cybersecurity threats facing ASCs right now?
Dr. Paul Alcock (PA): In the ASC industry, and the healthcare industry as a whole, we have patient data we need to protect, and we need to understand what we’re protecting it from. Healthcare continues to be a significant, lucrative target for adversaries looking for financial gains. We see a ton of phishing emails being used to gain initial access into organizations, and ransomware continues to grow in popularity amongst threat actors because of the success rate that they’re seeing in performing these types of attacks.
Then there’s insider threats. Particularly in healthcare, we see a lot of unintentional disclosure of protected health information (PHI) and issues with exposing patient information. While there hasn’t been a huge change in the trends relative to the type of attacks that we’re seeing, such as phishing and ransomware, some of the techniques have been adjusted as our own cybersecurity defenses have become more advanced.
JG: Can you address the cybersecurity risks associated with the increased use of mobile devices?
PA: We don’t always consider the threat or potential exposure that comes from accessing corporate resources through mobile devices, particularly cell phones. Some organizations may issue cell phones, but I think the majority are allowing personal devices to be used to access things like work email and file sharing. How do we secure some of these tools being used for work purposes, such as Outlook, on a personal device? How far can we go as a company to secure somebody else’s personal property? I think that’s one of the biggest challenges.
Thankfully, there are tools out there that, if we’re able to purchase and adopt them, and then get staff enrollment throughout our organization, we can isolate certain applications that are used specifically for corporate resources. That way, if the account is compromised in some way and we’re concerned that it could lead to an exposure of corporate data, we can wipe that segmented piece from the personal device without touching any of that individual user’s sensitive personal information, such as photographs or personal emails. Ultimately, that personal data is not ours, and we shouldn’t be touching it.
It’s a challenge. We’ve got that barrier between what’s personal and what’s corporate, but we need to protect what’s important to the business and to our patients.
JG: That’s an interesting challenge. Is it smaller or larger organizations that are more prone to these types of issues? Or should everyone be concerned?
PA: Everybody needs to be concerned. I think there’s a common misconception amongst smaller organizations that maybe aren’t quite as sophisticated or haven’t been exposed to these risks. There are some ASCs that believe they are “too small” to be targeted when it’s actually the reverse.
We hear about a lot of larger health systems targeted in the mainstream media, and not so much about smaller organizations like ASCs, but typically due to lack of resources or, again, just not being exposed to or aware of the risk from a cyber standpoint, they often don’t have the level of data protection maturity to be able to defend against these types of attacks. This can make them easy targets.
In addition, we see smaller businesses being a way into some of the larger organizations and health systems because they may be connected through systems and networks. The smaller organization may not have the controls or internal resources to be able to identify and respond to malicious activity, and when the bad guys see that they can get in this way, they can do so and then pivot to the larger health system.
In short: Both small and large organizations are prone to these threats. Don’t ever think that you’re too small for these threat actors to look at, because they’re 100% looking at your organization and hoping to find a way in.
Take Advantage of Our ASC Cybersecurity Resources
To help you gain a better understanding of cyber threats and resilience in the ASC industry, we’ve assembled a collection of cybersecurity resources. You can access blog posts, webinars, and podcasts for the entire month of October, and share the content with your staff to increase your facility’s knowledge and understanding of the cybersecurity landscape.
About Cybersecurity Awareness Month
Now in its 20th year, Cybersecurity Awareness Month is an annual collaborative effort between government and industry that works to increase the understanding of cyber threats and empower the American public to be safer and more secure online.
For more information on Cybersecurity Awareness Month, visit the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA).
Throughout October, SIS will be sharing content across various platforms that promote vital cybersecurity information, tips on how you can help keep your ASC safe, and more. Be sure to subscribe to the SIS Blog and follow our social media accounts to stay in the loop!