As Director of Information Security here at Surgical Information Systems, I recently hosted a panel discussion webinar with Nelson Gomes from Medicus IT to discuss the importance of a cybersecurity strategy across an ASC. In the wake of a pandemic that has affected how the world works and forced many organizations toward a remote working environment, there has been a significant rise in cybercrime. This growth can be directly attributed to the increased time spent online and away from the traditional security controls implemented to protect the internal office environment, as well as to criminals playing off the heightened fear and anxiety individuals may be experiencing as they navigate a COVID-19 world. Unfortunately, for the industry that we serve, threat levels tend to be significantly higher due to healthcare data's black-market value. This is because electronic protected health information, or ePHI, has a longer shelf life than other personal data, making it ideal for identity theft.
Because of the value that ePHI holds for cybercriminals, healthcare facilities such as ASCs are at a higher risk of being targeted by bad actors. A successful data breach of your facility poses potentially significant financial damage, will undoubtedly decrease productivity, is likely to halt business operations altogether, and can harm your reputation in the community and among your patients. Now that you know why it's so essential to implement a security strategy and create an environment that fosters cybersecurity culture, I will outline how to begin the process.
1. The first step is to establish responsibility for information security within your ASC by designating a Security Officer. This means identifying an individual or group of individuals, depending on available resources, to own and champion all information security initiatives. Your employees are the first line of defense, so the Security Officer will take responsibility for ensuring consistent communication and training for employees. They will also work with business leaders to identify areas of security risk and to develop appropriate security policies and processes that reduce risk and build cyber resilience.
2. You cannot protect what you do not understand, so the next step is geared toward gaining an understanding of your corporate environment. Take an inventory of all assets, including hardware, software (applications), and databases. Identify where your "crown jewels" are kept and who has access to them. These are your most critical items and where the focus of your security controls should be.
3. Speaking of security controls, HIPAA mandates minimum requirements for the protection of ePHI in the form of administrative, physical, and technical safeguards. There is a lot of ambiguity across these HIPAA requirements, but as a healthcare provider, it is essential to have those safeguards in place. The previous step helped you identify your "crown jewels," which in an ASC is your ePHI. Understanding HIPAA requirements relative to securing your crown jewels and maintaining compliance is step 3. There is one thing I feel I must add: a common misconception is that implementing HIPAA requirements will mean your data is secure; this is not the case. To be crystal clear: HIPAA compliance does not equal security.
4. New vulnerabilities are identified on an almost daily basis, and cyber attackers are always looking for new ways to gain access to your ePHI. This ever-changing threat landscape requires security professionals to always be one step ahead in identifying potential threats, vulnerabilities, and cyber risks. Our employees are our first line of defense; they can also be our weakest link and the asset most frequently targeted and most successfully exploited by bad actors. Arguably, the most important and most often poorly managed security function is access control. It is critical to review who in your ASC has access to what and to ensure permissions are granted using the principle of least privilege: your employees have access only to what they need to complete their daily tasks and no more. Another of the most fundamental security functions within any organization is to establish a formalized patch management plan. Keeping your systems up to date with the latest security patches will significantly reduce the number of vulnerabilities across your ASC. It is also recommended, resources permitting, to have a third party validate your patching program and other implemented security controls through quarterly vulnerability scanning of your environment.
5. You now have an understanding of your corporate environment and have identified the threats, vulnerabilities, and cyber risks to your ASC; it's time to begin applying the appropriate security controls to reduce those risks and protect your crown jewels. As I delicately touched on in step 3, these controls may well be, and in all likelihood will be, above and beyond those required to maintain HIPAA compliance.
6. No good security program is complete without everyone's favorite step: documenting policies and procedures. As tedious and time-consuming as creating security policies and procedures is, it is essential to the continued effectiveness of your information security strategy. Policies and procedures formalize requirements, responsibilities, and accountability relative to your security controls. Once developed, they should be disseminated throughout the ASC so that all employees are aware not only of their existence but also of their purpose and content.
7. Ok, so we've made it to step 7: we know the environment, we know the risks to our environment, and we have implemented and documented our security controls to protect our environment. That's a lot of change! Now we need to train others across the ASC on these changes, ensuring they understand not only the need for the new security controls but also how to work effectively and securely with them and how to follow company security policy.
8. We've made some good progress in securing your ASC. It's time to look outward. We need to ensure that all the work we put in isn't turned upside down because we are partnered with a vendor that doesn't take security as seriously as we do. You need to ensure that the software you use in your ASC has a proper security team behind it and that you are partnering with the right vendors. The best way to do this is to evaluate them by issuing vendor security risk assessments to see what policies and controls they have in place to help secure your data. It is essential that you select healthcare-focused IT vendors whenever possible, as they are more likely to understand and alleviate the risks involved with protecting ePHI. You also need to make sure you have a Business Associate Agreement (BAA) in place with any vendor that has access to your ePHI.
9. The final step, we made it! Unfortunately, it is not that simple; your security program will require periodic auditing for several reasons: you need to ensure that your controls remain effective, that policy is being followed, and that new risks are identified and appropriate steps are taken to address them. You have a security program in place; now is the time to mature and improve that program.
I know that the idea of creating and enforcing a security program within your facility might seem like a daunting task, but the importance of having one and fostering a culture that supports cybersecurity cannot be overstated. As Nelson at Medicus IT says: “The best way to eat an elephant is one bite at a time.” Remember, cybercriminals are looking for the path of least resistance, so if you take the time to build a security program, you will be less likely to be targeted by these hackers. The goal is to make their job as difficult as possible.