Last month, Surgical Information Systems’ Senior VP of Development, Bobby Roberts, and Director of Information Security, Paul Alcock, were invited to join the ASC Podcast with John Goehle for a conversation about cybersecurity. At a time when the entire world, and the healthcare industry in particular, is seeing an uptick in cyber threats and more “bad actors” attempting to exploit vulnerabilities, this was a timely discussion. Here are some highlights from the interview:
John Goehle: The New York State Department of Health recently released a warning to the healthcare industry of possible cybersecurity attacks. Are you able to shed some light on why we are seeing an increase in activity now, during the pandemic?
Paul Alcock: I think there are two reasons we are seeing an increase in activity. One, ransomware operators are in this business for financial gain. When you couple the need for a healthcare operation’s access to their data with the stress of a pandemic, the healthcare operation is much more likely to pay the ransom being demanded by these attackers. They are preying on the sense of urgency that is present during this pandemic. The other reason, I believe, can be directly attributed to a majority of the world’s population working from home. Home offices are usually on unsecured networks and it can be harder to mitigate these attacks on unsecured networks.
John: We have a saying here, “What are you going to do tomorrow morning after you listen to this podcast?” So, what can our listeners do to help prevent an attack on their ASC or their organization?
Paul: The first thing you need to do is assign responsibility for cybersecurity to somebody in your organization, before an attack happens, not after. There is a common misconception among inexperienced organizations that creating a cybersecurity team is overly complex and costs a bunch of money. While this can be true among larger firms, it doesn’t have to be when you are just getting started. The most important thing you can do is appoint an individual, or individuals, to audit your data and find out where your “crown jewels” are located and identify weak spots in the security surrounding this data. When I say crown jewels, I am referring to information like Protected Health Information (PHI), client financial data, etc. Once you have located and identified this data, it is time to implement controls over this information. And lastly, it is never a bad idea to invest in a third-party audit of your controls. A second set of eyes, especially an expert pair, can make all the difference.
Bobby Roberts: I second what Paul has said, and if I may just interject – most ambulatory surgery centers (ASCs) are currently using some kind of management software for their patient data. Do not be afraid to reach out to the vendor(s) providing that software and ask for help. You can ask them what their processes are for backing up your data, or have them assist you in backing up your own data depending on how your solution is hosted. At the end of the day, keeping your crown jewels secure is important, but if somebody wants to get a hold of your data, they are likely going to find a way. This is why we stress the importance of keeping that data backed up.
John: A lot of our listeners belong to smaller facilities that may not have the means to provide these types of audits for themselves, and I know that you mentioned employing a third party to assist in preparing a plan for cybersecurity. What do you recommend someone look for in a security vendor, and can you touch on the up-front cost?
Paul: My advice is to do your research before you commit to any one vendor. Ask around for references from your peers and inquire about their reputation. Do they specialize in cybersecurity protocols specifically for healthcare organizations? We deal with different regulations in healthcare, and whatever vendor you work with needs to be well versed in HIPAA guidelines. Often, having someone come in and perform an annual risk assessment is more cost-effective than building out your own internal security team.
Bobby: I think ASCs need to look at the issue of cybersecurity and prepare for “when” an attack will happen to them, not “if” it will. When you think about it this way, it is much easier to justify the up-front costs of hiring an outside vendor to help perform risk assessments on your organization. If your ASC is attacked with ransomware without the proper data back-ups or controls in place, you will likely be shelling out a lot more cash on the back-end to unencrypt your patient data. And if PHI or personally identifiable information (PII) was copied by your hackers, you will spend even more money on credit monitoring services for the patients affected.
This is only a small excerpt from a much larger conversation. To hear the segment in its entirety, visit the ASC Podcast with John Goehle homepage and listen for free.