Dealing With Cyber Threats: How to Navigate a Breach

The best way to protect your ASC is a robust cybersecurity program, but if you've been breached, the next best thing is to have a clear response plan.

When technology systems fail and data is lost, breached, or stolen, it is usually not because a hacker broke through a firewall. It is because your people, the strongest link in the chain of your business, are the weakest link when it comes to cybersecurity. According to Verizon's 2024 Data Breach Investigations Report, nearly 70% of data breach incidents involved a human element.

When cybercriminals look to compromise healthcare organizations, they typically focus on the human element. Phishing emails and social engineering are among the tactics used by cybercriminals to try to get your ASC staff to make one mistake that they can exploit.

What is the best course of action for protecting your surgery center? The first thing you need is a strong, current cybersecurity program that leverages advanced technology and frequent staff training. A crucial component of this program involves preparing a detailed incident response plan to enhance your ability to successfully navigate a data breach and swiftly recover from a cyberattack.

Dr. Paul Alcock, Chief Information Security Officer for Surgical Information Systems (SIS), explored how ASCs can improve identification of and response to a cyber incident in the interactive webinar, “From Identification to Response: Navigating an ASC Cyberattack.” Dr. Alcock led a simulated ASC cyberattack in which program attendees went step by step through the experience, weighing the pros and cons of each response action, and learned how their surgery centers can better protect themselves from cybercriminals and execute their incident response plans.

Additional key takeaways from the workshop are shared below. To experience this simulation, watch the on-demand presentation.

Importance of ASC Cybersecurity

Between the cybersecurity attacks that affect the healthcare industry (e.g., Change Healthcare) and the breaches that impact us personally (e.g., AT&T, Ticketmaster), the importance of cybersecurity should be well understood by everyone.

At the beginning of the program, Dr. Alcock posed a question to the audience: How often does your ASC provide cybersecurity training for staff? More than 60% of respondents said their surgery center provides cybersecurity training for their staff only once a year.

The most forward-thinking organizations, Dr. Alcock said, provide monthly training for their team (only 16% of our poll respondents provide monthly training to their team). Routine training helps to keep ASC staff vigilant against cybercriminals' “tried and true” techniques, such as phishing, as well as the newer, more sophisticated tactics they may attempt.

Responding to a Breach

Even with proper training, no ASC is 100% immune from cyberattacks. What steps should a surgery center take in the event of a cybersecurity breach?

The first phase of an incident response plan is discovery. With the right tools and safeguards in place, a potential breach can be spotted relatively early. Signs of a potential breach include unusual spikes in your network's outbound activity, unusual account activity such as your EHR being accessed after hours, or unfamiliar devices accessing your network or software systems.
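The three discovery signs above can be expressed as simple detection rules over log records. This is an added example, not material from the webinar or SIS; the records are constructed, and the field names, business hours, and 5x spike threshold are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed sample data; field names and values are assumptions for illustration.
KNOWN_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # asset inventory (MACs)
BUSINESS_HOURS = range(6, 19)  # 06:00-18:59 local; weekends are not modelled here
EVENTS = [
    {"type": "netflow", "ts": "2024-09-02T10:00", "host": "frontdesk-1", "bytes_out": 40_000_000},
    {"type": "netflow", "ts": "2024-09-02T14:00", "host": "frontdesk-1", "bytes_out": 45_000_000},
    {"type": "netflow", "ts": "2024-09-03T10:00", "host": "frontdesk-1", "bytes_out": 38_000_000},
    {"type": "netflow", "ts": "2024-09-03T14:00", "host": "frontdesk-1", "bytes_out": 42_000_000},
    {"type": "dhcp_lease", "ts": "2024-09-03T07:55", "mac": "aa:bb:cc:00:00:01"},
    {"type": "ehr_login", "ts": "2024-09-03T09:15", "user": "nurse_a"},
    {"type": "dhcp_lease", "ts": "2024-09-04T02:31", "mac": "de:ad:be:ef:00:99"},
    {"type": "ehr_login", "ts": "2024-09-04T02:47", "user": "billing_b"},
    {"type": "netflow", "ts": "2024-09-04T03:00", "host": "frontdesk-1", "bytes_out": 900_000_000},
]

def find_breach_signs(events, known_devices, spike_factor=5):
    """Return (sign, subject, timestamp) tuples for the three discovery signs."""
    # Baseline: each host's median hourly outbound volume. The median is used
    # so that a single large transfer does not inflate its own baseline.
    per_host = {}
    for e in events:
        if e["type"] == "netflow":
            per_host.setdefault(e["host"], []).append(e["bytes_out"])
    baseline = {host: median(vals) for host, vals in per_host.items()}

    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["type"] == "netflow":
            # Sign 1: unusual spike in outbound network activity
            if e["bytes_out"] > spike_factor * baseline[e["host"]]:
                alerts.append(("outbound_spike", e["host"], e["ts"]))
        elif e["type"] == "ehr_login":
            # Sign 2: EHR accessed outside business hours
            if hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_ehr", e["user"], e["ts"]))
        elif e["type"] == "dhcp_lease":
            # Sign 3: device that is not in the asset inventory joins the network
            if e["mac"] not in known_devices:
                alerts.append(("unknown_device", e["mac"], e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in find_breach_signs(EVENTS, KNOWN_DEVICES):
        print(alert)
```

On their own each rule is noisy; the value is in correlation, such as an unknown device, an after-hours login, and an outbound spike all within the same half hour.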

If you find yourself in a situation where you've discovered a breach, best practice is to disconnect affected systems immediately. This means disconnecting devices from the Wi-Fi network or unplugging the networking cable from your devices. These actions sever the cybercriminal's connection to your facility and can help prevent them from inflicting further damage.

A common — and understandable — mistake that affected organizations sometimes make at this stage is to completely turn off all their devices. When cybercriminals successfully breach an organization, they leave behind valuable information on your devices that can help determine how the cybercriminals broke into your network and what actions they took. Once a device is turned off, this trace evidence can be lost.

Once you've taken your systems offline, the next step is responding to the cyberattack. If the attack involves a ransomware request, there are several actions you can take:

  • Attempt to restore backups — Once your information technology (IT) team has disconnected your devices from the network, they can begin working to restore your system and files from backups.
  • Notify law enforcement and cyber insurance provider — Both entities can help guide you through the response process. Depending on your cyber insurance policy, you may have coverage that helps offset the cost of hiring cyber negotiators to engage with the attackers to lower the ransom.
  • Determine whether to negotiate with the attackers to lower the ransom — Negotiating with cyber attackers can help lower the ransom they seek to unlock your systems and files. However, ASCs should not engage directly with ransomware actors. Rather, ask law enforcement and your cyber insurance provider whether negotiating is in your best interest. If they recommend doing so, consider consulting with specialized incident response teams before beginning negotiations and bring in a third party that specializes in these negotiations to take the lead on the efforts.

Running multiple workflows in tandem helps give your ASC the best chance of getting back up and running as quickly as possible. You can also engage your technology vendors in your response efforts as they may be able to provide recommendations and help with recovery and restoring files. Note: To better understand the benefits of a multi-pronged approach, check out the on-demand webinar recording.

Once you've begun efforts to respond to the ransom request and restore operations, your next steps should focus on communicating with appropriate stakeholders and meeting your legal responsibilities. It's vital that these steps are approached properly to minimize blowback, negative media coverage, and potential fines. A structured, pre-prepared communication plan, included within your incident response plan, that defines communication channels, timing, and role-based notifications can better ensure a smoother and more successful response.

Depending on the size and structure of your ASC, the stakeholders may vary:

  • Internal team — Notify any members of your ASC leadership, legal team, and compliance team who are still unaware of the incident about what has happened and the go-forward strategy.
  • Department of Health and Human Services (HHS) — HIPAA states that in the event of a breach that affects PHI, you must notify HHS (and any affected individuals) within 60 days of the breach. It is generally wise to contact HHS as soon as possible and especially when incidents lead to significant data exposure.
  • Patients – Notify affected patients within 60 days following the discovery of the breach, as required by HIPAA. Some states have additional notification requirements. Explain to your patients the steps you are taking to resolve the issue and what you will do to prevent such an incident from occurring again. A direct and transparent approach to patient communications can help organizations rebuild trust with patients affected by the breach.
  • US Federal and State Agencies – Notify the Department of Health and Human Services (HHS). You must notify HHS within 60 days of the breach for data breaches affecting more than 500 individuals and on an annual basis for all other breaches. It is generally wise to contact HHS as soon as possible and especially when incidents lead to significant data exposure. Some states have additional notification requirements.
  • Media – For data breaches affecting more than 500 residents of a state or jurisdiction, HIPAA also requires notice in a prominent media outlet. Ensure messaging is consistent and clear. Consider hiring a public relations firm that specializes in cyberattacks for assistance. Some states have additional notification requirements.

The final step in dealing with a cybersecurity breach is recovery. In addition to getting your ASC to a place where it can resume its normal operations, it's important to debrief with your organization's cyber incident response team: What went well, and where did your organization struggle? Most importantly, what can you do to build resilience against future cyberattacks and strengthen your incident response plan? You may need to invest in a more resilient security infrastructure. If the breach was traced back to an action taken by a member of your staff, implementing stronger and more frequent cybersecurity training for all members of your organization can help prevent a similar incident from occurring in the future.

This article briefly highlights how organizations can respond to a cyberattack. For a more in-depth understanding, we invite you to experience Dr. Alcock's full presentation, which has been approved by the Board of Ambulatory Surgery Certification for 1 hour of AEU credit.
