Q&A with Dr. Paul M. Alcock, Chief Information Security Officer at Surgical Information Systems.
Dr. Paul Alcock, Chief Information Security Officer for Surgical Information Systems (SIS), recently hosted a webinar on "The Growing Threat of Cyberattacks: How to Better Protect Your ASC." During the program, he explored a range of topics, including the current state of healthcare cybersecurity, what makes ambulatory surgery centers (ASCs) appealing targets for cyberattacks, current cybercriminal tactics and techniques, controls that can decrease the risk of a successful cyberattack, and steps to recover from an attack. He also shared resources to help ASCs with cybersecurity preparation and response.
The audience was engaged and asked great questions during the Q&A portion of the program. For those questions Dr. Alcock did not have time to answer, he provided responses in writing. Below are the highlights of those questions and responses, edited for readability. To view the on-demand webinar, please visit the SIS Resource Library.
Q: How important is multi-factor authentication (MFA) for ASCs?
Dr. Paul Alcock: In today's rapidly evolving cybersecurity landscape, relying solely on usernames and passwords is no longer sufficient to protect the sensitive information housed within ASCs. Traditional login credentials can be easily compromised through phishing attacks, data breaches, or simple human error. In healthcare environments, where patient data and medical records are at stake, the consequences of unauthorized access can be severe. This is why implementing multi-factor authentication (MFA) has become crucial. MFA adds an extra layer of security that significantly reduces the likelihood of unauthorized access, even if usernames and passwords are compromised.
MFA should be a cornerstone of any comprehensive ASC cybersecurity strategy, not just for its ability to deter external threats, but also for its efficacy against internal threats and compliance with regulatory standards like HIPAA. Implementing MFA is like adding an additional lock to your digital assets, serving both as a deterrent and an early warning system against unauthorized access.
Given the value and sensitivity of the data ASCs handle, MFA is more than just a best practice — it's a necessity for maintaining the integrity and security of healthcare operations.
Q: What's your take on using cloud services for storing patient data?
PA: If you're considering using cloud services to store patient data in your ASC, it's essential to understand that security is a shared responsibility. While your cloud provider will help ensure the foundational security of the infrastructure, it's up to you to secure the data you store there. Think of it like renting a safe deposit box: The bank ensures the vault is secure, but you're responsible for what goes in your box and who has access to it.
When considering cloud services, it's not enough to assume that a reputable provider will automatically be secure and compliant. You must do your due diligence. Make sure to ask your potential cloud providers if they have undergone third-party security assessments like SOC 2 or HITRUST. These certifications should apply to both the cloud application you're using and the hosting facility itself, not just one or the other. By checking these certifications and understanding the division of security responsibilities, you can be confident that you're taking the appropriate measures to safeguard your patient data and business effectively.
Q: How can we educate our vendors and third-party service providers about cybersecurity?
PA: Educating vendors and third-party service providers about cybersecurity is crucial, especially in a sensitive industry like healthcare. First, it's vital to recognize that cybersecurity is a shared responsibility. Your organization's security posture is only as strong as its weakest link, which often can be an uninformed third party. A practical first step to take is to include cybersecurity clauses in contracts and service-level agreements (SLAs). This sets the expectation right from the outset and can provide a framework for what cybersecurity measures need to be in place.
Given that cybersecurity is an ever-evolving field, continuous communication is key. Regularly update your vendors and third-party service providers about any changes in your security policies and inquire about updates to theirs. An annual or bi-annual review meeting focused on cybersecurity can also be beneficial to ensure everyone is on the same page.
In summary, take a proactive, transparent, and continuous approach to educate your third parties. Setting expectations, providing resources, and insisting on third-party validations are essential steps in ensuring that everyone involved is contributing to a more secure healthcare environment.
Q: How does cybersecurity insurance fit into an ASC's risk management strategy?
PA: Cybersecurity insurance is becoming an increasingly integral component of an ASC's risk management strategy. At its core, cybersecurity insurance is designed to help mitigate financial losses resulting from cyber incidents, be it a data breach, ransomware attack, or other cyber threat. Especially in healthcare, where patient data is sensitive and highly regulated, having a safety net in the form of insurance can be invaluable.
However, obtaining cybersecurity insurance can come with its own set of challenges. In recent years, given the rise in cyber incidents, insurance providers have become more stringent in their underwriting processes. They often require organizations to demonstrate fundamental security controls before providing coverage. For ASCs, this means having robust cybersecurity policies, regular risk assessments, up-to-date software, MFA, and staff training programs, to name a few. It's not just about showing that you have these controls in place but also about providing evidence that they're being effectively implemented and regularly reviewed.
Q: How can we make cybersecurity a part of our organizational culture?
PA: Embedding cybersecurity into the organizational culture of an ASC is crucial, especially given the sensitivity of healthcare data. Making cybersecurity a cultural norm begins with leadership. Leaders must not only champion cybersecurity initiatives but also demonstrate a commitment by incorporating security practices into their daily operations.
Start with regular and consistent education and training for all staff, not just those in information technology (IT) roles. This means conducting regular cybersecurity awareness sessions, which can include understanding common threats like phishing, best practices for password management, and the importance of timely software updates. Make these sessions interactive, with real-life examples, quizzes, and feedback loops, so they resonate more with non-technical personnel.
Moreover, ensure open lines of communication. Create an environment where employees feel comfortable reporting potential security concerns or incidents without fear of reprisal. Celebrate and acknowledge those who take proactive steps in cybersecurity, be it by reporting suspicious emails or suggesting improvements in security protocols. Positive reinforcement can foster a sense of collective responsibility.
Additionally, integrate cybersecurity into onboarding processes for new hires. Make it clear from day one that cybersecurity is everyone's responsibility and that everyone plays a role in protecting the organization. Offering tools and resources, like cheat sheets or quick reference guides, can also help staff remember and implement best practices in their daily tasks.
Lastly, review and update policies regularly, seeking input from various departments, including those who are on the front lines of patient care. This inclusive approach ensures that cybersecurity measures are practical and do not hinder day-to-day operations, making them more likely to be embraced by the entire team.
To truly embed cybersecurity into the culture of an ASC, it must be approached as a collective effort. By fostering an environment of continuous education, open communication, and shared responsibility, you can ensure that cybersecurity becomes second nature to everyone in your ASC.