No homeowners willingly allow a burglar to enter their home and steal their most valuable possessions. Instead, people put locks on doors, install alarm systems, build fences, or keep big dogs. The thieves may still get in, but deterrents like these will reduce the risk of a successful burglary.
Ambulatory surgery centers (ASCs) should likewise think about security measures to protect their digital information. There may be no foolproof way to stop determined hackers. But why make it easy for them?
"You can and should decrease your cybersecurity risks," says Nelson Gomes, president and CEO of PriorityOne Group, which provides information technology (IT) services and solutions to healthcare organizations and other businesses.
Conducting a risk assessment, implementing protective devices and practices, and educating employees about the prevalence of hacking are essential action items for avoiding potential security breaches.
A clear and present danger
Statistics and news reports make clear that healthcare data is a priority target for cybercriminals. Although statistics may vary, the 2017 Annual Data Breach Year-End Review found that the business sector topped the list with 870 reported incidents, followed by the medical/healthcare sector with 374 breaches (23.7% of total breaches). The report was released by the Identity Theft Resource Center®, a nonprofit organization established to support victims of identity theft, and CyberScout®, a company that provides data and identity defense services.
"There is money to be made in hacking health information," says Federal Bureau of Investigation Supervisory Special Agent Timothy Russell, head of the criminal cyber squad in Boston. "If you are involved in healthcare, you are being researched, reconnoitered, and targeted."
Despite the facts, many healthcare systems are nowhere near ready for the remarkably sophisticated, well-structured, and highly successful organizations of criminal hackers. And it may be some time before they are adequately prepared, experts say.
Patient safety threat
Healthcare leaders must change their world view to see the relationship between cybersecurity and patient safety, says Gerard M. Nussbaum, Esq, a principal with Zarach Associates.
In June 2017, the Health Care Industry Cybersecurity Task Force reported to Congress that it believes preventing the theft of healthcare information is just as serious as preventing medical errors. "The healthcare system cannot deliver effective and safe care without deeper digital connectivity. If the healthcare system is connected but insecure, this connectivity could betray patient safety," its report states.
The biggest danger is not identity theft, supply chain disruption, or fraud, but the disruption to patient care and hospital systems from breaches of electronic health records, medical devices, tablets, and computer systems, says Theresa Meadows, senior vice president and chief information officer for Cook Children's Health Care System in Fort Worth, Texas. Meadows was cochair of the cybersecurity task force.
It may be only a matter of time before a cybercriminal works out how to shut down IV pumps or change medication dosages on the pumps if more is not done to protect healthcare system data.
"If we don't get in front of the problem, I think it could happen," Meadows says.
The 1999 Institute of Medicine (IOM) report, "To Err is Human: Building a Safer Health System," was a call to arms for patient safety. In the same vein, the cybersecurity task force hoped its report would galvanize both the public and private sectors to comprehensively address cybersecurity challenges to protect patients, Meadows says.
Although the response was not as immediate as that seen after the IOM report, a quiet momentum has been building during the last year, particularly in the Food and Drug Administration and the Department of Health and Human Services (HHS), Meadows says.
These agencies are looking at some of the cybersecurity report's recommendations, such as how new medical devices can be built so they can be patched and updated once in use. Private individuals have also formed committees to look for practical ways to implement the report's recommendations.
"I think the action is picking up, and we will be seeing more reports," Meadows says.
Building a secure system
Although even the most highly secured computer systems are still vulnerable to attacks, that does not mean healthcare administrators should just throw up their hands and ignore the problem, Nussbaum says.
Cybersecurity is often considered to be less important in small healthcare organizations than in large ones. However, smaller organizations, such as ASCs, may face even greater challenges and can be more vulnerable to attack because they typically have:
• an inability to devote time to monitoring security and patching systems
• budget limitations
• an overall less secure environment
• less technical security expertise.
Budget restrictions can hold healthcare administrators back from spending more on something intangible but necessary, like cybersecurity, than on staff providing direct patient care. The challenge is convincing them of the need.
The cybersecurity task force report found that healthcare leaders who have not experienced a serious breach or loss of data often do not see the value of cybersecurity expenditures. Many security professionals say it is difficult to convince leaders about the importance of cybersecurity and being proactive, which can in the long run limit possible patient harm, according to the 2017 report.
"It's really difficult to find a balance," Meadows says. "But there are many steps that can be done for little or no money to increase a system's cybersecurity defenses."
Indeed, the two most important steps ASC leaders can take are educating all employees about cybersecurity and conducting a cybersecurity risk assessment. At least then they will recognize risks, prioritize them, and hopefully start taking additional security measures, Meadows says.
The challenge in educating ASC staff is making cybersecurity relevant to their work. This can be done by using interactive campaigns that show how cyber breaches can potentially harm patient care.
For example, both Gomes and Meadows recommend conducting false "phishing campaigns." These are done by sending employees false emails to see if they respond. Meadows says her facility sends false emails saying that a package has arrived for an employee and instructing the person to confirm by clicking on a specified link.
If a staff member takes the bait, up pops educational material about how phishing works, what it does, and how to recognize it, Meadows says.
Cook Children's Healthcare System has used "lunch and learn" sessions during which staff go into an ICU room and are asked to point out potential cybersecurity breaches in all the equipment they see.
At the end of such an exercise, staff then want to know how they can better detect these breaches on their own, Meadows says.
Don't forget HIPAA
Education on the HIPAA Privacy Rule also needs to be continuously administered and reinforced. This information should include:
• proper handling of suspicious emails
• proper use of passwords
• inappropriate texts and social media posts sharing personal health information.
Other security steps that any healthcare organization can take but that specifically apply to small facilities include the following.
Choose a security leader
Small organizations like ASCs may not have the money to hire a full-time IT specialist. Most contract with IT security companies to keep their computer systems safe.
But experts agree that someone within the organization must be designated to oversee other security initiatives, such as employee training and education. This should be someone within the ASC who is willing to take on the additional role of leading cybersecurity planning and providing oversight.
Conduct a cybersecurity risk assessment
An assessment will reveal where systems are most vulnerable to attack. A security plan can then be built based on the assessment's findings. The plan should be tested at least annually, if not more frequently.
Also plan for how your ASC would respond to a successful cyberattack. "Do you have a plan so that you can do your core business function if your system goes down?" Russell asks.
Encrypt all your data and patch networks
There is no excuse not to encrypt data and keep patches current, Nussbaum says. Encryption is a method of scrambling data with an algorithm so that it is unreadable to anyone who does not have the encryption key. Patching is updating the computer software with a new version that enhances functionality or closes security vulnerabilities.
Oversee your IT vendor
The contracted vendor that provides IT and security services for your ASC should be held accountable. Do not assume this vendor is doing everything possible to secure and protect your ASC's data.
Purchase cybersecurity insurance
ASCs should purchase cybersecurity insurance. But before purchasing a plan, Gomes suggests asking if it covers ransom payment if a ransomware attack occurs.
Think ahead
Prepare for a possible security breach by anticipating what you will need to mitigate the loss of data. But remember the tried and proven military adage: "The best defense is a good offense"–even when the enemy is not visible. ✥
