Protecting your ASC from cyberattacks: 10 steps to take now

While news reports tend to focus on cyberattacks directed at large organizations, cybercriminals are not only targeting big players — and thinking your ASC is automatically safe because of its size could get you into big legal and financial trouble.

Statistics show that all organizations are at risk: data breaches in healthcare totaled over 112 million records in 2015, and approximately 35% of the entire U.S. population's health records were compromised in 2015. In fact, 91% of all healthcare organizations reported at least one data breach over the last two years.

When you look at the federal government's "wall of shame" (i.e., the HHS Breach Portal), which lists organizations with breaches of unsecured patient health information affecting at least 500 individuals, there are more than 300 reports of breaches affecting fewer than 1,000 individuals.

An NPR report revealed that a single Medicare number was worth close to $500 on the black market. At that rate, even stealing just a few hundred records can be quite profitable for cybercriminals — which makes ASCs an appealing target.

What also makes ASCs attractive to cybercriminals are their likely security vulnerabilities. Larger organizations tend to invest heavily in security measures to prevent breaches (although sometimes even these measures are not enough to deter cybercriminals). An ASC's information technology (IT) budget, including its budget for IT security, is typically much smaller than that of a big organization. With fewer resources dedicated to IT security, ASCs lack enterprise-type security measures and are more vulnerable to a breach, because less work is required of cybercriminals to get into an ASC's systems.

What to do
Even though ASCs typically lack the IT and security budget of larger providers, there are still many steps surgery centers can — and should — take to better ensure the security of their patient data. Here are 10 to take now.

1. Standardize antivirus/antimalware and intrusion detection software. Once installed, make sure these programs are kept up to date, and ensure licenses are active (i.e., renew them before they expire).

Note: Be careful of installing free security software (i.e., "freeware"). Oftentimes, free programs lack critical features of paid versions of software, including automatic updates and the ability to schedule routine scans. Free versions are also often reactive, meaning they only address threats after they have attacked and had an opportunity to inflict damage.

2. Ensure portable workstations remain secured. In our "always-connected" society, many physicians will often need to travel with their computers. However, sometimes these laptops will travel by themselves. The price tag associated with losing patient data has reached astronomical heights.

Consider making sure all devices are encrypted to protect data. Not only is this a smart security measure, but encrypting data can help you to avoid a HIPAA penalty. The loss or theft of an encrypted device is not considered a breach.

Note: It is wise to avoid putting patient data on laptops. As Verizon noted in its "2016 Breach Investigations Report," laptops are usually the most common type of device stolen or lost.

3. Access patient records from outside the ASC securely. Your center should have a secure authentication method (with dual, or two-factor, authentication as the preferred method) for remote access to its systems. If it does not, remote access should not occur under any circumstance.

4. Train staff in HIPAA rules and regulations. As Wiks Moffat, president of MedSafe, notes, effective training and education is such an important step that the Office of the Inspector General and U.S. Department of Health and Human Services have included it in their "seven fundamental elements of an effective compliance program." Staff education, identified as element number three, is the cornerstone of your compliance program. It is important to also address elements one and two: write your policies and procedures customized and specific to your ASC and appoint a compliance officer and compliance committee respectively.

ASCs and the employees who violate the rules due to lack of education make themselves inviting targets for new enforcement initiatives and higher fines under the Health Information Technology for Economic and Clinical Health (HITECH) Act. One of the best ways for ASCs to avoid being targeted and to perform well during an audit is to train all employees and document the training, Moffat advises.

Training in privacy, security, unsecured breaches and regulations, and how these laws affect your ASC, is critical. All employees need to understand how the laws affect them and their responsibilities. As with any standards and laws, someone must be in a position to monitor, update, document and train staff on the rules and guidelines. More importantly, staff need to know who is responsible and who to go to should an issue arise.

Note: Do not forget to train new hires as they come on board, and it is recommended to provide training annually at a minimum.

5. Cease use of unsupported operating systems and software. Older versions of operating systems and software (e.g., Windows XP, Microsoft Office 2003 and many other applications) eventually become ineligible for updates and patches — they reach their "end of life" (EoL). Why is that important?

Such updates and patches serve many purposes, but the most critical is that updates — specifically security updates — protect a computer from security vulnerabilities. Without security updates and patches, computers running these systems and programs are vulnerable to ongoing security risks.

If your ASC uses computers with an EoL system or programs for anything involving protected health information, the ASC effectively becomes non-compliant with HIPAA and the HITECH Act. You should work with your IT partner to upgrade to a newer version of the software prior to the EoL date. Failure to do so could leave your IT systems at risk: a cybercriminal may attempt to exploit the software's vulnerability and gain a connection to your computer.

Note: Are you using computers with Windows Vista or Office 2007? Support for Vista ends April 11, 2017, and support for Office 2007 ends October 10, 2017, so you will want to transition to newer versions prior to those dates.

6. Choose the right practice management and EHR — and use it to your advantage. If you're evaluating systems, make sure any you are considering include all recommended security features, such as defined access privileges and data encryption. Once you select a system, or if you have one already, make sure these security features are activated and your ASC is using them to their full potential.

If you are unsure whether your systems are doing all they can to help with your security efforts, speak with your vendor.

7. Institute a password complexity policy. Simple passwords are one of the leading causes of breaches. The use of "weak" and common passwords is so concerning that Microsoft recently announced it is banning the use of such passwords across platforms that include Office and Skype.

It is imperative for ASCs to develop a password complexity policy and make it a requirement. The policy should state the rules for passwords used to access any ASC data. These requirements may include the use of a mix of uppercase and lowercase characters, numbers and non-alphanumeric characters (e.g., !, @, #, $, %, &); it may also require that passwords do not include users' names or birthdates.
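As an added illustration (not part of the original article), the following Python function enforces the rules the item above lists: mixed case, a digit, one of the listed non-alphanumeric characters, and no fragment of the user's name or birthdate. The 12-character minimum and the set of birthdate spellings it checks are assumptions, since the article does not specify them.

```python
from datetime import date

MIN_LENGTH = 12                 # assumed minimum; the article states no length
SPECIALS = set("!@#$%&")        # the non-alphanumeric characters the article lists


def _birthdate_forms(birthdate: date) -> set[str]:
    """Spellings of a birthdate that commonly end up in passwords (assumed list)."""
    y, m, d = birthdate.year, birthdate.month, birthdate.day
    return {
        f"{y}",                      # 1985
        f"{m:02d}{d:02d}",           # 0314  (MMDD)
        f"{d:02d}{m:02d}",           # 1403  (DDMM)
        f"{m:02d}{d:02d}{y}",        # 03141985
        f"{m:02d}{d:02d}{y % 100:02d}",  # 031485
        f"{y}{m:02d}{d:02d}",        # 19850314
    }


def check_password(password: str, user_names: list[str], birthdate: date) -> list[str]:
    """Return every policy violation found; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no non-alphanumeric character (e.g. ! @ # $ % &)")
    lowered = password.lower()
    for part in user_names:              # e.g. ["Jane", "Doe"]; case-insensitive match
        part = part.lower()
        if len(part) >= 3 and part in lowered:
            problems.append(f"contains user's name '{part}'")
    for form in _birthdate_forms(birthdate):
        if form in password:
            problems.append(f"contains birthdate fragment '{form}'")
            break                        # one report is enough
    return problems


if __name__ == "__main__":
    # Constructed sample user, not a real person.
    names, dob = ["Jane", "Doe"], date(1985, 3, 14)
    for candidate in ("janedoe1985", "Sunlit#Harbor42"):
        print(candidate, "->", check_password(candidate, names, dob) or "OK")
```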

8. Do not use Social Security numbers as a patient's unique identifier. While it was once commonplace for healthcare providers to identify patients using Social Security numbers (SSNs), more organizations are moving away from the practice — and your ASC should do so as well if it has not already.

There are many reasons not to use an SSN to identify a patient. For example, if healthcare data is stolen and it includes patient SSNs, cybercriminals can more easily steal identities and commit fraud. As another example, registration staff often verbally ask patients for identification information. If patients are required to say their SSN aloud, people nearby will be able to hear it.

9. Act fast on staff changes. When staffing changes occur and team members leave your facility, immediately remove these users from your IT systems or change their status to inactive. Even if a member of your staff leaves on good terms, you should not wait to change their status. Not only will waiting leave your systems more vulnerable to cyberattacks, you may ultimately forget to remove the account altogether, which prolongs the vulnerability.

It is wise to add an IT termination checklist to your current employee termination policy and procedures, and follow it with every member of your staff. It is also worthwhile to involve IT in your off-boarding process. This will reduce the likelihood of missing a change that could allow a former employee to maintain access to your systems and data.

10. Conduct regular IT security audits. An IT security audit is a comprehensive review and examination of the IT used within an ASC. The audit is primarily intended to detect security and compliance gaps. IT security audits should be conducted by a qualified third party, regardless of whether an ASC has an IT provider in place. A third party is more likely to provide a truly objective report.

Some organizations choose not to conduct such audits as a means to save time and cost, but this is a mistake, and one that can cost the ASC much more time and money than what was saved by skipping audits.

Cybercriminals are becoming more savvy every day. They are hoping organizations will take IT security for granted. Even a small gap in security can be the opening a cybercriminal needs to gain access to your network. Once in your network, it is likely only a matter of time before the cybercriminal accesses critical patient and financial information, which will be a difficult — and expensive (the average cost of a healthcare breach has been estimated at $363 per exposed personally identifiable record) — situation to resolve.

Nelson Gomes is a seasoned information technology veteran who has spent the past 15-plus years specifically focused on healthcare and has more than two decades of IT experience. He is the founder of PriorityOne Group. His method of leveraging technology to help healthcare providers deliver higher-quality care while maintaining IT security has made him a sought-after thought leader who is frequently called upon for his expertise by professional groups, associations and publications.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.