While most cyberattacks you likely hear about are those directed at large organizations, cybercriminals are not just targeting big players.
This is critical for ASCs to understand. Assuming your center will automatically be safe because of its smaller size could lead to significant legal and financial trouble.
Statistics show that organizations of all sizes are at risk and in the crosshairs of cybercriminals. Almost a third of data breaches in 2020 involved small businesses, according to Verizon. The number of records exposed last year reached a high not seen since 2005. Most concerning for healthcare providers: There were nearly 600 healthcare data breaches in 2020, which is a 55% jump from 2019. In addition, the average cost per breach increased by about 10% to nearly $500 per breached record.
You might be asking: Why would cybercriminals be interested in small healthcare businesses like ASCs when larger organizations like hospitals and health systems have so much more valuable data? Smaller organizations are attractive because of their perceived security vulnerabilities. Larger organizations tend to invest heavily in security measures aimed at preventing breaches (although these measures are sometimes not enough to stop cybercriminals).
On the other hand, an ASC's information technology (IT) budget, including money for IT security, is typically much smaller. With fewer resources dedicated to IT security, small businesses generally lack enterprise-type security posture. This leaves them more vulnerable to a security breach since less work is generally required by cybercriminals to breach an ASC's systems.
Take action to strengthen your cybersecurity
Even without the IT and security budget of larger organizations, there are still ways ASCs can strengthen protection of sensitive patient and financial data. Here are six worth considering if you are not doing them already.
1. Schedule security awareness phishing campaigns
Phishing is one of the most effective online tactics used by cybercriminals today. In a phishing scam, criminals target victims with an e-mail that appears like it was sent by a trusted or believable source (e.g., organization leadership, partner vendor). These emails attempt to exploit "social engineering" and trick recipients into providing personal identifying information, such as usernames and passwords. Using this information, cybercriminals will attempt to open new or access existing accounts.
A security awareness phishing campaign is a training simulation tool typically provided by a healthcare IT firm. The campaign simulates a phishing attack and tracks how recipients (i.e., staff) respond. With the results, ASCs can better train employees on how to identify and report suspected phishing attempts. When scheduled regularly, such security awareness phishing campaigns are proven to be highly effective in increasing staff awareness of phishing and reducing the potential that they fall victim to the tactic.
2. Undergo regular dark web scans
Your ASC's digital credentials, such as usernames and passwords, connect staff to essential applications and online services. This is why digital credentials represent some of the most valuable assets found on "dark web." The dark web, frequently referred to as an "internet shadow world," is where largely untraceable communications and transactions occur. If your digital credentials end up here for sale, your ASC is more likely to experience a successful cyberattack and subsequent data breach.
Undergoing regular dark web scans that are performed by a healthcare IT firm can help you identify whether and which of your digital credentials have made their way onto the dark web. With this information, you can then change or remove credentials to decrease the threat and allocate more resources to staff training and security safeguards to help keep more digital credentials from being stolen.
3. Standardize antivirus, antimalware, and intrusion detection software
Installing computer security software remains a best practice to this day. Once you've installed the software, ensure these programs are kept current and licenses always remain active.
When researching software options, avoid installing free security software. These "freeware" programs typically lack critical security features of paid versions, including functions like automatic updates, ability to schedule routine scans, and identification of threats before they inflict damage.
4. Migrate to the cloud
ASCs are increasingly embracing cloud solutions for many good reasons, including enhanced security. If you use cloud data storage, responsibility for hosting, managing, maintaining, and securing the technology where data is stored falls on the shoulders of the healthcare IT managed services provider (MSP).
In addition, for its cloud computing services, the MSP will typically use a mix of risk management, monitoring, policies, technologies, and other resources and processes to help protect client data and applications from cybercriminals. The business model for cloud providers relies upon preventing data breaches and keeping customers satisfied, so MSPs are motivated to leverage solutions that will help keep data protected.
5. Implement two-factor authentication
You're probably already familiar with and using two-factor authentication, also referred to as two-step verification and multi-factor authentication. It is the security feature that requires users to provide two pieces of evidence (i.e., credentials) when logging in to an account.
Such credentials fall generally fall into three categories: something you know (e.g., password, PIN); something you possess (e.g., smartphone), and something you are (e.g., fingerprint). Two-factor authentication requires a user to provide credentials from two different categories but not two from the same category (e.g., two passwords).
Companies that recommend or are increasingly requiring two-factor authentication include financial institutions, email providers, Microsoft, Google, Apple, and healthcare companies providing services that involve sensitive data.
Two-factor authentication adds a highly effective layer of security that makes it more difficult for cybercriminals to log in as if they were an approved user. For any of your ASC's systems that store sensitive and protected health data, ensure two-factor authentication is required for users and cannot be disabled. If any of your systems are lacking two-factor authentication where it would help strengthen security, speak with your MSP or system vendors about options for activating it.
6. Perform a security risk assessment
ASCs, like all HIPAA-covered entities, must undergo regular security risk assessments. Such assessments serve a multitude of purposes, including analyzing your current IT environment and identifying troublesome security gaps. By receiving a security risk assessment, you will receive a list of your ASC's potential security vulnerabilities, guidance for improvement, potential technology investments that can help strengthen security, and a remediation plan with solutions for your security vulnerabilities. The assessment should be provided by a qualified, third party like a healthcare MSP to help ensure you receive a comprehensive and unbiased report.
Keeping cybercriminals at bay
These are just a few of the ways your ASC can strengthen its cybersecurity. Surgery centers should combine these and other recommended practices and solutions to better ensure data security remains a top priority and vulnerabilities are identified and addressed in a timely manner.
Cybercriminals are becoming savvier and developing new mechanisms and tactics to try to access and steal healthcare data. They are waiting for healthcare organizations of any size and type to take data security for granted. When even a small security vulnerability is identified by a cybercriminal, that can be the door to your network that they need. Once a cybercriminal gets in, getting them out of your ASC and repairing the damage they've done will likely prove to be difficult and expensive.
Nelson Gomes is an information technology veteran with 30-plus years of IT experience. He is the senior vice president of business development and general manager of New Jersey for Medicus IT, an award-winning healthcare-focused managed services.