HSTpathways CEO Tom Hui told Becker's ASC Review what surgery centers should do to improve their cybersecurity training programs and identified areas administrators can target to make improvements.
Note: Responses have been lightly edited for style.
Question: What does a cybersecurity training program look like, and how can administrators implement one in their centers?
Tom Hui: I want to strongly emphasize that in the case of a breach, an ASC organization will have greater defense if employees have gone through cybersecurity training programs.
As a first step, most ASC organizations will want to hire an expert to conduct cybersecurity training, as most administrators won't have the cybersecurity knowledge to create a training program. The second step is to identify how often the training program needs to be conducted.
Human resources should own the training program and make it available to all ASC facility employees. It will need to offered quarterly or semi-annually. Quarterly may be too intrusive for some organizations. Semi-annual refresher courses may work well for most organizations, but let me emphasize there is no right or wrong on frequency. Most importantly, all training should be documented for each employee.
Q: What are the most important aspects for training to focus on?
TH: The training curriculum should include:
- Definition of patient health information tohelp people understand the scope of patients' data
- Common ways hackers attempt to breach cybersecurity
- Faxing patient information; facilities mistakenly fax patient information to the wrong number
- Use of email; most surgery centers do not send encrypted emails
- A checklist to determine the state of the internal network
- The low-hanging fruit, which is the personal and bad behavior of workers
Q: Is there something surgery centers can do today to make an immediate impact?
TH: I have two recommendations. Most importantly, address the single point of failure by having multiple backup systems and staff in place – at least three layers deep on your team. If you have a security or risk officer managing cybersecurity, you will want to have two layers of security underneath each person. You have then created a process that will be consistent and persist over time.
Second, it's important for HR to periodically go through and authorize their network accounts. If someone changes jobs, should they still have access to patient accounts? Terminated employees or employees with different roles should not have access to practice management systems. This is a very real problem today. Administrators need to manage user accounts. There needs to be a consistent review of user accounts and to make this review checklist part of an organization's annual process. This is a perfect example of low-hanging fruit.
