In a day and age when cybersecurity is of the utmost importance, the easiest way to prevent a cybersecurity accident is to focus on the "low-hanging fruit," said HSTpathways CEO Tom Hui.
Mr. Hui spoke to Becker's ASC Review about cybersecurity in the surgery center setting and offered actionable strategies for improving ASC security.
One of the most common way centers are exploited is through phishing. Phishing occurs when an unauthorized third party attempts to gain access to a center's internal network through a fraudulent email or malicious attachment that gathers and logs a user's password.
For example, Mr. Hui relayed a scenario in which a cyber attacker posed as the CEO of a company and emailed the CTO, asking him to reset the CEO's password. The cyber attacker claimed the CEO was heading into a meeting and needed his password reset to access his email. The usual password reset process was ignored, and the CTO sent the cyber attacker a password reset link that granted him access to the entire company's network.
"[The CTO said], 'My CEO is in a bind, and I have less than 15 minutes to get this done,'" Mr. Hui said. "They broke every internal rule to do this. The CTO forwarded the reset of the password and [the cyber attacker was in]. There were no high-tech tools, it was just exploiting human behavior and the company's information was made available."
It's an extreme example of an all-too-common threat in the workplace.
It's also common for cyber attackers to exploit EHR logins. Surgery centers frequently employ visiting nurses. Mr. Hui said he has seen many centers create generic profiles for all visiting nurses instead of creating an individual profile for each visiting nurse.
"This is a no-no," Mr. Hui said. "[Creating multiple generic accounts] breaks so many rules because, from our point of view, you don't know who that is. If you were to audit who put in that data, you wouldn't know. It's something that should never happen, but it does happen. The account doesn't get changed, and if you were a temp nurse that didn't come back, you now have an active login."
Surgery center administrators often don't think their center will be targeted by a cyber attacker and fail to consider the long-term economic consequences associated with a cyberattack that can be mitigated with regular training.
Setting up an EHR system properly and requiring each individual employee to have their own profile and login, for instance, lowers the risk of a cyberattack at the expense of a few extra minutes of administrative taskwork.
Mr. Hui also elaborated on a commonly exploited scenario for surgery centers with in-house server hosting. When a surgery center shares a medical office space with other companies, routine server maintenance is hardly noticed or tracked. However, taking a lax approach to server maintenance can be disastrous.
On-site hosting exposes the entire medical office building to risk, because if a cyber attacker posing as a server technician gained access to the server closet, they'd have access to clearly labeled networks throughout the entire building, exposing confidential patient information.
The easiest way to mitigate all these risks is to prepare and execute, Mr. Hui said. Administrators should review their network policies frequently and train staff members on what to do in the event of a cybersecurity incident. The training should be frequently updated and shouldn't stop after a new employee is onboarded.
Administrators need to proactively approach cybersecurity. Mr. Hui recommends centers perform at least one in-service a year to train employees on cybersecurity policies and imaginary scenarios.
"No system is unhackable," Mr. Hui said. "We're dealing with people and human behavior, but [regularly reviewing policies can] give ourselves better odds."
For more information on Mr. Hui or HSTpathways, click here.