Is your data completely secure? Cyber attacks can happen anytime and can be detrimental to your surgery center.
The surgical world is becoming more digital. It isn’t just that surgery centers have implemented electronic medical record (EMR) software. More surgical training is being done through augmented reality, patient information is being stored in the cloud, and patients and guests are visiting facilities each day armed with smartwatches and smartphones. There are so many opportunities for a cybersecurity breach.
Are Surgery Centers at Risk for Cyber Attacks?
Sure, large hospital conglomerates should be concerned about security threats. But why would a small, specialty surgery center be at risk?
“It 100% will happen to you,” says J.D. Keith, Network Security Analyst. “Small, independent companies are typically targeted in a cyberattack.”
A classic example of this is Target’s 2013 data breach. Hackers hit the store during the holiday season and obtained 40 million credit card or debit card numbers and affected 70 million customers.
However, while Target made headlines, the initial data breach wasn’t through the global corporation.
In fact, that data breach was traced back to a small HVAC company that serviced a Target location.
Why Are Surgery Centers Targeted For Cyber Attacks?
From 2021 to 2022, cyberattacks among specialty surgery centers rose from 23% to 31%. Healthcare organizations are the most targeted for security breaches, and surgery centers seem like an easy target due to smaller staff and fewer resources allocated to IT. This, paired with an ample amount of sensitive data stored on digital systems, makes surgery centers seem like the ideal target.
Sensitive data: Patient identification data, payment data, and access to medical device companies are reasons that surgery centers are an attractive target to hackers.
Critical infrastructure: After a data breach, it’s imperative that a surgery center be back up and running as quickly as possible. Many hackers will hold data hostage with a large ransom price tag on the data. Unfortunately, many desperate healthcare facilities will pay the amount to access their data.
Poor security: While healthcare facilities are extremely reliant on sensitive data, IT isn’t always a top priority. Especially with the hustle and bustle of a surgery center on a good day, it can be challenging to implement an infrastructure to keep all information safe.
And if your center gets hacked, not only could daily operations stop, but healthcare data breaches are also expensive. In fact, healthcare companies average $10.10 million per security incident, according to the Cost of a Data Breach Report.
Everyone working at an admin level of a surgery center should be alarmed by this possibility.
4 Things to Implement Now To Decrease Likelihood of Breach
While no one can be completely safe from an attack, Keith recommends starting with these 4 steps to secure your network.
1. Make Sure All Data is Encrypted.
All digital devices should be encrypted, which helps protect private information and sensitive data.
“An encrypted device means that if someone were to take your password, there are other authentication steps in place making the password worthless,” says Keith.
He goes on to say any device that holds patient data should be encrypted.
“Anything confidential about the person such as an address, hair color, or any data that describes someone needs to be encrypted and secured.”
2. Establish Policies Around Passwords.
One way to keep devices secure is by implementing policies and procedures around changing passwords often.
“Every 90 days passwords should reset,” says Keith. “All secure passwords should include alphanumeric special characters.”
Also, idle devices should go to sleep after a certain amount of time. For example, if a nurse steps away from a computer, it should go into password-protected sleep mode.
3. Conduct regular security training.
Yes, surgery centers are always busy; however, it’s critical to make time for security training sessions. Everyone needs to understand the risks involved with a cyber attack and how daily tasks could easily lead to compromised information.
“Pay attention to what you are doing,” says Keith. “It only takes one click of a link to infect an entire system.”
4. Organize a Phishing Campaign.
A phishing scam is a hacker trying to see what kinds of information they can gain online. This can be done by sending out several emails in hopes that one person will click on a link and expose their organization.
“Phishing is a way to collect data,” says Keith. “So the email will say something like ‘your Microsoft account is going to expire.’ But, instead of being sent by Microsoft, it’s a cyber attack hoping that one person will click the link.”
While no one can stop phishing attacks, there are ways to avoid this kind of attack. Implementing an email security system is a great way to block phishing attempts.
Mimecast is a great email security system that will ban and quarantine suspicious emails and keep your inboxes safe. In addition, this company provides lots of training resources for your employees.
How Your Employees Can Avoid Falling for Phishing
The best way to avoid phishing: training. Here are a few key things your employees need to know about phishing scams.
- Employees need to know that emails demanding immediate action or containing a link need to be checked. The first step is to look at the company name that sent the email. If there is a misspelling, that could be a good indication it’s a phishing scam.
- Check all attachments included in emails and do not open anything suspicious.
- If there is an urgency to purchase or update something, it’s probably a phishing scam. Often these emails will ask an employee to purchase several gift cards immediately.
Where to Begin Protecting Your Surgery Center from a Cyber Attack
The entire concept of cybersecurity and data protection is overwhelming. However, Keith has some advice on where to begin.
“Start by looking at all of your systems,” says Keith. “That will give you an understanding of weaknesses and what needs to happen from a security standpoint. After that, it’s crucial to write down policies and procedures when it comes to technology, data, and security.”
Surgery centers can also hire a Managed Security Service Provider (MSSP), which is an outsourced IT security company that can help make sure everything is secure as well as monitor your system for threats.
“You may have great software, but if one server goes down so does the entire surgery center,” says Keith.
Providing additional budget and resources for an MSSP can make or break a surgery center.
“One of the biggest risks outside of a cyber attack is receiving a fine from the OCR (Office of Civil Rights). If data is compromised or not secure it can result in a major fine,” says Keith.
Choosing the Right Partners to Prevent an Attack
As in the Target security breach mentioned above, the hackers targeted a third-party vendor. The same scenario can happen to your surgery center. Therefore, when you choose DME providers, it’s important to make sure the company has cyber security measures in place such as:
- Email security
- Full cyber security team that monitors everything
- Anti-virus software on all company devices
- Limits on USB devices, which can lead to viruses
Only partner with companies that will help your surgery center stay in compliance.