EXECUTIVE SUMMARY

Cybercriminals have attacked hundreds of healthcare organizations in recent years, including surgery centers.

  • Phishing scams, in which an employee is targeted with a spurious phone call or email, remain common.
  • Cybersecurity plans are needed to educate staff on how to prevent attacks and what to do when one occurs.
  • Surgery centers should conduct an annual vulnerability assessment to learn about weaknesses in the business that need correcting.

Cybercriminals go after small businesses, especially those in the healthcare industry, because they are easy targets. One breach can be very time-consuming and costly.

The U.S. Department of Health and Human Services lists more than 470 cyberattacks executed on healthcare organizations over the past two years. Many of these are smaller healthcare businesses, including surgery centers. (Read more about these episodes at: http://bit.ly/2JBkJZj.)

“They’re more susceptible because they do not have a lot of the tools and security measures necessary to protect themselves,” says Nelson Gomes, CEO of PriorityOne Group in Rutherford, NJ, of small healthcare businesses. Gomes speaks at national surgery center conferences about cybersecurity, and PriorityOne is a provider of integrated managed information technology services for healthcare organizations.

A surgery center is only as secure as its weakest link — employees who are uneducated about phishing scams. These days, phishing scams are more complex than ever. Scammers engage in social engineering. For instance, a phisher might research an employee’s specific interests and education online, perusing the person’s social media accounts.

One scenario could play out this way: A surgery center’s chief financial officer or business director lets people know through social media that he or she is leaving town for vacation next week. The cybercriminal learns of this and finds out who is filling in on that job. Then, the phisher breaks into the director’s email and sends the fill-in person an email that appears to be from the director. The email reads something like, “Please pay Jeff for this invoice when it comes in this week.” A day later, the invoice arrives, and the director’s email says, “Hi, it’s me. Jeff and I are colleagues, and you need to send a payment for $5,000.”

The common-sense thing to do is call the director to verify, but employees rarely do this. “There should be an incident response plan or cybersecurity plan in place to say that if I’m out of the office, there needs to be two signatures before someone pays a bill,” Gomes offers.

Likewise, staff should be educated about what to do when they receive an email that seeks username and password information. “All they need is the person’s credentials,” Gomes says. “I could phish you, send you an email, and get information about what you are doing and who you are.”

Once the phisher convinces a person that the email is legitimate, and the employee inputs the password and username, the phisher has what is necessary to hack into the business’ computers. For example, a cybercriminal might send an email that looks as though it is from Office 365. The message asks the target to re-enter the password and username. Once the person enters this information, the hacker uses the same information to obtain access to the business account. Many people use different passwords and emails, but there always are some who will use the same information for different accounts, Gomes explains.

“All they need is for one person out of an organization to do that,” he says. “The opportunity is there.” Surgery centers can prevent and prepare for a cyberattack by following these steps:

Strengthen cybersecurity. A surgery center’s IT department or contractor should require all staff to reset their passwords every six months. New passwords should be strong and not used in any other application. Plus, there should multifactorial authentication. This typically means there will be a text message sent to the user to verify his or her identity. Still, phones are vulnerable to cloning, so other authentication methods could be devised, Gomes says.

“The way hackers work is if they have to spend too much time breaking into your system, they’ll skip it and move on to the next one,” he adds.

Conduct annual vulnerability assessments. Gomes suggests hiring a third party to perform a security assessment. For instance, a cybersecurity expert could test staff’s ability to withstand a phishing campaign by conducting a test attack. This way, the IT expert can see what percentage of staff were fooled into opening their emails and computers to potential hackers.

“When we do an assessment, we go over it with organizations to say, ‘Here’s what we found. Here are the gaps, and here’s what you need to do,’” Gomes says.

Then, the organization can target the staff who were scammed and provide them with additional training and information about cybersecurity. Annual vulnerability assessments should be part of an ASC’s disaster recovery continuity plan, which is necessary to ensure a surgery center can recover its information and return to normal business as quickly as possible.

Train staff. Teach employees how to be wary of emails and pop-ups, even if they seem to know what the employee likes or does. Before clicking, check with the IT department. Surgery centers also can provide video training about smart security measures.

Create incident response plan. Most surgery centers lack an incident response plan (IRP). “If you don’t have that in place, how do you know what to do if you’re hacked?” Gomes asks.

Surgery centers need to put certain procedures in place in the event of a cyberattack. Creating an IRP will make it easier to respond, and it will ensure the surgery center returns to business as usual faster. The plan should include actions the center will take in the event of a breach. What will leadership do? What will the business office do? How will affected people, including patients, be notified?

“You need to keep revisiting the plan and decide what to do in the case an incident happens,” Gomes adds.

Buy cybersecurity insurance — with caution. Healthcare organizations often lack the right cybersecurity insurance, Gomes says. “It might cost a couple thousand more per year, but the right insurance is worth it.”

The right kind of cybersecurity insurance will help cover the costs of a breach, including a forensics team investigation and mitigating damage to the surgery center’s reputation. The insurance company can send notifications to patients whose data were affected during the breach, letting them know of the breach and how it is being handled.

“If you have 500,000 patients in the database, you have to send out 500,000 letters, and that can be a nightmare logistically for you to do,” Gomes notes.

Protect against ransomware attacks. Several years ago, there were multiple reports of healthcare organizations paying tens of thousands of dollars to retrieve their data after ransomware attacks. Today, organizations are protecting themselves from these attacks better, but they still will be vulnerable as long as there is money to be made, Gomes notes.

“If your system is compromised or encrypted through a ransomware attack, you need to have the right system to bring everything back,” he explains. “When you bring everything back, you’re back in business, but how many days of business did you lose?”

A surgery center might create a data recovery backup plan, but how often is the plan tested? Also: If a surgery center’s database is held hostage by a ransomware attack, it could be tempting to pay the attackers to regain access to the data. But if the surgery center pays the ransom, the center has set up itself to be attacked again, Gomes warns.

“You pay it once, you’ll pay it again,” he says. “Do what you can to not be susceptible anymore and to make sure it doesn’t happen again.”

Check with business associates about their cybersecurity. Some cyberattacks in recent years have involved healthcare business associates. For instance, in July 2015, there was a breach at a medical software company, compromising nearly 4 million users’ Social Security numbers and health records. There is little surgery centers can do to prevent these third-party breaches. But they can ask their vendors for information about cybersecurity plans and practices.

“A prime example is a billing company that is a business associate and can connect to the surgery center’s system,” Gomes says. “Ask them what kind of insurance they have in place to protect their clients.” Billing systems are targeted because they contain data from hundreds of healthcare organizations; their own cybersecurity should be robust. “Managed service providers [MSPs] are another huge target,” Gomes says. “We support 70-something companies, and 90% are healthcare clients.” Gomes knows of several MSPs that were breached, causing all their clients to be attacked with ransomware.

“They had back-ups, but they had to spend months or weeks to get their servers up and running.”

These risks are why it is crucial to select business associates carefully, checking out their cybersecurity processes before going into business with them.