OR Manager - July 2018 - 31

AMBULATORY
SURGERY CENTERS
to their work. This can be done by
using interactive campaigns that show
how cyber breaches can potentially
harm patient care.
For example, both Gomes and
Meadows recommend conducting false
" phishing campaigns. " These are done
by sending employees false emails to
see if they respond. Meadows says her
facility sends false emails saying that
a package has arrived for an employee
and instructing the person to confirm by
clicking on a specified link.
If a staff member takes the bait, up
pops educational material about how
phishing works, what it does, and how
to recognize it, Meadows says.
Cook Children's Healthcare System
has used " lunch and learn " sessions
during which staff go into an ICU room
and are asked to point out potential
cybersecurity breaches in all the equipment
they see.
At the end of such an exercise,
staff then want to know how they can
better detect these breaches on their
own, Meadows says.
Don't forget HIPAA
Education on the HIPAA Privacy Rule
also needs to be continuously administered
and reinforced. This information
should include:
* proper handling of suspicious
emails
* proper use of passwords
* inappropriate texts and social
media posts sharing personal
health information.
Other security steps that any
healthcare organization can take but
that specifically apply to small facilities
include the following.
Choose a security leader
Small organizations like ASCs may not
have the money to hire a full-time IT
specialist. Most contract with IT security
companies to keep their computer
systems safe.
But experts agree that someone
within the organization must be desigwww.ormanager.com
Teach
staff how data breaches
threaten patient safety.
nated to oversee other security initiatives,
such as employee training and
education. This should be someone
within the ASC who is willing to take on
the additional role of leading cybersecurity
planning and providing oversight.
Conduct a cybersecurity risk
assessment
An assessment will reveal where systems
are most vulnerable to attack. A
security plan can then be built based
on the assessment's findings. The
plan should be tested at least annually,
if not more frequently.
Also plan for how your ASC would
respond to a successful cyberattack.
" Do you have a plan so that you can
do your core business function if your
system goes down? " Russell asks.
Encrypt all your data and patch
networks
There is no excuse not to encrypt data
and keep patches current, Nussbaum
says. Encryption is a method of scrambling
data with an algorithm so that it
is unreadable to anyone who does not
have the encryption key. Patching is
updating the computer software with a
new version that enhances functionality
or closes security vulnerabilities.
Oversee your IT vendor
The contracted vendor that provides
IT and security services for your ASC
should be held accountable. Do not
assume this vendor is doing everything
possible to secure and protect your
ASC's data.
Purchase cybersecurity insurance
ASCs should purchase cybersecurity
insurance. But before purchasing a
plan, Gomes suggests asking if it covers
ransom payment if a ransomware
attack occurs.
Think ahead
Prepare for a possible security breach
by anticipating what you will need to
mitigate the loss of data. But remember
the tried and proven military adage:
" The best defense is a good offense " -
even when the enemy is not visible. ✥
Janet M. Boivin, BSN, BSJ, RN, is a
freelance health writer/editor in the
Boston area.
References
2017 Annual Data Breach Year-End Review.
https://www.idtheftcenter.org/
images/breach/2017Breaches/2017
AnnualDataBreachYearEndReview.pdf.
Curren S. Better Protecting the Healthcare
System-and, Ultimately, Patient
Care-Against Cyberattacks.
June 2, 2017. https://www.hhs.
gov/blog/2017/06/02/better-protecting-healthcare-system-againstcyberattacks.html.
Gomes
N, Russell T. ASC Cyber Security
Guidance from the Front Lines. Presented
at 2018 ASCA Conference.
Health Care Industry Cybersecurity Task
Force. Report on Protecting Cybersecurity
in the Healthcare Industry.
June 2017. https://www.phe.gov/
Preparedness/planning/CyberTF/
Documents/report2017.pdf.
Related Content
For more on this topic, see these OR
Manager articles:
* Top 10 health technology hazards for
2018 named (February 2018; 20-21)
* Ransomware attacks: How to
protect your medical device
systems (September 2017; 19-21)
* Top 10 health technology hazards for
2017 named (February 2017; 24-27)
* Wearable technology brings both
benefits and risks to the OR
(August 2016; 16-19)
OR Manager | July 2018
31
https://www.idtheftcenter.org/ https://www.hhs https://www.phe.gov/ http://www.ormanager.com
OR Manager - July 2018

Table of Contents for the Digital Edition of OR Manager - July 2018
