10 critical security safeguards for ASCs to know

In collaboration with Surgical Notes - Print  |

At Surgical Notes, we understand there is an inherent risk when ASCs outsource their critical business processes and data.

A breach by proxy can damage client confidence and lead to fines, penalties, lost revenue and worse. It's why we take our responsibility seriously to protect the data entrusted to us. To do so, we have implemented vigorous administrative, physical and technical controls. These are protections that all ASCs should know about and expect any partner that handles their sensitive data to leverage. In addition, surgery centers should strongly consider adding these defense mechanisms to further strengthen their security posture.

Here are 10 of the most critical security safeguards with key questions to ask.

1. Antivirus and antimalware. It's long been best practice to use antivirus and antimalware software. That remains the case today. ASCs should ensure this software is on their endpoint devices, workstations, servers and all other machines handling sensitive data.

But a growing trend is seeing movement beyond this "legacy" technology. There are now what can be considered "next-generation" solutions. We use endpoint detection and response tools designed to defend every endpoint against the more sophisticated attacks. This is a more intelligent solution that leverages pattern recognition (i.e., artificial intelligence/machine learning) to help quickly identify, isolate, and remediate issues if they do occur.

2. Awareness training. Are you routinely training your employees on security best practices? Are you training them on how to identify phishing emails? Are you running regular simulation tests and exercises to assess staff security knowledge? These are just a few of the areas that would fall under awareness training. Consider that about 9 out of 10 security attacks today begin with the pressing of an index finger. That's someone clicking on a link within a phishing email that installs ransomware or unknowingly gives their password away. With phishing and ransomware attacks on the rise, security awareness must be a major focus for everybody. ASCs can leverage a variety of free and paid services that can strengthen awareness training.

Another essential best practice is to act quickly if a team member falls for a phishing email. This will not only protect your data but also deliver the remedial training that can help ensure an incident does not occur again. Acting fast allows you to associate a learning activity more effectively with the mistake made by the staff member. The closer these can be brought together, the more impactful the training will be as opposed to following up weeks later when the incident will be less fresh in the team member's mind.

3. Backups. All ASCs should be backing up their data. But that's just one step in the backup process. Key questions to ask concerning backup security: Are your backups disconnected and inaccessible from your organization's network? Are they secured with different access credentials from other administrative credentials used within the environment? Are you testing your ability to restore and recover those backups as needed?

4. Encryption (at rest and in motion). Encryption is essentially the process that takes data and turns it into unreadable text. It's designed to protect information even in the event of a breach or theft, ultimately leaving the data useless to anyone who obtains it. ASCs should use encryption for data that's at rest and data that's in motion. Data at rest is electronic data, stored on a device, that's not being transferred from one endpoint to another. Data in motion is electronic data that's being transferred.

A few considerations for data at rest: Do you have full disc encryption on all workstations? Do you have transparent data encryption at your database layer? Are your backups encrypted?
A few considerations for data in motion: Are you using a minimum 256-bit AES encryption for all your transmissions over a public and/or an internal network? Do you have data loss prevention solutions in place to notify you when certain sensitive data is moving outside of your organization? Are you using a secure messaging platform?

5. Multifactor authentication (MFA). By now, MFA is commonplace in our lives. Sometimes referred to as two-factor authentication, it's the extra step required to access an account. The multiple factors typically involve something you know (e.g., password, pin, pattern) and something you have (e.g., fingerprint, cell phone). Sounding familiar? Financial institutions, companies like Apple and Google, social media networks, and many other companies now require or strongly advise the use of MFA.

Now you can add Surgical Notes as a company that recommends MFA. Two areas where it's strongly recommended for ASCs: all privileged user accounts and all remote network connections.

6. Patching. In simple terms, patching is the process to repair a problem or flaw in software. A patch can help a program perform better. From a security standpoint, patching is intended to eliminate vulnerabilities that can be exploited by cybercriminals. Some important questions about your patch management process: Are you regularly patching operating systems on workstations and servers? Do you have a process to ensure critical software security patches are completed in an expedited timeframe (usually within 30 days or less)? Are you patching third-party applications?

7. Third-party risk assessments. Members of our team have written about the importance of an ASC revenue cycle assessment, noting that it's designed to take a deep dive into an ASC's revenue cycle metrics and processes to discover issues that may be negatively affecting cash flow. A security risk assessment is a similar process, only it dives into an ASC's IT infrastructure to discover vulnerabilities and opportunities to strengthen controls. And like a revenue cycle assessment, a risk assessment should be performed by a qualified third party.

Why? While there's nothing wrong with performing internal risk assessments as they can help spot problems, an ASC should get a second set of unbiased eyes on its IT environment. The provider of an external security risk assessment will likely take a different approach than the internal risk assessment and can help identify additional gaps that may exist. An ASC will also benefit from the expertise that the provider brings to the table.

8. Vendor management. You know the idiom, "A chain is only as strong as its weakest link?" That's true for ASC security, and one of the links that can be easily overlooked is those partner vendors that handle sensitive center data. If a partner vendor is compromised, then your ASC's data can be compromised.

That's why a critical component of an ASC's vendor management program should require the same or a higher level of safeguards and controls that you have instituted for your center. It's also beneficial if you can audit a partner's defense mechanisms by reviewing a vendor's security policies and procedures and requesting information on the solutions they are using to protect sensitive data.

9. Monitoring and logging. These are two important processes for maintaining security. Monitoring activity in your IT environment is the method through which you can detect abnormal activity that may indicate something nefarious is afoot or at least flag a potential problem that can invite criminal activity. Logging is the recording of the activity in your environment, from logins into applications to emails to web browsing.

If an IT security incident were to occur, an investigation would likely involve the analysis of log files. But there's a potential problem with this: Numerous new log files are generated every week to reflect the work being performed within an ASC. If an investigation needed to occur, that could require a lot of time for one or more individuals to go through potentially thousands of logs with entries to weed out all the noise and hopefully piece together what occurred.

That's where event correlation comes in. With a security incident and event management (SIEM) solution or similar technology, users can more efficiently assess logs and identify potentially noteworthy patterns, such as those that may indicate a security breach or hardware failure.

10. Password policy enforcement. Last but certainly not least on this list is a subject that's long been an essential aspect of IT security: passwords. It's critical that ASCs develop a strong password policy and enforce that policy across the board. Permitting any users to deviate from the policy will increase the likelihood of an incident.
One of the items that should be included in your policy is the use of an established password manager. This is preferable to what many people are now relying upon: built-in browser password managers. These are more susceptible to attack.

In addition, ASCs should ensure their password policy and controls apply not only to their own internal systems but also all software-as-a-service (SAAS) solutions used by the center. It's not unusual to see situations where a password policy is only applied to those applications hosted by a center, but that may be shortsighted when there are an increasing number of applications hosted by other organizations.

Giving security the attention it deserves
Cybercrime is on the rise, and ASCs are appealing targets. Surgery centers capture valuable patient data and typically have smaller IT security budgets than larger providers, like hospitals and health systems. By making security a top priority and ensuring the vendors you partner with do the same, you increase the likelihood that cybercriminals will view your ASC and its data as challenging targets and move on. Even if a cybercriminal manages to penetrate your systems and network, a strong security program should help you spot this intrusion early and allow you to move quickly to reduce the damage. To learn more about Surgical Notes revenue cycle solutions, visit www.surgicalnotes.com and follow Surgical Notes on LinkedIn.

Nathan Hess (nathan.hess@surgicalnotes.com) is chief information and technology officer for Surgical Notes. Surgical Notes is a leading provider of revenue cycle solutions, including, transcription, coding, revenue cycle management (RCM), and document management applications for the ASC and surgical hospital markets.

Copyright © 2021 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.