Last June, Dallas-based Texas Retina Associates, the largest retina practice in the state, reported that its IT network had been breached and that the personal and protected health information (PHI) of nearly 313,000 current and former patients may have been stolen. [1] A month later, the Ambulatory Surgery Center of Westchester in Westchester, N.Y., reported that an employee’s email account had been breached and that the personal information and PHI of as many as 22,139 patients may have been stolen. [2]
These incidents didn’t make national headlines, but they put yet another spotlight on the need for health-care organizations, including ophthalmic ASCs, to maintain vigilance and strong defenses against cyber threats. Just one successful attack could bring a practice to a standstill and cost tens of thousands to millions of dollars or more in losses, recovery expenses, state and federal financial penalties, and reputational damage.
“The internet's a bad neighborhood, and if you're doing business on the internet, you need to protect yourself,” says Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC), a nonprofit group that facilitates sharing of cyber threat intelligence and best practices among health-care stakeholders. Based in Orlando, Fla., Health-ISAC counts more than 900 health-care, pharma, health-IT, medical-device and insurance companies among its members, says Mr. Weiss.
CYBER ATTACKS BY THE NUMBERS
Health-ISAC recorded nearly 500 successful ransomware events worldwide against health-care organizations in 2023, 315 of them in the United States. In addition, as of mid-2023, more than 5,500 cybersecurity events, totaling almost 438 million breached PHI records, had occurred since 2009, when the U.S. Department of Health and Human Services Office for Civil Rights (OCR) began reporting breaches affecting more than 500 individuals, according to Health-ISAC. [3]
The rate of cyberattacks targeting health-care organizations, moreover, is accelerating: more than 2,200 events have occurred since 2022, compared with 3,349 during the first 10 years of reporting, according to Health-ISAC. [4]
The costs of investigating, recovering from, and litigating a cyberattack range from tens of thousands to tens of millions of dollars. The average cost of the 20 largest network intrusion investigations as of 2020 was more than $350,000, says Skip Pleninger, president of Paris Kirwan Associates Inc., a Rochester, N.Y., insurance agency that offers regulatory compliance and cybersecurity insurance policies.
The largest health-care breach in the United States occurred last February, when Change Healthcare, the largest health-care payment system in the country, was crippled by ransomware. In addition to the loss of millions of patient data files, the attack delayed claims processing for several weeks for such entities as Naval Hospital Camp Pendleton, CVS Health, Walgreens, GoodRx, BlueCross BlueShield of Montana, and Athenahealth, among others. Change Healthcare paid the perpetrators’ ransom of $22 million in Bitcoin. [5]
In addition to the costs of rebuilding IT and cybersecurity infrastructure, recovering data, and repairing reputational damage, ASCs may also incur severe fines if a breach results from negligence in safeguarding PHI under HIPAA regulations, says Vanessa Sindell, MSN, BSN, RN, CAIP, a senior consultant with Progressive Surgical Solutions, a division of VMG Health.
“Not only could someone lock down your system until you pay them, but then you also have to deal with [the OCR], which could impose significant fines if they determine that you failed to follow proper PHI procedures,” Ms. Sindell says.
According to the OCR, the average settlement for 13 cases in 2023 was $321,000, up threefold over the average of $99,000 for 22 cases settled in 2022.
BEST PRACTICES FOR ASC CYBERSECURITY
First, budget
Given the consequences, maximizing IT security requires major investments in cybersecurity technology and staff, Mr. Weiss says. He recommends that cybersecurity budgets make up 6% to 10% of an organization’s overall IT budget. Yet many IT leaders struggle to secure the resources needed to deliver sufficient defenses.
“In health care, we're already struggling on the bottom line with razor-thin margins, and many [health-care leaders] say, ‘We have to spend a ton more money on IT and security, but that does not improve patient care.’ Well, it will improve patient care when there's an outage,” he argues.
Aside from investing in the security of their IT infrastructure, the Health-ISAC recommends other measures for preventing and responding to cyberattacks. Among them:
Backup, Upgrade and Patch
Scheduling regular system-wide backups, especially of electronic health records systems, and storing them in the cloud is critical. According to Ms. Sindell, Medicare-certified ASCs are required to back up critical systems to the cloud daily. She adds that health-care facilities are also required to conduct periodic IT risk assessments. However, she says, not every facility complies, in part because assessments are expensive.
“But there are so many things important to cybersecurity and protection of patient information from ransomware, and I think that that's a huge risk for surgery centers,” she says. BMS Progressive Surgical Solutions offers templates and checklists to help ASCs develop their own plans for preventing and responding to cyberattacks.
Mr. Weiss also recommends testing backup systems to ensure they will work when needed.
“Are you rebooting, factory resetting your system, and attempting to restore those backups? You must make sure the backups are good and that you practice rebuilding critical systems for the day when you’ll need them,” he says.
Installing network software upgrades and patches as soon as they are available is another task that should never go untended. Delaying them leaves a facility vulnerable to threats that, Mr. Weiss says, are evolving by the day. He recalls that while still working in computer and network penetration testing for the National Security Agency, he once had to brief the IT manager of a secure military base on how he had breached its cybersecurity defenses.
“I could see the steam rising out of the guy's head. He just raised his arms in frustration, saying, ‘How could this be? We passed compliance testing last week,’” he recounts. “That’s when you have to explain that, yes, you checked all the boxes in having the software and configurations set up according to the guidelines, but you weren’t keeping up on [upgrades and patches].”
Develop Manual Workarounds
There is always the chance that, despite its best efforts, an ASC will fall victim to a cyberattack that takes its systems down for days or even longer. That’s when having plans for working manually can mean the difference between weeks of downtime — and lost revenue — and getting back up and ready to go almost immediately.
Dan Chambers, CEO of Key-Whitman Eye Center, can speak from experience on the value of such plans. Key-Whitman, based in Dallas, had its patient data systems locked down for about two weeks several years ago after its third-party IT service provider sustained a ransomware attack. Instead of having to close shop, Key-Whitman turned to paper-based documentation and records until operations got back to normal.
“We had backup procedures already in place for handling the paperwork and information needed to take care of the patients,” Mr. Chambers says.
Mr. Weiss estimates that about half of Health-ISAC members experienced some degree of disruption when a faulty software update issued by cybersecurity provider CrowdStrike caused network outages across the United States in July. Those members with contingency plans for manual operation fared best during the outage.
“You've got to be able to go back to paper and operate without IT if you're facing a big outage like that,” Mr. Weiss says. “We tell our member organizations to make sure people understand what to do in times like that.”
Authenticate and Educate
One simple and effective way to prevent cyberattacks is to require multifactor authentication for access to privileged accounts. Multifactor authentication is especially important for facilities that permit staff to work remotely, Mr. Weiss says, explaining that usernames and passwords are too easy to steal and crack.
“If the bad guys steal my username and password, I don't care. I've got a one-time password coming to my cell phone, or I can use my fingerprint or a screenshot of my face,” he explains. “[Scammers] will have a tough time getting past multifactor authentication.”
Educating employees to recognize suspicious links in email and avoid clicking them is also essential. Mr. Weiss says about 75% of all intrusion attempts consist of phishing emails. Citing a BakerHostetler Data Security Incident Response Report, Mr. Pleninger adds that more than half of successful breaches are the result of employees clicking a suspicious link.
“Fifty-five percent of cybersecurity breaches are due to employee error. It’s not that the employee did anything blatantly deliberate. They just clicked on something they shouldn’t have, and they didn’t have the proper training,” he says.
A common misconception is that scammers only target one organization at a time and focus mainly on large organizations. In fact, most hackers take a shotgun approach, sending millions of phishing emails out at a time, Mr. Weiss says. The shotgun “pellets” consist of links that invariably look virtually identical to one an employee would normally click but lead to a veritable twin of the real vendor website, payment processor, or patient portal.
“As IT and security professionals, we owe it to the industry to do a better job of making it easier for leaders and staff to do the right thing from a security perspective,” Mr. Weiss says. “We have some very motivated bad actors out there who will do anything they can to get what they want.”
DON'T THINK IT CAN'T HAPPEN TO YOU
Thinking cyber attackers won’t strike their own ASC is one of the biggest mistakes leaders can make, Mr. Weiss says. At health-care cybersecurity conferences, he frequently encounters those who believe their facilities are too small to be targeted. But when it comes to phishing for victims, there’s no such thing as a fish that’s too small.
“It doesn't matter how big or small you are. If they can use you to get access to the network, you are the jumping-off point for their next steps. Like I mentioned earlier, the Internet's a bad neighborhood, and you've got to be proactive to protect your organization,” he says.
References:
1. Portalatin A. Texas ophthalmology practice experiences data breach affecting 312K individuals. Becker’s ASC Review. July 1, 2024. https://www.beckersasc.com/ophthalmology/texas-ophthalmology-practice-experiences-data-breach-affecting-312k-individuals.html. Accessed Aug. 13, 2024.
2. Adler S. Email breach affects 22,000 Ambulatory Surgery Center of Westchester patients. The HIPAA Journal. July 5, 2024. https://www.hipaajournal.com/email-breach-affects-22000-ambulatory-surgery-center-of-westchester-patients/. Accessed Aug. 13, 2024.
3. Health-ISAC. Healthcare Heartbeat: Cybersecurity Trends and Threats in the Healthcare Sector 2023 Q4. https://h-isac.org/. Accessed Aug. 14, 2024.
4. Health-ISAC, American Hospital Association. Current and Emerging Healthcare Cyberthreat Landscape. February 2024. https://www.aha.org/system/files/media/file/2024/02/h-isac-tlp-white-executive-summary-for-cisos-current-and-emerging-healthcare-cyber-threat-landscape-2-2024.pdf. Accessed Aug. 14, 2024.
5. Minemyer P. Change Healthcare begins breach notifications to firms with impacted members, patients. Fierce Healthcare. June 20, 2024. https://www.fiercehealthcare.com/payers/optums-change-healthcare-responding-cybersecurity-issue. Accessed July 27, 2024.