For ambulatory surgery centers (ASCs), healthcare cybersecurity challenges and responses are different depending on the size of the operation, observed Tom Hui, founder of SurgiCenter Information Systems and CEO of HSTpathways.
Hui noted that around 40 percent of ASCs are owned or jointly owned and managed by large corporate entities such as Hospital Corporation of America, Surgical Care Affiliates, and United Surgical Partners International.
The remaining 60 percent, however, are small independently owned and managed surgery centers. These two groups have very different resources and staff to bring to bear on cybersecurity challenges, Hui told HealthITSecurity.
“Larger organizations and hospitals tend to be much more formal. They have deeper IT resources, and they have dedicated and devoted a lot of time and energy and money into developing their cybersecurity threat detection, remediation, and policies and procedures,” Hui noted.
At the same time, they tend to overreact and want to lock down IT systems and devices “so tight that it makes it very unwieldy and clumsy to connect” patients and medical personnel.
“What I've been seeing is this kind of struggle between the operators of the surgery center and what they need to get done as a business, and the concerns of the IT department in terms of risks,” he related.
Hui noted that some organizations will not allow physicians or employees to bring their own devices to work, so-called BYOD. Instead, they can only use corporate-issued devices.
Another trend that Hui is noticing is the use of virtual PCs by organizations to control risk. The IT department hosts the virtual PCs, so it can control and monitor them, making it harder for hackers to penetrate the network and for data to leak out.
Unfortunately, virtual PCs can add to the complexity of the IT infrastructure, which can interfere with applications. “Anytime you add another layer of something, it's one more thing that can go wrong. There are different ways to implement these virtual desktops, and sometimes applications do not work as intended on those devices.”
On the other hand, the smaller, independent surgery centers usually have limited staff. Often, the owners and managers are the physicians themselves.
“They don't have the knowledge; they don't even typically know the right question to ask about security. So, they will rely typically on local IT consultants to come in, who need to be educated about PHI and HIPAA,” he said.
“Even if they do security very well, the problem is that they can't maintain a high level of cybersecurity over a long period of time. It's very expensive,” he added.
“Six months from now, one year from now, are they still doing a good job? Oftentimes, you'll find that the IT consultant has moved on. The physician, if he did it himself, has lost interest, and that's where you start to see deterioration of cybersecurity.”
In the interview, Hui also touched on the issue of medical device security in ASCs. These devices generate and transmit lots of data over the local network. That data is usually not encrypted.
“The data is only as safe as the network that they have at the surgery center. If someone breaks through the network, then they've lost the security of that clinical data,” he noted.
“The other thing that we are seeing is that a lot of centers have old devices, and those devices frequently were not designed to transmit data. So, now if they want to stream data in real time to an electronic health record, they need to replace those with the latest models, and we see that happening quite a bit,” he said.
“If someone got into a network, they can change the data, and they can change the way you see the data. But I haven't heard of cases where someone did that to create a medical problem,” he added.
The bottom line is, whether part of a larger organization or a small independent entity, an ASC should follow cybersecurity best practices but ensure that physicians and staff can communicate effectively with each other and with patients. It’s not an easy task, but it is crucial for data security and patient safety.