FEATURE

nology rules. All staff also sign a “computer access agreement.” “This agreement states that staff are aware of the need for an individual password to access our systems, and that this password may not be shared with anyone else under consequences of termination,” Koles says. “It states that some employees receive a company email account and that it is to be used solely to conduct business and not for any personal reasons. In addition, it makes staff aware that no software may be downloaded and installed on company computers without prior permission from the IT manager. The number one thing we stress to staff is only work-related web browsing may take place in our ASC.”

Staff members at Punshon’s ASCs receive training on data privacy and security upon hire and a yearly review of HIPAA education. That is not all. “When there is something in the news about data security, we use that as an opportunity to provide additional education,” she says. “We also invest in online training services, and our management company provides resources.”

If an incident occurs that jeopardizes data security, turn a negative experience into a positive one, Rubino says. “Rather than penalize staff, recognize that as an opportunity for education. Incidents help you find and fix weaknesses.”

Reduce Your Risk

Because human error is inevitable, says Josh Frazier, IT manager for Coastal Orthopedics & Sports Medicine, he works to reduce the likelihood of mistakes by using technology to help prevent problems from ever occurring. Tools he uses include content filtering, anti-virus software and firewalls. “We also have a tool that labels any email that comes to us from outside the organization,” Frazier adds. “If staff thinks the email looks suspicious, they forward it to me for review.”

Protecting Your Data Security from Social Media Threats

Social media presents a growing threat to data security. As Proofpoint, a cyber security company based in Sunnyvale, California, noted in its Q4 2016 “Threat Summary” report, social media phishing attacks, in which cyber criminals impersonate a business to trick users into providing personal or confidential information, increased 500 percent during 2016.

To help prevent social media use from harming your ASC, consider a firm policy restricting its use, says Christopher Koles, information technology manager for Hillmont GI and its ASC, Springfield Ambulatory Surgery Center, in Flourtown, Pennsylvania. “We do not allow the use of social media among staff while at work, so threats of this nature are very minimal for us.”

Even with a policy like that in place, education on how social media can threaten data security is imperative, says Tracy Rubino, privacy officer of ambulatory surgery centers for not-for-profit health system Sutter Health in Sacramento, California. “Social media is engrained as part of our culture, especially with the younger staff who may not realize or fully understand what they are doing with it.”

She recommends that staff education address the ways cyber criminals can use social media and how staff can accidentally violate data privacy laws using social media. She cites news reports about photos taken inside of health care facilities that show computer screens and scheduling whiteboards containing patient information. “While the staff members who took these photos did not mean to include this information, that is not a valid excuse for sharing private information.”

If an ASC is going to employ social media as part of its marketing efforts, Rubino says, it is important to establish rules. “We use social media to promote our community involvement. We stress the importance of getting this message out without compromising privacy and security, and we have a vetting process for messages before they are posted.”

Staff are encouraged to comment on Sutter’s social media campaigns, but advised never to discuss patient issues. This is guidance that pertains to any social media post, Rubino says. “We have all seen people vent about work on social media. In health care, it is critical that staff never reference a specific patient, even vaguely. Particularly in small towns, a person may be recognizable with just a few details shared about them.”

Services that can help ASCs improve their security efforts are worth investigating, Frazier says. “We are considering a service that sends fake emails to staff to train them on identifying suspicious emails.”

The more an ASC can be proactive in its data security efforts, the better, Rubino says. “You cannot wait for the errors to occur. Criminals have their eyes on our data. We have to do all we can to fix holes before a criminal finds them.”

ASC FOCUS MAY 2017 | 19
