CYBER SECURITY


  BY NELSON GOMES


ASCs are attractive targets for cybercriminals. Surgery centers collect and store vast amounts of sensitive personal information. This is highly valued as it can be used for identity theft, blackmail and extortion. In addition, ASCs are appealing because of their size. Larger organizations tend to invest heavily in cybersecurity measures. ASCs, however, have comparatively smaller budgets for information technology (IT), including cybersecurity. With fewer resources dedicated to IT security, ASCs lack enterprise-type security measures and are more vulnerable to a security breach.

ASCs could take multiple steps to strengthen their defenses against data breaches, but nothing is foolproof. Cybercriminals become savvier with each passing day, successfully finding new security gaps to exploit. Through the first half of this year, cybersecurity company Bitdefender reported that 2020 was on track to set a new data breach record. While breach prevention efforts must remain a top priority, ASCs must ensure they are prepared for and ready to manage a breach if one occurs.





The backbone of a successful data breach response is a formal, written plan. A data breach is considered a type of manmade disaster, so treat development of this plan as seriously as other disaster plans.

To begin crafting a comprehensive plan, assemble an incident response team. This team should at least include company personnel, such as the administrator, IT director (if applicable) and superusers; legal counsel; a computer forensic specialist; and a crisis management/public relations firm. Work with this team to identify the steps you may or will be legally required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to take when you learn your ASC has experienced a breach.


At a minimum, your plan should spell out what will need to occur to achieve a successful response, who on the incident response team is assigned what tasks and the timeline to complete these responsibilities. Your plan should cover a variety of responses to account for the different types of breaches you can experience. Examples include external hacking; theft of a media device containing sensitive data; internal error leading to unauthorized access of data; malicious actions by an employee; and violations caused by business associates, i.e., third-party partners.

26 ASC FOCUS OCTOBER 2020 | ascfocus.org


Once the plan is drafted, circulate it among the incident response team and your governing board for feedback and approval. Like other disaster response plans, regularly review and make updates to your breach response plan, such as those that reflect changes to the response team and new IT investments. In addition, periodically drill your breach response plan to help you identify opportunities to further strengthen the plan.

