By Bill Prentice
You don’t have to work in health care to be familiar with the Change Healthcare ransomware attack that occurred earlier this year. That hack caused billing disruptions across the country and inspired Congress to convene hearings to begin exploring how the breach occurred and what steps to take to prevent comparable attacks in the future.
What you might not know, says Dr. Paul Alcock, chief information security officer for Surgical Information Systems and adjunct professor of cybersecurity at New York University, North Carolina State University and the University of Central Florida, is that although attacks on large companies make headlines, cybersecurity breaches are much more prevalent in small and medium-sized businesses. Also, the number one industry targeted by those attacks is health care.
Alcock and I recently sat down together to record an episode of ASCA’s Advancing Surgical Care Podcast titled “Cybersecurity for Surgery Centers.” Although most of ASCA’s podcast listeners work in surgery centers, health care professionals in many settings can benefit from the advice Alcock shares. Anyone can listen for free using a link on ASCA’s website (www.ascassociation.org/cyber-podcast) or the podcast hosting platform of their choice. I encourage everyone reading this column to take time to listen to this valuable 12-minute program.
One reason health care entities are especially vulnerable to cybersecurity hacks, Alcock says, is the interconnectedness of the health care ecosystem. The dependence health care entities have on third-party vendors for critical business functions is another. One reason small businesses are often targeted, he adds, is that they tend to believe that because they are small, adversaries are not concerned with their data when, in fact, the opposite is true.
No matter what controls a facility puts in place, Alcock concedes, some level of risk remains. Since that risk can never be eliminated entirely, he encourages organizations to reduce it as much as possible. As a starting point, he recommends some practical, low-cost measures that organizations can use to frustrate potential attackers enough that they will move on to their next target. Those include:
- identify any obvious vulnerabilities by starting with an internal risk assessment (he mentions some free resources that can help and talks about when hiring professional assistance makes sense);
- evaluate your business relationships with your third-party vendors from an IT perspective;
- determine what data might interest your adversaries most and how they might attack, then look for security gaps that should be addressed;
- implement strong password management policies;
- leverage multi-factor authentication;
- update and patch your systems regularly;
- deploy some antivirus protections;
- train your employees; and
- invest a little time and money on the front end that could save you a great deal of time, money and energy on the back end.
Organizations with greater financial resources, he says, can create a more robust cybersecurity program that incorporates more advanced technologies, expertise and processes.
If a hacker does manage to break through your defenses, Alcock says, your reputation and future viability will largely depend on how well you respond. To help, Alcock recommends preparing an incident response plan well before any attack occurs, having a cyber insurance policy in place, ensuring quick access to a third-party consultant that can help with a response if one becomes necessary, and more.
When it comes to cybersecurity, Alcock says, there is no endgame. Because the threat landscape is always evolving and “the bad guys” are always trying new tactics, facilities that want to remain protected need to constantly review the protections they already have in place and make sure they remain relevant.
In a whitepaper titled “The State of Ransomware 2024,” cybersecurity company Sophos reports that high ransom demands are no longer limited to high-revenue organizations and expectations of payouts of $1 million or more have become commonplace. In fact, the average ask among 1,701 organizations that had their data encrypted and contributed data to the report was $4,321,880. Also, according to that report, other recovery costs associated with attacks typically exceed $1 million and average $2.73 million across businesses of all sizes. Health care entities of all shapes and sizes need to protect themselves from that kind of risk. I encourage you to listen to Alcock’s advice and make sure that cybersecurity is a top priority in your facility today.
Before I sign off, I have one reminder on an entirely separate matter specifically aimed at ASCs. As I have pointed out in this column before, beginning in 2025, as part of Medicare’s ASC Quality Reporting Program, ASCs must conduct the Outpatient and Ambulatory Surgery Consumer Assessment of Healthcare Providers and Systems (OAS CAHPS) Survey or face reduced Medicare reimbursement rates in 2027 and beyond. ASCs cannot administer these surveys on their own, but at last count, only about a quarter of Medicare-certified ASCs had authorized a Medicare-approved vendor to conduct the survey in their facility.
Survey vendors have informed ASCA that they do not have the capacity to sign up all the ASCs that are not already administering this survey at the same time, and ASCs that are already participating have indicated that while setup can take many weeks or more, making certain an ASC achieves the high scores it deserves can take even longer.
I encourage every ASC that participates in Medicare’s ASC Quality Reporting Program to start now to select a vendor and begin administering this survey as soon as possible. Delaying any longer could cause your facility to be noncompliant in 2025. If you don’t know where to begin, visit ASCA’s website (www.ascassociation.org/prepare-oas-cahps) for help.