HSTpathways CEO Tom Hui walked Becker's ASC Review through what surgery centers should do in the event of a cybersecurity breach.
Note: Mr. Hui's responses below were lightly edited for style.
Step one: Do your due diligence
Now is the best time for ASCs to take steps to improve their organization's cybersecurity posture. Addressing and remediating cyber risk is a necessary evil for all healthcare organizations, but ASCs are more reactive. It's time for ASCs to go on the cyberoffensive. The status quo today is simply not acceptable.
Studies show larger healthcare organizations are becoming more secure, while smaller providers are struggling.
The first step [in the event of a breach] is to identify the nature of the breach. Second, determine how serious the breach is. Not all breaches have the same level of seriousness. Some breaches are mischievous, while others are very serious around disclosing patient health information and proprietary business information. Finally, understand if the breach is contained or will need remediation.
Step two: Plan communications procedures
All cybersecurity communications and planning need to be developed prior to a breach. What allows ASC leaders to sleep well at night is having a plan in place so the team is ready to respond effectively in the unlikely event of a data breach. The best time to put together an organization's plan is when your organization is not experiencing a breach.
For your communications planning:
- Have multiple versions of a letter with instructions, reminding staff of best practices
- Document the contact information for each stakeholder and for state and federal agencies
Remember, when a breach occurs, you are vulnerable to litigation and fines. All internal and external communications should be reviewed by your law firm prior to the incident, and any finalized communications materials should be reviewed again once a breach occurs.
Internal communications:
Execute on communications by first identifying and communicating to an organization's internal team. Understand who should be notified and the nature of the content. Priority communications include:
No. 1: Management
No. 2: Ownership
No. 3: Staff
Communications should be first with executive leaders and ownership, followed by general information to ASC staff describing the nature of the breach: Is it ongoing and remediated? What actions should be taken by the team?
External communications:
Once the nature of the breach is understood, that information dictates who needs to be notified. Then, have a law firm weigh in on the legal ramifications of the steps that should be taken. Assess whether any government agencies need to be notified, particularly as [the breach] relates to HIPAA violations. HHS requires that security breaches involving the data of more than 500 people be reported within 60 days of discovery.
Don't forget to contact your insurance company. Unfortunately, some insurance companies are still reluctant to offer insurance on a cybersecurity policy.