What You Should Do If Your Ambulatory Surgery Center Is A Victim Of A Cyber-Attack
More often than not, freestanding surgical centers lack the right information technology resources to keep them safe against a range of issues, including but not limited to malware infections, viruses, and cyber-attacks. Up until recently, ambulatory surgical centers have been slow to adopt and implement innovative technologies, such as electronic health records. But nowadays, there’s a major push towards integrating the latest and greatest, such as anesthesia machines with information systems, to provide the care patients need in a much more effective way. This is great, except it introduces entirely new risks that aren’t typically accounted for and safeguarded against.
What Should You Do in the Aftermath of a Cyber-Attack?
Reports show that ransomware and other forms of cybercrime are increasing at an incredible rate, and unfortunately, healthcare is amongst the top targeted industries. Naturally, prevention is vital when it comes to staying safe. You need a multi-layered approach that encompasses firewalls, anti-virus software, intrusion detection software, and other forms of cybersecurity technology to stay safe. But if all fails and a cyber-attack occurs, what do you do? Here’s our recommendations:
- Execute Your Response and Mitigation Plans
Your response and mitigation plans should be executed right away – outlining the steps necessary to fix any technical issues, prevent the further disclosure of protected health information, and recover your systems as soon as possible. This is typically done with your own information technology staff or an outside, third-party company.
- Report the Incident to the Relevant Law Enforcement Agencies
If you don’t already have a list of the relevant law enforcement agencies to report an incident to, make sure you create one. This may include local or state law enforcement or the FBI. If necessary, you may be asked to avoid reporting the breach due to the fact that it could impede with an investigation.
- Speak with All Federal and Information-Sharing and Analysis Organizations
This should include the HHS Assistant Secretary for Preparedness and Response, the Department of Homeland Security, and any other ISAOs necessary. Make sure you do not include any sort of protected health information in your reports or documentation while sending them over.
- Report the Incident to the OCR Immediately (Within 60 Days)
The OCR must be notified of the breach within 60 days after the discovery of the breach affecting 500 or more individuals. You also must notify all affected individuals and the media, except in the event that law enforcement has asked you not to. If less than 500 individuals are affected, they must be notified within 60 days and OCR must be notified within 60 days after the end of the calendar year that the breach was discovered.
Remember, All of Your Efforts Matter When the OCR Investigates. A Proper Response Can Mitigate Any Potential Fines And/Or Lawsuits. Kraft Technology Group Can Help You Minimize the Risk AND Respond Appropriately If Something Happens.
Call (615) 600-4411.
Like this article? Keep reading…