Ambulatory surgery centers (ASCs) and other health care entities continue to face heightened levels of cyberattacks in 2024.
Earlier this month, it was revealed that a Florida surgery center had a data breach affecting more than 48,000 patients. Around the same time, an Idaho-based ASC announced it also had a “data security incident.”
These latest ASC cyberattacks came slightly over a month after the Ambulatory Surgery Center of Westchester had a data security incident of its own.
Generally, there are several reasons why health care cyberattacks are up.
One of the most prominent is the overarching trend of digital transformation. As more systems and processes in health care are digitized, through the adoption of electronic health records (EHRs), telehealth services and connected medical devices, new opportunities open up for bad actors.
Resource constraints are also contributing to an increased volume of data security incidents. As health care organizations see their margins shrink due to reimbursement cuts or rising operational expenses, less money is left to implement strong cybersecurity defenses.
What’s more, ransomware is becoming more sophisticated, and hackers’ appetite for the valuable information within health care data – financial records, social security numbers and more – remains as robust as ever.
“As our health care system becomes more consolidated, the impacts of cyberattacks – if successful – may be more widespread, pulling in even more agencies and offices within HHS,” House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-Wash.) said earlier this year at a congressional hearing on health care cybersecurity.
The Surgery Center of Mid Florida’s (SCOMF) data breach resulted in an unauthorized party being able to access consumers’ sensitive information, which includes their names, social security numbers, addresses, dates of birth, health information, health insurance information and financial account information, according to a summary from Console and Associates posted via JD Supra.
An investigation conducted by a third-party data expert revealed that the Florida ASC’s incident was triggered by a vulnerability with a vendor partner.
“Through this investigation, SCOMF confirmed that unauthorized parties were able to access sensitive patient information through a vendor that SCOMF uses for certain IT services,” the JD Supra summary details. “Evidently, SCOMF’s IT vendor was hacked first, and then the unauthorized user used the connection between SCOMF and its vendor’s network to attack SCOMF’s systems directly.”
Among its services, SCOMF’s team offers gastroenterology procedures such as flexible sigmoidoscopy, colonoscopy, upper endoscopy and more. It also offers a range of ophthalmology procedures, including surgery, glaucoma surgery and blepharoplasty, among others.
Meanwhile, on Aug. 12, Kootenai Health and its subsidiaries – Kootenai Clinic, Kootenai Outpatient Surgery and Kootenai Outpatient Imaging – announced their staff learned of a data security incident impacting data belonging to certain employees, employees’ dependents and patients.
“On March 2, 2024, Kootenai Health became aware of unusual activity that disrupted access to certain IT systems,” the announcement stated. “Upon discovering this activity, Kootenai Health took steps to secure its digital environment. Kootenai Health also engaged leading cybersecurity experts to assist with an investigation and to determine whether personal information may have been accessed or acquired without authorization.”
The investigation found that an unknown actor may have gained unauthorized access to certain data from the Kootenai Health network on or around Feb. 22, 2024.
“Kootenai Health takes the security and privacy of personal information in its possession very seriously and is taking additional steps to prevent a similar event from occurring in the future,” the announcement continued.
Multi-factor authentication is one way health care providers can work to avoid data security incidents.
Basic staff training is another, as many incidents are the result of human error.
“For example, phishing remains one of the most common attack vectors,” Jeremy Carriger, chief information security officer at Arcadia, previously told ASC News. “Consequently, it’s important to prioritize employee training and promote a culture of security awareness. I recommend organizations move beyond annual training to an ‘always on’ or ‘steady drip’ approach.”