By Nathan Hess, Chief Information Technology & Security Officer
There's significant attention being paid to data security these days,
and justifiably so. Cyberattacks
are on the rise, and the news is filled with reports of ransomware attacks crippling businesses
and communities.
When ASCs choose Surgical Notes to manage their revenue cycle, data security
usually isn't a reason driving the decision. Rather, it's typically
one or more financial objectives, such as improving collections, reducing
denials, eliminating bad debt and revenue leakage, streamlining business
office performance, and maximizing profitability. While these are areas
where Surgical Notes excels as a company, all this great work would be
for naught if we didn't effectively protect our partners' sensitive
patient and financial data. After all, a breakdown in security that leads
to the theft of client data could lead to significant financial, compliance,
and reputation challenges for us and our partner ASCs. That's why
we treat all layers of security as a top priority.
Here are just a few of the approaches Surgical Notes takes to help keep
our client ASCs' data protected.
1. Follow best practices for security management
To manage security, we use the "CIA triad" model and pair it
with our own hybrid, risk-based framework to guide our decisions and actions.
While that's a little heavy on the security jargon, understanding
the triad model provides a broad picture of what we do and how we think
about security.
CIA stands for confidentiality, integrity, and availability. Following
these three elements helps:
- ensure that we are protecting our systems and data from unauthorized access;
- ensure that we are protecting our data from unauthorized changes; and
- ensure that our systems and data are available for users.
2. Treat security and compliance as complementary
Security and compliance are typically treated as separate functions with
a symbiotic relationship. They share the goal and vision of helping organizations
manage their risk, and thus should work hand in hand. Yet many companies
struggle to achieve such successful collaboration between security and
compliance, which usually results in these functions operating in silos.
That's how it's possible for an organization to be secure and
not compliant or be compliant and not secure.
The most famous example of the latter is Target in 2013. The company had
its Payment Card Industry Data Security Standard (PCI DSS) compliance
confirmed just weeks before it suffered one of the
largest data breaches on record.
At Surgical Notes, we're fortunate to have strong security and compliance
leadership who understand the complementary nature of those two functions
and work closely together. As a result, we are able to perform better
in both areas.
3. Investments in security
While cybercriminals are becoming more savvy with their tactics, we are
fortunate that security technology companies are developing solutions
to help keep criminals at bay. We've invested in a number of these
solutions, including powerful data encryption, password managers, and
endpoint detection and response tools that leverage artificial intelligence.
We also provide ongoing security training to our staff and undergo routine
assessments to identify opportunities for improvement.
4. Commitment to continuous improvement
As a company, we have an overarching commitment to continuous improvement.
That's not just for our client-facing services, but our internal operations
as well, which extends to how we manage risk and the steps we take from
a security standpoint.
Strengthening Your ASC's Security
As we continue to do all we can to keep data secure, there may be more
that your ASC can do. I recently wrote a column for Becker's ASC Review
highlighting essential security safeguards for ASCs, all of which reflect
controls we have implemented at Surgical Notes.
And if you're considering outsourcing revenue cycle management or
any other function that will require you to share sensitive data with
a third party, make sure to ask each of those companies under consideration
about how they approach data security. If the answer you're given
doesn't instill confidence, you may want to look elsewhere for a partner.