Ambulatory surgical centers are an important part of modern healthcare, providing procedures that are quicker, more efficient, and many times, less costly than going to a hospital. With this change in focus comes a growing cybersecurity concern: the ambulatory surgery center is becoming a major target for cybercriminals because the technology infrastructure is often much less sophisticated than the technology infrastructure at larger hospitals.

This issue became front and center recently when Sun Valley Surgery Center Data Breach notified patients that hackers accessed some patient information. While further details are still unfolding, this incident underscores the larger challenge within the overall industry: many ambulatory surgical centers are busy enhancing their clinical operations without enhancing their cybersecurity breaching.

Unlike large hospital networks which have dedicated IT teams, outpatient surgical facilities often have much leaner operating models. The primary focus of outpatient surgery centers is patient care, which is understandable, although that also means there may be fewer technology upgrades, security audits, and proactive monitoring in place. Hackers see this opportunity and continue to take advantage, with email phishing techniques, credential harvesting, and exploiting the vulnerabilities of outdated software systems.

Another significant concern is the kind of data stored by these centers. Surgical centers have very sensitive medical information, which is made up of past treatments, diagnosis information, insurance, patient billing, and identifiers. This type of protected health information (PHI) has a high black-market value, and even a small outpatient facility makes a very attractive target. The attackers recognize that if they are successful in compromising one surgery center, they will be able to access thousands of complete medical records. 

Additionally, many ambulatory centers use third-party service providers. This means simply being an ambulatory center makes them more vulnerable. The ambulatory center may be contracting billing services, or even information systems for anesthesia documentation, imaging, assurance reviews, etc., and may not know they are at additional risk. Each external partner unnecessarily widens the attack surface. A single compromised vendor account can be the major point of failure in a security incident, which a healthcare facility may not find out about until it is too late. 

The use of poor network segmentation also hinders security in these environments. In outpatient centers, the patient intake devices and administrative systems that are used share the same network as clinical equipment. This makes it much easier for attackers to lateral once they gain access. A single email with a successful phishing attempt may foil all systems, and all the protected health data and internal email communications may be compromised equally.

Despite these threats, outpatient surgery centers have multiple options to improve their cybersecurity posture. Regular software updates, implementing modern authentication processes, and performing annual penetration testing can go a long way to minimize exposure. Further, there is a value to staff training, as human error is often the cause of breaches rather than a technical failure. Ensuring vendors are held to strict security standards and employing effective network segmentation will also provide measurable difference. 

As the targets of cybercriminals increase, outpatient surgical facilities must realize that they are not low-profile targets any more. With data from patients, physicians, and often overlooked digital systems, outpatient surgical facilities have become targets for bad actors. Enhancing cybersecurity is no longer a choice, it is part of protecting patients, community health, and trust in an ever evolving digital environment.