Senior living is evolving into a highly technical and heavily regulated industry. As baby boomers retire and the industry continues to grow, it has become apparent that a locked cabinet for patient files is no longer enough to protect Personal Health Information (PHI). Traditionally, it was believed that senior living was at lesser risk of a cybersecurity attack. However, recent years have shown that it is a primary target, and the senior living industry is not prepared to combat an attack. When a community faces a large security breach or challenge, not only is there a risk to reputation and patient trust, but also a risk of heavy government fines. Here are 4 security challenges facing senior living communities today:
1. Culture & Awareness
In senior living, employees are often primary targets for hackers, because they have access to many of the community’s computers, systems, and networks. These employees serve as the front line against an attack. However, when establishing a cybersecurity program, these employees are often forgotten, and the design and implementation are left exclusively to an IT department or vendor. In order to protect resident data, it is imperative that each senior living community look closely at its culture and take steps to address any gaps.
While a robust information and cybersecurity program involves many different technical solutions, these solutions, and the people implementing them, cannot work independently from the business operations. In establishing a cybersecurity culture, everyone, including executive leadership and management, plays an equal part. A culture that promotes security achieves three important objectives:
• It aligns security practices with business objectives in order to improve the organization’s security posture.
• It demonstrates that security is not a project relegated to the IT department, but an essential part of every person’s job.
• It prepares employees for the current threat trends, highlighting the tactics, techniques and procedures used by hostile actors.
In senior living communities, employees often have multiple passwords to remember and update. Many systems require those passwords to change on a regular basis. As a result, employees tend to reuse the same password or choose weak passwords in order to make it easier and quicker to log into the necessary systems.
When passwords do not meet strong technical standards, it is easier for bad actors to pose security threats and create potential breaches of information. Not only can comprehensive password policies help protect against hacking, but they can also make it more difficult for phishing scams to be successful in cracking passwords. The Department of Health and Human Services has recommended several technical safeguards to help prevent these security risks. These federal requirements are designed to be flexible, but they cannot be ignored.
3. Healthcare Ransomware
Ransomware has quickly become one of the top threats in senior living. According to the US Justice System, ransomware attacks have quadrupled in the past year to nearly 4,000 per day. Senior living has proven to be as susceptible to these attacks as any other industry, but woefully unprepared to combat them. As the attacks become increasingly sophisticated, many senior living facilities, unable to break the encryption on their own, are forced to pay.
Whether a hacker is able to infiltrate a network or an employee inadvertently downloads a malicious file or clicks on a suspicious link, ransomware has the potential to put an entire system on lockdown. Monitored backups are essential. To ensure that they are secured and protected, backups would ideally be stored in a HIPAA-compliant data center. Creating a disaster recovery plan now that will allow an organization to quickly identify and address any breaches will help get systems running quickly and avoid clinical downtime in the event of an attack. Additionally, establishing a cybersecurity culture will allow employees to better protect your community from attack.
4. Non-Hacking Incidents
While senior living’s vulnerability has increased with the use of technology, that does not mean PHI cannot be compromised in other ways. Paper documents can be lost, or a laptop might be left behind or stolen. In either case, PHI security needs to be considered on multiple fronts. To truly protect data, organizations must know at all times how PHI is accessed, stored and transmitted. This requires knowing how each team or division uses data and fostering a culture of transparency.
In considering security challenges, it is helpful to have an outside expert on information security and government regulations conduct a vulnerability assessment and review your systems, policies and procedures. From there, you can put together a plan to address any areas of concern.
What steps have you taken to address your data security challenges?