Assessing your organization’s cybersecurity risk: 5 key areas for senior living operators – Guest Columns

Cyberattacks are a nightmare scenario for businesses of all types. For senior living providers with protected health data, cyber-breaches create heightened risk.

And although corporate boards and leadership teams are paying more attention to cybersecurity, they still may not understand just how at risk they are. Start with these questions:

• What would it cost your company to lose access to data or key business operations, such as electronic medical records and billing systems, for even one day?
• Do you know the top cybersecurity risks at your organization and have a plan in place to address them?
• Do you have data security policies and processes that are clearly communicated to staff — and if not, do you know the associated liability?
• Do you have a disaster recovery data center to keep critical operations running?

Today, the cost of cybercrime is in the billions of dollars, and healthcare data breaches jumped more than 50% in 2020, according to CPO Magazine. Hacking and IT security issues accounted for 70% of those breaches — and it took the average business 236 days to recover from one, according to a Bitglass report.

Addressing cybersecurity risks

So what can your company do to protect itself from cyberattacks?

If you don’t have in-house cybersecurity expertise — which is not feasible for many organizations — then seek a managed services provider, MSP, that does. Cybersecurity experts are highly skilled individuals who monitor, detect, investigate, analyze and respond to security events. They should work in concert with the MSP’s chief security officer who has helped determine your risk profile, the cost to improve it and make intelligent financial decisions about how to address your risk profile, and build a more robust and safer IT infrastructure.

The five areas important to senior living providers:

1. Protected health information and identity management
2. Legacy systems
3. Policies for data security
4. Disaster planning for business continuity
5. Network security

1. Protected health information

The top causes of data breaches, according to the Healthcare Information and Management Systems Society:

• Phishing attacks (57%)
• Credential harvesting (21%)
• Malware/ransomware (20%)
• Social engineering attacks (20%)

In a phishing attack, an employee receives an email appearing to come from a vendor or high-level executive within the organization. They ask you to click on a link or transfer key account or employee information. Unwittingly, the employee has provided access for a ransomware attack on your network or abetted identity theft. Sharing this news with affected employees and the cost to address the identity theft create long-lasting financial and organizational trust issues.

Those scenarios are all too common. Despite ongoing education, protected health information breaches continue to occur through phishing in the form of malicious and increasingly sophisticated email scams.

In a typical ransomware attack, malicious software penetrates the organization’s systems and encrypts accessible data. Hackers then demand a costly ransom to decrypt it — and also may threaten to sell or release your data on the internet. The news is rife with examples, such as the July breach of IT firm Kaseya, where hackers demanded a $70 million ransom.

So how do you protect yourself against data breach and loss? When it comes to protecting your organization from cyber-probes, employees are your first line of defense. Identity management is a critical back-up.

Here are high-level cybersecurity measures that the Thrive Well team addresses after performing a comprehensive organizational security audit:

• Comprehensive and frequent cybersecurity education for staff
• Automated back-ups of critical systems
• Encryption systems for emails and data in case of device loss or theft
• Implementation of alerts for large or suspicious file or monetary transfers
• Identity management processes for systems access

2. Legacy systems

Here’s an example involving a legacy system.

Your organization’s billing department uses a computer with an operating system that no longer is supported by the developer. The data it holds and sends is not encrypted — and the system cannot be updated to add this critical security layer. If this system is breached, either through phishing or a network hack, then your organization faces fines through the Health Insurance Portability and Accountability Act that increase exponentially with each resident/patient record breached — tens or hundreds of thousands of dollars. Communicating this breach to affected clients, and dealing with the aftermath, is a CEO’s nightmare — even more so if the breach is made public.

Legacy operating systems and hardware that carry security risks are an unfortunate fact of life for most organizations. It’s extremely costly to keep every piece of hardware and software up to date — especially when balanced against day-to-day operating needs.

Common cyber-risks include operating systems where updates no longer are being provided by the vendor or the hardware can’t handle an updated operating system. Additionally, some pieces of technology— kiosks for example — simply may not be able to be updated, meaning you will need to bring in an entirely new system. That’s a costly, complicated and long-term process.

So, how do you address legacy systems risk?

• Identify all legacy systems.
• Conduct a vulnerability scan that identifies the risks — and put a process in place to repeat and follow up on findings.
• Clearly convey the risk and cost of not investing in fixes to leadership and board.
• Establish a POAM (plan of action and milestones) to address vulnerabilities in accordance to risk. In some cases, an organization simply may need to assign acceptable risk to a piece of technology for a certain amount of time.

Addressing cyber-risk is not a once-a-year or one-and-done discussion. Leadership, department leaders and IT routinely should discuss the security risks inherent in the systems they use and have a defined process for addressing them.

3. Policies and procedures for data security

Compliance os key. In the earlier phishing scenario, I outlined an unintentional action by a well-intentioned employee that led to dire consequences. What could make this even more dire? Leaving yourself open to greater liability — and a liability insurance claim denial — if your organization cannot demonstrate processes and policies around such areas as staff cyber training and online behavior.

Creating policies addressing data security and online behavior is not an IT safeguard in the same way as blocking someone’s ability to download software on their laptop or applying content filtering software. But such policies can help drive employee behavior in areas of risk — and mitigate organizational liability.

Key policies include requiring cybersecurity and HIPAA education in your organization’s employee onboarding and compliance programs, setting data encryption standards, and addressing device sharing and usage standards.

Here are a few key considerations:

• What is your policy for taking a device home and the repercussions if someone leaves a device unattended and it is stolen?
• Have you defined a policy for an employee who does not follow your organization’s cybersecurity procedures and clicks on a phishing email?
• Does your staff know what constitutes a breach of HIPAA through email and social media and your policy for those who unintentionally versus intentionally share protected information?
• Are you providing targeted training for staff members who routinely handle protected health information — in all departments, not just clinical? 

Identity management

Say an employee who has access to online financial accounts or your electronic medical record resigns. The person’s supervisor is out on leave, and your organization has no process that notifies IT that access to these accounts needs to be removed. The employee, who harbors a grudge against your company, logs on, and the damage is done.

Another common situation is loss or theft of a device that is owned by the organization or which has access to online business systems. With dual authentification or a formal off-boarding process addressing systems access, your organization substantially reduces associated risk.

Identity management factors into a multitude of areas. Organizations must consider how they are managing passwords, including dual-verification or other technologies that protect against password sharing. Using single sign-on technology can help organizations manage password security more effectively and can create ease of use for staff members who use multiple systems.

Access to systems online — where most systems “live” these days — such as VPNs, EMRs, financial systems and websites, need to be routinely audited to ensure that former employees do not still have access. Systems access should be baked into an organization’s onboarding and, most importantly, off-boarding process.

Finally, do you have a record of log-ins, especially for clinical systems? This becomes critical if an allegation of fraud or a care concern is raised.

Do you know who is logging into your systems and what data they are accessing? If your organization suffered a data breach, would an IT forensics team be able to track backward to identify when, who and how? With a tight identity management system, the answer will be yes.

Business continuity/disaster recovery

Have you calculated the cost to your business if you lost power and, along with it, your ability to operate key systems for a day? What if a flood or fire damaged your data center? What is the revenue loss over two weeks — or a month? Putting a dollar amount to this scenario is the critical first step to making the case for investing in a back-up data center that would avert such a catastrophic shut-down.

Like legacy systems, business continuity planning in the event of a disaster is one of those areas that is tempting to push to the back burner — with dire consequences. And although it technically is not a cybersecurity issue, it’s a key cyber issue.

For complete business continuity, an organization essentially would need to budget for a second IT data center in an alternative location that is simultaneously running your operating systems. Understandably, this is cost prohibitive.

But you can ensure that you are backing up data, that your organization has identified the core systems required for short-term, day-to-day operations and has a temporary worksite and server ready to support those. The security posture at your temporary work site should be the same.

For organizations that have planned ahead by establishing an alternate data center, don’t fall into the geography trap. Too often, we have seen organizations build data center B too close to their primary operational center. That may be convenient for travel and oversight, but if you are on the same power grid or susceptible to the same fire or weather event, then your back-up plan has failed.

Building a strong cyber foundation

As more business operations move to the cloud, the safeguards built into your Wi-Fi network are fundamental to cybersecurity. Secure, partitioned networks for various users and operating systems add strength to your chosen Wi-Fi provider’s own security safeguards.

This and the other areas outlined here are just some of the many pitfalls that can make arming your organization against cyber-attack a daunting task.

Finding a managed services provider with a breadth of talent, strong references and a deep understanding of the senior living industry is your first step to creating the most secure organization possible.

Paul Steinichen is chief technology officer of ThriveWell Tech. He is a pioneer in the healthcare information technology industry, having developed one of the first-ever health information technology systems. He also worked for NASA designing the International Space Station’s control system for high temperature hot water, air conditioning and pressurized air systems through connected devices.

The opinions expressed in each McKnight’s Senior Living guest column are those of the author and are not necessarily those of McKnight’s Senior Living.

Comments are closed.